No. 1601
Author: 해킹잘하고싶다
   [pwnable.kr] fd

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8588


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* declares read(); the original listing omits this include */

char buf[32];         /* global, so it starts out zero-filled */

int main(int argc, char* argv[], char* envp[])
{
        if(argc<2){
                printf("pass argv[1] a number\n");
                return 0;
        }
        int fd = atoi( argv[1] ) - 0x1234;   /* 0x1234 == 4660, so "4660" gives fd 0 */
        int len = 0;
        len = read(fd, buf, 32);             /* the return value is never checked */
        if(!strcmp("LETMEWIN\n", buf)){
                printf("good job :)\n");
                system("/bin/cat flag");
                exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;
}

pwnable.kr, whose server had been down, is back up again.
This is a challenge I solved a long time ago, and I remember it being solved quite easily.
Let's go through the walkthrough...

fd@pwnable:~$ ./fd 4660

The argv[0] argument is "./fd" and the argv[1] argument is "4660".
Let's think carefully about why 4660 is the number entered here.

The expression is atoi(argv[1]) - 0x1234...
Let's look up the atoi function in its man page.


--------------------------------------------------------------------
The atoi() function converts the initial portion of the string
pointed to by nptr to int.  The behavior is the same as

    strtol(nptr, NULL, 10);

except that atoi() does not detect errors.
The atol() and atoll() functions behave the same as atoi(),
except that they convert the initial portion of the string to
their return type of long or long long.

Translation

The atoi() function converts the initial portion of the string pointed to by nptr to type int.
Its behavior is identical to the following:

strtol(nptr, NULL, 10);

The difference is that atoi() does not detect errors.

The atol() and atoll() functions behave the same way as atoi(),
but convert the initial portion of the string to long or long long, respectively.
----------------------------------------------------------------------------------

Roughly speaking, in atoi("4660") the "4660" is not an int... that is, it is not an integer (a number)
but a string, so the function converts the string "4660" into the integer 4660 of type int...
0x1234 is hexadecimal, and converted to decimal it is 4660.
So 4660 - 4660 becomes 0.

Let's look up the read function, two lines further down, in its man page.

-----------------------------------------------------------------------
SYNOPSIS
       #include <unistd.h>
       ssize_t read(int fd, void buf[.count], size_t count);

DESCRIPTION
       read() attempts to read up to count bytes from file descriptor fd
       into the buffer starting at buf.

       On files that support seeking, the read operation commences at
       the file offset, and the file offset is incremented by the number
       of bytes read.  If the file offset is at or past the end of file,
       no bytes are read, and read() returns zero.

       If count is zero, read() may detect the errors described below.
       In the absence of any errors, or if read() does not check for
       errors, a read() with a count of 0 returns zero and has no other
       effects.

       According to POSIX.1, if count is greater than SSIZE_MAX, the
       result is implementation-defined; see NOTES for the upper limit
       on Linux.

Translation

SYNOPSIS

#include <unistd.h>
ssize_t read(int fd, void buf[.count], size_t count);

read() reads up to count bytes of data from file descriptor fd and stores them in buf.
The return value is of type ssize_t and gives the number of bytes read.
If an error occurs, a negative value is returned.

DESCRIPTION

Basic operation

read() reads up to count bytes from fd and stores them in buf.
For files that support seeking,
the read starts at the file offset
and the offset is incremented by the number of bytes read.
If the file offset is at or past the end of the file,
nothing is read and read() returns 0.

When count is 0: read() may detect the errors described below.
If there are no errors, or if read() does not check for errors,
a read() called with a count of 0 returns 0
and has no other effect.

When count is very large:

According to the POSIX.1 standard, if count is greater than SSIZE_MAX
the result is implementation-defined.
For the maximum value permitted on Linux, see the NOTES section.
----------------------------------------------------------------------

This feels a bit hard, but the first argument of the read function means the 'file descriptor'.
When I studied this long ago, I learned that Linux treats all data as 'files'.
I remember that on Windows the counterpart of a file descriptor is called an 'instance handle'.

A file descriptor is an integer value the operating system uses to identify a file or
an I/O object (for example a file, socket, or pipe).
In Unix-like operating systems (Linux included), file descriptors are central
to how a process accesses system resources.

So the value passed to read is fd, and this fd variable holds 0.
(The string passed earlier as argv[1] is "4660",
and 4660 - 4660 is what got stored in the fd variable...)

The value 0 means standard input (stdin), i.e. input is taken from the keyboard.
Then, in the if condition, when the string "LETMEWIN" is entered and strcmp matches
(to be precise, when the global buf[32] equals "LETMEWIN\n"...),
the if block is entered, system() is called, and /bin/cat flag runs in a shell.
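As an added example (not the challenge's own code), the C program below mirrors fd.c's descriptor arithmetic and its read()/strcmp() check, adds the error handling fd.c leaves out, and shows that any descriptor, here a pipe's read end, serves the read path just as stdin (descriptor 0) does. Function names such as descriptor_from_arg() and read_line() are my own.

```c
/* Added example, not the challenge's own code: the same argument
 * arithmetic and read()/strcmp() check as fd.c, plus the error
 * handling fd.c leaves out. Function names here are my own. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF_LEN 32

/* atoi() reports no parse errors: "4660" -> 0 (stdin),
 * "4660abc" -> 0 as well, "abc" -> -0x1234 (no such descriptor). */
int descriptor_from_arg(const char *arg)
{
    return atoi(arg) - 0x1234;
}

/* The read() fd.c performs, but with its result checked. Returns the
 * byte count, or -errno (EBADF for a descriptor that is not open).
 * buf is one byte longer than the read so it is always NUL-terminated;
 * read() itself never appends a terminator. */
int read_line(int fd, char buf[BUF_LEN + 1])
{
    memset(buf, 0, BUF_LEN + 1);
    ssize_t n = read(fd, buf, BUF_LEN);
    return n < 0 ? -errno : (int)n;
}

/* The comparison fd.c makes: the trailing '\n' is part of the expected
 * string because a line typed at a terminal or sent through a pipe
 * carries its newline. */
int is_winning_input(const char *buf)
{
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* A descriptor is only an integer: the same read path works on a pipe's
 * read end just as it does on stdin. Returns 1 when the bytes read
 * match the expected line, 0 otherwise. */
int demo_pipe_read(const char *line)
{
    int p[2];
    char buf[BUF_LEN + 1];
    if (pipe(p) < 0)
        return 0;
    ssize_t w = write(p[1], line, strlen(line));
    close(p[1]);                  /* writer done: reader sees EOF after the data */
    int n = w < 0 ? -1 : read_line(p[0], buf);
    close(p[0]);
    return n > 0 && is_winning_input(buf);
}
```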

p.s. As you would expect, if you simply run cat flag instead of the fd executable,
access is denied (Permission Denied).
This is related to SetUID:

fd@pwnable:~$ ls -al
total 40
drwxr-x---   5 root   fd   4096 Aug 31 16:09 .
drwxr-xr-x 116 root   root 4096 Oct 30  2023 ..
d---------   2 root   root 4096 Jun 12  2014 .bash_history
-r-sr-x---   1 fd_pwn fd   7322 Jun 11  2014 fd
-rw-r--r--   1 root   root  418 Jun 11  2014 fd.c
-r--r-----   1 fd_pwn root   50 Jun 11  2014 flag
-rw-------   1 root   root  128 Oct 26  2016 .gdb_history
dr-xr-xr-x   2 root   root 4096 Dec 19  2016 .irssi
drwxr-xr-x   2 root   root 4096 Oct 23  2016 .pwntools-cache

Looking at the attributes of fd in the listing, it shows r-s, and this 's' means that when the program
is executed, the process runs with elevated privileges, those of the file's owner (fd_pwn here, which is
allowed to read flag), rather than the caller's own.
The details come up in Hackerschool F.T.Z, so if you are unsure, I recommend setting up F.T.Z and looking into it.




Always peace...

  Hit : 192     Date : 2024/11/23 12:20