
teckV

Remote Code Execution - smash the stack

1 message in this topic

Excellent article on this wonderful world... here you can find the foundations for the highest flights :D

`smash the stack` [C programming] n. On many C implementations it is possible to corrupt the execution stack by writing past the end of an array declared auto in a routine. Code that does this is said to smash the stack, and can cause return from the routine to jump to a random address. This can produce some of the most insidious data-dependent bugs known to mankind. Variants include trash the stack, scribble the stack, mangle the stack; the term mung the stack is not used, as this is never done intentionally. See spam; see also alias bug, fandango on core, memory leak, precedence lossage, overrun screw.
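Added example (not part of this post or of Aleph One's article): the defect the entry describes is a routine copying caller-supplied data into an array declared auto without checking the length first. The program below shows the shape of such a routine with the check in place, so that oversized input is rejected as an error instead of being written over the saved frame pointer and return address above the array. `NAME_LEN`, `copy_bounded` and `handle_name` are names chosen for this example; the 16-byte size is a constructed value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the auto (stack) array a routine uses for a caller-supplied
 * string. Sixteen bytes is a constructed value for this example. */
#define NAME_LEN 16

/* Copy src into an array of dst_len bytes only if it fits, including the
 * terminating NUL. Returns false and leaves dst untouched otherwise, so no
 * byte is ever written past the end of the array: the saved frame pointer
 * and return address that sit above it in the stack frame stay intact. */
bool copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) {
        return false;          /* would overrun: refuse rather than truncate silently */
    }
    memcpy(dst, src, n + 1);   /* n + 1 copies the NUL as well */
    return true;
}

/* A routine with an array declared auto. The input length is checked before
 * anything touches the stack array. Returns the number of bytes stored, or
 * -1 if the input was rejected. */
int handle_name(const char *input)
{
    char name[NAME_LEN];       /* auto array: lives in this routine's stack frame */

    if (!copy_bounded(name, sizeof name, input)) {
        return -1;             /* oversized input is an error, not an overflow */
    }
    /* ... the routine would go on to use name here ... */
    return (int)strlen(name);
}

int main(void)
{
    char oversized[64];        /* constructed input: 63 'A's, longer than NAME_LEN */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short input -> %d\n", handle_name("alice"));    /* 5 */
    printf("oversized   -> %d\n", handle_name(oversized));  /* -1 */
    return 0;
}
```

The check is the fix; compiler hardening such as `-fstack-protector` only turns an overrun that does happen into an abort, so it is defense in depth rather than a substitute for bounding the copy.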

                                  Shell Code

                                  ~~~~~~~~~~

  So now that we know that we can modify the return address and the flow of execution, what program do we want to execute? In most cases we'll simply want the program to spawn a shell. From the shell we can then issue other commands as we wish. But what if there is no such code in the program we are trying to exploit? How can we place arbitrary instructions into its address space? The answer is to place the code we are trying to execute in the buffer we are overflowing, and overwrite the return address so it points back into the buffer. Assuming the stack starts at address 0xFF, and that S stands for the code we want to execute, the stack would then look like this:

The code to spawn a shell in C looks like:

shellcode.c

#include <stdio.h>
#include <unistd.h>   /* execve() */

void main() {
   char *name[2];

   name[0] = "/bin/sh";   /* program to run */
   name[1] = NULL;        /* argv must be terminated by a NULL pointer */
   execve(name[0], name, NULL);   /* replace this process with /bin/sh; envp = NULL */
}

[aleph1]$ gcc -o shellcode -ggdb -static shellcode.c
[aleph1]$ gdb shellcode
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
(gdb) disassemble main
Dump of assembler code for function main:
0x8000130 <main>:       pushl  %ebp
0x8000131 <main+1>:     movl   %esp,%ebp
0x8000133 <main+3>:     subl   $0x8,%esp
0x8000136 <main+6>:     movl   $0x80027b8,0xfffffff8(%ebp)
0x800013d <main+13>:    movl   $0x0,0xfffffffc(%ebp)
0x8000144 <main+20>:    pushl  $0x0
0x8000146 <main+22>:    leal   0xfffffff8(%ebp),%eax
0x8000149 <main+25>:    pushl  %eax
0x800014a <main+26>:    movl   0xfffffff8(%ebp),%eax
0x800014d <main+29>:    pushl  %eax
0x800014e <main+30>:    call   0x80002bc <__execve>
0x8000153 <main+35>:    addl   $0xc,%esp
0x8000156 <main+38>:    movl   %ebp,%esp
0x8000158 <main+40>:    popl   %ebp
0x8000159 <main+41>:    ret
End of assembler dump.
(gdb) disassemble __execve
Dump of assembler code for function __execve:
0x80002bc <__execve>:   pushl  %ebp
0x80002bd <__execve+1>: movl   %esp,%ebp
0x80002bf <__execve+3>: pushl  %ebx
0x80002c0 <__execve+4>: movl   $0xb,%eax
0x80002c5 <__execve+9>: movl   0x8(%ebp),%ebx
0x80002c8 <__execve+12>:        movl   0xc(%ebp),%ecx
0x80002cb <__execve+15>:        movl   0x10(%ebp),%edx
0x80002ce <__execve+18>:        int    $0x80
0x80002d0 <__execve+20>:        movl   %eax,%edx
0x80002d2 <__execve+22>:        testl  %edx,%edx
0x80002d4 <__execve+24>:        jnl    0x80002e6 <__execve+42>
0x80002d6 <__execve+26>:        negl   %edx
0x80002d8 <__execve+28>:        pushl  %edx
0x80002d9 <__execve+29>:        call   0x8001a34 <__normal_errno_location>
0x80002de <__execve+34>:        popl   %edx
0x80002df <__execve+35>:        movl   %edx,(%eax)
0x80002e1 <__execve+37>:        movl   $0xffffffff,%eax
0x80002e6 <__execve+42>:        popl   %ebx
0x80002e7 <__execve+43>:        movl   %ebp,%esp
0x80002e9 <__execve+45>:        popl   %ebp
0x80002ea <__execve+46>:        ret
0x80002eb <__execve+47>:        nop
End of assembler dump.
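Added example (not part of this post or of Aleph One's article): the second disassembly shows the i386 system call convention the libc wrapper uses, with `$0xb` (execve) in %eax, the three arguments in %ebx, %ecx and %edx, then `int $0x80`. The instructions after the trap (testl/jnl, negl, the store through `__normal_errno_location`, `movl $0xffffffff,%eax`) implement the error convention: the kernel returns a negative errno value, and the wrapper turns that into a return value of -1 with errno set. The program below reproduces that mapping in C and runs the page's shellcode.c program with its return value actually checked, against a constructed path that does not exist so the process is not replaced. `libc_return_value`, `libc_errno_value` and `try_exec` are names chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The mapping performed after `int $0x80` in the __execve disassembly: a
 * negative kernel result becomes a -1 return value and a positive errno. */
long libc_return_value(long kernel_ret)
{
    return kernel_ret < 0 ? -1 : kernel_ret;       /* jnl skips the error path */
}

int libc_errno_value(long kernel_ret)
{
    return kernel_ret < 0 ? (int)(-kernel_ret) : 0; /* negl, then store into errno */
}

/* The page's program, with the argument block built the same way
 * (argv[0] = path, argv[1] = NULL, envp = NULL) but with the result checked.
 * On success execve never returns; on failure it returns -1 and errno says
 * why, and that errno value is what this function hands back. */
int try_exec(const char *path)
{
    char *argv[2];
    argv[0] = (char *)path;
    argv[1] = NULL;                /* the NULL terminator is mandatory */

    if (execve(path, argv, NULL) == -1) {
        return errno;
    }
    return 0;                      /* not reached: the process image was replaced */
}

int main(void)
{
    /* Constructed path that does not exist, so the call fails instead of
     * replacing this process. */
    const char *missing = "/nonexistent/constructed/path/sh";
    int err = try_exec(missing);
    printf("execve(%s) failed: %s (errno %d)\n", missing, strerror(err), err);

    /* The same mapping the wrapper performs on a raw kernel result of -ENOENT. */
    printf("kernel returned -%d -> libc returns %ld, errno = %d\n",
           ENOENT, libc_return_value(-ENOENT), libc_errno_value(-ENOENT));
    return 0;
}
```

Two details of the page's version matter for anyone reading the assembly: `name[1] = NULL` is what gives `execve` a properly terminated argv (the `movl $0x0,0xfffffffc(%ebp)` store), and the wrapper's errno handling is why a C caller sees -1 rather than the raw negative value the kernel leaves in %eax.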

Read the full article... very cool for anyone who wants to know more... ;)

http://www.insecure.org/stf/smashstack.txt

teckV

programing our luck

house of horus
