   ^^
   [펌] ptrace를 이용한 재밌는 해킹.

원문: http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=475


/*
*   ptrace를 이용한 재밌는 해킹
*   박성현 psh21a@hanmail.net
*   http://psh21a.org, http://psh21a.ttongfly.net
*/



ptrace는 한 프로세스(tracer)가 다른 프로세스(tracee)의 실행을 멈추고, 그 프로세스의
레지스터와 메모리를 읽고 쓰면서 동작을 추적·제어할 수 있게 해주는 시스템 콜이다.
gdb 같은 디버거가 바로 이 ptrace 위에서 동작하므로, 아래처럼 디버거만 써도 ptrace로
할 수 있는 재밌는 해킹을 그대로 해볼 수 있다.

[psh21a@psh21a ptrace]$ cat euid.c
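/*
 * euid.c - prints "You Are Root" when the effective uid is 0, then prints
 * the effective uid itself.  Built with `gcc -o euid euid.c -g -static`, so
 * glibc's geteuid() wrapper is linked into the binary and `disas geteuid`
 * works in gdb.
 *
 * NOTE(review): the listing omits `#include <stdio.h>` and
 * `#include <unistd.h>`; old gcc accepts the implicit declarations of
 * printf()/geteuid(), but both headers belong at the top of the file.
 * geteuid() really returns uid_t; `int` is kept here to match the
 * disassembly in the write-up.
 *
 * Security note: this comparison is informational only.  Anyone who can
 * attach a debugger to the process (same uid, ptrace permitted) can
 * overwrite the value geteuid() returns, as the gdb session below shows.
 * A userland "am I root?" check is therefore not an authorization
 * boundary; real privilege is decided by the kernel.
 */
int main(void)
{
        int uid;

        /* Effective uid as returned in %eax by glibc's geteuid() wrapper;
         * this is the register gdb later overwrites with `set $eax = 0`. */
        uid = geteuid();

        if (uid == 0) {
                /* The original listing printed "You Are Roo"; the session
                 * output below shows "You Are Root", so that is used here. */
                printf("You Are Root\n");
        }

        printf("%d\n", uid);

        /* Return 0 explicitly.  The original fell off the end of main(), so
         * the exit status was whatever was left in %eax -- apparently the
         * last printf's return value (2 bytes for "0\n"), which is why gdb
         * reports "Program exited with code 02". */
        return 0;
}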
[psh21a@psh21a ptrace]$ gcc -o euid euid.c -g -static

지금 이 소스는 geteuid() 함수를 이용하여 euid를 받아온다. 그 값을 uid에
할당한 후 if문에서 uid가 0과 같은지 확인하고, 같다면 "You Are Root"라는
문장을 출력하게 해준다. (위 소스에는 "You Are Roo"로 적혀 있지만 아래 실행
결과를 보면 실제 바이너리는 "You Are Root"를 출력한다. 또 #include <stdio.h>,
<unistd.h>가 빠져 있는데, 당시 gcc는 암묵적 선언을 허용하므로 컴파일은 된다.)
그런데 uid가 0이면 루트 권한이 있다는 뜻인데 과연 어떻게 할까?
uid가 0과 같지 않다면 자기 자신의 uid를 보여주고 끝이 난다.
-static으로 링크했기 때문에 glibc의 geteuid() 래퍼 코드가 실행 파일 안에 그대로
들어가고, 그래서 아래에서 gdb로 disas geteuid를 바로 볼 수 있다. -g는 gdb용
심볼 정보를 넣기 위한 것이다.
이 작업을 할 때는 꼭 루트가 아닌 일반 계정으로 해야 한다. (루트로 실행하면
geteuid()가 처음부터 0을 돌려주므로 바꿀 것이 없고 실험의 의미가 없다.)

그럼 디버거를 이용해서 재밌는 걸 해보겠다.

(gdb) disas main
Dump of assembler code for function main:
0x080481d0 <main+0>:    push   %ebp
0x080481d1 <main+1>:    mov    %esp,%ebp
0x080481d3 <main+3>:    sub    $0x8,%esp
0x080481d6 <main+6>:    and    $0xfffffff0,%esp
0x080481d9 <main+9>:    mov    $0x0,%eax
0x080481de <main+14>:   sub    %eax,%esp
0x080481e0 <main+16>:   call   0x804da10 <geteuid>
0x080481e5 <main+21>:   mov    %eax,0xfffffffc(%ebp)
0x080481e8 <main+24>:   cmpl   $0x0,0xfffffffc(%ebp)
0x080481ec <main+28>:   jne    0x80481fe <main+46>
0x080481ee <main+30>:   sub    $0xc,%esp
0x080481f1 <main+33>:   push   $0x808ef68
0x080481f6 <main+38>:   call   0x80488c4 <printf>
0x080481fb <main+43>:   add    $0x10,%esp
0x080481fe <main+46>:   sub    $0x8,%esp
0x08048201 <main+49>:   pushl  0xfffffffc(%ebp)
0x08048204 <main+52>:   push   $0x808ef76
0x08048209 <main+57>:   call   0x80488c4 <printf>
0x0804820e <main+62>:   add    $0x10,%esp
0x08048211 <main+65>:   leave
0x08048212 <main+66>:   ret
End of assembler dump.

main+16에서 geteuid 함수가 호출되고, 반환값(%eax)이 main+21에서 지역변수
uid(-4(%ebp))에 저장된 뒤 main+24에서 0과 비교된다. 아래는 정적으로 링크된
glibc의 geteuid() 래퍼다. 0x80a36b0의 플래그가 0이면 먼저 시스템 콜
0xc9(201, geteuid32)를 시도하고, 그 결과가 -ENOSYS(0xffffffda = -38)이면
플래그를 1로 세워 두고 옛날 시스템 콜 0x31(49, geteuid)로 돌아간다. 어느
경로든 결국 +19의 leave, +20의 ret을 거쳐 %eax에 euid를 담고 돌아온다.

(gdb) disas geteuid
Dump of assembler code for function geteuid:
0x0804da10 <geteuid+0>: mov    0x80a36b0,%eax
0x0804da15 <geteuid+5>: push   %ebp
0x0804da16 <geteuid+6>: test   %eax,%eax
0x0804da18 <geteuid+8>: mov    %esp,%ebp
0x0804da1a <geteuid+10>:        jle    0x804da28 <geteuid+24>
0x0804da1c <geteuid+12>:        mov    $0x31,%eax
0x0804da21 <geteuid+17>:        int    $0x80
0x0804da23 <geteuid+19>:        leave
0x0804da24 <geteuid+20>:        ret
0x0804da25 <geteuid+21>:        lea    0x0(%esi),%esi
0x0804da28 <geteuid+24>:        mov    $0xc9,%eax
0x0804da2d <geteuid+29>:        int    $0x80
0x0804da2f <geteuid+31>:        cmp    $0xfffff000,%eax
0x0804da34 <geteuid+36>:        jbe    0x804da23 <geteuid+19>
0x0804da36 <geteuid+38>:        cmp    $0xffffffda,%eax
0x0804da39 <geteuid+41>:        jne    0x804da23 <geteuid+19>
0x0804da3b <geteuid+43>:        movl   $0x1,0x80a36b0
0x0804da45 <geteuid+53>:        jmp    0x804da1c <geteuid+12>
0x0804da47 <geteuid+55>:        nop
End of assembler dump.

우리는 geteuid 함수가 ret 하기 직전에 브레이크를 걸어서 반환값이 0이 되도록
만들어 볼 것이다. ret 시점에는 %eax에 시스템 콜이 돌려준 euid가 들어 있고,
위의 두 시스템 콜 경로(0x31, 0xc9)가 모두 +19/+20을 거쳐 나가므로 이 한 곳만
잡으면 된다. 그러기 위해서 ret(geteuid+20)에 브레이크를 걸어야 한다.

(gdb) break *geteuid+20
Breakpoint 1 at 0x804da24

그런 후에 실행을 시킨다.

(gdb) run
Starting program: /home/psh21a/test/ptrace/euid

Breakpoint 1, 0x0804da24 in geteuid ()

실행을 시키면 geteuid() 안의 0x0804da24(ret)에서 브레이크가 걸렸다고 나온다.

(gdb) info reg
eax            0x1f4    500
ecx            0x33f    831
edx            0x37f    895
ebx            0xbffff3bc       -1073744964
esp            0xbffff14c       0xbffff14c
ebp            0xbffff158       0xbffff158
esi            0xbffff3b4       -1073744972
edi            0x1      1
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

레지스터들의 값을 보여준다.
eax에 지금 계정의 uid인 500이 들어 있다.
이 eax를 0으로 바꿔준다. (참고: 커널이 가진 이 프로세스의 실제 euid는 그대로
500이다. 바뀌는 것은 프로그램이 받아 볼 반환값뿐이다.)

(gdb) set $eax = 0
(gdb) info reg
eax            0x0      0
ecx            0x33f    831
edx            0x37f    895
ebx            0xbffff3bc       -1073744964
esp            0xbffff14c       0xbffff14c
ebp            0xbffff158       0xbffff158
esi            0xbffff3b4       -1073744972
edi            0x1      1
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

eax 레지스터의 값이 바뀐 것을 볼 수 있다.

(gdb) c
Continuing.

Breakpoint 1, 0x0804da24 in geteuid ()
(gdb) info reg
eax            0x1f4    500
ecx            0x2f2f2f2f       791621423
edx            0x80a3ebc        134889148
ebx            0x8048584        134514052
esp            0xbffff16c       0xbffff16c
ebp            0xbffff178       0xbffff178
esi            0x2d     45
edi            0x20414  132116
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

브레이크가 한 번 더 걸렸고 eax가 다시 500이다. 이것은 아까 바꾼 값이 되돌아온
것이 아니라 geteuid()가 두 번째로 호출된 것이다. esp/ebp가 첫 번째
(0xbffff14c/0xbffff158)와 다른 것(0xbffff16c/0xbffff178)을 보면 호출한 곳이
다르다는 것을 알 수 있다. 정적 링크된 바이너리에서는 libc 초기화 코드도
geteuid()를 부르는 것으로 보이므로, 첫 번째가 그쪽이고 두 번째가 main()의
호출일 가능성이 크다. 어느 쪽이든 main이 보는 값은 이번 호출의 반환값이므로
다시 0으로 바꿔준다.

(gdb) set $eax = 0
(gdb) info reg
eax            0x0      0
ecx            0x2f2f2f2f       791621423
edx            0x80a3ebc        134889148
ebx            0x8048584        134514052
esp            0xbffff16c       0xbffff16c
ebp            0xbffff178       0xbffff178
esi            0x2d     45
edi            0x20414  132116
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb) c
Continuing.
You Are Root
0

Program exited with code 02.
(gdb)

이렇게 하면 "You Are Root"라고 뜨는 것을 볼 수 있을 것이다.
아아.. 이 얼마나 기쁜 순간인가!

(단, 분명히 해 두자. 이것으로 루트 권한을 얻은 것은 전혀 아니다. 마지막 줄의
0은 프로그램이 변수에 저장한 값일 뿐이고, 커널이 보는 이 프로세스의 euid는
여전히 500이다. 디버거가 쓰는 ptrace는 자기 uid로 실행 중인 프로세스에만 붙을
수 있고, setuid root 바이너리에는 일반 사용자가 붙을 수 없으므로 이 방법으로
권한 상승은 되지 않는다. 개발자 입장의 교훈은 반대다: geteuid() 같은 사용자
공간의 검사 결과는 프로세스를 장악한 사람이 얼마든지 바꿀 수 있으니 이를 보안
경계로 삼지 말고, 권한은 파일 퍼미션이나 setuid, 커널 쪽 검사에 맡겨야 한다.
"Program exited with code 02"는 main()이 return 없이 끝나서 마지막 printf의
반환값("0\n" 2바이트)이 종료 코드로 남은 것으로 보인다.)

ps. ptrace에 대해서 더 알고 싶으면 man 2 ptrace를 읽어 보거나 google로 검색해 보시길!

  Hit : 12901     Date : 2006/02/08 11:20



    
ckdmsghcoh ㅋㅋ 왠지 안될듯한 .ㅡ,.,.,.,., 2006/02/09
mzzang 이상하게 ptrace는 한번도 안쓰시구 gdb만 쓰신듯...???? 2006/02/10
whqkdnf000 안돼요-_- 2007/02/26
exceed@null gdb만 쓰네... 2007/07/16