http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_linux&no=4450 [º¹»ç]
Á¦ ±ÇÇÑÀº Á¦ÇѵŠÀÖ°í, run_me ¶ó´Â ÇÁ·Î±×·¥Àº setuid°¡ ¼³Á¤µÇ¾î ÀÖ¾î¼ run_me ¶ó´Â ÇÁ·Î±×·¥ »ó¿¡¼ flag(setuid·Î ½ÇÇàÇØ¾ß ÇÏ´Â ÆÄÀÏ)À» ¾Ë¾ÆºÁ¾ß Çϴµ¥¿ä.... ȯ°æº¯¼ö°¡ ¸ðµÎ »èÁ¦µÇ°í, ¹ØÀÇ º¯¼ö¸¸ ³²Àº »óÅ¿¡¼ ¾î¶»°Ô setuid¸¦ ±â¹ÝÀ¸·Î shellÀ» ½ÇÇàÇÒ ¼ö ÀÖÀ»±î¿ä?
./run_me /bin/sh Çϴϱñ ´ç¿¬È÷ ¹ØÀÇ ÇÊÅ͸µ¿¡ °É¸®´õ¶ó±¸¿ä...
µµ¿ÍÁÖ¼¼¿ä ¤Ð¤Ð
#include <stdio.h>
#include <string.h>
int filter(char *cmd) {
if (strstr(cmd, "f")) return 1;
if (strstr(cmd, "sh")) return 1;
if (strstr(cmd, "tmp")) return 1;
return 0;
}
extern char **environ;
int main(int argc, char *argv[], char *envp[]) {
char **p;
printf("I am king the Godzo...\n");
printf("I will let you execute a command again.\n");
printf("However, I am much stronger than Tracer.\n");
for (p=environ; *p; p++)
memset(*p, 0, strlen(*p));
putenv("PATH=/uri_mercy_gaemotham");
if (filter(argv[1])) {
printf("caught by filter!\n");
return 0;
}
system(argv[1]);
return 0;
}
|
Hit : 2832 Date : 2017/03/11 12:23
|