1581, 72/80 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   ^^
   [Æß]Ptrace¸¦ ÀÌ¿ëÇÑ Àç¹Ì´Â ÇØÅ·.

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=475 [º¹»ç]


/*
*   PtraceÀ» ÀÌ¿ëÇÑ Àç¹Õ´Â ÇØÅ·
*   ¹Ú¼ºÇö psh21a@hanmail.net
*   http://psh21a.org, http://psh21a.ttongfly.net
*/



ptrace´Â »ý¼ºµÈ ÇÁ·Î¼¼½º¿¡ ´ëÇÑ Á¤º¸¸¦ ÃßÀûÇϱâ À§ÇØ ¸¸µé¾îÁø
½Ã½ºÅÛ ÄÝÀÌ´Ù.
µð¹ö°Å¸¦ ÀÌ¿ëÇÏ¿© Àç¹Õ´Â ÇØÅ·À» ÇÒ ¼ö ÀÖ´Ù.

[psh21a@psh21a ptrace]$ cat euid.c
int main()
{
        int uid;
        uid = geteuid();

        if(uid == 0){
                printf("You Are Roo\n");
        }

        printf("%d\n", uid);
}
[psh21a@psh21a ptrace]$ gcc -o euid euid.c -g -static

Áö±Ý ÀÌ ¼Ò½º´Â geteuid()ÇÔ¼ö¸¦ ÀÌ¿ëÇÏ¿©, euid¸¦ ¹Þ¾Æ¿Â´Ù. ±×·¡¼­ uid¿¡
ÇÒ´çÇÑÈÄ¿¡ if¹®¿¡¼­ uid°¡ 0À̶û °°ÀºÁö È®ÀÎÀ» Çؼ­ °°´Ù¸é You are ROOT
¶ó´Â ¹®ÀåÀ» Ãâ·ÂÇÏ°Ô ÇØÁØ´Ù.
±×·±µ¥ uid°¡ 0ÀÌ¸é ·çÆ® ±ÇÇÑÀÌ ÀÖ´Ù´Â ¶æÀε¥ °ú¿¬ ¾î¶»°Ô ÇÒ±î?
uid°¡ 0À̶û °°Áö ¾Ê´Ù¸é Áö±Ý ÀÚ±âÀÚ½ÅÀÇ uid¸¦ º¸¿©ÁÖ°í ³¡ÀÌ ³­´Ù.
ÀÌ ÀÛ¾÷À» ÇÒ¶§´Â ²À ·çÆ®°¡ ¾Æ´Ñ ÀϹݰèÁ¤À¸·Î ÇؾßÇÑ´Ù.

µð¹ö°Å¸¦ ÀÌ¿ëÇؼ­ Àç¹Õ´Â°É Çغ¸°Ú´Ù.

(gdb) disas main
Dump of assembler code for function main:
0x080481d0 <main+0>:    push   %ebp
0x080481d1 <main+1>:    mov    %esp,%ebp
0x080481d3 <main+3>:    sub    $0x8,%esp
0x080481d6 <main+6>:    and    $0xfffffff0,%esp
0x080481d9 <main+9>:    mov    $0x0,%eax
0x080481de <main+14>:   sub    %eax,%esp
0x080481e0 <main+16>:   call   0x804da10 <geteuid>
0x080481e5 <main+21>:   mov    %eax,0xfffffffc(%ebp)
0x080481e8 <main+24>:   cmpl   $0x0,0xfffffffc(%ebp)
0x080481ec <main+28>:   jne    0x80481fe <main+46>
0x080481ee <main+30>:   sub    $0xc,%esp
0x080481f1 <main+33>:   push   $0x808ef68
0x080481f6 <main+38>:   call   0x80488c4 <printf>
0x080481fb <main+43>:   add    $0x10,%esp
0x080481fe <main+46>:   sub    $0x8,%esp
0x08048201 <main+49>:   pushl  0xfffffffc(%ebp)
0x08048204 <main+52>:   push   $0x808ef76
0x08048209 <main+57>:   call   0x80488c4 <printf>
0x0804820e <main+62>:   add    $0x10,%esp
0x08048211 <main+65>:   leave
0x08048212 <main+66>:   ret
End of assembler dump.

geteuidÇÔ¼ö°¡ È£ÃâµÈ´Ù.

(gdb) disas geteuid
Dump of assembler code for function geteuid:
0x0804da10 <geteuid+0>: mov    0x80a36b0,%eax
0x0804da15 <geteuid+5>: push   %ebp
0x0804da16 <geteuid+6>: test   %eax,%eax
0x0804da18 <geteuid+8>: mov    %esp,%ebp
0x0804da1a <geteuid+10>:        jle    0x804da28 <geteuid+24>
0x0804da1c <geteuid+12>:        mov    $0x31,%eax
0x0804da21 <geteuid+17>:        int    $0x80
0x0804da23 <geteuid+19>:        leave
0x0804da24 <geteuid+20>:        ret
0x0804da25 <geteuid+21>:        lea    0x0(%esi),%esi
0x0804da28 <geteuid+24>:        mov    $0xc9,%eax
0x0804da2d <geteuid+29>:        int    $0x80
0x0804da2f <geteuid+31>:        cmp    $0xfffff000,%eax
0x0804da34 <geteuid+36>:        jbe    0x804da23 <geteuid+19>
0x0804da36 <geteuid+38>:        cmp    $0xffffffda,%eax
0x0804da39 <geteuid+41>:        jne    0x804da23 <geteuid+19>
0x0804da3b <geteuid+43>:        movl   $0x1,0x80a36b0
0x0804da45 <geteuid+53>:        jmp    0x804da1c <geteuid+12>
0x0804da47 <geteuid+55>:        nop
End of assembler dump.

¿ì¸®´Â geteuidÇÔ¼ö¿¡¼­ ret ÇϱâÀü¿¡ ºê·¹ÀÌÅ©¸¦ °É¾î¼­ uid°¡ 0ÀÌ
µÇµµ·Ï ¸¸µé¾îº¼°ÍÀÌ´Ù.
±×·¯±â À§Çؼ­ ¿ì¸®´Â ret¿¡ ºê·¹ÀÌÅ©¸¦ °É¾î¾ßÇÑ´Ù.

(gdb) break *geteuid+20
Breakpoint 1 at 0x804da24

±×·± ÈÄ¿¡ ½ÇÇàÀ» ½ÃŲ´Ù.

(gdb) run
Starting program: /home/psh21a/test/ptrace/euid

Breakpoint 1, 0x0804da24 in geteuid ()

½ÇÇàÀ» ½ÃÅ°¸é geteuid()¾È¿¡¼­ 0x0804da24¿¡¼­ ºê·¹ÀÌÅ©°¡ °É·È´Ù°í ³ª¿Â´Ù.

(gdb) info reg
eax            0x1f4    500
ecx            0x33f    831
edx            0x37f    895
ebx            0xbffff3bc       -1073744964
esp            0xbffff14c       0xbffff14c
ebp            0xbffff158       0xbffff158
esi            0xbffff3b4       -1073744972
edi            0x1      1
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

·¹Áö½ºÅ͵éÀÇ °ªÀ» º¸¿©ÁØ´Ù.
Àú±â º¸¸é eax¿¡ Áö±Ý 500À̶ó´Â Áö±Ý ¾ÆÀ̵ðÀÇ uid°¡ ³ª¿Â´Ù.
Àú±â eax ºÎºÐÀ» ¹Ù²ãÁØ´Ù.

(gdb) set $eax = 0
(gdb) info reg
eax            0x0      0
ecx            0x33f    831
edx            0x37f    895
ebx            0xbffff3bc       -1073744964
esp            0xbffff14c       0xbffff14c
ebp            0xbffff158       0xbffff158
esi            0xbffff3b4       -1073744972
edi            0x1      1
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

eax·¹Áö½ºÅÍÀÇ °ªÀÌ ¹Ù²ï°ÍÀ» º¼ ¼ö ÀÖ´Ù.

(gdb) c
Continuing.

Breakpoint 1, 0x0804da24 in geteuid ()
(gdb) info reg
eax            0x1f4    500
ecx            0x2f2f2f2f       791621423
edx            0x80a3ebc        134889148
ebx            0x8048584        134514052
esp            0xbffff16c       0xbffff16c
ebp            0xbffff178       0xbffff178
esi            0x2d     45
edi            0x20414  132116
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

´Ù½Ã eax°¡ 500À¸·Î µ¹¾Æ¿Ô´Ù. ±×·³ ´Ù½Ã 0À¸·Î ¹Ù²ãÁØ´Ù.

(gdb) set $eax = 0
(gdb) info reg
eax            0x0      0
ecx            0x2f2f2f2f       791621423
edx            0x80a3ebc        134889148
ebx            0x8048584        134514052
esp            0xbffff16c       0xbffff16c
ebp            0xbffff178       0xbffff178
esi            0x2d     45
edi            0x20414  132116
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb) c
Continuing.
You Are Root
0

Program exited with code 02.
(gdb)

ÀÌ·¸°Ô ÇÏ°Ô µÇ¸é ROOT¶ó°í ¶ß´Â°ÍÀ» º¼ ¼ö ÀÖÀ»°ÍÀÌ´Ù.
¾Æ¾Æ.. ÀÌ ¾ó¸¶³ª ±â»Û ¼ø°£Àΰ¡!

ps. ptrace¿¡ ´ëÇؼ­ ´õ ¾Ë°í ½ÍÀ¸¸é googleÀ» ÀÌ¿ëÇؼ­ °Ë»öÇغ¸½Ã±æ!
  Hit : 13003     Date : 2006/02/08 11:20


    
ckdmsghcoh ¤»¤» ¿ØÁö ¾ÈµÉµíÇÑ .¤Ñ,.,.,.,., 2006/02/09  
mzzang ÀÌ»óÇÏ°Ô ptrace´Â Çѹøµµ ¾È¾²½Ã±¸ gdb¸¸ ¾²½Åµí...???? 2006/02/10  
whqkdnf000 ¾ÈµÅ¿ä-_- 2007/02/26  
exceed@null gdb¸¸ ¾²³×... 2007/07/16  
161   Hacking Ä¿¸®Å§·³ ½Ã½ºÅۺоߠ    Ä«¸£ÆäÀÌ
 05/08 8000
160   Á¤º¸Ã³¸®±â´É»ç ¼ÒÇÁÆ®¿þ¾î °øÇÐ ¸ðÀ½Áý ÀÔ´Ï´Ù.[1]     Ä«¸£ÆäÀÌ
 05/08 8101
159   ·¹Áö½ºÆ®¸® ÇÙ½É ¸í·É¾î ¿ä¾à[1]     Ä«¸£ÆäÀÌ
 05/08 9002
158   °°ÀÌ°øºÎÇϽǺÐ~[1]     Ä«¸£ÆäÀÌ
 04/23 8407
157   PHP°øºÎÇϽǺÐ? ±¸ÇÕ´Ï´Ù.[1]     Ä«¸£ÆäÀÌ
 04/23 7397
156   cisco ios ¼ÒÇÁÆ®¿þ¾î cli [1] ÀÌ±Û ¿Ã·ÁµÎµÇ³ª...???     ij·²¸°
 04/27 9176
155   Linux ¿¡¼­ APM(apache+php+mysql) ¼Ò½º·Î ¼³Ä¡ Çϱâ[5]     Æ÷ºñ
 10/29 7883
  [Æß]Ptrace¸¦ ÀÌ¿ëÇÑ Àç¹Ì´Â ÇØÅ·.[4]     ^^
 02/08 13002
153   ÇØÄð level2 °­ÀÇ[10]     °áºù
 07/07 11759
152   ÇØÅ·Åø ÆË´Ï´Ù.^^ Å°·Î±×![14]     °í½¿µµÄ¡
 09/12 9195
151   [Æß]¿ìºÐÅõ(ubuntu) »ç»óÀ̶õ?     ±èº´±Ç
 02/04 10169
150   [ÀÚÀÛ] ¾ÆÁ÷Àº ºÎÁ·ÇÏÁö¸¸ Á¦°¡ Á¤¸®ÇÑ ÅؽºÆ® ÀÔ´Ï´Ù[8]     ±è¼º±Ù
 02/06 6991
149   ftz ¸¦À§ÇÑ ÀÚÀßÇÑ tipÀ» ¾Ë·ÁÁÖ¼¼¿ä[3]     ±Ýºû°©¿Ê
 11/14 6846
148   Ä¿³Î¹öÀü È®ÀÎÇϱ⤻[1]     ±«µµjs
 07/02 9169
147   II. ÀϹݸí·É¾î2.     ±«µµjs
 07/04 10442
146   C¾ð¾î ±âº»±¸Á¶[1]     ±«µµjs
 07/02 12563
145   [C°­ÁÂ] C¾ð¾îÀÇ ±âº»°³¿ä     ±«µµjs
 07/02 11317
144   [Bash Shell] Á¤º¹Çϱâ[1]     ±«µµjs
 07/04 10151
143   C°­ÁÂ;;¶ó ÇÒ°ÍÀÕ³ª?[1]     ±«µµjs
 07/03 11310
142   2¹ø°C°­ÁÂ~![9]     ±«µµjs
 07/03 12014
[1]..[71] 72 [73][74][75][76][77][78][79][80]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org