Hacking Challenge - locating vulnerability in the code


Problem description

My friend recently completed a hacking challenge and sent it to me (binary and source). I wanted to ask here before I asked him for tips as I want to do it myself :)

I've been going through it but I am struggling to find the vulnerability.

#include <alloca.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

static void usage(const char *argv0) {
    printf("Build your own string!\n");
    printf("\n");
    printf("Usage:\n");
    printf("  %s length command...\n", argv0);
    printf("\n");
    printf("Each command consist of a single character followed by it's index.\n");
    printf("\n");
    printf("Example:\n");
    printf("  %s 11 h0 e1 l2 l3 o4 w6 o7 r8 l9 d10\n", argv0);
    exit(1);
}

int main(int argc, char **argv) {
    char *buffer;
    unsigned short buffersize, i, index, length;

    if (argc < 2) usage(argv[0]);

    length = atoi(argv[1]);
    if (length <= 0) {
            fprintf(stderr, "bad length\n");
            return 1;
    }

    buffersize = length + 1;
    buffer = alloca(buffersize);
    memset(buffer, ' ', buffersize);
    buffer[buffersize - 1] = 0;

    for (i = 2; i < argc; i++) {
            if (strlen(argv[i]) < 2) {
                    fprintf(stderr, "bad command \"%s\"\n", argv[i]);
                    return 1;
            }

            index = atoi(argv[i] + 1);
            if (index >= length) {
                    fprintf(stderr, "bad index in command \"%s\"\n", argv[i]);
                    return 1;
            }

            buffer[index] = argv[i][0];
    }

    printf("%s\n", buffer);
    return 0;
}

I think the vulnerability lies within the short int, and the use of alloca.

Entering ./app 65535 65535 can cause a segfault, but I can't actually override anything since buffer will only ever be set to max 65535 or it loops around. This makes me think I can't override the EIP to inject shellcode.

Can anyone help me with where to look?

Thanks!

Answer

Actually, the vulnerability lies in the fact that you can store a character at any offset in the buffer allocated with alloca, but the test is done on length rather than size. Passing arguments of 65535 and a1 invokes undefined behavior: size has the value 0 because of arithmetic wraparound if unsigned short has 16 bits.

You can try passing a first argument of 65535 and subsequent arguments with increasing offsets; that will poke values beyond the end of buffer, possibly overwriting the return address of main and causing a crash:

myprog 65535 a3 a7 a15 a19 a23 a27 a31 a35 a39 a43 a47 a51 a55 a59 a63 ...

Depending on the actual local variable layout, the required offset may be larger than 17, but should be smaller than 80.
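For comparison, here is a hardened rewrite of the challenge's string-building loop. It is an added example, not the challenge's code or the answerer's; the names `length_plus_one_wraps`, `parse_uint` and `build_string` are hypothetical. It shows the two defects the answer describes and their fixes: the `length + 1` wrap in a 16-bit `unsigned short`, and the index check that compares against `length` instead of the real buffer size.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 when "length + 1" wraps to 0 in a 16-bit unsigned short, i.e. the
 * case the challenge triggers with a first argument of 65535. */
int length_plus_one_wraps(unsigned short length) {
    return (unsigned short)(length + 1) == 0;
}

/* Strict parse of a non-negative decimal number: digits only, no sign, no
 * trailing characters, value <= max. Returns 0 on success, -1 otherwise. */
static int parse_uint(const char *s, unsigned long max, unsigned long *out) {
    char *end;
    unsigned long v;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max) return -1;
    *out = v;
    return 0;
}

/* Hardened version of the challenge's main loop (hypothetical helper, not the
 * challenge's own code). 'out' is a caller-provided buffer of 'outcap' bytes.
 * The requested length is bounded so that "length + 1" cannot wrap, and every
 * index is checked against the real buffer size rather than against 'length'. */
int build_string(const char *length_arg, int ncmds, const char **cmds,
                 char *out, size_t outcap) {
    unsigned long length, index;
    size_t buffersize;
    int i;

    if (outcap < 2) return -1;
    /* length must be >= 1 and leave room for the NUL terminator. */
    if (parse_uint(length_arg, outcap - 1, &length) != 0 || length == 0) return -1;

    buffersize = (size_t)length + 1;   /* cannot wrap: length <= outcap - 1 */
    memset(out, ' ', buffersize);
    out[buffersize - 1] = '\0';

    for (i = 0; i < ncmds; i++) {
        if (cmds[i] == NULL || strlen(cmds[i]) < 2) return -1;
        /* Highest writable index is buffersize - 2 (the byte before the NUL). */
        if (parse_uint(cmds[i] + 1, buffersize - 2, &index) != 0) return -1;
        out[index] = cmds[i][0];
    }
    return 0;
}
```

With a 64-byte output buffer the usage example from the challenge (`11 h0 e1 ... d10`) still produces "hello world", while a length of 65535, an index equal to the length, or a negative index are all rejected before any write happens.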
