wjsqud011
I'd like to ask about shellcode again.
http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1522
Hit : 3372 Date : 2011/08/23 10:53
늅늅 |

First, when you are running with some privilege and you execute a shell such as /bin/sh or /bin/bash, you can issue commands with that privilege. Shellcode is, literally, machine code that executes a shell.

For example, let's say the vulnerable program is named vul, it has root's setuid bit set (setuid comes up in ftz trainer9 or 10, I think), and the buffer is 520 bytes. Then, while the program is running, it has root's privileges, so if a shell is executed in that state you get root's privileges.

Let me roughly write the source of vul:

    #include <stdio.h>
    #include <string.h>   /* strcpy */

    int main(int argc, char *argv[]) {
        char buffer[500];
        /* no length check: an argv[1] longer than the buffer overflows the stack */
        strcpy(buffer, argv[1]);
        return 0;
    }

I compiled it with gcc 3.2.2 (it's installed on ftz) and took it apart with the gdb on ftz. If you open it up in gdb you can see that the buffer size is 520. Adding the sfp to that, the number of bytes that nop+shellcode has to come to is 524 bytes. To make it come out evenly:

    ./vul `perl -e 'print "\x90"x424,25-byte shellcode,"\x90"x75,"return address (just use the address of the nops)"'`

Yes, that's how it is put together. When I looked in gdb just now, the return address, the start of the buffer, came out as 0xbffff940, but that didn't work, so I used 0xbffff840 and then it worked.

For more details, please read the document "buffer overflow basics for aspiring hackers" written by 달고나.
http://wowhacker.org/board.php?bid=174&bs_type=&bs_str=&cate=0&pg=20&mode=filedown&puid=154748&uid=28
2011/08/24
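
Added example (not part of the original post or thread): a hardened counterpart to the vul.c sketch in the answer above, where the unbounded strcpy is replaced by a length-checked copy and the setuid privilege is given up before user input is handled. The names copy_arg and BUF_SIZE are chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_SIZE 500  /* same declared size as buffer[] in the post's vul.c */

/* copy_arg is a hypothetical helper written for this example.
 * It copies src into dst only if src, terminator included, fits.
 * Returns 0 on success, -1 if src is missing or too long.
 * It never reads or writes more than dst_size bytes. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    const char *end;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* look for the terminator within the first dst_size bytes only */
    end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;  /* too long: reject instead of truncating silently */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    /* A setuid binary that does not need root for this work should
     * drop the privilege (group first, then user) before parsing input. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {
        perror("drop privileges");
        return 1;
    }
    /* the original also dereferenced argv[1] without checking argc */
    if (argc != 2 || copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "usage: %s <string shorter than %d bytes>\n",
                argc > 0 ? argv[0] : "vul", BUF_SIZE);
        return 2;
    }
    printf("%zu bytes copied\n", strlen(buffer));
    return 0;
}
```

With this check the 524-byte argument described in the answer is rejected before any byte reaches the stack buffer.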