Hacking Challenge - locating the vulnerability in the code

Question

My Friend recently completed a hacking challenge and sent it to me (binary and source). I wanted to ask here before I asked him for tips as I want to do it myself :)

I've been going through it but I am struggling to find the vulnerability.

#include <alloca.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

static void usage(const char *argv0) {
    printf("Build your own string!\n");
    printf("\n");
    printf("Usage:\n");
    printf("  %s length command...\n", argv0);
    printf("\n");
    printf("Each command consist of a single character followed by it's index.\n");
    printf("\n");
    printf("Example:\n");
    printf("  %s 11 h0 e1 l2 l3 o4 w6 o7 r8 l9 d10\n", argv0);
    exit(1);
}

int main(int argc, char **argv) {
    char *buffer;
    unsigned short buffersize, i, index, length;

    if (argc < 2) usage(argv[0]);

    length = atoi(argv[1]);
    if (length <= 0) {
            fprintf(stderr, "bad length\n");
            return 1;
    }

    buffersize = length + 1;
    buffer = alloca(buffersize);
    memset(buffer, ' ', buffersize);
    buffer[buffersize - 1] = 0;

    for (i = 2; i < argc; i++) {
            if (strlen(argv[i]) < 2) {
                    fprintf(stderr, "bad command \"%s\"\n", argv[i]);
                    return 1;
            }

            index = atoi(argv[i] + 1);
            if (index >= length) {
                    fprintf(stderr, "bad index in command \"%s\"\n", argv[i]);
                    return 1;
            }

            buffer[index] = argv[i][0];
    }

    printf("%s\n", buffer);
    return 0;
}

I think the vulnerability lies within the short int, and the use of alloca.

Entering ./app 65535 65535 can cause a segfault but I can't actually override anything since buffer will only ever be set to max 65535 or it loops around. This makes me think I can't override the EIP to inject shellcode.

Can anyone help me with where to look?

Thanks!

Answer

Actually, the vulnerability lies in the fact that you can store a character at any offset in the buffer allocated with alloca, but the test is done on length rather than size. Passing arguments of 65535 and a1 invokes undefined behavior: size has the value 0 because of arithmetic wraparound if unsigned short has 16 bits.

You can try passing a first argument of 65535 and subsequent arguments with increasing offsets, that will poke values beyond the end of buffer, possibly overwriting the return address of main and causing a crash:

myprog 65535 a3 a7 a15 a19 a23 a27 a31 a35 a39 a43 a47 a51 a55 a59 a63 ...

Depending on the actual layout of the local variables, the required offset may be larger than 17, but it should be less than 80.
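The root cause the answer points at is that length, buffersize and index are all unsigned short, so buffersize = length + 1 silently wraps to 0 when length is 65535, while every index below 65535 still passes the check against length. The hardened rewrite below is an added example (it is not the challenge author's code and not part of the original question or answer): it does all size arithmetic in size_t, caps the length so length + 1 cannot wrap, parses numbers strictly instead of with atoi, and checks each index against the buffer that was actually allocated. The names build_string, parse_size, original_buffersize, the BS_* return codes and the MAX_LENGTH cap are choices made for this example, not anything from the challenge.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for build_string (names chosen for this example). */
enum { BS_OK = 0, BS_BAD_LENGTH = 1, BS_BAD_COMMAND = 2, BS_BAD_INDEX = 3, BS_OOM = 4 };

/* Upper bound on the string length; an assumed policy cap, not from the challenge.
 * Because length <= MAX_LENGTH, length + 1 can never wrap in size_t. */
#define MAX_LENGTH 4096u

/* Strict decimal parser: whole string must be digits, value must be <= max.
 * atoi() in the original accepts "-1", "12abc" and "" without complaint. */
static int parse_size(const char *s, size_t max, size_t *out) {
    char *end;
    unsigned long long v;
    if (*s < '0' || *s > '9') return 0;       /* rejects "", "-5", "+3", " 7" */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max) return 0;
    *out = (size_t)v;
    return 1;
}

/* Build the string described by cmds[0..ncmds-1] ("h0", "e1", ...) into a
 * heap buffer of exactly 'length' characters plus NUL. Caller frees *out. */
int build_string(const char *length_arg, int ncmds, char *const *cmds, char **out) {
    size_t length, buffersize, i, index;
    char *buffer;

    *out = NULL;
    if (ncmds < 0) ncmds = 0;
    if (!parse_size(length_arg, MAX_LENGTH, &length) || length == 0)
        return BS_BAD_LENGTH;

    buffersize = length + 1;                  /* same type as length, no wrap */
    buffer = malloc(buffersize);
    if (buffer == NULL) return BS_OOM;
    memset(buffer, ' ', length);
    buffer[length] = '\0';

    for (i = 0; i < (size_t)ncmds; i++) {
        const char *cmd = cmds[i];
        if (strlen(cmd) < 2) { free(buffer); return BS_BAD_COMMAND; }
        /* Bounds check in the allocation's own type; index < length < buffersize. */
        if (!parse_size(cmd + 1, MAX_LENGTH, &index) || index >= length) {
            free(buffer);
            return BS_BAD_INDEX;
        }
        buffer[index] = cmd[0];
    }
    *out = buffer;
    return BS_OK;
}

/* Reproduces the original's arithmetic in isolation to show the wraparound:
 * an unsigned short holding 65535 plus one becomes 0. */
unsigned short original_buffersize(unsigned short length) {
    return (unsigned short)(length + 1);      /* 65535 -> 0 */
}

int main(int argc, char **argv) {
    char *s;
    int rc;
    if (argc < 2) {
        fprintf(stderr, "usage: %s length command...\n", argv[0]);
        return 1;
    }
    rc = build_string(argv[1], argc - 2, argv + 2, &s);
    if (rc != BS_OK) {
        fprintf(stderr, "rejected input (code %d)\n", rc);
        return 1;
    }
    printf("%s\n", s);
    free(s);
    return 0;
}
```

With this version the example from the challenge's usage text (11 h0 e1 l2 l3 o4 w6 o7 r8 l9 d10) still prints "hello world", while a length of 65535 is rejected before any allocation happens, and a command such as a-1 is rejected by the parser rather than being turned into a large unsigned index.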
