Author: 해킹잘하고싶다
[pwnable.kr] fd

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8588


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* for read(); missing from the original listing */

char buf[32];

int main(int argc, char* argv[], char* envp[])
{
        if(argc<2){
                printf("pass argv[1] a number\n");
                return 0;
        }
        int fd = atoi( argv[1] ) - 0x1234;   /* "4660" - 0x1234 == 0, i.e. stdin */
        int len = 0;
        len = read(fd, buf, 32);
        if(!strcmp("LETMEWIN\n", buf)){      /* note the trailing newline */
                printf("good job :)\n");
                system("/bin/cat flag");
                exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;
}









pwnable.kr, whose server had been down, is back up again.
It is a problem I solved a long time ago, and I remember it being solved quite easily.
Let's walk through the solution...

fd@pwnable:~$ ./fd 4660

The argv[0] argument becomes "./fd" and the argv[1] argument becomes "4660".
Let's think carefully about why 4660 is entered here.


It is atoi(argv[1]) - 0x1234...
Let's look up the atoi function with man.


--------------------------------------------------------------------
The atoi() function converts the initial portion of the string
pointed to by nptr to int.  The behavior is the same as

    strtol(nptr, NULL, 10);

except that atoi() does not detect errors.
The atol() and atoll() functions behave the same as atoi(),
except that they convert the initial portion of the string to
their return type of long or long long.



Translation

The atoi() function converts the initial portion of the string pointed to by nptr to type int.
The behavior of this function is the same as:

strtol(nptr, NULL, 10);

except that atoi() does not detect errors.

The atol() and atoll() functions behave the same way as atoi(),
but convert the initial portion of the string to type long or long long respectively.
----------------------------------------------------------------------------------




Roughly speaking, in atoi("4660") the "4660" is not of type int, that is, not an integer (number)
but a string, so the string "4660" is converted to the int value 4660...
0x1234 is hexadecimal, and converted to decimal it becomes 4660.
So 4660 - 4660 becomes 0.

Next, let's look up the read function, two lines further down, with man.







-----------------------------------------------------------------------
SYNOPSIS
       #include <unistd.h>
       ssize_t read(int fd, void buf[.count], size_t count);

DESCRIPTION
       read() attempts to read up to count bytes from file descriptor fd
       into the buffer starting at buf.

       On files that support seeking, the read operation commences at
       the file offset, and the file offset is incremented by the number
       of bytes read.  If the file offset is at or past the end of file,
       no bytes are read, and read() returns zero.

       If count is zero, read() may detect the errors described below.
       In the absence of any errors, or if read() does not check for
       errors, a read() with a count of 0 returns zero and has no other
       effects.

       According to POSIX.1, if count is greater than SSIZE_MAX, the
       result is implementation-defined; see NOTES for the upper limit
       on Linux.




Translation

SYNOPSIS

#include <unistd.h>
ssize_t read(int fd, void buf[.count], size_t count);

The read() function reads up to count bytes of data from file descriptor fd
and stores them in buf.
The return value is of type ssize_t and is the number of bytes read.
If an error occurs, a negative value is returned.

DESCRIPTION

Basic behavior

read() reads up to count bytes from fd and stores them in buf.
For files that support reading,
the read starts at the file offset
and the offset is advanced by the number of bytes read.
If the file offset is at or past the end of the file,
nothing is read and read() returns 0.

When count is 0

If count is 0, read() may detect the errors described below.
If there are no errors, or if read() does not check for errors,
a read() called with count 0 returns 0
and has no other effect.

When count is very large

According to the POSIX.1 standard, if count is greater than SSIZE_MAX,
the result is implementation-defined.
For the maximum value allowed on Linux, see the NOTES section.
----------------------------------------------------------------------





It feels a bit difficult, but the first argument of the read function means the 'file descriptor'.
When I studied this long ago, I learned that Linux treats all data as 'files'.
I remember reading that on Windows the counterpart of a file descriptor is called an 'instance handle'.

A file descriptor is an integer value that the operating system uses to identify a file or
an I/O resource (e.g. a file, socket, pipe, etc.).
In Unix-like operating systems (including Linux), file descriptors are
the core mechanism a process uses to access system resources.

So the value read uses is fd, and the value of this fd variable is 0.
(The string passed earlier as the argv[1] argument was "4660", and
4660 - 4660 would have been stored in the fd variable...)

The value 0 means standard input (stdin), that is, input will be taken from the keyboard.
Then in the if condition, when the string "LETMEWIN" is entered to the strcmp function
(to be precise, if the global variable buf[32] matches "LETMEWIN"...),
the if block is entered, the system function runs, and /bin/cat flag is executed in the shell.
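As an added example (not part of the original post or the pwnable.kr challenge code), the following C program reproduces the descriptor arithmetic and the read()/strcmp() check described above, but feeds the input through a pipe instead of the keyboard and, unlike fd.c, checks read()'s return value and NUL-terminates the buffer before comparing. The function names fd_from_arg, check_password_from_fd and check_password_from_string are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same arithmetic as fd.c: argv[1] goes through atoi() and 0x1234 (4660)
 * is subtracted, so "4660" selects descriptor 0 (stdin), "4661" selects 1. */
int fd_from_arg(const char *arg)
{
    return atoi(arg) - 0x1234;
}

/* Read from fd like fd.c does, but check read()'s result and keep a
 * terminating NUL so strcmp() cannot run past the buffer.
 * Returns 1 when the input is exactly "LETMEWIN\n", 0 otherwise. */
int check_password_from_fd(int fd)
{
    char buf[32];
    ssize_t len = read(fd, buf, sizeof(buf) - 1); /* room for the NUL */
    if (len < 0)
        return 0;                 /* read error, e.g. bad descriptor */
    buf[len] = '\0';
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Feed `input` through a pipe so the check does not need a terminal:
 * the pipe's read end plays the role stdin (fd 0) plays when
 * ./fd 4660 is run interactively and the password is typed. */
int check_password_from_string(const char *input)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return 0;
    ssize_t w = write(pfd[1], input, strlen(input));
    close(pfd[1]);                /* writer done: reader sees EOF after the data */
    int ok = (w >= 0) && check_password_from_fd(pfd[0]);
    close(pfd[0]);
    return ok;
}

int main(int argc, char *argv[])
{
    int fd = argc > 1 ? fd_from_arg(argv[1]) : 0;   /* default: stdin */
    printf("fd %d -> %s\n", fd,
           check_password_from_fd(fd) ? "good job :)" : "learn about Linux file IO");
    return 0;
}
```

Note that the expected string carries a trailing newline, which the Enter key supplies when typing at a terminal; a string without it does not match.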








P.S. Naturally, if you just run cat flag instead of the fd executable,
access is denied (Permission Denied).
This is related to SetUID:

fd@pwnable:~$ ls -al
total 40
drwxr-x---   5 root   fd   4096 Aug 31 16:09 .
drwxr-xr-x 116 root   root 4096 Oct 30  2023 ..
d---------   2 root   root 4096 Jun 12  2014 .bash_history
-r-sr-x---   1 fd_pwn fd   7322 Jun 11  2014 fd
-rw-r--r--   1 root   root  418 Jun 11  2014 fd.c
-r--r-----   1 fd_pwn root   50 Jun 11  2014 flag
-rw-------   1 root   root  128 Oct 26  2016 .gdb_history
dr-xr-xr-x   2 root   root 4096 Dec 19  2016 .irssi
drwxr-xr-x   2 root   root 4096 Oct 23  2016 .pwntools-cache


Looking at the attributes of fd in the listing above, they are r-s, and this 's' means that when the program is run,
the process is executed with administrator privileges.
Details are covered in Hackerschool F.T.Z, so if you are unfamiliar with it, set up F.T.Z and look into it.




Always peace...

  Hit : 194     Date : 2024/11/23 12:20



    
