Advanced buffer overflow of non-secure programming demonstration
Creation time: 2001-11-09
Article attribute: original
Article Source:
Http://xfocus.org/
Article submission:
Alert7 (sztcww_at_sina.com)
Advanced buffer overflow of non-secure programming demonstration
Author: alert7
Home:
http://www.xfocus.org/ http://www.whitecell.org/
Company: Huatai Net Anne
http://www.netguard.com.cn>
original:
http://community.core-sdi.com/~gera/insecureprogramming/insecureprogramming.tar.gz
Time: 2001-11-9
Disclaimer: Most demonstrations in the article come from QERA
We carefully constructed these highly explained demonstration procedures.
Some programs may have not only one way of use, and there is no mention. If you have
Good idea, remember mailto: alert7@xfocus.org, not correct or improper
Try the ax.
★★ A advanced buffer overflow
★ 1.1 demonstration one --- Blind obedience (Blind Obedience)
The defined buf is too small, and the data that needs COPY is not enough to accommodate.
/ * ABO1.C *
* specially crafted to feed your brey by gera@core-sdi.com * /
/ * DUMB EXAMPLE TO Let You Get Introduces ... * /
INT main (int Argc, char ** argv) {
Char BUF [256];
STRCPY (BUF, Argv [1]);
}
This is a very good example, very much to explain the problem: the program will copy Argv [1] to BUF, use
The STRCPY function does not do any boundary check. This gives us a chance to pass a long
Argv [1] goes in and covers data behind the BUF in the stack. You need to use all the tools to view
What is the important thing behind the buf, and then you can construct the touchpad needed for Exploit.
★ 1.2 Demo 2 ---- Execution Flow
Take a look at this program
/ * ABO2.C *
* specially crafted to feed your brey by gera@core-sdi.com * /
/ * This is a tricky example to make you think *
* And Give You some help on the next one * /
INT Main (int Argv, char ** argc) {
Char BUF [256];
STRCPY (BUF, Argc [1]);
Exit (1);
}
As we see, in this example, add an exit (). Did you find it out? General utilization
The method of returning the address of Main has not been passed. In this example, Windows uses Windows exceptions.
The mechanism can successfully overflow this program, and there is no such feature under UNIX, and I don't know how to overflow this program for the time being. Or you can't take it at all. Welcome to discuss, please mailto: alert7@xfocus.org :)
★ 1.3 Demo three ---- overlay function pointer
/ * ABO3.C *
* specially crafted to feed your brey by gera@core-sdi.com * /
/ * This'll prepare you for the next step * /
INT Main (int Argv, char ** argc) {
Extern system, PUTS;
Void (* fn) (char *) = (Void (*) (char *)) & system;
Char BUF [256];
Fn = (void (*) (char *)) & puts;
STRCPY (BUF, Argc [1]);
Fn (Argc [2]);
Exit (1);
}
The buffer overflows overrides the FN function pointer to achieve the purpose of attack.
★ 1.4 Demonstrate four ---- cover the pointer, causing the coverage of any address
/ * ABO4.C *
* specially crafted to feed your brey by gera@core-sdi.com * /
/ * After this one, The next is just an EUREKA! AWAY * /
Extern system, PUTS;
Void (* fn) (char *) = (Void (*) (char *)) & system;
INT Main (int Argv, char ** argc) {
Char * pbuf = malloc (Strlen (Argc [2]) 1);
Char BUF [256];
Fn = (void (*) (char *)) & puts;
STRCPY (BUF, Argc [1]);
STRCPY (PBUF, Argc [2]);
Fn (Argc [3]);
While (1);
}
When the first STRCPY, it can be overwritten to the PBUF pointer, which allows the PBUF to point to the FN address, so the second time
When STRCPY is overridden to the FN pointer, you can perform any time when running the Fn () function.
Function call, such as system ();
★ 1.5 demo five ---- ch-ch-ch-change
/ * ABO5.C *
* specially crafted to feed your brey by gera@core-sdi.com * /
/ * You Take the blue pill, you wake up in your bed, *
* And you believe what you want to be beleve *
* You take the red pill, *
* And I'll show you how deep goes the Rabbit Hole * /
INT Main (int Argv, char ** argc) {
Char * pbuf = malloc (Strlen (Argc [2]) 1);
Char BUF [256];
STRCPY (BUF, Argc [1]); for (; * PBUF = * (Argc [2] ););
Exit (1);
}
When the first STRCPY, it can be overwritten to the PBUF pointer, which allows PBUF to point to the GOT or .DOTRS address 4,
Thereby, it can be covered to those parts to obtain control.
★ 1.6 demonstration six
/ * ABO6.C *
/ * specially crafted to feed your brengu by gera@core-sdi.com * /
/ * wwwhat'u talkin 'About? * /
INT Main (int Argv, char ** argc) {
Char * pbuf = malloc (Strlen (Argc [2]) 1);
Char BUF [256];
STRCPY (BUF, Argc [1]);
STRCPY (PBUF, Argc [2]);
While (1);
}
When the first STRCPY, it can be overwritten to the PBUF pointer, which allows the PBUF to point to the return address of the second STRCPY function.
Thereby, it can be overwritten to the address, and the second STRCPY can be obtained to obtain control.
★ 1.7 demonstration seven
/ * ABO7.C *
* specially crafted to feed your brey by gera@core-sdi.com * /
/ * Sometimes you can, *
* sometimes you don't *
* That's what life's about * /
CHAR BUF [256] = {1};
INT Main (int Argv, char ** argc) {
STRCPY (BUF, Argc [1]);
}
[alert7 @ redhat] $ gcc -o test test.c -g
[alert7 @ redhat] $ GDB TEST -Q
(GDB) L
1 char buf [256] = {1};
2
3 int Main (int Argv, char ** argc) {
4 STRCPY (BUF, Argc [1]);
5}
(GDB) B 4
BreakPoint 1 AT 0x80483cb: File Test.c, line 4.
(GDB) R 999
The Program Being Debugged Has Been Started ALREADY.
START IT from the beginning? (Y or n) y
Starting Program: / Home / Alert7 / Test 999
Breakpoint 1, Main (argv = 2, argc = 0xBffffbc4) at test.c: 4
4 STRCPY (BUF, Argc [1]);
(GDB) P & BUF
$ 1 = (char (*) [256]) 0x8049460
The address of the BUF is 0x8049460, that is, if there is any important thing if the 0x8049460 address is there,
If you can get the right data, then we can overflow success.
it's here:
[Alert7 @ redhat] $ objdump -s -j .dttors test
TEST: File Format ELF32-I386
CONTENTS OF Section .dtors:
804956c fffffff 00000000 ........ We can cover .dtors to achieve the purpose of obtaining control.
★ 1.8 demo eight
Don't stay static
/ * ABO8.C *
* specially crafted to feed your brey by gera@core-sdi.com * /
/ * Spot the Difference * /
Char BUF [256];
INT Main (int Argv, char ** argc) {
STRCPY (BUF, Argc [1]);
}
[alert7 @ redhat] $ gcc -o test test.c -g
[Alert7 @ redhat] $ objdump - Dynamic-Reloc TEST
TEST: File Format ELF32-I386
Dynamic RELOCATION RECORDS
Offset Type Value
0804947c r_386_glob_dat __gmon_start__
0804946c r_386_jump_slot __register_frame_info
08049470 r_386_jump_slot __deregister_frame_info
08049474 r_386_jump_slot __libc_start_main
08049478 r_386_jump_slot strcpy
[alert7 @ redhat] $ GDB TEST -Q
(GDB) L
1
2 char buf [256];
3
4 int Main (int Argv, char ** argc) {
5 strcpy (buf, argc [1]);
6}
Seduce
(GDB) B 5
BreakPoint 1 at 0x80483cb: File Test.c, Line 5.
(GDB) R 11
Starting Program: / Home / Alert7 / Test 11
Breakpoint 1, Main (Argv = 2, Argc = 0xBffffBC4) at test.c: 5
5 strcpy (buf, argc [1]);
(GDB) P & BUF
$ 1 = (char (*) [256]) 0x8049540
(GDB) Q
The Program Is Running. EXIT Anyway? (Y OR N) Y
[Alert7 @ redhat] $ objdump -s -j .dttors test
TEST: File Format ELF32-I386
CONTENTS OF Section .dtors:
8049458 fffffff10 000000 ........
[alert7 @ redhat] $ gcc -o test test.c -g -static
[alert7 @ redhat] $ GDB TEST -Q
(GDB) L
1
2 char buf [256];
3
4 int Main (int Argv, char ** argc) {
5 strcpy (buf, argc [1]);
6}
Seduce
(GDB) B 5
Breakpoint 1 at 0x804819b: File Test.c, Line 5.
(GDB) R 11
Starting Program: / Home / Alert7 / Test 11breakpoint 1, Main (Argv = 2, Argc = 0xBffffc14) At Test.c: 5
5 strcpy (buf, argc [1]);
(GDB) P & BUF
$ 1 = (char (*) [256]) 0x807BB60
(GDB) P __exit_funcs
$ 2 = (Struct EXIT_FUNCTION_LIST * 0X807B160
[alert7 @ redhat62 alert7] $ objdump -s -j .dttors test
TEST: File Format ELF32-I386
CONTENTS OF Section .dtors:
807b100 fffffff 00000000 ........
BUF's address is larger than other addresses, so it is covered by them.
This example still doesn't know how to get control? Cover the main function with a long string
The return address is unrealistic, and it will be before it has not been overwritten to the main function.
Segmentation Fault, the reason is to access an address without mapping (address
The mapping is discontinuous).
This demonstration makes me depressed for a long time, and I really can't succeed in this in my Linux.
Procedure, or QERA is also designed for Windows again! ? (If you have good idea,
Remember Mailto: alert7@xfocus.org). Successfully overflow this performance in Windows
There is no problem with the order.
★ 1.9 demo nine ---- Two free technology
/ * ABO9.C *
* specially crafted to feed your brey by gera@core-sdi.com * /
/ * free (your mind) * /
/ * I'm not Sure In What Operating Systems It Can Be Done * /
INT Main (int Argv, char ** argc) {
Char * pbuf1 = (char *) Malloc (256);
Char * pbuf2 = (char *) Malloc (256);
Gets (PBUF1);
Free (PBUF2);
Free (PBUF1);
}
Please refer to Waring3 << a new HEAP area overflow technology analysis >>
That article has already understood it, don't want to say more, don't want to do repetitive labor :)
★ 1.10 demo ten ---- once free technology
/ * ABO10.C *
* specially crafted to feed your brey by gera@core-sdi.com * /
/ * Deja-vu * /
Char BUF [256];
INT Main (int Argv, char ** argc) {
Char * pbuf = (char *) Malloc (256);
Gets (buf);
Free (PBUF);
}
[alert7 @ redhat] $ gcc -o test test.c -g
/TMP/cco6GW96.O: in function `main ':
/Home/alert7/test.c:6: The `gets' function is dangerous and shouth not be used.
[alert7 @ redhat] $ GDB TEST -Q
(GDB) L
1 char buf [256];
2
3 int Main (int Argv, char ** argc) {
4 char * pbuf = (char *) Malloc (256);
5
6 gets (buf);
7 free (PBUF);
8 }
(GDB) B 6
Breakpoint 1 at 0x8048440: File Test.c, line 6.
(GDB) R
Starting Program: / Home / Alert7 / Test
Breakpoint 1, Main (argv = 1, argc = 0xBffffbc4) At test.c: 6
6 gets (buf);
(GDB) P & BUF
$ 1 = (char (*) [256]) 0x80495c0
(GDB) P PBUF
$ 2 = 0x80496C8 "" "
The CHUNK blocks of PBUF can be covered, and the free technology can also be covered to .DOTRS, Main return address, and the like.
Demonstrate Nine and Demonstrations are all due to buffer overflows to handle errors, thus utilizing memory management
The write operation in the function overrides any address space you want to overwrite.
