System Hacking

   you88311
   I have a question about FTZ level11.

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1898


I solved the level using both a format string and a buffer overflow.
The problem is that on an FTZ server I set up myself, rather than the original ftz.hackerschool.org,
the attack does not work even though I used the buffer overflow in exactly the same way. In particular, when I look in gdb,
on the original ftz server I get

(gdb) r `python -c 'print "A"*264+"B"*4+"C"*4'`
Starting program: /home/level11/tmp/attack `python -c 'print "A"*264+"B"*4+"C"*4'`

Breakpoint 1, 0x08048470 in main ()
(gdb) x/130x $esp
0xbffff9dc:     0x40033917      0x00000002      0xbffffa24      0xbffffa30
0xbffff9ec:     0x4001582c      0x00000002      0x08048370      0x00000000
0xbffff9fc:     0x08048391      0x08048470      0x00000002      0xbffffa24
0xbffffa0c:     0x080482e4      0x08048500      0x4000c660      0xbffffa1c
0xbffffa1c:     0x00000000      0x00000002      0xbffffb0e      0xbffffb27
0xbffffa2c:     0x00000000      0xbffffc38      0xbffffc56      0xbffffc66
0xbffffa3c:     0xbffffc71      0xbffffc7f      0xbffffca0      0xbffffcb3
0xbffffa4c:     0xbffffcc0      0xbffffe83      0xbffffec6      0xbffffee3
0xbffffa5c:     0xbffffef9      0xbfffff0e      0xbfffff1f      0xbfffff30
0xbffffa6c:     0xbfffff43      0xbfffff4b      0xbfffff6a      0xbfffff7a
0xbffffa7c:     0xbfffffac      0xbfffffce      0x00000000      0x00000010
0xbffffa8c:     0x0fabfbff      0x00000006      0x00001000      0x00000011
0xbffffa9c:     0x00000064      0x00000003      0x08048034      0x00000004
0xbffffaac:     0x00000020      0x00000005      0x00000006      0x00000007
0xbffffabc:     0x40000000      0x00000008      0x00000000      0x00000009
0xbffffacc:     0x08048370      0x0000000b      0x00000c13      0x0000000c
0xbffffadc:     0x00000c13      0x0000000d      0x00000c13      0x0000000e
0xbffffaec:     0x00000c13      0x0000000f      0xbffffb09      0x00000000
0xbffffafc:     0x00000000      0x00000000      0x00000000      0x38366900
0xbffffb0c:     0x682f0036      0x2f656d6f      0x6576656c      0x2f31316c
0xbffffb1c:     0x2f706d74      0x61747461      0x41006b63      0x41414141
0xbffffb2c:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffb3c:     0x41414141      0x41414141      0x41414141      0x41414141

and the arguments I entered show up, but on the FTZ server I set up myself

(gdb) b *main
Breakpoint 1 at 0x8048470
(gdb) r `python -c 'print "A"*264+"B"*4+"C"*4'`
Starting program: /home/level11/tmp/hello `python -c 'print "A"*264+"B"*4+"C"*4'`

Breakpoint 1, 0x08048470 in main ()
(gdb) x/100x $esp
0xbfffeacc:     0x42015574      0x00000002      0xbfffeb14      0xbfffeb20
0xbfffeadc:     0x4001582c      0x00000002      0x08048370      0x00000000
0xbfffeaec:     0x08048391      0x08048470      0x00000002      0xbfffeb14
0xbfffeafc:     0x080482e4      0x08048500      0x4000c660      0xbfffeb0c
0xbfffeb0c:     0x00000000      0x00000002      0xbffffb0b      0xbffffb23
0xbfffeb1c:     0x00000000      0xbffffc34      0xbffffc52      0xbffffc62
0xbfffeb2c:     0xbffffc6d      0xbffffc7b      0xbffffc9d      0xbffffcb0
0xbfffeb3c:     0xbffffcbd      0xbffffe80      0xbffffec3      0xbffffee0
0xbfffeb4c:     0xbffffef6      0xbfffff0b      0xbfffff1c      0xbfffff2d
0xbfffeb5c:     0xbfffff40      0xbfffff48      0xbfffff67      0xbfffff77
0xbfffeb6c:     0xbfffffad      0xbfffffcf      0x00000000      0x00000020
0xbfffeb7c:     0xffffe000      0x00000010      0x0fabfbff      0x00000006
0xbfffeb8c:     0x00001000      0x00000011      0x00000064      0x00000003
0xbfffeb9c:     0x08048034      0x00000004      0x00000020      0x00000005
0xbfffebac:     0x00000006      0x00000007      0x40000000      0x00000008
0xbfffebbc:     0x00000000      0x00000009      0x08048370      0x0000000b
0xbfffebcc:     0x00000c13      0x0000000c      0x00000c13      0x0000000d
0xbfffebdc:     0x00000c13      0x0000000e      0x00000c13      0x0000000f
0xbfffebec:     0xbffffb06      0x00000000      0x00000000      0x00000000
0xbfffebfc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffec0c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffec1c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffec2c:     0x00000000      0x00000000      0x00000000      0x00000000

no matter how far down I go, only 0x00000000 appears and the argument values I entered are not visible. I would really appreciate it if you could tell me what difference causes this.

  Hit : 2411     Date : 2017/09/27 01:09



    
김답변 It should show up if you go further down. If it really does not show up, there is another way. Set a breakpoint anywhere in main other than the prologue and epilogue, that is, anywhere main's stack frame is pointed to by esp and ebp as it is.
At that point ebp points to the SFP, ebp+4 to the return address, ebp+8 to argc, and ebp+12 to the argv array.
Run x/2wx $ebp+12 and argv[0] and argv[1] come out in order,
then run x/s on the address at the argv[1] position
and what you entered will be printed, and you will see its address too.
2017/09/27  
you88311 Oh, now that I think about it, it is an argument anyway, so going through ebp+12 works too!! Still, it works on the main ftz server but not on the ftz server I set up, haha. I will have to study some more. Anyway, thank you very much for the answer!! 2017/09/27
김답변 That is strange, lol. In the memory dump you posted, on the main server argv[1] is 0xbffffb27 and env[0] is 0xbfffffc38,
and on the one you set up, argv[1] = 0xbffffb23 and env[0] = 0xbffffc34.
The distance between the two is the same, so I think it must have been placed on the stack properly.
The problem with setting up an FTZ server yourself is actually not whether the input lands on the stack when you look in gdb; the problem is that you do not get a shell when you return to the address you confirmed in gdb. The main ftz server uses a kernel from before ASLR was introduced for the stack, and when you set it up yourself you build it with a version that has stack ASLR, so returning into the stack frame or argv is difficult. ASLR is applied to the stack, but strangely the area where the environment variables live has no ASLR, so you have to solve it using an eggshell or RTL.
2017/09/28  
you88311 Ahhh!! This is exactly what I wanted to know. So the kernel versions differ, and that makes a difference in terms of ASLR. T_T Actually, on the ftz I set up, if I set a break at call strcpy and check the buffer, 4141 shows up on the stack, but no matter what I did with that address I could not get a shell. Even running it repeatedly in a while loop did not solve it, so I figured I was doing something wrong, set a break right at the start, at the function prologue(??), and checked the arguments, but there argv was not visible at all, which is why I asked. It all works with the format string and with environment variables; only this attack does not go through.
Thanks to you I finally understand it clearly. Thank you!!!
2017/09/28  
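
As an added example (not part of the original thread), this Python sketch reads the rows of the two gdb dumps above that hold the esp slot and the argv array, follows esp+8 to the argv array, and reports whether argv[1] lies inside the `x/Nx` window that was dumped. The function and variable names are hypothetical; the rows are copied from the dumps in the question.

```python
import re

# Rows copied from the two gdb dumps in the question: the row at esp and the
# row holding the argv array. All other rows are omitted here.
DUMP_FTZ = """
0xbffff9dc:     0x40033917      0x00000002      0xbffffa24      0xbffffa30
0xbffffa1c:     0x00000000      0x00000002      0xbffffb0e      0xbffffb27
"""
DUMP_SELF_BUILT = """
0xbfffeacc:     0x42015574      0x00000002      0xbfffeb14      0xbfffeb20
0xbfffeb0c:     0x00000000      0x00000002      0xbffffb0b      0xbffffb23
"""

def parse_dump(text):
    """Map address -> 32-bit word for every 'addr: w w w w' row of x/Nx output."""
    mem = {}
    for line in text.splitlines():
        m = re.match(r"\s*(0x[0-9a-f]+):\s+(.*)", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(word, 16)
    return mem

def locate_argv1(text, words_dumped):
    """Breakpoint on *main (before push ebp): esp = return address,
    esp+4 = argc, esp+8 = argv (ebp+8 / ebp+12 once the prologue has run)."""
    mem = parse_dump(text)
    esp = min(mem)                      # lowest dumped address is $esp
    argc, argv = mem[esp + 4], mem[esp + 8]
    argv1 = mem[argv + 4]               # second slot of the argv array
    end = esp + 4 * words_dumped        # first address past the x/Nx window
    return {
        "argc": argc,
        "argv1": argv1,
        "visible": argv1 < end,         # does the string start inside the window?
        "words_needed": (argv1 - esp) // 4 + 1,
    }

if __name__ == "__main__":
    for name, dump, n in (("ftz", DUMP_FTZ, 130), ("self-built", DUMP_SELF_BUILT, 100)):
        r = locate_argv1(dump, n)
        print(name, hex(r["argv1"]), r["visible"], r["words_needed"])
```

On the self-built server the `x/100x` window ends at 0xbfffec5c, well below the address stored in the argv[1] slot, so the dump stops in the zero-filled gap before the argument strings.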