http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1906 [복사]
[level13@ftz level13]$ ls
attackme hint public_html tmp
[level13@ftz level13]$ cp ./attackme ./tmp
[level13@ftz level13]$ cd tmp
[level13@ftz tmp]$ ls
attackme
[level13@ftz tmp]$ gdb -q attackme
(gdb) disas main
Dump of assembler code for function main:
0x080484a0 <main+0>: push %ebp
0x080484a1 <main+1>: mov %esp,%ebp
0x080484a3 <main+3>: sub $0x418,%esp
0x080484a9 <main+9>: movl $0x1234567,0xfffffff4(%ebp)
0x080484b0 <main+16>: sub $0x8,%esp
0x080484b3 <main+19>: push $0xc16
0x080484b8 <main+24>: push $0xc16
0x080484bd <main+29>: call 0x8048370 <setreuid>
0x080484c2 <main+34>: add $0x10,%esp
0x080484c5 <main+37>: cmpl $0x1,0x8(%ebp)
0x080484c9 <main+41>: jle 0x80484e5 <main+69>
0x080484cb <main+43>: sub $0x8,%esp
0x080484ce <main+46>: mov 0xc(%ebp),%eax
0x080484d1 <main+49>: add $0x4,%eax
0x080484d4 <main+52>: pushl (%eax)
0x080484d6 <main+54>: lea 0xfffffbe8(%ebp),%eax
0x080484dc <main+60>: push %eax
0x080484dd <main+61>: call 0x8048390 <strcpy>
0x080484e2 <main+66>: add $0x10,%esp
0x080484e5 <main+69>: cmpl $0x1234567,0xfffffff4(%ebp)
0x080484ec <main+76>: je 0x804850d <main+109>
0x080484ee <main+78>: sub $0xc,%esp
0x080484f1 <main+81>: push $0x80485a0
0x080484f6 <main+86>: call 0x8048360 <printf>
0x080484fb <main+91>: add $0x10,%esp
0x080484fe <main+94>: sub $0x8,%esp
0x08048501 <main+97>: push $0xb
0x08048503 <main+99>: push $0x0
0x08048505 <main+101>: call 0x8048380 <kill>
0x0804850a <main+106>: add $0x10,%esp
0x0804850d <main+109>: leave
0x0804850e <main+110>: ret
0x0804850f <main+111>: nop
End of assembler dump.
(gdb) b* main+69
Breakpoint 1 at 0x80484e5
(gdb) r `python -c 'print "A"*1024'`
Starting program: /home/level13/tmp/attackme `python -c 'print "A"*1024'`
Breakpoint 1, 0x080484e5 in main ()
(gdb) x/100x $ebp-100
0xbffff554: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff564: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff574: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff584: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff594: 0x41414141 0x41414141 0x41414141 0x08048300
0xbffff5a4: 0x42130a14 0xbffff5b8 0x01234567 0x4200af84
0xbffff5b4: 0x42130a14 0xbffff5d8 0x42015574 0x00000002
0xbffff5c4: 0xbffff604 0xbffff610 0x4001582c 0x00000002
0xbffff5d4: 0x080483a0 0x00000000 0x080483c1 0x080484a0
0xbffff5e4: 0x00000002 0xbffff604 0x08048308 0x08048550
0xbffff5f4: 0x4000c660 0xbffff5fc 0x00000000 0x00000002
0xbffff604: 0xbffff867 0xbffff882 0x00000000 0xbffffc83
0xbffff614: 0xbffffc9c 0xbffffcba 0xbffffcc5 0xbffffcd5
0xbffff624: 0xbffffce3 0xbffffcf0 0xbffffeb3 0xbffffef6
0xbffff634: 0xbfffff13 0xbfffff29 0xbfffff3e 0xbfffff4f
0xbffff644: 0xbfffff60 0xbfffff73 0xbfffff7b 0xbfffff9a
0xbffff654: 0xbfffffaa 0xbfffffcc 0x00000000 0x00000020
0xbffff664: 0xffffe000 0x00000010 0x0febfbff 0x00000006
0xbffff674: 0x00001000 0x00000011 0x00000064 0x00000003
0xbffff684: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffff694: 0x00000006 0x00000007 0x40000000 0x00000008
0xbffff6a4: 0x00000000 0x00000009 0x080483a0 0x0000000b
0xbffff6b4: 0x00000c15 0x0000000c 0x00000c15 0x0000000d
0xbffff6c4: 0x00000c15 0x0000000e 0x00000c15 0x0000000f
0xbffff6d4: 0xbffff862 0x00000000 0x00000000 0x00000000
(gdb)
브레이크 포인트를 잡고 디버깅을 한 건데, 보면
1024바이트까지는 'A'가 꽉 찼잖아요.
그리고 12바이트 뒤에 0x01234567이 있구요.
그리고 그 12바이트 뒤에 ret가 있구요.
제가 서술한 "12바이트 뒤에..." 이 부분을
디스어셈블한 부분에서 어딜 봐야 그 정보를 알 수 있는 겁니까? |
Hit : 1917 Date : 2017/12/19 11:51