http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=11
While studying BOF I wanted to try writing shellcode, so I looked through some material and have a question.
I am studying from two sources, willy's shellcode-writing tutorial at NULL@ROOT and 'hacker4u's Hacking Security Notes (h4 from here on)'...
Since I have not learned assembly, I am finding it somewhat hard.
-----------------------------------------------------
//source
#include <stdio.h>
#include <unistd.h>   /* prototype for execve() */
int main(void)
{
    char *name[2];
    name[0] = "/bin/bash";  /* argv[0]: the program to run */
    name[1] = 0x0;          /* argv must end with a NULL pointer */
    execve(name[0], name, NULL); /* envp: NULL, the same value as name[1] */
    return 0;
}
---------------------------------------------------
//gdb
(gdb) disassemble main
Dump of assembler code for function main:
0x8048400 <main>: push %ebp
0x8048401 <main+1>: mov %esp,%ebp
0x8048403 <main+3>: sub $0x8,%esp
0x8048406 <main+6>: movl $0x8048498,0xfffffff8(%ebp)
0x804840d <main+13>: movl $0x0,0xfffffffc(%ebp)
0x8048414 <main+20>: sub $0x4,%esp
0x8048417 <main+23>: pushl 0xfffffffc(%ebp)
0x804841a <main+26>: lea 0xfffffff8(%ebp),%eax
0x804841d <main+29>: push %eax
0x804841e <main+30>: pushl 0xfffffff8(%ebp)
0x8048421 <main+33>: call 0x80482d0 <execve>
0x8048426 <main+38>: add $0x10,%esp
0x8048429 <main+41>: leave
0x804842a <main+42>: ret
0x804842b <main+43>: nop
0x804842c <main+44>: nop
0x804842d <main+45>: nop
0x804842e <main+46>: nop
0x804842f <main+47>: nop
End of assembler dump.
(gdb) disassemble execve
Dump of assembler code for function execve:
0x80482d0 <execve>: jmp *0x80495a0
0x80482d6 <execve+6>: push $0x8
0x80482db <execve+11>: jmp 0x80482b0 <_init+24>
End of assembler dump.
(gdb)
------------------------------------------------------------------------
*The source comes from h4.
*The gdb disassembly is from compiling and disassembling it on FTZ.
-----------------------------------------------------------------------
It differs from what is shown in the book.
What is the reason for the difference?
Do I really have to learn assembly? Couldn't I build shellcode by learning only the creation process, without learning assembly?
If there are documents worth reading to learn assembly, I would appreciate a recommendation.
Hit : 6032 Date : 2003/09/13 10:37
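An added example, not part of the post above nor of the h4 or NULL@ROOT material: a small Python parser for the gdb listing in the post that pulls out what can be read from it without already knowing the instructions. It derives each instruction's byte length from the gap to the next address, checks that the <main+N> offsets gdb prints are consistent, finds the 8-byte local frame (char *name[2]), counts the three 4-byte arguments pushed for the call and the 4 bytes of padding that the sub $0x4,%esp / add $0x10,%esp pair wraps around them (this GCC rounds the call site up to 16 bytes; a listing produced by a different compiler may not), and recognises that "disassemble execve" shows a three-instruction PLT trampoline rather than libc's execve. The function names, the 32-bit assumption (push = 4 bytes) and the pattern-matching heuristics are the example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Instruction lines copied from the gdb session in the post above (FTZ build of the test program).
GDB_DUMP = """\
0x8048400 <main>: push %ebp
0x8048401 <main+1>: mov %esp,%ebp
0x8048403 <main+3>: sub $0x8,%esp
0x8048406 <main+6>: movl $0x8048498,0xfffffff8(%ebp)
0x804840d <main+13>: movl $0x0,0xfffffffc(%ebp)
0x8048414 <main+20>: sub $0x4,%esp
0x8048417 <main+23>: pushl 0xfffffffc(%ebp)
0x804841a <main+26>: lea 0xfffffff8(%ebp),%eax
0x804841d <main+29>: push %eax
0x804841e <main+30>: pushl 0xfffffff8(%ebp)
0x8048421 <main+33>: call 0x80482d0 <execve>
0x8048426 <main+38>: add $0x10,%esp
0x8048429 <main+41>: leave
0x804842a <main+42>: ret
0x804842b <main+43>: nop
0x804842c <main+44>: nop
0x804842d <main+45>: nop
0x804842e <main+46>: nop
0x804842f <main+47>: nop
0x80482d0 <execve>: jmp *0x80495a0
0x80482d6 <execve+6>: push $0x8
0x80482db <execve+11>: jmp 0x80482b0 <_init+24>
"""

LINE_RE = re.compile(r"^0x(?P<addr>[0-9a-f]+)\s+<(?P<func>[^+>]+)(?:\+(?P<off>\d+))?>:\s+"
                     r"(?P<mn>\S+)\s*(?P<ops>.*)$")

@dataclass
class Insn:
    addr: int
    func: str
    offset: int              # the N in <func+N>
    mnemonic: str
    operands: str
    size: int | None = None  # bytes up to the next instruction; unknown for the last one

def _imm(operands: str) -> int:
    """Immediate of a 'sub $0x8,%esp' / 'add $0x10,%esp' operand string."""
    return int(operands.split(",")[0].lstrip("$"), 16)

def parse_dump(text: str) -> dict[str, list[Insn]]:
    """Group gdb 'disassemble' lines by function; instruction size = gap to the next address."""
    funcs: dict[str, list[Insn]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # 'Dump of assembler code...' / 'End of assembler dump.' lines, if present
        insn = Insn(int(m["addr"], 16), m["func"], int(m["off"] or 0), m["mn"], m["ops"].strip())
        funcs.setdefault(insn.func, []).append(insn)
    for insns in funcs.values():
        for cur, nxt in zip(insns, insns[1:]):
            cur.size = nxt.addr - cur.addr
    return funcs

def offsets_consistent(insns: list[Insn]) -> bool:
    """Sanity check on the listing: every <func+N> must equal addr - start of function."""
    base = insns[0].addr
    return all(i.offset == i.addr - base for i in insns)

def local_frame_size(insns: list[Insn]) -> int:
    """Bytes reserved for locals: the 'sub $N,%esp' right after 'mov %esp,%ebp' (8 = char *name[2])."""
    for prev, cur in zip(insns, insns[1:]):
        if (prev.mnemonic, prev.operands) == ("mov", "%esp,%ebp") and \
                cur.mnemonic == "sub" and cur.operands.endswith(",%esp"):
            return _imm(cur.operands)
    return 0

def argument_area(insns: list[Insn], callee: str) -> tuple[int, int, int]:
    """(bytes pushed as arguments, padding from an explicit sub, bytes cleaned up after the call).
    Assumes 32-bit x86 (push = 4 bytes); pad > 0 means the compiler rounded the call site up."""
    idx = next(k for k, i in enumerate(insns) if i.mnemonic == "call" and callee in i.operands)
    args = pad = 0
    for i in reversed(insns[:idx]):           # walk back over the argument set-up
        if i.mnemonic in ("push", "pushl"):
            args += 4
        elif i.mnemonic == "sub" and i.operands.endswith(",%esp"):
            pad += _imm(i.operands)
        elif i.mnemonic != "lea":             # lea only computes &name[0]; it does not move %esp
            break
    after = insns[idx + 1]
    cleanup = _imm(after.operands) if (after.mnemonic, after.operands[-5:]) == ("add", ",%esp") else 0
    return args, pad, cleanup

def is_plt_stub(insns: list[Insn]) -> bool:
    """Dynamically linked calls go through a PLT trampoline: jmp *GOT-slot, push reloc index,
    jmp to the lazy resolver. 'disassemble execve' shows that stub, not libc's execve itself."""
    if len(insns) != 3:
        return False
    a, b, c = insns
    return (a.mnemonic == "jmp" and a.operands.startswith("*") and b.mnemonic == "push"
            and b.operands.startswith("$") and c.mnemonic == "jmp" and not c.operands.startswith("*"))

if __name__ == "__main__":
    funcs = parse_dump(GDB_DUMP)
    print(local_frame_size(funcs["main"]), argument_area(funcs["main"], "execve"), is_plt_stub(funcs["execve"]))
```

Running it on the listing above reports an 8-byte local frame, a call site of (12, 4, 16), and True for the execve stub. The same parser can be pointed at the book's listing, pasted into GDB_DUMP, to see which of these numbers actually change between the two compilers; the padding and the PLT stub are the usual suspects when two disassemblies of the same source look different.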