System Hacking

asdf456
A question from the university BOF lecture

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1553


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* dumpcode() is the hex-dump helper from the lecture's dumpcode.h, which the post
   does not include; this minimal stand-in prints len bytes of buff so the program
   compiles on its own. */
void dumpcode(char *buff, int len)
{
        int i;
        for(i = 0; i < len; i++)
        {
                if(i % 16 == 0) printf("%p  ", (void *)(buff + i));
                printf("%02x ", (unsigned char)buff[i]);
                if(i % 16 == 15 || i == len - 1) printf("\n");
        }
}

int main(int argc, char *argv[])
{
        char buffer[20] = {0, };                         // initialize to 0
        int *pointer_to_ret = (int *)(buffer+24);        // pointer for printing "ret": 4 bytes past the array, the lecture's stand-in for the return address

        if(argc < 2)
        {
                printf("argument error\n");
                exit(-1);
        }

        // memory dump with dumpcode
        dumpcode(buffer, 28);
        printf("[*] BEFORE : the return address is 0x%08x\n\n", *pointer_to_ret);

        // buffer overflow!!  (deliberate: strcpy does not check the 20-byte bound)
        strcpy(buffer, argv[1]);

        // memory dump with dumpcode
        dumpcode(buffer, 28);
        printf("[*] AFTER : the return address is 0x%08x\n\n", *pointer_to_ret);

        return 0;
}


About modifying the return address here,
what I just can't understand is....

What does "return address" even mean??
buffer here is a variable, so why is a return address needed at all?

Hits: 3417     Date: 2011/12/27 05:07



    
phpmyadmin  The return address is, as the name says, the address that is returned to when the function in question finishes. (RET)

This program puts the value the user entered via argv into the buffer variable.
So if you overflow the buffer variable, you can change the *pointer_to_ret variable.

In this lecture the variable *pointer_to_ret stands in for the return address,
but in reality every function in a program has its own return address.

This lesson is an exercise in changing such a return address.
2011/12/27  
asdf456  Hmm, then is it the return address of the main function??
And does the return address sit right at the end of the variable??
2011/12/27  
phpmyadmin  1. Yes (in the current lecture you learn through *pointer_to_ret instead of the actual return address).
2. It is not right at the end of the variable; it's better to think of it as lying beyond the variable. Here the buffer overflow starts once you go past the 20 bytes allotted to the buffer array. *pointer_to_ret is not right behind the variable but starts at buffer+24.

That is, if you pass 24 characters, memory up to just before *pointer_to_ret is overwritten,
and if you pass 28 characters, the corresponding characters (positions 25~28) go into *pointer_to_ret. The characters are stored in memory in little-endian order, so be sure to read the relevant lecture.

If you take the space for the first 20 characters as the buffer variable and the 4 slots 25~28 as *pointer_to_ret, and ask what 21~24 would be in a real situation, I'd say SFP. (SFP(esp) isn't mentioned much yet in the university lecture. So I'll pass too. Just know that it exists..... no, rather than that, to explain it simply: it means the pointer to the top of the stack. You can also change this later through a buffer overflow so that it contributes to changing the return address. Also, from certain gcc versions onward, compiling with the default options creates empty space called dummy; on the stack it sits between the return address and the local variables. When there is a dummy, the SFP is located right in front of the return address.)
2011/12/27  
asdf456  phpmyadmin, I sent you a private message, please check it.  2011/12/27
phpmyadmin  Correction.. it's SFP(ebp). I had it wrong..
esp is indeed the pointer to the top of the stack, and ebp is also called the base pointer.
The base pointer holds the esp from the moment the function was called, and restores that value to esp right before the function returns.
2011/12/31
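The byte layout described in phpmyadmin's two replies above (buffer at bytes 0..19, the 4-byte slot at 20..23 that the reply identifies as the SFP, *pointer_to_ret at buffer+24, and little-endian storage of the 25th..28th characters), worked through as an added example. This is not code from the original post or from the lecture: the frame is modelled as a plain 28-byte array so the copy stays in bounds and runs on any host, and the saved-EBP and return values placed in it are constructed stand-ins, not real addresses. One thing the code makes explicit that the reply glosses over: strcpy also copies the terminating NUL, so a 24-character argument already zeroes the lowest byte of the ret slot, and a target whose little-endian encoding contains a 0x00 byte cannot be delivered through strcpy at all.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Frame layout of the lecture program, in bytes from the start of buffer:
 *   0..19   buffer[20]
 *  20..23   slot the reply calls the SFP (saved EBP on a real x86 frame)
 *  24..27   *pointer_to_ret, the stand-in for the saved return address
 * Added model, not the lecture's code; the frame is an array so the copy never leaves it. */
enum { BUF_LEN = 20, SFP_OFF = 20, RET_OFF = 24, FRAME_LEN = 28 };

/* Constructed stand-ins for what a real frame would hold (not real addresses). */
#define FAKE_SAVED_EBP 0xbffff0c8u
#define FAKE_SAVED_RET 0x080484c4u

/* Store a 32-bit value least-significant byte first, as x86 does in memory. */
void encode_le32(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xffu);
    out[1] = (unsigned char)((v >> 8) & 0xffu);
    out[2] = (unsigned char)((v >> 16) & 0xffu);
    out[3] = (unsigned char)((v >> 24) & 0xffu);
}

/* Read 4 bytes as little-endian by hand, so the result is host-independent. */
uint32_t decode_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the argv[1] string that makes *pointer_to_ret equal target:
 * 24 filler bytes ('A'), then target in little-endian byte order.
 * Returns 0 if target contains a 0x00 byte: strcpy would stop there. */
int build_payload(uint32_t target, char out[FRAME_LEN + 1])
{
    unsigned char le[4];
    int i;

    encode_le32(target, le);
    for (i = 0; i < 4; i++)
        if (le[i] == 0) return 0;

    memset(out, 'A', RET_OFF);
    memcpy(out + RET_OFF, le, 4);
    out[FRAME_LEN] = '\0';
    return 1;
}

/* Simulate strcpy(buffer, argv[1]) into the 28-byte frame and return the value
 * that ends up in the ret slot. Like strcpy, it writes the terminating NUL too,
 * which is why a 24-character payload still clobbers the low byte of ret.
 * Bytes that would land past offset 27 are dropped (the model frame ends there). */
uint32_t simulate_overflow(const char *payload, unsigned char frame[FRAME_LEN])
{
    size_t len = strlen(payload);

    memset(frame, 0, FRAME_LEN);
    encode_le32(FAKE_SAVED_EBP, frame + SFP_OFF);
    encode_le32(FAKE_SAVED_RET, frame + RET_OFF);

    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(frame, payload, len);
    if (len < FRAME_LEN) frame[len] = '\0';   /* strcpy's terminator */

    return decode_le32(frame + RET_OFF);
}

static void dump_frame(const unsigned char *frame)
{
    int i;
    for (i = 0; i < FRAME_LEN; i++)
        printf("%02x%s", frame[i], (i % 4 == 3) ? "  " : " ");
    printf("\n");
}

int main(void)
{
    unsigned char frame[FRAME_LEN];
    char payload[FRAME_LEN + 1];

    /* 20 chars fill buffer exactly; the NUL lands in the SFP slot. */
    simulate_overflow("AAAAAAAAAAAAAAAAAAAA", frame);
    printf("20 chars -> ret 0x%08x\n", decode_le32(frame + RET_OFF));
    dump_frame(frame);

    /* 24 chars: SFP slot overwritten, NUL zeroes the low byte of ret. */
    simulate_overflow("AAAAAAAAAAAAAAAAAAAAAAAA", frame);
    printf("24 chars -> ret 0x%08x (low byte hit by the NUL)\n", decode_le32(frame + RET_OFF));
    dump_frame(frame);

    /* 28 chars with the target in little-endian order: ret fully controlled. */
    if (build_payload(0xdeadbeefu, payload)) {
        printf("28 chars -> ret 0x%08x\n", simulate_overflow(payload, frame));
        dump_frame(frame);
    }

    /* A target with a 0x00 byte cannot be delivered through strcpy. */
    printf("0x08048400 deliverable via strcpy? %s\n",
           build_payload(0x08048400u, payload) ? "yes" : "no");
    return 0;
}
```

To carry this over to the real program from the post, the same 28-byte string is passed as argv[1] (for example with a shell's printf and \x escapes); there the write past buffer[19] really does land on whatever the compiler placed after the array, which is exactly the undefined behaviour the lecture relies on and why the layout must be confirmed with the dumpcode output rather than assumed.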