1596, 1/80 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   ^^
   [Æß]Ptrace¸¦ ÀÌ¿ëÇÑ Àç¹Ì´Â ÇØÅ·.

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=475 [º¹»ç]


/*
*   PtraceÀ» ÀÌ¿ëÇÑ Àç¹Õ´Â ÇØÅ·
*   ¹Ú¼ºÇö psh21a@hanmail.net
*   http://psh21a.org, http://psh21a.ttongfly.net
*/



ptrace´Â »ý¼ºµÈ ÇÁ·Î¼¼½º¿¡ ´ëÇÑ Á¤º¸¸¦ ÃßÀûÇϱâ À§ÇØ ¸¸µé¾îÁø
½Ã½ºÅÛ ÄÝÀÌ´Ù.
µð¹ö°Å¸¦ ÀÌ¿ëÇÏ¿© Àç¹Õ´Â ÇØÅ·À» ÇÒ ¼ö ÀÖ´Ù.

[psh21a@psh21a ptrace]$ cat euid.c
int main()
{
        int uid;
        uid = geteuid();

        if(uid == 0){
                printf("You Are Roo\n");
        }

        printf("%d\n", uid);
}
[psh21a@psh21a ptrace]$ gcc -o euid euid.c -g -static

Áö±Ý ÀÌ ¼Ò½º´Â geteuid()ÇÔ¼ö¸¦ ÀÌ¿ëÇÏ¿©, euid¸¦ ¹Þ¾Æ¿Â´Ù. ±×·¡¼­ uid¿¡
ÇÒ´çÇÑÈÄ¿¡ if¹®¿¡¼­ uid°¡ 0À̶û °°ÀºÁö È®ÀÎÀ» Çؼ­ °°´Ù¸é You are ROOT
¶ó´Â ¹®ÀåÀ» Ãâ·ÂÇÏ°Ô ÇØÁØ´Ù.
±×·±µ¥ uid°¡ 0ÀÌ¸é ·çÆ® ±ÇÇÑÀÌ ÀÖ´Ù´Â ¶æÀε¥ °ú¿¬ ¾î¶»°Ô ÇÒ±î?
uid°¡ 0À̶û °°Áö ¾Ê´Ù¸é Áö±Ý ÀÚ±âÀÚ½ÅÀÇ uid¸¦ º¸¿©ÁÖ°í ³¡ÀÌ ³­´Ù.
ÀÌ ÀÛ¾÷À» ÇÒ¶§´Â ²À ·çÆ®°¡ ¾Æ´Ñ ÀϹݰèÁ¤À¸·Î ÇؾßÇÑ´Ù.

µð¹ö°Å¸¦ ÀÌ¿ëÇؼ­ Àç¹Õ´Â°É Çغ¸°Ú´Ù.

(gdb) disas main
Dump of assembler code for function main:
0x080481d0 <main+0>:    push   %ebp
0x080481d1 <main+1>:    mov    %esp,%ebp
0x080481d3 <main+3>:    sub    $0x8,%esp
0x080481d6 <main+6>:    and    $0xfffffff0,%esp
0x080481d9 <main+9>:    mov    $0x0,%eax
0x080481de <main+14>:   sub    %eax,%esp
0x080481e0 <main+16>:   call   0x804da10 <geteuid>
0x080481e5 <main+21>:   mov    %eax,0xfffffffc(%ebp)
0x080481e8 <main+24>:   cmpl   $0x0,0xfffffffc(%ebp)
0x080481ec <main+28>:   jne    0x80481fe <main+46>
0x080481ee <main+30>:   sub    $0xc,%esp
0x080481f1 <main+33>:   push   $0x808ef68
0x080481f6 <main+38>:   call   0x80488c4 <printf>
0x080481fb <main+43>:   add    $0x10,%esp
0x080481fe <main+46>:   sub    $0x8,%esp
0x08048201 <main+49>:   pushl  0xfffffffc(%ebp)
0x08048204 <main+52>:   push   $0x808ef76
0x08048209 <main+57>:   call   0x80488c4 <printf>
0x0804820e <main+62>:   add    $0x10,%esp
0x08048211 <main+65>:   leave
0x08048212 <main+66>:   ret
End of assembler dump.

geteuidÇÔ¼ö°¡ È£ÃâµÈ´Ù.

(gdb) disas geteuid
Dump of assembler code for function geteuid:
0x0804da10 <geteuid+0>: mov    0x80a36b0,%eax
0x0804da15 <geteuid+5>: push   %ebp
0x0804da16 <geteuid+6>: test   %eax,%eax
0x0804da18 <geteuid+8>: mov    %esp,%ebp
0x0804da1a <geteuid+10>:        jle    0x804da28 <geteuid+24>
0x0804da1c <geteuid+12>:        mov    $0x31,%eax
0x0804da21 <geteuid+17>:        int    $0x80
0x0804da23 <geteuid+19>:        leave
0x0804da24 <geteuid+20>:        ret
0x0804da25 <geteuid+21>:        lea    0x0(%esi),%esi
0x0804da28 <geteuid+24>:        mov    $0xc9,%eax
0x0804da2d <geteuid+29>:        int    $0x80
0x0804da2f <geteuid+31>:        cmp    $0xfffff000,%eax
0x0804da34 <geteuid+36>:        jbe    0x804da23 <geteuid+19>
0x0804da36 <geteuid+38>:        cmp    $0xffffffda,%eax
0x0804da39 <geteuid+41>:        jne    0x804da23 <geteuid+19>
0x0804da3b <geteuid+43>:        movl   $0x1,0x80a36b0
0x0804da45 <geteuid+53>:        jmp    0x804da1c <geteuid+12>
0x0804da47 <geteuid+55>:        nop
End of assembler dump.

¿ì¸®´Â geteuidÇÔ¼ö¿¡¼­ ret ÇϱâÀü¿¡ ºê·¹ÀÌÅ©¸¦ °É¾î¼­ uid°¡ 0ÀÌ
µÇµµ·Ï ¸¸µé¾îº¼°ÍÀÌ´Ù.
±×·¯±â À§Çؼ­ ¿ì¸®´Â ret¿¡ ºê·¹ÀÌÅ©¸¦ °É¾î¾ßÇÑ´Ù.

(gdb) break *geteuid+20
Breakpoint 1 at 0x804da24

±×·± ÈÄ¿¡ ½ÇÇàÀ» ½ÃŲ´Ù.

(gdb) run
Starting program: /home/psh21a/test/ptrace/euid

Breakpoint 1, 0x0804da24 in geteuid ()

½ÇÇàÀ» ½ÃÅ°¸é geteuid()¾È¿¡¼­ 0x0804da24¿¡¼­ ºê·¹ÀÌÅ©°¡ °É·È´Ù°í ³ª¿Â´Ù.

(gdb) info reg
eax            0x1f4    500
ecx            0x33f    831
edx            0x37f    895
ebx            0xbffff3bc       -1073744964
esp            0xbffff14c       0xbffff14c
ebp            0xbffff158       0xbffff158
esi            0xbffff3b4       -1073744972
edi            0x1      1
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

·¹Áö½ºÅ͵éÀÇ °ªÀ» º¸¿©ÁØ´Ù.
Àú±â º¸¸é eax¿¡ Áö±Ý 500À̶ó´Â Áö±Ý ¾ÆÀ̵ðÀÇ uid°¡ ³ª¿Â´Ù.
Àú±â eax ºÎºÐÀ» ¹Ù²ãÁØ´Ù.

(gdb) set $eax = 0
(gdb) info reg
eax            0x0      0
ecx            0x33f    831
edx            0x37f    895
ebx            0xbffff3bc       -1073744964
esp            0xbffff14c       0xbffff14c
ebp            0xbffff158       0xbffff158
esi            0xbffff3b4       -1073744972
edi            0x1      1
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

eax·¹Áö½ºÅÍÀÇ °ªÀÌ ¹Ù²ï°ÍÀ» º¼ ¼ö ÀÖ´Ù.

(gdb) c
Continuing.

Breakpoint 1, 0x0804da24 in geteuid ()
(gdb) info reg
eax            0x1f4    500
ecx            0x2f2f2f2f       791621423
edx            0x80a3ebc        134889148
ebx            0x8048584        134514052
esp            0xbffff16c       0xbffff16c
ebp            0xbffff178       0xbffff178
esi            0x2d     45
edi            0x20414  132116
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0

´Ù½Ã eax°¡ 500À¸·Î µ¹¾Æ¿Ô´Ù. ±×·³ ´Ù½Ã 0À¸·Î ¹Ù²ãÁØ´Ù.

(gdb) set $eax = 0
(gdb) info reg
eax            0x0      0
ecx            0x2f2f2f2f       791621423
edx            0x80a3ebc        134889148
ebx            0x8048584        134514052
esp            0xbffff16c       0xbffff16c
ebp            0xbffff178       0xbffff178
esi            0x2d     45
edi            0x20414  132116
eip            0x804da24        0x804da24
eflags         0x203    515
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb) c
Continuing.
You Are Root
0

Program exited with code 02.
(gdb)

ÀÌ·¸°Ô ÇÏ°Ô µÇ¸é ROOT¶ó°í ¶ß´Â°ÍÀ» º¼ ¼ö ÀÖÀ»°ÍÀÌ´Ù.
¾Æ¾Æ.. ÀÌ ¾ó¸¶³ª ±â»Û ¼ø°£Àΰ¡!

ps. ptrace¿¡ ´ëÇؼ­ ´õ ¾Ë°í ½ÍÀ¸¸é googleÀ» ÀÌ¿ëÇؼ­ °Ë»öÇغ¸½Ã±æ!
  Hit : 13708     Date : 2006/02/08 11:20


    
ckdmsghcoh ¤»¤» ¿ØÁö ¾ÈµÉµíÇÑ .¤Ñ,.,.,.,., 2006/02/09  
mzzang ÀÌ»óÇÏ°Ô ptrace´Â Çѹøµµ ¾È¾²½Ã±¸ gdb¸¸ ¾²½Åµí...???? 2006/02/10  
whqkdnf000 ¾ÈµÅ¿ä-_- 2007/02/26  
exceed@null gdb¸¸ ¾²³×... 2007/07/16  
     [°øÁö] °­Á¸¦ ¿Ã¸®½Ç ¶§´Â ¸»¸Ó¸®¸¦ ´Þ¾ÆÁÖ¼¼¿ä^¤Ñ^ [29] ¸Û¸Û 02/27 19450
1595   [pwnable.kr] Shellshock[1]     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/23 96
1594   ShellshockÀÇ ±âº» ¿ä¾à     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/23 77
1593   [pwnable.kr] fd     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/23 70
1592   VPNÀÌ ¿¬°áµÇ¾ú´Ù°¡ µµÁß¿¡ ²¨µµ À¥ ºê¶ó¿ìÀú»ó¿¡¼­ À¯ÁöµÇ´Â ÀÌÀ¯     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/22 77
1591   ÇØÄ¿µéÀÌ ÇØÅ·½Ã »ç¿ëÇÏ´Â µð·ºÅ丮 °ø°£[1]     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/22 115
1590   Keyboard Hooking -part2 - (Python3 ver)     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/20 84
1589   [Windows API] Keyboard Hooking     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/20 74
1588   [pwnable.kr] cmd1 °ø·«     ÇØÅ·ÀßÇÏ°í½Í´Ù
 10/23 236
1587   netdiscover ÆÄÀ̽ãÀ¸·Î ±¸ÇöÇϱ⠠   ÇØÅ·ÀßÇÏ°í½Í´Ù
 08/13 515
1586   ÆÄÀ̽ãÀ» ÀÌ¿ëÇÑ ½ÉÇà À¥ Å©·Ñ·¯     ÇØÅ·ÀßÇÏ°í½Í´Ù
 08/13 407
1585   ÆÄÀ̽ã random¸ðµâÀ» ÀÌ¿ëÇÑ ¼ýÀÚ¸ÂÃ߱⠰ÔÀÓ ±¸Çö     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/30 957
1584   ÆÄÀ̽ã äÆà ÇÁ·Î±×·¥ ±¸Çö     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/28 847
1583   ÆÄÀ̽㠼ÒÄÏ ÇÁ·Î±×·¡¹ÖÀÇ ±âÃÊ     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/26 987
1582   ¸®´ª½º À¥ ·Î±× ºÐ¼®     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/20 675
1581   ¸®´ª½º/À©µµ¿ì º¸¾È Àåºñ ·Î±×     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/20 826
1580   °í¼ö´ÔµéÀÇ µµ¿òÀ» ¹Þ°í ½Í½À´Ï´Ù     vbnm111
 02/11 914
1579   ¸®´ª½º Ä¿³Î 2.6 ¹öÀü ÀÌÈÄÀÇ LKM     jdo
 07/25 1430
1578   ½©ÄÚµå ¸ðÀ½     ÇØÅ·ÀßÇÏ°í½Í´Ù
 01/15 2306
1577   Call by value VS Call by Reference     ÇØÅ·ÀßÇÏ°í½Í´Ù
 01/15 1608
1 [2][3][4][5][6][7][8][9][10]..[80]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org