Buffer overflow illustration for students (linux, C)
My friend is a teacher of first-year CS students. We want to show them buffer overflow exploitation. But modern distributions are protected from simple buffer overflows:
HOME=`perl -e "print 'A'x269"` one_widely_used_utility_is_here --help
on debian (blame it)
Caught signal 11,
on modern commercial Red Hat
*** buffer overflow detected ***: /usr/bin/one_widely_used_utility_is_here terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xc321c1]
/lib/libc.so.6(__strcpy_chk+0x43)[0xc315e3]
/usr/bin/one_widely_used_utility_is_here[0x805xxxc]
/usr/bin/one_widely_used_utility_is_here[0x804xxxc]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb61e9c]
/usr/bin/one_widely_used_utility_is_here[0x804xxx1]
======= Memory map: ========
00336000-00341000 r-xp 00000000 08:02
2751047 /lib/libgcc_s-4.1.2-20080825.so.1
00341000-00342000 rwxp 0000a000 08:02
2751047 /lib/libgcc_s-4.1.2-20080825.so.1
008f3000-008f4000 r-xp 008f3000 00:00 0 [vdso]
The same detector fails for more synthetic examples from the internet.
How can we demonstrate buffer overflow with modern non-GPL distributions (there is no Debian in the classes)?
How can we
- DISABLE canary word checking in the stack?
- DISABLE the checking variants of strcpy/strcat?
- write an example (in plain C) with a working buffer overrun?
To disable the checking string functions from glibc you should change your exploitable example. Change all calls to strcpy and other functions with checking variants from to
This will magically disable the checking macros.
To turn off gcc protection, use options
To turn off the non-exec stack, use
or as a gcc linker option
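As an added example that is neither the question's nor this answer's code: the length test that glibc's __strcpy_chk performs behind strcpy when _FORTIFY_SOURCE is on, written out in plain C so students can see exactly what the Red Hat abort in the question detects. The helper repeat_char and the 256-byte buffer size are assumptions chosen to mirror the 269-byte HOME value from the question.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bounded copy: returns 0 on success, -1 when src plus its NUL would not
 * fit in dst_size bytes. On failure dst is left empty so the caller can
 * never read a half-copied, unterminated value. This is the same length
 * test glibc's __strcpy_chk does behind strcpy when _FORTIFY_SOURCE is
 * on; glibc then calls __chk_fail and aborts, which produces the
 * "*** buffer overflow detected ***" message shown in the question. */
int checked_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len + 1 > dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* For the common case where dst is a real array: sizeof(dst) is the
 * array size, the way __builtin_object_size gives glibc the size at
 * compile time. Not valid when dst is a pointer. */
#define CHECKED_STRCPY(dst, src) checked_strcpy((dst), sizeof(dst), (src))

/* Constructed helper: n copies of c, like perl -e "print 'A'x269" in the
 * question. Caller frees the result. */
char *repeat_char(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}
/* Stand-alone run: copy $HOME into a fixed 256-byte buffer (an assumed
 * size) and report whether it was accepted or rejected. */
int main(void)
{
    char home[256];
    const char *v = getenv("HOME");
    if (v && CHECKED_STRCPY(home, v) == 0)
        printf("HOME accepted: %s\n", home);
    else
        printf("HOME missing or longer than %zu bytes: rejected\n", sizeof home - 1);
    return 0;
}
```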
In my security and privacy class, they used virtual machines that had vulnerable programs compiled with an older version of GCC that did not have canaries. You can also use newer versions of GCC and use command-line switches to disable security features like stack-smashing detection.
Either way, you'll need to recompile the programs if you're on a modern Linux distribution.
After strcpy(), you have in x some ASCII from this string, but if this string is too long, it overrides the ESP address and the program fails. To protect from this and better illustrate buffer overrun, you must, before the declaration of x, declare some big buffer to protect your overflow from the ESP address (before x because variables are declared in memory in stack order).
Edit: You can illustrate it with the StackOverflow logo!!