[Analysis] advanced buffer overflow for non-secure programming demonstration

Advanced buffer overflow for non-secure programming demonstration

Created on:
Article attributes: original
Source: http://xfocus.org/
Article submission: alert7 (sztcww_at_sina.com)

Advanced buffer overflow for non-secure programming demonstration

Author: alert7 <mailto: alert7@netguard.com.cn>
Home: http://www.xfocus.org/http://www.whitecell.org/
Company: huatai Network Security Http://community.core-sdi.com /~ Gera/insecureprogramming/insecureprogramming.tar.gz

Time: 2001-11-9

Statement: Most of the demos in this article come from qera <gera@core-sdi.com>, thanks to qera
We carefully constructed these well-illustrated demo programs.

Some programs may have more than one method of exploitation, which is not mentioned in this article. If you have
Good idea, remember mailto: alert7@xfocus.org, not correct or inappropriate
Please make an axe.

★★I. Advanced Buffer Overflow

★1.1 demonstration 1-blind obedience (blind obedience)

The defined Buf is too small, and the data to be copied is insufficient to accommodate the Buf.

/* Abo1.c *
* Specially crafted to feed your brain by gera@core-sdi.com */

/* Dumb example to let you get introduced ...*/

Int main (INT argc, char ** argv ){
Char Buf [256];

Strcpy (BUF, argv [1]);
}

This is a good example program, which can explain the problem: the program will copy argv [1] to the Buf and use
The strcpy function does not perform any boundary check. This gives us a chance to pass on an ultra-long
Argv [1] to overwrite the data after the Buf in the stack. You need to use all the tools to view
What are the important things behind the Buf before they can be used to construct the patterns required by the exploit.

★1.2 DEMO 2-execution flow)

Let's take a look at this program.

/* Abo2.c *
* Specially crafted to feed your brain by gera@core-sdi.com */

/* This is a tricky example to make you think *
* And give you some help on the next one */

Int main (INT argv, char ** argc ){
Char Buf [256];

Strcpy (BUF, argc [1]);
Exit (1 );
}

As we can see, in this example, an exit () is added. is it different? General coverage
The method of the return address of main does not work anymore. In this example, an exception occurs when Windows is used.
The mechanism can successfully overflow this program, but this feature is not available in UNIX, and you do not know how to overflow
This program? Or it cannot be used at all. Welcome to the discussion, please mailto: alert7@xfocus.org

★1.3 demonstration 3 ---- overwrite the function pointer

/* Abo3.c *
* Specially crafted to feed your brain by gera@core-sdi.com */

/* This'll prepare you for the next step */

Int main (INT argv, char ** argc ){
Extern system, puts;
Void (* fN) (char *) = (void (*) (char *) & system;
Char Buf [256];

Fn = (void (*) (char *) & puts;
Strcpy (BUF, argc [1]);
FN (argc [2]);
Exit (1 );
}

Buffer overflow can be used to overwrite the FN function pointer for attack purposes.

★1.4 demonstration 4 ---- overwrite pointer, resulting in overwrite of any address

/* Abo4.c *
* Specially crafted to feed your brain by gera@core-sdi.com */

/* After this one, the next is just an Eureka! Away */

Extern system, puts;
Void (* fN) (char *) = (void (*) (char *) & system;

Int main (INT argv, char ** argc ){
Char * pbuf = malloc (strlen (argc [2]) + 1 );
Char Buf [256];

Fn = (void (*) (char *) & puts;
Strcpy (BUF, argc [1]);
Strcpy (pbuf, argc [2]);
FN (argc [3]);
While (1 );
}

When the first strcpy is used, the pbuf pointer can be overwritten, so that pbuf can point to the FN address. Therefore, the second time
Strcpy will overwrite the FN pointer, And you can execute any
Function call, such as system ();

★1.5 demo 5 ---- Ch-Changes

/* Abo5.c *
* Specially crafted to feed your brain by gera@core-sdi.com */

/* You take the blue pill, you wake up in your bed ,*
* And you believe what you want to believe *
* You take the red pill ,*
* And I'll show you how deep goes the rabbit hole */

Int main (INT argv, char ** argc ){
Char * pbuf = malloc (strlen (argc [2]) + 1 );
Char Buf [256];

Strcpy (BUF, argc [1]);
For (; * pbuf ++ = * (argc [2] ++ ););
Exit (1 );
}

In the first strcpy, The pbuf pointer can be overwritten, so that pbuf can point to the exit got or. dotrs address + 4,
This allows you to overwrite those parts to gain control.

★1.6 demonstration 6

/* Abo6.c *
/* Specially crafted to feed your brain by gera@core-sdi.com */

/* Wwwhat 'U talkin 'about? */

Int main (INT argv, char ** argc ){
Char * pbuf = malloc (strlen (argc [2]) + 1 );
Char Buf [256];

Strcpy (BUF, argc [1]);
Strcpy (pbuf, argc [2]);
While (1 );
}

When the first strcpy is used, the pbuf pointer can be overwritten to point pbuf to the return address of the second strcpy function,
So that the address can be overwritten, and the second strcpy can be controlled as soon as it is returned.

★1.7 demonstration 7

/* Abo7.c *
* Specially crafted to feed your brain by gera@core-sdi.com */

/* Sometimes you can ,*
* Sometimes you don't *
* That's what life's about */

Char Buf [256] = {1 };

Int main (INT argv, char ** argc ){
Strcpy (BUF, argc [1]);
}
[Alert7 @ RedHat] $ gcc-O test. C-G
[Alert7 @ RedHat] $ GDB test-Q
(GDB) L
1 char Buf [256] = {1 };
2
3 int main (INT argv, char ** argc ){
4 strcpy (BUF, argc [1]);
5}
(GDB) B 4
Breakpoint 1 at 0x80483cb: file test. C, line 4.
(GDB) R 1, 999
The program being debugged has been started already.
Start it from the beginning? (Y or N) y
Starting program:/home/alert7/test 999

Breakpoint 1, main (argv = 2, argc = 0xbffffbc4) at test. C: 4
4 strcpy (BUF, argc [1]);
(GDB) P & Buf
$1 = (char (*) [256]) 0x8049460

The Buf address is 0x8049460, that is to say, if 0x8049460 address is important, we
If we can get the control data, then we can overflow successfully.
Here:
[Alert7 @ RedHat] $ objdump-S-J. dtors Test

Test: File Format elf32-i386

Contents of section. dtors:
804956c ffffffff 00000000 ........
We can overwrite. dtors to gain control.

★1.8 demonstration 8

Don't stay static

/* Abo8.c *
* Specially crafted to feed your brain by gera@core-sdi.com */

/* Spot the difference */

Char Buf [256];

Int main (INT argv, char ** argc ){
Strcpy (BUF, argc [1]);
}

[Alert7 @ RedHat] $ gcc-O test. C-G
[Alert7 @ RedHat] $ objdump -- Dynamic-reloc Test

Test: File Format elf32-i386

Dynamic Relocation records
Offset type value
0804947c r_1__glob_dat _ gmon_start __
0804946c r_1__jump_slot _ register_frame_info
08049470 r_0000_jump_slot _ deregister_frame_info
08049474 r_cmd_jump_slot _ libc_start_main
08049478 r_0000_jump_slot strcpy
[Alert7 @ RedHat] $ GDB test-Q
(GDB) L
1
2 char Buf [256];
3
4 int main (INT argv, char ** argc ){
5 strcpy (BUF, argc [1]);
6}
7
(GDB) B 5
Breakpoint 1 at 0x80483cb: file test. C, line 5.
(GDB) r 11
Starting program:/home/alert7/test 11

Breakpoint 1, main (argv = 2, argc = 0xbffffbc4) at test. C: 5
5 strcpy (BUF, argc [1]);
(GDB) P & Buf
$1 = (char (*) [256]) 0x8049540
(GDB) q
The program is running. Exit anyway? (Y or N) y
[Alert7 @ RedHat] $ objdump-S-J. dtors Test

Test: File Format elf32-i386

Contents of section. dtors:
8049458 ffffffff 00000000 ........
[Alert7 @ RedHat] $ gcc-O test. C-g-static
[Alert7 @ RedHat] $ GDB test-Q
(GDB) L
1
2 char Buf [256];
3
4 int main (INT argv, char ** argc ){
5 strcpy (BUF, argc [1]);
6}
7
(GDB) B 5
Breakpoint 1 at 0x804819b: file test. C, line 5.
(GDB) r 11
Starting program:/home/alert7/test 11

Breakpoint 1, main (argv = 2, argc = 0xbffffc14) at test. C: 5
5 strcpy (BUF, argc [1]);
(GDB) P & Buf
$1 = (char (*) [1, 256]) 0x807bb60
(GDB) P _ exit_funcs
$2 = (struct exit_function_list *) 0x807b160
[Alert7 @ redhat62 alert7] $ objdump-S-J. dtors Test

Test: File Format elf32-i386

Contents of section. dtors:
807b100 ffffffff 00000000 ........
Buf addresses are larger than other addresses, so they cannot be overwritten.
This example does not know how to obtain control? Overwrite the main function with a super-long string
The return address is unrealistic and will be returned before it is overwritten by the return address of the main function.
Segmentation fault, because a non- ing address (Address
).
This demo program has made me depressed for a long time. On my Linux, I still cannot overflow this
Program, or qera again designed specifically for Windows !? (If you have a good idea,
Remember mailto: alert7@xfocus.org ). This demo program is successfully overflows in windows.
The order is correct.

★1.9 demonstration 9-two free technologies

/* Abo9.c *
* Specially crafted to feed your brain by gera@core-sdi.com */

/* Free (your mind )*/

/* I'm not sure in what operating systems it can be done */

Int main (INT argv, char ** argc ){
Char * pbuf1 = (char *) malloc (256 );
Char * pbuf2 = (char *) malloc (256 );

Gets (pbuf1 );
Free (pbuf2 );
Free (pbuf1 );
}
See <a new heap zone overflow technical analysis>
I already understand what I have mentioned in that article. I don't want to talk about it, but I don't want to do repetitive work :)

★1.10 demonstration 10 ---- one free technology

/* Abo10.c *
* Specially crafted to feed your brain by gera@core-sdi.com */

/* Deja-vu */

Char Buf [256];

Int main (INT argv, char ** argc ){
Char * pbuf = (char *) malloc (256 );

Gets (BUF );
Free (pbuf );
}
[Alert7 @ RedHat] $ gcc-O test. C-G
/Tmp/cco6gw96. O: In function 'main ':
/Home/alert7/test. C: 6: The 'gets' function is dangerous and shoshould not be used.
[Alert7 @ RedHat] $ GDB test-Q
(GDB) L
1 char Buf [256];
2
3 int main (INT argv, char ** argc ){
4 char * pbuf = (char *) malloc (256 );
5
6 gets (BUF );
7 free (pbuf );
8}
(GDB) B 6
Breakpoint 1 at 0x8048440: file test. C, line 6.
(GDB) r
Starting program:/home/alert7/test

Breakpoint 1, main (argv = 1, argc = 0xbffffbc4) at test. C: 6
6 gets (BUF );
(GDB) P & Buf
$1 = (char (*) [1, 256]) 0x80495c0
(GDB) P pbuf
$2 = 0x80496c8 ""
The chunk block of pbuf can be overwritten, And the return address of. dotrs and main can be overwritten by one free technology.
Both demonstration 9 and demonstration 10 are memory management function processing errors caused by buffer overflow, so as to use memory management
Write operations in the function overwrite any address space you want to overwrite.