http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1903 [복사]
[ka0r1@localhost ka0r1]$ cat test.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
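/*
 * Deliberately overflowable demo program (from a hackerschool.org Q&A post).
 * Do NOT "fix" the overflow: the whole point is that fgets() is allowed to
 * write up to 40 bytes into the 20-byte str2 and spill into str1, which in
 * this particular build sits directly above it (per the gdb dump: str2 at
 * ebp-0x20, str1 at ebp-0xc, frame of 0x20 bytes). So 20 bytes of padding
 * followed by "go" make strncmp() succeed and spawn a shell.
 *
 * Notes for anyone reproducing this:
 *  - str1 is never written by the program itself; strncmp() reads it
 *    uninitialized, which is undefined behaviour. Only the overflow gives
 *    it a defined value.
 *  - The distance between the two buffers is 0x14 bytes, i.e. decimal 20,
 *    NOT 14. Reading the hex difference as decimal is the classic mistake
 *    here ("12345678901234go" is 6 bytes short).
 *  - That layout is a property of this old 32-bit gcc build. Newer compilers
 *    reorder locals, insert stack-protector canaries and alignment padding,
 *    so the offset must be re-read from `disas main` every time; a 32-bit
 *    build with -fno-stack-protector is needed for a comparable frame.
 *  - Because the frame is only 0x20 bytes, the 40-byte fgets() limit also
 *    reaches the saved ebp and the return address (ebp+0 .. ebp+7), so the
 *    same input path can be used for a return-address overwrite.
 *
 * Returns 0 (after the shell exits, if one was spawned).
 */
int main(void)
{
    char str1[10];          /* compared against "go"; only set via the overflow */
    char str2[20];          /* fgets() target; the limit of 40 exceeds it on purpose */

    printf("It can be overflow : ");
    /* Intentional overflow: fgets() may store up to 39 chars + NUL here. */
    fgets(str2, 40, stdin);

    /* str1 holds stack garbage unless the input above spilled into it. */
    if (strncmp(str1, "go", 2) == 0) {
        printf("Good Skill!\n");
        system("/bin/bash");
    }
    return 0;
}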
[ka0r1@localhost ka0r1]$ gcc -o test test.c
[ka0r1@localhost ka0r1]$ ./test
It can be overflow : 12345
[ka0r1@localhost ka0r1]$ gdb -q test
(gdb) disas main
Dump of assembler code for function main:
0x8048488 <main>: push %ebp
0x8048489 <main+1>: mov %esp,%ebp
0x804848b <main+3>: sub $0x20,%esp
0x804848e <main+6>: push $0x8048540
0x8048493 <main+11>: call 0x80483cc <printf>
0x8048498 <main+16>: add $0x4,%esp
0x804849b <main+19>: mov 0x804965c,%eax
0x80484a0 <main+24>: push %eax
0x80484a1 <main+25>: push $0x28
0x80484a3 <main+27>: lea 0xffffffe0(%ebp),%eax
0x80484a6 <main+30>: push %eax
0x80484a7 <main+31>: call 0x804839c <fgets>
0x80484ac <main+36>: add $0xc,%esp
0x80484af <main+39>: push $0x2
0x80484b1 <main+41>: push $0x8048556
0x80484b6 <main+46>: lea 0xfffffff4(%ebp),%eax
0x80484b9 <main+49>: push %eax
0x80484ba <main+50>: call 0x80483ac <strncmp>
0x80484bf <main+55>: add $0xc,%esp
0x80484c2 <main+58>: mov %eax,%eax
0x80484c4 <main+60>: test %eax,%eax
0x80484c6 <main+62>: jne 0x80484e2 <main+90>
0x80484c8 <main+64>: push $0x8048559
0x80484cd <main+69>: call 0x80483cc <printf>
0x80484d2 <main+74>: add $0x4,%esp
0x80484d5 <main+77>: push $0x8048566
0x80484da <main+82>: call 0x804837c <system>
0x80484df <main+87>: add $0x4,%esp
0x80484e2 <main+90>: leave
0x80484e3 <main+91>: ret
0x80484e4 <main+92>: nop
0x80484e5 <main+93>: nop
0x80484e6 <main+94>: nop
0x80484e7 <main+95>: nop
0x80484e8 <main+96>: nop
0x80484e9 <main+97>: nop
0x80484ea <main+98>: nop
0x80484eb <main+99>: nop
0x80484ec <main+100>: nop
0x80484ed <main+101>: nop
0x80484ee <main+102>: nop
0x80484ef <main+103>: nop
End of assembler dump.
(gdb) q
[ka0r1@localhost ka0r1]$ test
[ka0r1@localhost ka0r1]$ ./test
It can be overflow : 12345678901234go
[ka0r1@localhost ka0r1]$ ./test
It can be overflow : 12345678901234go
[ka0r1@localhost ka0r1]$
0x80484a3 <main+27>: lea 0xffffffe0(%ebp),%eax
0x80484a6 <main+30>: push %eax
0x80484a7 <main+31>: call 0x804839c <fgets>
0x80484ac <main+36>: add $0xc,%esp
0x80484af <main+39>: push $0x2
0x80484b1 <main+41>: push $0x8048556
0x80484b6 <main+46>: lea 0xfffffff4(%ebp),%eax
여기서 0xfffffff4 - 0xffffffe0을 하니까 14가 나오더라구요. (참고: 이 차이는 16진수 0x14이고 10진수로는 20입니다. 디스어셈블을 보면 str2는 ebp-0x20, str1은 ebp-0xc에 있으므로 str1에 도달하려면 14바이트가 아니라 20바이트를 채운 뒤 "go"를 붙여야 합니다.)
그래서
12345678901234go를 입력했는데 /bin/bash를 실행하지 못했습니다.
배열 계산 어떻게 하는 건가요?