1581, 71/80 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   ^^
   [Æß]Ptrace¸¦ ÀÌ¿ëÇÑ Àç¹Ì´Â ÇØÅ·.

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=475 [º¹»ç]


/*
*   PtraceÀ» ÀÌ¿ëÇÑ Àç¹Õ´Â ÇØÅ·
*   ¹Ú¼ºÇö psh21a@hanmail.net
*   http://psh21a.org, http://psh21a.ttongfly.net
*/



ptrace´Â »ý¼ºµÈ ÇÁ·Î¼¼½º¿¡ ´ëÇÑ Á¤º¸¸¦ ÃßÀûÇϱâ À§ÇØ ¸¸µé¾îÁø
½Ã½ºÅÛ ÄÝÀÌ´Ù.
µð¹ö°Å¸¦ ÀÌ¿ëÇÏ¿© Àç¹Õ´Â ÇØÅ·À» ÇÒ ¼ö ÀÖ´Ù.

[psh21a@psh21a ptrace]$ cat euid.c
int main()
{
        int uid;
        uid = geteuid();

        if(uid == 0){
                printf("You Are Roo\n");
        }

        printf("%d\n", uid);
}
[psh21a@psh21a ptrace]$ gcc -o euid euid.c -g -static

Áö±Ý ÀÌ ¼Ò½º´Â geteuid()ÇÔ¼ö¸¦ ÀÌ¿ëÇÏ¿©, euid¸¦ ¹Þ¾Æ¿Â´Ù. ±×·¡¼­ uid¿¡
ÇÒ´çÇÑÈÄ¿¡ if¹®¿¡¼­ uid°¡ 0À̶û °°ÀºÁö È®ÀÎÀ» Çؼ­ °°´Ù¸é You are ROOT
¶ó´Â ¹®ÀåÀ» Ãâ·ÂÇÏ°Ô ÇØÁØ´Ù.
±×·±µ¥ uid°¡ 0ÀÌ¸é ·çÆ® ±ÇÇÑÀÌ ÀÖ´Ù´Â ¶æÀε¥ °ú¿¬ ¾î¶»°Ô ÇÒ±î?
uid°¡ 0À̶û °°Áö ¾Ê´Ù¸é Áö±Ý ÀÚ±âÀÚ½ÅÀÇ uid¸¦ º¸¿©ÁÖ°í ³¡ÀÌ ³­´Ù.
ÀÌ ÀÛ¾÷À» ÇÒ¶§´Â ²À ·çÆ®°¡ ¾Æ´Ñ ÀϹݰèÁ¤À¸·Î ÇؾßÇÑ´Ù.

µð¹ö°Å¸¦ ÀÌ¿ëÇؼ­ Àç¹Õ´Â°É Çغ¸°Ú´Ù.

(gdb) disas main
Dump of assembler code for function main:
0x080481d0 <main+0>:    push   %ebp
0x080481d1 <main+1>:    mov    %esp,%ebp
0x080481d3 <main+3>:    sub    $0x8,%esp
0x080481d6 <main+6>:    and    $0xfffffff0,%esp
0x080481d9 <main+9>:    mov    $0x0,%eax
0x080481de <main+14>:   sub    %eax,%esp
0x080481e0 <main+16>:   call   0x804da10 <geteuid>
0x080481e5 <main+21>:   mov    %eax,0xfffffffc(%ebp)
0x080481e8 <main+24>:   cmpl   $0x0,0xfffffffc(%ebp)
0x080481ec <main+28>:   jne    0x80481fe <main+46>
0x080481ee <main+30>:   sub    $0xc,%esp
0x080481f1 <main+33>:   push   $0x808ef68
0x080481f6 <main+38>:   call   0x80488c4 <printf>
0x080481fb <main+43>:   add    $0x10,%esp
0x080481fe <main+46>:   sub    $0x8,%esp
0x08048201 <main+49>:   pushl  0xfffffffc(%ebp)
0x08048204 <main+52>:   push   $0x808ef76
0x08048209 <main+57>:   call   0x80488c4 <printf>
0x0804820e <main+62>:   add    $0x10,%esp
0x08048211 <main+65>:   leave
0x08048212 <main+66>:   ret
End of assembler dump.

geteuidÇÔ¼ö°¡ È£ÃâµÈ´Ù.

(gdb) disas geteuid
Dump of assembler code for function geteuid:
0x0804da10 <geteuid+0>: mov    0x80a36b0,%eax
0x0804da15 <geteuid+5>: push   %ebp
0x0804da16 <geteuid+6>: test   %eax,%eax
0x0804da18 <geteuid+8>: mov    %esp,%ebp
0x0804da1a <geteuid+10>:        jle    0x804da28 <geteuid+24>
0x0804da1c <geteuid+12>:        mov    $0x31,%eax
0x0804da21 <geteuid+17>:        int    $0x80
0x0804da23 <geteuid+19>:        leave
0x0804da24 <geteuid+20>:        ret
0x0804da25 <geteuid+21>:        lea    0x0(%esi),%esi
0x0804da28 <geteuid+24>:        mov    $0xc9,%eax
0x0804da2d <geteuid+29>:        int    $0x80
0x0804da2f <geteuid+31>:        cmp    $0xfffff000,%eax
0x0804da34 <geteuid+36>:        jbe    0x804da23 <geteuid+19>
0x0804da36 <geteuid+38>:        cmp    $0xffffffda,%eax
0x0804da39 <geteuid+41>:        jne    0x804da23 <geteuid+19>
0x0804da3b <geteuid+43>:        movl   $0x1,0x80a36b0
0x0804da45 <geteuid+53>:        jmp    0x804da1c <geteuid+12>
0x0804da47 <geteuid+55>:        nop
End of assembler dump.

¿ì¸®´Â geteuidÇÔ¼ö¿¡¼­ ret ÇϱâÀü¿¡ ºê·¹ÀÌÅ©¸¦ °É¾î¼­ uid°¡ 0ÀÌ
µÇµµ·Ï ¸¸µé¾îº¼°ÍÀÌ´Ù.
±×·¯±â À§Çؼ­ ¿ì¸®´Â ret¿¡ ºê·¹ÀÌÅ©¸¦ °É¾î¾ßÇÑ´Ù.

(gdb) break *geteuid+20
Breakpoint 1 at 0x804da24

±×·± ÈÄ¿¡ ½ÇÇàÀ» ½ÃŲ´Ù.

(gdb) run
Starting program: /home/psh21a/test/ptrace/euid

Breakpoint 1, 0x0804da24 in geteuid ()

½ÇÇàÀ» ½ÃÅ°¸é geteuid()¾È¿¡¼­ 0x0804da24¿¡¼­ ºê·¹ÀÌÅ©°¡ °É·È´Ù°í ³ª¿Â´Ù.

(gdb) info reg
eax            0x1f4    500
ecx            0x33f    831
edx            0x37f    895
ebx            0xbffff3bc       -1073744964
esp            0xbffff14c       0xbffff14c
ebp            0xbffff158       0xbffff158
esi            0xbffff3b4       -1073744972
edi            0x1      1
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

·¹Áö½ºÅ͵éÀÇ °ªÀ» º¸¿©ÁØ´Ù.
Àú±â º¸¸é eax¿¡ Áö±Ý 500À̶ó´Â Áö±Ý ¾ÆÀ̵ðÀÇ uid°¡ ³ª¿Â´Ù.
Àú±â eax ºÎºÐÀ» ¹Ù²ãÁØ´Ù.

(gdb) set $eax = 0
(gdb) info reg
eax            0x0      0
ecx            0x33f    831
edx            0x37f    895
ebx            0xbffff3bc       -1073744964
esp            0xbffff14c       0xbffff14c
ebp            0xbffff158       0xbffff158
esi            0xbffff3b4       -1073744972
edi            0x1      1
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

eax·¹Áö½ºÅÍÀÇ °ªÀÌ ¹Ù²ï°ÍÀ» º¼ ¼ö ÀÖ´Ù.

(gdb) c
Continuing.

Breakpoint 1, 0x0804da24 in geteuid ()
(gdb) info reg
eax            0x1f4    500
ecx            0x2f2f2f2f       791621423
edx            0x80a3ebc        134889148
ebx            0x8048584        134514052
esp            0xbffff16c       0xbffff16c
ebp            0xbffff178       0xbffff178
esi            0x2d     45
edi            0x20414  132116
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

´Ù½Ã eax°¡ 500À¸·Î µ¹¾Æ¿Ô´Ù. ±×·³ ´Ù½Ã 0À¸·Î ¹Ù²ãÁØ´Ù.

(gdb) set $eax = 0
(gdb) info reg
eax            0x0      0
ecx            0x2f2f2f2f       791621423
edx            0x80a3ebc        134889148
ebx            0x8048584        134514052
esp            0xbffff16c       0xbffff16c
ebp            0xbffff178       0xbffff178
esi            0x2d     45
edi            0x20414  132116
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb) c
Continuing.
You Are Root
0

Program exited with code 02.
(gdb)

ÀÌ·¸°Ô ÇÏ°Ô µÇ¸é ROOT¶ó°í ¶ß´Â°ÍÀ» º¼ ¼ö ÀÖÀ»°ÍÀÌ´Ù.
¾Æ¾Æ.. ÀÌ ¾ó¸¶³ª ±â»Û ¼ø°£Àΰ¡!

ps. ptrace¿¡ ´ëÇؼ­ ´õ ¾Ë°í ½ÍÀ¸¸é googleÀ» ÀÌ¿ëÇؼ­ °Ë»öÇغ¸½Ã±æ!
  Hit : 12975     Date : 2006/02/08 11:20


    
ckdmsghcoh ¤»¤» ¿ØÁö ¾ÈµÉµíÇÑ .¤Ñ,.,.,.,., 2006/02/09  
mzzang ÀÌ»óÇÏ°Ô ptrace´Â Çѹøµµ ¾È¾²½Ã±¸ gdb¸¸ ¾²½Åµí...???? 2006/02/10  
whqkdnf000 ¾ÈµÅ¿ä-_- 2007/02/26  
exceed@null gdb¸¸ ¾²³×... 2007/07/16  
181   [ÀÚÀÛ]ÇÁ·Î¼¼½º¸ð´ÏÅÍOperationÇÊÅÍ     havu
 01/10 12131
180   ³×Æ®¿öÅ© °³³ä ÈÖ¾îÀâ±â 7[8]     ¼ÒÀ¯
 09/16 12157
179   ¸®´ª½º ¸í·É¾î ÇѲ¨¹ø¿¡(¼ÒÀ¯´Ô²¨)[11]     ssakura
 07/07 12194
178   [Æß] ÇØÅ·ÀÇ ¿ª»ç     dzhfldk
 08/22 12232
177   c++ °­ÁÂ[7]     jhon55
 08/12 12251
176   ¿Ø¸¸ÇÑ»ç¶÷µéÀº´Ù¾ËÁöµµ¸ð¸£°ÚÁö¸¸[6]     ¹é·æÃâÇØ
 03/17 12302
175   trozan(Æ®·ÎÀ̸ñ¸¶) Æ÷Æ® ¸ñ·Ï[2]     whqkdnf000
 02/22 12368
174   C¾ð¾î(Áø¹ý)[9]     whqkdnf000
 02/25 12462
173   [Æß]ÇØÄ¿µéÀÇ ÈçÀûÁö¿ì´Â¹æ¹ý[28]     starztp
 10/08 12500
172   ping¾Æ´Â Ä«Æä ÇØÅ· °í¼ö´Ô¿¡°Ô µéÀº ¼Ò¸®ÀÔ´Ï´Ù[21]     Àå¼¼¸¸
 07/14 12539
171   C¾ð¾î ±âº»±¸Á¶[1]     ±«µµjs
 07/02 12541
170   °³¹ßÀÚ°¡ ¾Ë¾Æ¾ßÇÒ 10°¡Áö º¸¾ÈÆÁÀ¸·Î Äڵ带 º¸È£ÇÏÀÚ.     Ǫ¸¥ÇÏ´Ã
 09/01 12616
169   ÇØÅ·±â¹ý? (±â¹ßÇÏ´Ù°í ÇؾßÇϳª,¿ô±â´Ù°í ÇؾßÇϳª)[35]     whqkdnf000
 07/31 12642
168   [Reverse Engineering] ¸®¹ö½ÌÀÇ ±âÃÊ - ¹ü¿ë ·¹Áö½ºÅÍ¿Í Assembly(Pop,Mov)     zen0c1de
 07/18 12642
167   c¾ð¾î for¹®      hacs98
 06/15 12716
166   Ãʺ¸°¡ Àû¾îº» À©µµ¿ì ħÅõ[6]     awsedr45
 12/06 12722
165   ÇØÄ¿°¡ µÇ±âÀ§ÇØ ¾Ë¾Æ¾ßÇÒ 30°¡Áö Ãâó :ÇØÄ¿´ëÇÐ[5]     asdzxc301
 12/12 12757
164   * ÇØÄ¿°¡ µÇ°í½Í³ª ? *[19]     HackerMapia
 03/01 12789
163   ¾Ë±â ¾î·Æ°Ô ¼³¸íÇÑ Buffer Overflow[4]     blackcoder
 02/17 12812
162   ¸Þ¸ð¸® ´ýÇÁ(ºí·ç ½ºÅ©¸°=STOP ½ºÅ©¸°) ÄÚµå ¹× ÇØ°á[1]     ROK.AF
 02/09 12832
[1].. 71 [72][73][74][75][76][77][78][79][80]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org