http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8588 [º¹»ç]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
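/* 32-byte global buffer.  File-scope objects are zero-initialised by the C
 * runtime, so a short read leaves the tail NUL; main() additionally writes an
 * explicit terminator so strcmp() can never run past the end of buf. */
char buf[32];

/*
 * Entry point of the pwnable.kr "fd" challenge binary.
 *
 * argv[1] is parsed as a decimal number, 0x1234 (4660) is subtracted and the
 * result is used directly as a file descriptor.  Up to sizeof buf - 1 bytes
 * are read from that descriptor and compared with "LETMEWIN\n"; on a match
 * the flag is printed through system(), otherwise a hint is printed.
 *
 * Returns 0 on every path except an exact match, which exit()s with 0.
 */
int main(int argc, char *argv[], char *envp[])
{
    (void)envp; /* unused; kept to preserve the original signature */

    if (argc < 2) {
        printf("pass argv[1] a number\n");
        return 0;
    }

    /* atoi() reports no errors and yields 0 for non-numeric input, so the
     * descriptor is entirely caller-controlled: "4660" maps to fd 0 (stdin). */
    int fd = atoi(argv[1]) - 0x1234;

    /* Read at most sizeof buf - 1 bytes so a terminator always fits.  The
     * original read 32 bytes into the 32-byte buffer, leaving buf
     * unterminated on a full read (strcmp() would then read out of bounds). */
    ssize_t len = read(fd, buf, sizeof buf - 1);
    if (len < 0) {
        /* Unreadable or invalid descriptor (e.g. negative fd, EBADF).  The
         * original ignored the return value and fell through to the hint;
         * keep that flow but with a well-defined, empty buffer. */
        len = 0;
    }
    buf[len] = '\0';

    if (!strcmp("LETMEWIN\n", buf)) {
        printf("good job :)\n");
        /* system() runs /bin/sh with the inherited environment and resolves
         * "flag" relative to the current working directory; in a set-uid
         * binary this is only acceptable because it is the challenge itself. */
        system("/bin/cat flag");
        exit(0);
    }

    printf("learn about Linux file IO\n");
    return 0;
}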
¼¹ö°¡ ´Ù¿îµÇ¾ú´ø pwnable.krÀÌ ´Ù½Ã »ì¾Æ³µ´Ù.
¿¾³¯¿¡ Ç®¾ú´ø ¹®Á¦Àε¥ »ó´çÈ÷ ½±°Ô Ç®À̵Ǿú´ø °É·Î ±â¾ïÇÑ´Ù.
°ø·«À» Çغ¸ÀÚ¸é...
fd@pwnable:~$ ./fd 4660
argv[0]ÀÎÀÚ´Â "./fd"°¡ µÇ¸ç argv[1]ÀÎÀÚ´Â "4660"ÀÌ µÈ´Ù.
¿©±â¼ 4660À» ÀÔ·ÂÇÑ ÀÌÀ¯¸¦ °õ°õÈ÷ »ý°¢Çغ¸ÀÚ.
atoi(argv[1]) - 0x1234Àε¥...
atoiÇÔ¼ö¸¦ manÀ¸·Î ¾Ë¾Æº¸ÀÚ.
--------------------------------------------------------------------
The atoi() function converts the initial portion of the string
pointed to by nptr to int. The behavior is the same as
strtol(nptr, NULL, 10);
except that atoi() does not detect errors.
The atol() and atoll() functions behave the same as atoi(),
except that they convert the initial portion of the string to
their return type of long or long long.
Çؼ®
atoi() ÇÔ¼ö´Â nptr°¡ °¡¸®Å°´Â ¹®ÀÚ¿ÀÇ Ã³À½ ºÎºÐÀ» int ŸÀÔÀ¸·Î º¯È¯ÇÑ´Ù.
ÀÌ ÇÔ¼öÀÇ µ¿ÀÛÀº ´ÙÀ½°ú µ¿ÀÏÇÏ´Ù.
strtol(nptr, NULL, 10);
´Ù¸¸, atoi()´Â ¿À·ù¸¦ °¨ÁöÇÏÁö ¾Ê´Â´Ù´Â Á¡ÀÌ ´Ù¸£´Ù.
atol()°ú atoll() ÇÔ¼ö´Â atoi()¿Í µ¿ÀÏÇÑ ¹æ½ÄÀ¸·Î µ¿ÀÛÇÏÁö¸¸,
¹®ÀÚ¿ÀÇ Ã³À½ ºÎºÐÀ» °¢°¢ long ¶Ç´Â long long ŸÀÔÀ¸·Î º¯È¯ÇÑ´Ù.
----------------------------------------------------------------------------------
´ëÃæ ¸»ÇÏÀÚ¸é atoi("4660")¿¡¼ "4660"Àº intÇü... ±×·¯´Ï±ñ Á¤¼ö(¼ýÀÚ)°¡ ¾Æ´Ï¶ó
¹®ÀÚ¿ÀÌ´Ï ¹®ÀÚ¿ "4660"À» Á¤¼ö intÇü 4660À¸·Î º¯È¯À» ÇÏ´Â...
0x1234´Â 16Áø¼öÀ̸ç ÀÌ°ÍÀ» 10Áø¼ö·Î º¯Çü½Ã 4660ÀÌ µÈ´Ù.
Áï 4660-4660Àº 0ÀÌ µÈ´Ù.
¹Ù·Î ´Ù´ÙÀ½ÁÙÀÇ read ÇÔ¼ö¸¦ manÀ¸·Î ¾Ë¾Æº¸ÀÚ.
-----------------------------------------------------------------------
SYNOPSIS
#include <unistd.h>
ssize_t read(int fd, void buf[.count], size_t count);
DESCRIPTION
read() attempts to read up to count bytes from file descriptor fd
into the buffer starting at buf.
On files that support seeking, the read operation commences at
the file offset, and the file offset is incremented by the number
of bytes read. If the file offset is at or past the end of file,
no bytes are read, and read() returns zero.
If count is zero, read() may detect the errors described below.
In the absence of any errors, or if read() does not check for
errors, a read() with a count of 0 returns zero and has no other
effects.
According to POSIX.1, if count is greater than SSIZE_MAX, the
result is implementation-defined; see NOTES for the upper limit
on Linux.
Çؼ®
SYNOPSIS
#include <unistd.h>
ssize_t read(int fd, void buf[.count], size_t count);
read() ÇÔ¼ö´Â ÆÄÀÏ µð½ºÅ©¸³ÅÍ fd¿¡¼ ÃÖ´ë count ¹ÙÀÌÆ®¸¸Å
µ¥ÀÌÅ͸¦ Àоî¿Í buf¿¡ ÀúÀåÇÏ´Â ÇÔ¼ö´Ù.
¹Ýȯ°ªÀº ssize_t ŸÀÔÀ¸·Î, ÀÐÀº ¹ÙÀÌÆ® ¼ö¸¦ ³ªÅ¸³½´Ù.
¿À·ù°¡ ¹ß»ýÇϸé À½¼ö¸¦ ¹ÝȯÇÑ´Ù.
DESCRIPTION
±âº» µ¿ÀÛ
read()´Â fd¿¡¼ ÃÖ´ë count ¹ÙÀÌÆ®¸¦ Àоî¿Í buf¿¡ ÀúÀåÇÑ´Ù.
Àб⸦ Áö¿øÇÏ´Â ÆÄÀÏÀÇ °æ¿ì,
Àбâ´Â **ÆÄÀÏ ¿ÀÇÁ¼Â(file offset)**¿¡¼ ½ÃÀÛÇϸç
ÀÐÀº ¹ÙÀÌÆ® ¼ö¸¸Å ¿ÀÇÁ¼ÂÀÌ Áõ°¡ÇÑ´Ù.
ÆÄÀÏ ¿ÀÇÁ¼ÂÀÌ ÆÄÀÏ ³¡¿¡ Àְųª ÆÄÀÏ ³¡À» Áö³ª ÀÖÀ¸¸é
¾Æ¹«°Íµµ ÀÐÁö ¾Ê°í, read()´Â 0À» ¹ÝȯÇÑ´Ù.
count°¡ 0ÀÏ ¶§, count°¡ 0À̸é, read()´Â ¾Æ·¡¿¡ ¼³¸íµÈ ¿À·ù¸¦ °¨ÁöÇÒ ¼ö ÀÖ´Ù.
¿À·ù°¡ ¾ø°Å³ª read()°¡ ¿À·ù¸¦ È®ÀÎÇÏÁö ¾Ê´Â °æ¿ì,
count°¡ 0ÀÏ ¶§ È£ÃâµÈ read()´Â 0À» ¹ÝȯÇϸç
´Ù¸¥ È¿°ú´Â ¾ø´Ù.
count°¡ ¸Å¿ì Å« °æ¿ì
POSIX.1 Ç¥ÁØ¿¡ µû¸£¸é, count°¡ SSIZE_MAXº¸´Ù Å©¸é
°á°ú´Â ±¸Çö Á¤ÀÇ(implementation-defined)´Ù.
Linux¿¡¼ Çã¿ëµÇ´Â ÃÖ´ë °ª¿¡ ´ëÇÑ Á¤º¸´Â NOTES ¼½¼ÇÀ» Âü°íÇ϶ó.
----------------------------------------------------------------------
Á» ¾î·Æ°Ô ´À²¸Áö´Âµ¥ readÇÔ¼öÀÇ Ã¹¹ø° ÀÎÀÚ´Â 'ÆÄÀÏ µð½ºÅ©¸³ÅÍ'¸¦ ¶æÇÑ´Ù.
ÇÊÀÚ°¡ ¿À·¡Àü °øºÎÇßÀ» ´ç½Ã ¸®´ª½º´Â ¸ðµç µ¥ÀÌÅ͸¦ 'ÆÄÀÏ'·Î °£ÁÖÇÑ´Ù°í ¹è¿ü´Ù.
À©µµ¿ìÁî¿¡¼± ÆÄÀÏ µð½ºÅ©¸³ÅÍ¿Í °°Àº °ÍÀº 'ÀνºÅϽº ÇÚµé'À̶ó°í º» °ÍÀÌ ±â¾ï³´Ù.
ÆÄÀÏ µð½ºÅ©¸³ÅÍ(file descriptor)´Â ¿î¿µÃ¼Á¦¿¡¼ ÆÄÀÏÀ̳ª
ÀÔÃâ·Â ÀåÄ¡(¿¹: ÆÄÀÏ, ¼ÒÄÏ, ÆÄÀÌÇÁ µî)¸¦ ½Äº°Çϱâ À§ÇØ »ç¿ëÇÏ´Â Á¤¼ö °ªÀÌ´Ù.
À¯´Ð½º °è¿ ¿î¿µÃ¼Á¦(Linux Æ÷ÇÔ)¿¡¼ ÆÄÀÏ µð½ºÅ©¸³ÅÍ´Â
ÇÁ·Î¼¼½º°¡ ½Ã½ºÅÛ ¸®¼Ò½º¿¡ Á¢±ÙÇÒ ¶§ ÇÙ½ÉÀûÀ¸·Î »ç¿ëµÈ´Ù.
±×·¸´Ù¸é read°ªÀÌ fd°¡ µÇ°í ÀÌ fdº¯¼öÀÇ °ªÀÌ 0ÀÌ´Ù.
(¾Æ±î arg[1]ÀÎÀÚ·Î ³Ñ±ä ¹®ÀÚ¿Àº "4660"ÀÌ°í
4660-4660ÀÇ °ªÀ» fd º¯¼ö·Î ÀúÀåÇßÀ»Å×´Ï...)
0À̶ó´Â °ªÀº Ç¥ÁØÀÔ·Â(stdin)À» ÀǹÌÇÏ°í Å°º¸µå·Î °ªÀ» ¹Þ°Ú´Ù´Â °É ÀǹÌÇÑ´Ù.
±×¸®°í ifÁ¶°Ç¹®À¸·Î strcmpÇÔ¼ö¿¡¼ "LETMEWIN"À̶ó´Â ¹®ÀÚ¿ÀÌ ÀԷµǸé
(Á¤È®È÷ Ç¥ÇöÇÏÀÚ¸é Àü¿ªº¯¼ö buf[32]¿Í "LETMEWIN"ÀÌ ÀÏÄ¡ÇÑ´Ù¸é...)
if¹®¿¡ ÁøÀÔÇÏ¿© systemÇÔ¼ö¸¦ ½ÇÇàÇÏ¿© /bin/cat flag°¡ ½©¿¡¼ ½ÇÇàµÇ´Â °ÍÀÌ´Ù.
p.s. ´ç¿¬ÇÏÁö¸¸ ½ÇÇàÆÄÀÏ fdÀÌ ¾Æ´Ñ ±×³É cat flagÇϸé
Á¢±ÙÀÌ °ÅºÎ(Permission Denided)µÈ´Ù.
ÀÌ°ÍÀÎ SetUID¿Í °ü·ÃÀÌ Àִµ¥
fd@pwnable:~$ ls -al
total 40
drwxr-x--- 5 root fd 4096 Aug 31 16:09 .
drwxr-xr-x 116 root root 4096 Oct 30 2023 ..
d--------- 2 root root 4096 Jun 12 2014 .bash_history
-r-sr-x--- 1 fd_pwn fd 7322 Jun 11 2014 fd
-rw-r--r-- 1 root root 418 Jun 11 2014 fd.c
-r--r----- 1 fd_pwn root 50 Jun 11 2014 flag
-rw------- 1 root root 128 Oct 26 2016 .gdb_history
dr-xr-xr-x 2 root root 4096 Dec 19 2016 .irssi
drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
¾Æ·¡¿Í °°ÀÌ fdÀÇ ¼Ó¼ºÀ» º¸¸é r-s·Î µÇ¾îÀÖÀ¸¸ç ÀÌ 's'´Â ÇÁ·Î±×·¥ÀÌ ½ÇÇàµÉ ¶§
ÇÁ·Î¼¼½º°¡ °ü¸®ÀÚ ±ÇÇÑÀ¸·Î ½ÇÇàÀÌ µÇ´Â °ÍÀ» ¶æÇÑ´Ù.
ÀÚ¼¼ÇÑ °Ç ÇØÄ¿½ºÄð F.T.Z¿¡¼ ³ª¿À´Ï ¸ð¸£°Ú´Ù¸é Çѹø F.T.Z¸¦ ±¸ÃàÇÏ¿© ¾Ë¾Æº¸±æ ¹Ù¶õ´Ù.
Always peace...