per un compito sto cercando di trovare exploit in un programma c. Ne ho trovato uno in strcpy, che è vulnerabile agli attacchi di overflow. Il problema è che in realtà sto avendo problemi a distribuire lo shellcode attraverso gli argomenti. So che il comando corretto è [NOP Sled] + [Shellcode] + [Return Address], so che il NOP Sled + Shellcode lo inserisce nello spazio di Return Address, ma mi manca quanto a lungo dovrebbe essere lo Sled NOP e quale sarebbe l'indirizzo del mittente. Ecco il codice.
int main(int argc, char* argv[]){
if (argc == 3) {
filecopy(argv);
} else {
printf("Error: Two files needed!\n");
}
}
void filecopy(char* argv[]) {
char s1[64];
char s2[64];
FILE *fp1, *fp2;
char temp;
strcpy(s2,argv[2]);
strcpy(s1,argv[1]);
if (chk_Str_in_File(RESTRICTED, s2)) {
printf("Error: Could not open the restricted file or match found in restricted file!\n");
return;
}
if (chk_Str_in_File(RESTRICTED, s1)) {
printf("Error: Could not open the restricted file or match found in restricted file!\n");
return;
}
if(strcmp(s1, s2) == 0){
printf("Error: Entered two strings are equal.\n");
return;
}
fp1 = fopen(s1,"r");
if (fp1 == NULL) {
printf("Error: Could not open file1!\n");
return;
}
fp2 = fopen(s2, "wb");
if (fp2 == NULL) {
printf("Error: Could not open file2!\n");
return;
} else {
temp = fgetc(fp1);
while (temp != EOF) {
fputc(temp, fp2);
temp = fgetc(fp1);
}
printf("Copy Complete!!!\n");
fcloseall();
}
}
E il dump dell'assembly
Dump of assembler code for function filecopy:
0x0804863b <+0>: push %ebp
0x0804863c <+1>: mov %esp,%ebp
0x0804863e <+3>: sub $0x98,%esp
0x08048644 <+9>: mov 0x8(%ebp),%eax
0x08048647 <+12>: add $0x8,%eax
0x0804864a <+15>: mov (%eax),%eax
0x0804864c <+17>: sub $0x8,%esp
0x0804864f <+20>: push %eax
0x08048650 <+21>: lea -0x94(%ebp),%eax
0x08048656 <+27>: push %eax
0x08048657 <+28>: call 0x8048470 <strcpy@plt>
0x0804865c <+33>: add $0x10,%esp
0x0804865f <+36>: mov 0x8(%ebp),%eax
0x08048662 <+39>: add $0x4,%eax
0x08048665 <+42>: mov (%eax),%eax
0x08048667 <+44>: sub $0x8,%esp
0x0804866a <+47>: push %eax
0x0804866b <+48>: lea -0x54(%ebp),%eax
0x0804866e <+51>: push %eax
0x0804866f <+52>: call 0x8048470 <strcpy@plt>
0x08048674 <+57>: add $0x10,%esp
0x08048677 <+60>: sub $0x8,%esp
0x0804867a <+63>: lea -0x94(%ebp),%eax
0x08048680 <+69>: push %eax
0x08048681 <+70>: push $0x804893d
0x08048686 <+75>: call 0x80487bb <chk_Str_in_File>
0x0804868b <+80>: add $0x10,%esp
0x0804868e <+83>: test %eax,%eax
0x08048690 <+85>: je 0x80486a7 <filecopy+108>
0x08048692 <+87>: sub $0xc,%esp
0x08048695 <+90>: push $0x8048958
0x0804869a <+95>: call 0x8048480 <puts@plt>
0x0804869f <+100>: add $0x10,%esp
0x080486a2 <+103>: jmp 0x80487b9 <filecopy+382>
0x080486a7 <+108>: sub $0x8,%esp
0x080486aa <+111>: lea -0x54(%ebp),%eax
0x080486ad <+114>: push %eax
0x080486ae <+115>: push $0x804893d
0x080486b3 <+120>: call 0x80487bb <chk_Str_in_File>
0x080486b8 <+125>: add $0x10,%esp
0x080486bb <+128>: test %eax,%eax
0x080486bd <+130>: je 0x80486d4 <filecopy+153>
0x080486bf <+132>: sub $0xc,%esp
0x080486c2 <+135>: push $0x8048958
0x080486c7 <+140>: call 0x8048480 <puts@plt>
0x080486cc <+145>: add $0x10,%esp
0x080486cf <+148>: jmp 0x80487b9 <filecopy+382>