1597, 1/80 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   ÇØÅ·ÀßÇÏ°í½Í´Ù
   http://¾øÀ½
   [pwnable.kr] cmd1 °ø·«

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8583 [º¹»ç]


PS C:\Users\mark> ssh cmd1@pwnable.kr -p2222
cmd1@pwnable.kr's password:
____  __    __  ____    ____  ____   _        ___      __  _  ____
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    /
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|

- Site admin : daehee87@khu.ac.kr
- irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
You have mail.
Last login: Tue Oct 22 20:36:27 2024 from
cmd1@pwnable:~$ ls -al
total 40
drwxr-x---   5 root cmd1     4096 Mar 23  2018 .
drwxr-xr-x 116 root root     4096 Oct 30  2023 ..
d---------   2 root root     4096 Jul 12  2015 .bash_history
-r-xr-sr-x   1 root cmd1_pwn 8513 Jul 14  2015 cmd1
-rw-r--r--   1 root root      320 Mar 23  2018 cmd1.c
-r--r-----   1 root cmd1_pwn   48 Jul 14  2015 flag
dr-xr-xr-x   2 root root     4096 Jul 22  2015 .irssi
drwxr-xr-x   2 root root     4096 Oct 23  2016 .pwntools-cache
cmd1@pwnable:~$









cmd1@pwnable:~$ cat cmd1.c
#include <stdio.h>
#include <string.h>

int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "flag")!=0;
        r += strstr(cmd, "sh")!=0;
        r += strstr(cmd, "tmp")!=0;
        return r;
}

int main(int argc, char* argv[], char** envp){
        putenv("PATH=/thankyouverymuch");
        if(filter(argv[1])) return 0;
        system( argv[1] );
        return 0;
}

cmd1@pwnable:~$




Äڵ带 Çؼ®ÇÏÀÚ¸é putenv·Î ȯ°æº¯¼ö¸¦ µî·ÏÇÏ°í
filterÇÔ¼ö°¡ ÂüÀ» ¸®ÅÏÇϸé ÇÁ·Î±×·¥À» Á¾·áÇÑ´Ù.
»ý°¢À» °õ°õÈ÷ Çغ¸´Ï ȯ°æº¯¼ö·Î ±ÇÇÑ »ó½ÂÀ» ÇÏ´Â °æ¿ì¿Í
ÇÊÅÍ ÇÔ¼ö°¡ °ÅÁþÀ» ¸®ÅÏÇßÀ» ¶§, systemÇÔ¼ö·Î argv[1]°ªÀ»
½ÇÇàÇÏ´Â °ÍÀÌ ÀÖ´Â °Í °°Àºµ¥...

ÀÏ´ÜÀº ½¬¿î ¹æ¹ýÀÌ ÇÊÅÍ ÇÔ¼ö°¡ °ÅÁþ(0ÀÇ °ªÀ» ¸®ÅÏÇÑ´Ù¸é)À» ¸®ÅÏÇϸ鼭
/bin/sh, /bin/bash¿Í °°Àº ½©À» ½ÇÇà½ÃÅ°¸é ±ÇÇÑ »ó½Â°ú ÇÔ²²
°ø°ÝÀÌ °¡´ÉÇÏ´Ù´Â °á·ÐÀ» µµÃâÇÏ°Ô µÇ¾ú´Ù.

filter ÇÔ¼ö¸¦ ÀÚ¼¼È÷ ºÃ´Ù.

int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "flag")!=0;
        r += strstr(cmd, "sh")!=0;
        r += strstr(cmd, "tmp")!=0;
        return r;
}

filterÇÔ¼ö°¡ returnÇßÀ» ¶§ ±× °ªÀÌ 0ÀÌ ¾Æ´Ñ °ªÀ» ¸®ÅÏÇÑ´Ù¸é
system(argv[1])¸¦ ½ÇÇàÇÒ °ÍÀÌ ¾Æ´Ñ°¡?
filterÇÔ¼ö¸¦ Çؼ®Çغ¸´Ï 'flag'¹®ÀÚ¿Í 'sh'¹®ÀÚ¿Í 'tmp'¹®ÀÚ°¡ ÀÖ´Ù¸é
0À» ¸®ÅÏÇÏ¿© mainÇÔ¼ö¿¡¼­ systemÇÔ¼ö¸¦ ½ÇÇà½Ãų ¼ö ¾ø°Ô µÈ´Ù´Â
°á·ÐÀ» µµÃâÇÒ ¼ö ÀÖ´Ù.

¿©±â¼­ ÇÑ °¡Áö, LinuxÀÇ bin µð·ºÅ͸®¿¡ ´ëÇØ ¾Ë°í ³Ñ¾î°¡º¸ÀÚ ÇÑ´Ù.




bin µð·ºÅ͸®¶õ?

¸®´ª½ºÀÇ /bin µð·ºÅ͸®´Â ½Ã½ºÅÛÀÇ ±âº» ¸í·É¾îµéÀÌ À§Ä¡ÇÑ µð·ºÅ͸®´Ù.
ÀÌ µð·ºÅ͸®¿¡´Â ÀÏ¹Ý »ç¿ëÀÚ¿Í ½Ã½ºÅÛ °ü¸®ÀÚ ¸ðµÎ°¡ »ç¿ëÇÒ ¼ö ÀÖ´Â
ÇÙ½ÉÀûÀÎ ¸í·É¾îµéÀÌ Æ÷ÇԵǾî ÀÖ´Ù.

/binÀÇ ÁÖ¿ä Ư¡Àº ´ÙÀ½°ú °°´Ù:

1. ±âº» ¸í·É¾î À§Ä¡

/bin¿¡´Â ÆÄÀÏ ½Ã½ºÅÛÀÇ ±âº» °ü¸®, ³×Æ®¿öÅ© ¼³Á¤, ÆÄÀÏ Á¶ÀÛ µîÀÇ ÀÛ¾÷À»
¼öÇàÇÏ´Â µ¥ ÇÊ¿äÇÑ ¸í·É¾îµéÀÌ Æ÷ÇԵǾî ÀÖ´Ù.
¿¹¸¦ µé¾î, ls, cp, mv, rm, cat, echo µîÀÌ ¿©±â¿¡ ¼ÓÇÑ´Ù.

¶ÇÇÑ ºñ½ÁÇÑ µð·ºÅ͸®·Î /usr/binÀÌ Àִµ¥,
/usr/bin¿¡´Â ºÎÆà ÀÌÈÄ ÀϹÝÀûÀÎ ÀÛ¾÷¿¡ »ç¿ëµÇ´Â ¸í·É¾îµéÀÌ Æ÷ÇԵȴÙ.
/bin°ú´Â ´Þ¸® /usr/binÀº Çʼö ½Ã½ºÅÛ ¸í·É¾î ¿Ü¿¡
Ãß°¡ÀûÀÎ ÀÀ¿ë ÇÁ·Î±×·¥À» Á¦°øÇÑ´Ù.








¸®´ª½º ¸í·É¾îÁß¿¡ ÆÄÀÏ ³»¿ëÀ» Àд ¸í·É¾îÀÎ catÀ̶ó´Â ¸í·É¾î°¡ ÀÖ´Ù.
±×¸®°í flag¶ó´Â °ªÀ» Àоî¾ß µÇ´Âµ¥ *(¾Ö½ºÅ͸®½ºÅ©¶ó°í ºÎ¸§)¸¦ ÀÔ·ÂÇϸé...

'ab*'¶ó°í ÀÔ·ÂÇϸé flµÚ¿¡ ¾î¶² ¹®ÀÚ°¡ ¿Àµç ab¸¸ ¿Â´Ù¸é ¸ðµç ¹®ÀÚ¸¦ Æ÷ÇÔÇÏ°í
'*cd'¶ó°í ÀÔ·ÂÇϸé 'cd'¹®ÀÚ ¾Õ¿¡ ¾î¶² ¹®ÀÚ°¡ ¿Àµç ¸ðµç ¹®ÀÚ¸¦ Æ÷ÇÔÇÑ´Ù.




»ç½Ç ³»°¡ ¾²°íµµ ³»°¡ ¹«½¼ ¸» ÇÏ´ÂÁö ¸ð¸£°Ú´Âµ¥
ÇÊÀÚÀÇ ºÎÁ·ÇÑ ÇÊ·ÂÀ» ÀÌÇØÇÏ±æ ¹Ù¶õ´Ù...







cmd1@pwnable:~$ ./cmd1 "/bin/cat fl*"



ÀÌ·¸°Ô ÀÔ·ÂÇϸé cmd1ÀÇ flag°ªÀÌ Ãâ·ÂµÈ´Ù.

  Hit : 265     Date : 2024/10/23 10:04



    
     [°øÁö] °­Á¸¦ ¿Ã¸®½Ç ¶§´Â ¸»¸Ó¸®¸¦ ´Þ¾ÆÁÖ¼¼¿ä^¤Ñ^ [29] ¸Û¸Û 02/27 19480
1596   [pwnable.kr] bof     ÇØÅ·ÀßÇÏ°í½Í´Ù
12/25 12
1595   [pwnable.kr] Shellshock[1]     ÇØÅ·ÀßÇÏ°í½Í´Ù
11/23 127
1594   ShellshockÀÇ ±âº» ¿ä¾à     ÇØÅ·ÀßÇÏ°í½Í´Ù
11/23 109
1593   [pwnable.kr] fd     ÇØÅ·ÀßÇÏ°í½Í´Ù
11/23 104
1592   VPNÀÌ ¿¬°áµÇ¾ú´Ù°¡ µµÁß¿¡ ²¨µµ À¥ ºê¶ó¿ìÀú»ó¿¡¼­ À¯ÁöµÇ´Â ÀÌÀ¯     ÇØÅ·ÀßÇÏ°í½Í´Ù
11/22 111
1591   ÇØÄ¿µéÀÌ ÇØÅ·½Ã »ç¿ëÇÏ´Â µð·ºÅ丮 °ø°£[1]     ÇØÅ·ÀßÇÏ°í½Í´Ù
11/22 150
1590   Keyboard Hooking -part2 - (Python3 ver)     ÇØÅ·ÀßÇÏ°í½Í´Ù
11/20 128
1589   [Windows API] Keyboard Hooking     ÇØÅ·ÀßÇÏ°í½Í´Ù
11/20 104
  [pwnable.kr] cmd1 °ø·«     ÇØÅ·ÀßÇÏ°í½Í´Ù
10/23 264
1587   netdiscover ÆÄÀ̽ãÀ¸·Î ±¸ÇöÇϱ⠠   ÇØÅ·ÀßÇÏ°í½Í´Ù
08/13 542
1586   ÆÄÀ̽ãÀ» ÀÌ¿ëÇÑ ½ÉÇà À¥ Å©·Ñ·¯     ÇØÅ·ÀßÇÏ°í½Í´Ù
08/13 431
1585   ÆÄÀ̽ã random¸ðµâÀ» ÀÌ¿ëÇÑ ¼ýÀÚ¸ÂÃ߱⠰ÔÀÓ ±¸Çö     ÇØÅ·ÀßÇÏ°í½Í´Ù
05/30 985
1584   ÆÄÀ̽ã äÆà ÇÁ·Î±×·¥ ±¸Çö     ÇØÅ·ÀßÇÏ°í½Í´Ù
05/28 876
1583   ÆÄÀ̽㠼ÒÄÏ ÇÁ·Î±×·¡¹ÖÀÇ ±âÃÊ     ÇØÅ·ÀßÇÏ°í½Í´Ù
05/26 1027
1582   ¸®´ª½º À¥ ·Î±× ºÐ¼®     ÇØÅ·ÀßÇÏ°í½Í´Ù
05/20 693
1581   ¸®´ª½º/À©µµ¿ì º¸¾È Àåºñ ·Î±×     ÇØÅ·ÀßÇÏ°í½Í´Ù
05/20 840
1580   °í¼ö´ÔµéÀÇ µµ¿òÀ» ¹Þ°í ½Í½À´Ï´Ù     vbnm111
02/11 930
1579   ¸®´ª½º Ä¿³Î 2.6 ¹öÀü ÀÌÈÄÀÇ LKM     jdo
07/25 1445
1578   ½©ÄÚµå ¸ðÀ½     ÇØÅ·ÀßÇÏ°í½Í´Ù
01/15 2328
1 [2][3][4][5][6][7][8][9][10]..[80]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org