[Principle Analysis] Stack overflow case analysis under Linux-gdb debug drills [4]

Summary:

This series of 3 describes the existing Linux system to protect the stack, under the kind of stack protection, to modify the SIP (saved instruction pointer) is not possible, but the stack protection object is limited, the data in the program is not necessarily protected. In this paper, we discuss how to use the loophole to rewrite the data and achieve the purpose of control when there are memory operation vulnerabilities in the program.

Test Platform:

1. Ubuntu 9, gcc4.4.1, GDB 7.0

2. The Ubuntu system is installed on the VirtualBox 3.2.8 system;

Body:

First look at the following example code:

#include <stdio.h> #include <stdlib.h>int main () {printf ("Hello world\n"), sleep (+), return 0;}

The code mainly calls two standard library functions, the following is its disassembly code:

If we look closely, we find that the call to puts and sleep is not the entry to the function, but rather a jump through an additional jmp at the calling command, such as in JMP *0x804a004 when the command is called 0x8048320. The address at the end of the jump is stored in the 0x804a004. We can think of a program used in the Library function interface will correspond to a corresponding table, the table holds the corresponding library jump address, such as the following table structure:

0x8048a004: The jump address of the library interface 1;

0x8048a000: The jump address of the library interface 1;

0X8048FFFB: The jump address of the library interface 1;

After understanding the above principles, if you can modify the above library jump table address, then we can control the jump. Take a closer look at the following code:

#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #define SIZE 12# Define MAX  20typedef struct Node{char buf[size];void* next;} Node;void Hax () {execl ("/bin/echo", "echo", "Hello", NULL);} void ReadFile (char* file, char* buf) {File *FD = fopen (file, "R"), if (fd = = NULL) {printf ("open error\n"); exit (-1);} Fread (buf, 1, MAX, FD);p rintf ("Read Data2%s\n", buf); fclose (FD);} int main () {char Buf1[max+1];buf1[max] = ' + '; ReadFile ("Data1.dat", buf1); char Buf2[max+1];buf2[max] = ' readFile '; Data2.dat ", buf2); node data1, data2;data1.next = &data2;data2.next = &data1;memcpy (&data1, BUF1, MAX);//max Or SIZE, I think it should be size;memcpy (Data1.next, Buf2, SIZE); exit ( -1); return 0;}

The above code is mainly two data nodes, linked together in the form of a circular link. The main flaw in the code above is the first memcpy operation in the main function, where the assignment exceeds the size of buf. Exploiting this vulnerability, if we replace the next value in Data1.dat with the Data1.dat address value 0x0804a024 for the exit () function in the input file of the. The address of Hax () (the function we want to replace exit) is then written in the Data2.dat file, which is replaced by the second memcpy operation0x0804a024 The original value, and then the program runs to exit, it executes our hax function. Here is the address of Hax:

Here are the data in the two input files Data1.dat and Data2.dat:

Data1

Data2

The main setting in Data1 is that the previous 12 bytes hold the ' A ' data, and finally the table address of exit, while the first four bytes of data2 are the entry address of the Hax () function, and the four bytes after it are only the original values stored in the table address of the lower exit. After setting up these files, run the program and see that our settings really do work, Hax is called:

Conclusion:

This article shows how to modify the data to achieve the procedures of the control program implementation of the case. The case is primarily based on memory vulnerabilities, and the main cause of the vulnerability lies in the cross-border of memory copies.

Reference documents:

"Stack overflow attacks in modern Linux systems"

[Principle Analysis] Stack overflow case analysis under Linux-gdb debug drills [4]