-- crypt --
bash-2.05a$
ln -sf /usr/sbin/crypt vuln
bash-2.05a$
gdb ./vuln
GNU
gdb Red Hat Linux (5.1.90CVS-5)
Copyright
2002 Free Software Foundation, Inc.
GDB
is free software, covered by the GNU General Public
License, and you are
welcome
to change it and/or distribute copies of it under certain
conditions.
Type
"show copying" to see the conditions.
There
is absolutely no warranty for GDB. Type "show warranty"
for details.
This
GDB was configured as "i386-redhat-linux"...
(gdb)
disas main
Dump
of assembler code for function main:
0x8048510
<main>:push %ebp
0x8048511
<main+1>:mov %esp,%ebp
0x8048513
<main+3>:push %edi
0x8048514
<main+4>:push %esi
0x8048515
<main+5>:sub $0x60,%esp
0x8048518
<main+8>:lea 0xffffffd8(%ebp),%edi
0x804851b
<main+11>:mov $0x8048658,%esi
0x8048520
<main+16>:cld
0x8048521
<main+17>:mov $0x15,%ecx
0x8048526
<main+22>:repz movsb %ds:(%esi),%es:(%edi)
0x8048528
<main+24>:movb $0x0,0xffffffed(%ebp)
0x804852c
<main+28>:lea 0xffffffb8(%ebp),%edi
0x804852f
<main+31>:mov $0x804866d,%esi
0x8048534
<main+36>:cld
0x8048535
<main+37>:mov $0x15,%ecx
0x804853a
<main+42>:repz movsb %ds:(%esi),%es:(%edi)
0x804853c
<main+44>:movb $0x0,0xffffffcd(%ebp)
0x8048540
<main+48>:lea 0xffffffa8(%ebp),%edi
0x8048543
<main+51>:mov $0x8048682,%esi
0x8048548
<main+56>:cld
0x8048549
<main+57>:mov $0xd,%ecx
0x804854e
<main+62>:repz movsb %ds:(%esi),%es:(%edi)
---Type
<return> to continue, or q <return> to quit---
0x8048550
<main+64>:sub $0x8,%esp
0x8048553
<main+67>:push $0x80485d4
0x8048558
<main+72>:push $0x3
0x804855a
<main+74>:call 0x8048394 <signal>
0x804855f
<main+79>:add $0x10,%esp
0x8048562
<main+82>:sub $0x8,%esp
0x8048565
<main+85>:push $0x80485d4
0x804856a
<main+90>:push $0x2
0x804856c
<main+92>:call 0x8048394 <signal>
0x8048571
<main+97>:add $0x10,%esp
0x8048574
<main+100>:sub $0xc,%esp
0x8048577
<main+103>:push $0x804868f
0x804857c
<main+108>:call 0x80483a4 <getpass>
0x8048581
<main+113>:add $0x10,%esp
0x8048584
<main+116>:mov %eax,0xffffffa4(%ebp)
0x8048587
<main+119>:sub $0x8,%esp
0x804858a
<main+122>:pushl 0xffffffa4(%ebp)
0x804858d
<main+125>:lea 0xffffffa8(%ebp),%eax
0x8048590
<main+128>:add $0x5,%eax
0x8048593
<main+131>:push %eax
0x8048594
<main+132>:call 0x8048384 <strcmp>
0x8048599
<main+137>:add $0x10,%esp
0x804859c
<main+140>:mov %eax,%eax
---Type
<return> to continue, or q <return> to quit---
0x804859e
<main+142>:test %eax,%eax
0x80485a0
<main+144>:je 0x80485bc <main+172>
0x80485a2
<main+146>:sub $0xc,%esp
0x80485a5
<main+149>:push $0x804869a
0x80485aa
<main+154>:call 0x80483e4 <printf>
0x80485af
<main+159>:add $0x10,%esp
0x80485b2
<main+162>:sub $0xc,%esp
0x80485b5
<main+165>:push $0xffffffff
0x80485b7
<main+167>:call 0x80483f4 <exit>
0x80485bc
<main+172>:sub $0xc,%esp
0x80485bf
<main+175>:push $0x80486a8
0x80485c4
<main+180>:call 0x80483e4 <printf>
0x80485c9
<main+185>:add $0x10,%esp
0x80485cc
<main+188>:lea 0xfffffff8(%ebp),%esp
0x80485cf
<main+191>:pop %esi
0x80485d0
<main+192>:pop %edi
0x80485d1
<main+193>:pop %ebp
0x80485d2
<main+194>:ret
0x80485d3
<main+195>:nop
End
of assembler dump.
(gdb)
q
bash-2.05a$
./vuln
Password:
틀렸습니다.   (EUC-KR for "Incorrect."; the original capture rendered the bytes as Latin-1)
bash-2.05a$
strace ./vuln
execve("./vuln",
["./vuln"], [/* 18 vars */]) = 0
uname({sys="Linux",
node="localhost.localdomain", ...}) = 0
brk(0)
= 0x80497f0
open("/etc/ld.so.preload",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache",
O_RDONLY) = 3
fstat64(3,
{st_mode=S_IFREG|0644, st_size=23102, ...}) = 0
old_mmap(NULL,
23102, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40014000
close(3)
= 0
open("/lib/i686/libc.so.6",
O_RDONLY) = 3
read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`u\1B4\0"...,
1024) = 1024
fstat64(3,
{st_mode=S_IFREG|0755, st_size=1401027, ...}) = 0
old_mmap(0x42000000,
1264928, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000
mprotect(0x4212c000,
36128, PROT_NONE) = 0
old_mmap(0x4212c000,
20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x12c000)
= 0x4212c000
old_mmap(0x42131000,
15648, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x42131000
close(3)
= 0
munmap(0x40014000,
23102) = 0
brk(0)
= 0x80497f0
brk(0x8049820)
= 0x8049820
brk(0x804a000)
= 0x804a000
rt_sigaction(SIGQUIT,
{0x80485d4, [QUIT], SA_RESTART|0x4000000}, {SIG_DFL},
8) =
0
rt_sigaction(SIGINT,
{0x80485d4, [INT], SA_RESTART|0x4000000}, {SIG_DFL},
8) = 0
open("/dev/tty",
O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
ioctl(3,
SNDCTL_TMR_TIMEBASE, {B9600 opost isig icanon echo ...})
= 0
ioctl(3,
SNDCTL_TMR_CONTINUE, {B9600 opost -isig icanon -echo
...}) = 0
fstat64(3,
{st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...})
= 0
ioctl(3,
SNDCTL_TMR_TIMEBASE, {B9600 opost -isig icanon -echo
...}) = 0
mmap2(NULL,
4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x40014000
write(3,
"Password: ", 10Password: ) = 10
read(3,
"csa\n", 4096) = 4
write(3,
"\n", 1
)
= 1
ioctl(3,
SNDCTL_TMR_CONTINUE, {B9600 opost isig icanon echo ...})
= 0
close(3)
= 0
munmap(0x40014000,
4096) = 0
fstat64(1,
{st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...})
= 0
mmap2(NULL,
4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x40014000
write(1,
"\n", 1
)
= 1
write(1,
"\306\262\267\310\275\300\264\317\264\331.\n",
12틀렸습니다.
)
= 12
munmap(0x40014000,
4096) = 0
_exit(-1)
= ?
bash-2.05a$
gdb ./vuln
GNU
gdb Red Hat Linux (5.1.90CVS-5)
Copyright
2002 Free Software Foundation, Inc.
GDB
is free software, covered by the GNU General Public
License, and you are
welcome
to change it and/or distribute copies of it under certain
conditions.
Type
"show copying" to see the conditions.
There
is absolutely no warranty for GDB. Type "show warranty"
for details.
This
GDB was configured as "i386-redhat-linux"...
(gdb)
info func
All
defined functions:
Non-debugging
symbols:
0x0804834c
_init
0x08048374
__register_frame_info
0x08048384
strcmp
0x08048394
signal
0x080483a4
getpass
0x080483b4
__deregister_frame_info
0x080483c4
psignal
0x080483d4
__libc_start_main
0x080483e4
printf
0x080483f4
exit
0x08048410
_start
0x08048434
call_gmon_start
0x08048460
__do_global_dtors_aux
0x080484c0
fini_dummy
0x080484d0
frame_dummy
0x08048500
init_dummy
0x08048510
main
0x080485d4
handler
0x080485f0
__do_global_ctors_aux
0x08048620
init_dummy
---Type
<return> to continue, or q <return> to quit---
0x08048630
_fini
(gdb)
b strcmp   # per the disassembly, strcmp's first arg is -0x58(%ebp)+5, a buffer main copied from 0x8048682 — the reference password appears to be a constant embedded in the binary
Breakpoint
1 at 0x8048384
(gdb)
r
Starting
program: /usr/sbin/crypt
Breakpoint
1 at 0x4207fa70
Password:
Breakpoint
1, 0x4207fa70 in strcmp () from /lib/i686/libc.so.6
(gdb)
info reg
eax
0xbffffb35 -1073743051
ecx
0x0 0
edx
0x4212e110 1108533520
ebx
0x4213030c 1108542220
esp
0xbffffb0c 0xbffffb0c
ebp
0xbffffb88 0xbffffb88
esi
0x804868f 134514319
edi
0xbffffb3d -1073743043
eip
0x4207fa70 0x4207fa70
eflags
0x246 582
cs
0x23 35
ss
0x2b 43
ds
0x2b 43
es
0x2b 43
fs
0x0 0
gs
0x0 0
fctrl
0x37f 895
fstat
0x0 0
ftag
0xffff 65535
fiseg
0x0 0
fioff
0x0 0
foseg
0x0 0
fooff
0x0 0
---Type
<return> to continue, or q <return> to quit---
fop
0x00
xmm0
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm1
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm2
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm3
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm4
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm5
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm6
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm7
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
mxcsr
0x00
orig_eax
0xffffffff -1
(gdb)
step
Single
stepping until exit from function strcmp,
which
has no line number information.
0x08048599
in main ()
(gdb)
info stack
#0
0x08048599 in main ()
#1
0x42017499 in __libc_start_main () from /lib/i686/libc.so.6
(gdb)
info reg
eax
0x1 1
ecx
0xffffffff -1
edx
0x8049988 134519176
ebx
0x4213030c 1108542220
esp
0xbffffb10 0xbffffb10
ebp
0xbffffb88 0xbffffb88
esi
0x804868f 134514319
edi
0xbffffb3d -1073743043
eip
0x8048599 0x8048599
eflags
0x302 770
cs
0x23 35
ss
0x2b 43
ds
0x2b 43
es
0x2b 43
fs
0x0 0
gs
0x0 0
fctrl
0x37f 895
fstat
0x0 0
ftag
0xffff 65535
fiseg
0x0 0
fioff
0x0 0
foseg
0x0 0
fooff
0x0 0
---Type
<return> to continue, or q <return> to quit---
fop
0x00
xmm0
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm1
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm2
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm3
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm4
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm5
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm6
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm7
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
mxcsr
0x00
orig_eax
0xffffffff -1
(gdb)
step
Single
stepping until exit from function main,
which
has no line number information.
틀렸습니다.
Program
exited with code 0377.
(gdb)
q
bash-2.05a$
gdb ./vuln
GNU
gdb Red Hat Linux (5.1.90CVS-5)
Copyright
2002 Free Software Foundation, Inc.
GDB
is free software, covered by the GNU General Public
License, and you are
welcome
to change it and/or distribute copies of it under certain
conditions.
Type
"show copying" to see the conditions.
There
is absolutely no warranty for GDB. Type "show warranty"
for details.
This
GDB was configured as "i386-redhat-linux"...
(gdb)
disas main
Dump
of assembler code for function main:
0x8048510
<main>:push %ebp
0x8048511
<main+1>:mov %esp,%ebp
0x8048513
<main+3>:push %edi
0x8048514
<main+4>:push %esi
0x8048515
<main+5>:sub $0x60,%esp
0x8048518
<main+8>:lea 0xffffffd8(%ebp),%edi
0x804851b
<main+11>:mov $0x8048658,%esi
0x8048520
<main+16>:cld
0x8048521
<main+17>:mov $0x15,%ecx
0x8048526
<main+22>:repz movsb %ds:(%esi),%es:(%edi)
0x8048528
<main+24>:movb $0x0,0xffffffed(%ebp)
0x804852c
<main+28>:lea 0xffffffb8(%ebp),%edi
0x804852f
<main+31>:mov $0x804866d,%esi
0x8048534
<main+36>:cld
0x8048535
<main+37>:mov $0x15,%ecx
0x804853a
<main+42>:repz movsb %ds:(%esi),%es:(%edi)
0x804853c
<main+44>:movb $0x0,0xffffffcd(%ebp)
0x8048540
<main+48>:lea 0xffffffa8(%ebp),%edi
0x8048543
<main+51>:mov $0x8048682,%esi
0x8048548
<main+56>:cld
0x8048549
<main+57>:mov $0xd,%ecx
0x804854e
<main+62>:repz movsb %ds:(%esi),%es:(%edi)
---Type
<return> to continue, or q <return> to quit---
0x8048550
<main+64>:sub $0x8,%esp
0x8048553
<main+67>:push $0x80485d4
0x8048558
<main+72>:push $0x3
0x804855a
<main+74>:call 0x8048394 <signal>
0x804855f
<main+79>:add $0x10,%esp
0x8048562
<main+82>:sub $0x8,%esp
0x8048565
<main+85>:push $0x80485d4
0x804856a
<main+90>:push $0x2
0x804856c
<main+92>:call 0x8048394 <signal>
0x8048571
<main+97>:add $0x10,%esp
0x8048574
<main+100>:sub $0xc,%esp
0x8048577
<main+103>:push $0x804868f
0x804857c
<main+108>:call 0x80483a4 <getpass>
0x8048581
<main+113>:add $0x10,%esp
0x8048584
<main+116>:mov %eax,0xffffffa4(%ebp)
0x8048587
<main+119>:sub $0x8,%esp
0x804858a
<main+122>:pushl 0xffffffa4(%ebp)
0x804858d
<main+125>:lea 0xffffffa8(%ebp),%eax
0x8048590
<main+128>:add $0x5,%eax
0x8048593
<main+131>:push %eax
0x8048594
<main+132>:call 0x8048384 <strcmp>
0x8048599
<main+137>:add $0x10,%esp
0x804859c
<main+140>:mov %eax,%eax
---Type
<return> to continue, or q <return> to quit---
0x804859e
<main+142>:test %eax,%eax
0x80485a0
<main+144>:je 0x80485bc <main+172>
0x80485a2
<main+146>:sub $0xc,%esp
0x80485a5
<main+149>:push $0x804869a
0x80485aa
<main+154>:call 0x80483e4 <printf>
0x80485af
<main+159>:add $0x10,%esp
0x80485b2
<main+162>:sub $0xc,%esp
0x80485b5
<main+165>:push $0xffffffff
0x80485b7
<main+167>:call 0x80483f4 <exit>
0x80485bc
<main+172>:sub $0xc,%esp
0x80485bf
<main+175>:push $0x80486a8
0x80485c4
<main+180>:call 0x80483e4 <printf>
0x80485c9
<main+185>:add $0x10,%esp
0x80485cc
<main+188>:lea 0xfffffff8(%ebp),%esp
0x80485cf
<main+191>:pop %esi
0x80485d0
<main+192>:pop %edi
0x80485d1
<main+193>:pop %ebp
0x80485d2
<main+194>:ret
0x80485d3
<main+195>:nop
End
of assembler dump.
(gdb)
disas strcmp
Dump
of assembler code for function strcmp:
0x8048384
<strcmp>:jmp *0x80497b4
0x804838a
<strcmp+6>:push $0x8
0x804838f
<strcmp+11>:jmp 0x8048364 <_init+24>
End
of assembler dump.
(gdb)
disas signal
Dump
of assembler code for function signal:
0x8048394
<signal>:jmp *0x80497b8
0x804839a
<signal+6>:push $0x10
0x804839f
<signal+11>:jmp 0x8048364 <_init+24>
End
of assembler dump.
(gdb)
b 0x804859e
Function
"0x804859e" not defined.
(gdb)
b *0x804859e
Breakpoint
1 at 0x804859e
(gdb)
r
Starting
program: /usr/sbin/crypt
Password:
Breakpoint
1, 0x0804859e in main ()
(gdb)
info reg
eax
0x1 1
ecx
0xffffffff -1
edx
0x8049988 134519176
ebx
0x4213030c 1108542220
esp
0xbffffb20 0xbffffb20
ebp
0xbffffb88 0xbffffb88
esi
0x804868f 134514319
edi
0xbffffb3d -1073743043
eip
0x804859e 0x804859e
eflags
0x282 642
cs
0x23 35
ss
0x2b 43
ds
0x2b 43
es
0x2b 43
fs
0x0 0
gs
0x0 0
fctrl
0x37f 895
fstat
0x0 0
ftag
0xffff 65535
fiseg
0x0 0
fioff
0x0 0
foseg
0x0 0
fooff
0x0 0
---Type
<return> to continue, or q <return> to quit---
fop
0x00
xmm0
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm1
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm2
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm3
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm4
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm5
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm6
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm7
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
mxcsr
0x00
orig_eax
0xffffffff -1
(gdb)
step
Single
stepping until exit from function main,
which
has no line number information.
틀렸습니다.
Program
exited with code 0377.
(gdb)
r
Starting
program: /usr/sbin/crypt
Password:
Breakpoint
1, 0x0804859e in main ()
(gdb)
info reg
eax
0x1 1
ecx
0xffffffff -1
edx
0x8049988 134519176
ebx
0x4213030c 1108542220
esp
0xbffffb20 0xbffffb20
ebp
0xbffffb88 0xbffffb88
esi
0x804868f 134514319
edi
0xbffffb3d -1073743043
eip
0x804859e 0x804859e
eflags
0x282642
cs
0x2335
ss
0x2b43
ds
0x2b43
es
0x2b43
fs
0x00
gs
0x00
fctrl
0x37f895
fstat
0x00
ftag
0xffff65535
fiseg
0x00
fioff
0x00
foseg
0x00
fooff
0x00
---Type
<return> to continue, or q <return> to quit---
fop
0x00
xmm0
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm1
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm2
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm3
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm4
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm5
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm6
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
xmm7
{f = {0x0, 0x0, 0x0, 0x0}}{f = {0, 0, 0, 0}}
mxcsr
0x00
orig_eax
0xffffffff -1
(gdb)
set $eax=0   # overwrite strcmp()'s nonzero result so the test/je at 0x804859e takes the success branch without the password
(gdb)
c
Continuing.
성공!!   (EUC-KR for "Success!!")
Program
exited with code 010.
(gdb)
q
bash-2.05a$
exit
|