{"id":556,"date":"2020-03-14T05:00:10","date_gmt":"2020-03-13T20:00:10","guid":{"rendered":"http:\/\/ipwn.kr\/?p=556"},"modified":"2022-09-18T01:51:00","modified_gmt":"2022-09-17T16:51:00","slug":"pwnable-with-c-string-object_structure","status":"publish","type":"post","link":"http:\/\/ipwn.kr\/index.php\/2020\/03\/14\/pwnable-with-c-string-object_structure\/","title":{"rendered":"[pwnable with C++] string \uac1d\uccb4\uc758 \uad6c\uc870"},"content":{"rendered":"<h1>string \uba54\ubaa8\ub9ac \uad6c\uc870<\/h1>\n<hr>\n<pre><code class=\"language-cpp \">\/*nothing*\/\n#include &lt;string&gt;\n#include &lt;iostream&gt;\n\nusing namespace std;\n\nint main() {\n    string* test = new string();\n    getline(cin, *test);\n    return 0;\n}\n<\/code><\/pre>\n<p>\ucf54\ub4dc\ub294 \uc774\ub807\uac8c \uc9dc\ub193\uace0 \ub300\ucda9 \uba54\ubaa8\ub9ac \uad6c\uc870\ub9cc \ubd24\ub2e4.<\/p>\n<p>\uc774 \uc0c1\ud0dc\uc5d0\uc11c \ucc98\uc74c\uc5d4 \uac12\uc744 0x10\uc774\ud558\uc758 \uae38\uc774\ub85c \uc8fc\uace0 \ud799\uc744 \ud55c \ubc88 \ubd24\uc74c.<br \/>\n<code>(input : ipwnipwn\\n)<\/code><\/p>\n<pre><code class=\"language-Nothing \">pwndbg&gt; x\/24gx 0x613c10\n0x613c10:   0x0000000000000000  0x0000000000000031\n0x613c20:   0x0000000000613c30  0x0000000000000008\n0x613c30:   0x6e7770696e777069  0x0000000000000000\n0x613c40:   0x0000000000000000  0x0000000000000411\n0x613c50:   0x6e7770696e777069  0x000000000000000a\n0x613c60:   0x0000000000000000  0x0000000000000000\n0x613c70:   0x0000000000000000  0x0000000000000000\n0x613c80:   0x0000000000000000  0x0000000000000000\n0x613c90:   0x0000000000000000  0x0000000000000000\n0x613ca0:   0x0000000000000000  0x0000000000000000\n0x613cb0:   0x0000000000000000  0x0000000000000000\n0x613cc0:   0x0000000000000000  0x0000000000000000\n<\/code><\/pre>\n<p>\uc774\uac83\ub9cc \ubd10\ub3c4 \ub9ce\uc740 \uac78 \uc54c \uc218 \uc788\uc74c<\/p>\n<pre><code class=\"language-C \">\/*nothing*\/\nstruct string {\n    char *str;\n    __int64 size;\n    char buf[0x10];\n}\n<\/code><\/pre>\n<p>\ub300\ucda9 \uc774\ub7f0 \uad6c\uc870\ub85c \uc774\ub904\uc838 \uc788\uc74c. (\uac1d\uccb4\uc758 \uba54\ubaa8\ub9ac \uad6c\uc870\ub97c \ub530\ub77c\uc11c <code>struct<\/code>\ub85c \ud45c\ud604\ud55c \uac83)<br \/>\n\uadf8\ub9ac\uace0 <code>str<\/code>\uc740 <code>buf<\/code>\uc758 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0a8\ub2e4\ub294 \uac83\ub3c4 \uc54c \uc218 \uc788\uc74c.<\/p>\n<p>\ub610 \ubc84\ud37c\ub9c1 \ud558\uae30 \uc704\ud574\uc11c \uc785\ub825\ubc1b\uc740 \uac12\ub3c4 \ud799 \ud560\ub2f9\ud574\uc11c \uac70\uae30\uc5d0 \ubc1b\ub294\ub2e4\ub294 \uac83\ub3c4 \uc54c \uc218 \uc788\uc74c. (\ub4a4\uc5d0 \uc774\uc5b4\ubd99\uc5ec\uc9c4 \ud799\uc744 \ubcf4\uba74 \uc54c \uc218 \uc788\ub2e4.)<\/p>\n<p>\uc774\uc81c 0x10\ubcf4\ub2e4 \ub354 \uae34 \uac12\uc744 \ub123\uc5b4\uc918\ubcf4\uaca0\uc74c.<\/p>\n<p>\ub2f9\uc5f0\ud788 \uc6d0\ub798 \uc81c \uc704\uce58(<code>buf<\/code>)\uc5d0 0x10\ubcf4\ub2e4 \uae34 \uac12\uc744 \ub123\uc73c\uba74 <code>bof<\/code>\uac00 \ubc1c\uc0dd\ud558\ub2c8\uae4c \uadf8\ub807\uac8c \uad6c\ud604\ud558\uc9c4 \uc54a\uaca0\uc9c0?<\/p>\n<p><code>(input : AAAAAAAAAAAAAAAAAAAAAAA...)<\/code> \ub300\ucda9 \ub54c\ub824\ubc15\uc74c<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/ipwn.kr\/wp-content\/uploads\/2020\/03\/string_1-1.png\" alt=\"\" \/><\/p>\n<p>\uac11\uc790\uae30 \uc65c md \ubb38\ubc95\uc73c\ub85c \uba54\ubaa8\ub9ac \ubcf4\uc5ec\uc8fc\ub2e4\uac00 \uc0ac\uc9c4\uc744 \uc4f0\ub0d0\uba74 <code>parseheap<\/code> \uae30\ub2a5 \ub55c\uc5d0 \uae00\uc790\uac00 \uc548 \uc774\uc058\uac8c \uc9e4\ub824\uc11c \uadf8\ub807\ub2e4.<\/p>\n<p>\uc5ec\ud2bc <code>parseheap<\/code> \uae30\ub2a5\uc73c\ub85c \ud799\uc744 \ubcf4\uba74 \ubc8c\uc368\ubd80\ud130 \ud799\uc774 \ub354\ub7fd\ub2e4. \uadf8 \ub9d0\uc740 \uc989 \uc774\ub798\uc800\ub798 \uc5ec\ub7ec \uc791\uc5c5\ub4e4\uc744 \uac70\uce5c\ub2e4\ub294 \uac78 \uc54c \uc218 \uc788\uc74c.<\/p>\n<p>\uc774\uac74 <code>getline<\/code> \ud568\uc218 \ub0b4\ubd80 \uad6c\ud604\uc744 \ubd10\uc57c\ud558\ub294 \uac70\ub77c \uadc0\ucc2e\uc73c\ubbc0\ub85c \ud328\uc2a4. \ub098\uc911\uc5d0 \ubcf4\uc790.<\/p>\n<p>\ubcf4\uba74 <code>size<\/code>\ub294 \uc785\ub825\ubc1b\uc740 \ud06c\uae30\ub9cc\ud07c \uc81c\ub300\ub85c \ubcc0\uacbd \ub418\uc5b4\uc788\ub294 \uac78 \uc54c \uc218 \uc788\uace0, <code>str<\/code>\uc740 \uc785\ub825\ubc1b\uc740 \uac12\uc774 \ubcf5\uc0ac\ub41c \uadf8 \uc8fc\uc18c\uac00 \ubc15\ud78c\ub2e4.<\/p>\n<p>\uadf8\ub9ac\uace0 <code>buf + 8<\/code>\ucabd\uc744 \ubcf4\uba74 \uc77c\ub2e8 <code>buf<\/code>\uc5d0 \uc785\ub825\uac12\uc744 \uc4f0\ub294 \uac83 \uac19\uae34 \ud55c\ub370, \uc77c\ub828\uc758 \uc791\uc5c5\uc744 \uac70\uccd0\uc11c <code>buf<\/code>\ucabd\uc5d0\ub9cc \uac12\uc744 \uc5b4\ub5a4 \uac12\uc73c\ub85c \ucd08\uae30\ud654 \ud574\uc8fc\ub294 \uac83 \uac19\ub2e4.<\/p>\n<p>\ub057<\/p>\n<h2>\uacb0\ub860<\/h2>\n<hr>\n<pre><code class=\"language-C \">\/*nothing*\/\nstruct string {\n    char *str;\n    __int64 size;\n    union{\n        something...;\n        char buf[0x10];\n    }\n}\n<\/code><\/pre>\n<p>\uc704\uc758 \ud615\ud0dc\ub85c \uad6c\ud604\ub418\uc5b4 \uc788\ub294\ub4ef~!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>string \uba54\ubaa8\ub9ac \uad6c\uc870 \/*nothing*\/ #include &lt;string&gt; #include &lt;iostream&gt; using namespace std; int main() { string* test = new string(); getline(cin, *test); return 0; } \ucf54\ub4dc\ub294 \uc774\ub807\uac8c \uc9dc\ub193\uace0 \ub300\ucda9 \uba54\ubaa8\ub9ac \uad6c\uc870\ub9cc \ubd24\ub2e4. \uc774 \uc0c1\ud0dc\uc5d0\uc11c \ucc98\uc74c\uc5d4 \uac12\uc744 0x10\uc774\ud558\uc758 \uae38\uc774\ub85c \uc8fc\uace0 \ud799\uc744 \ud55c \ubc88 \ubd24\uc74c. (input : ipwnipwn\\n) pwndbg&gt; x\/24gx 0x613c10 0x613c10: 0x0000000000000000 0x0000000000000031 0x613c20: 0x0000000000613c30 0x0000000000000008 0x613c30:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,6],"tags":[],"class_list":["post-556","post","type-post","status-publish","format-standard","hentry","category-c","category-http-ipwn-kr-blog-pwnable"],"_links":{"self":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/556"}],"collection":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/comments?post=556"}],"version-history":[{"count":25,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/556\/revisions"}],"predecessor-version":[{"id":928,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/556\/revisions\/928"}],"wp:attachment":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/media?parent=556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/categories?post=556"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/tags?post=556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}