Hacking Challenge - locating vulnerability in the code
Problem description
My friend recently completed a hacking challenge and sent it to me (binary and source). I wanted to ask here before I asked him for tips as I want to do it myself :)
I've been going through it but I am struggling to find the vulnerability.
#include <alloca.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

static void usage(const char *argv0) {
    printf("Build your own string!\n");
    printf("\n");
    printf("Usage:\n");
    printf("  %s length command...\n", argv0);
    printf("\n");
    printf("Each command consist of a single character followed by it's index.\n");
    printf("\n");
    printf("Example:\n");
    printf("  %s 11 h0 e1 l2 l3 o4 w6 o7 r8 l9 d10\n", argv0);
    exit(1);
}

int main(int argc, char **argv) {
    char *buffer;
    unsigned short buffersize, i, index, length;   /* all sizes are 16-bit */

    if (argc < 2) usage(argv[0]);
    length = atoi(argv[1]);
    if (length <= 0) {
        fprintf(stderr, "bad length\n");
        return 1;
    }
    buffersize = length + 1;                /* room for the terminator */
    buffer = alloca(buffersize);            /* stack allocation of buffersize bytes */
    memset(buffer, ' ', buffersize);
    buffer[buffersize - 1] = 0;

    /* Each command is one character followed by the index to store it at. */
    for (i = 2; i < argc; i++) {
        if (strlen(argv[i]) < 2) {
            fprintf(stderr, "bad command \"%s\"\n", argv[i]);
            return 1;
        }
        index = atoi(argv[i] + 1);
        if (index >= length) {              /* bounds check is against length */
            fprintf(stderr, "bad index in command \"%s\"\n", argv[i]);
            return 1;
        }
        buffer[index] = argv[i][0];
    }
    printf("%s\n", buffer);
    return 0;
}
I think the vulnerability lies within the short int, and the use of alloca.
Entering ./app 65535 65535
can cause a segfault, but I can't actually override anything since buffer will only ever be set to max 65535 or it loops around. This makes me think I can't override the EIP to inject shellcode.
Can anyone help me with where to look?
Thanks!
Recommended answer
Actually, the vulnerability lies in the fact that you can store a character at any offset in the buffer allocated with alloca, but the test is done on length rather than size. Passing arguments of 65535 and a1 invokes undefined behavior: size has the value 0 because of arithmetic wraparound if unsigned short has 16 bits.
You can try passing a first argument of 65535 and subsequent arguments with increasing offsets; that will poke values beyond the end of buffer, possibly overwriting the return address of main and causing a crash:
myprog 65535 a3 a7 a15 a19 a23 a27 a31 a35 a39 a43 a47 a51 a55 a59 a63 ...
Depending on the actual local variable layout, the required offset may be larger than 17, but should be smaller than 80.