Come trovare l'indirizzo di ritorno quando si esegue un overflow

1

per un compito sto cercando di trovare exploit in un programma c. Ne ho trovato uno in strcpy, che è vulnerabile agli attacchi di overflow. Il problema è che in realtà sto avendo problemi a distribuire lo shellcode attraverso gli argomenti. So che il comando corretto è [NOP Sled] + [Shellcode] + [Return Address], so che il NOP Sled + Shellcode lo inserisce nello spazio di Return Address, ma mi manca quanto a lungo dovrebbe essere lo Sled NOP e quale sarebbe l'indirizzo del mittente. Ecco il codice.

int main(int argc, char* argv[]){
        if (argc == 3) {
                filecopy(argv);
        } else {
                printf("Error: Two files needed!\n");
        }
}

void filecopy(char* argv[]) {
        char s1[64];
        char s2[64];
        FILE *fp1, *fp2;
        char temp;

        strcpy(s2,argv[2]);
        strcpy(s1,argv[1]);

        if (chk_Str_in_File(RESTRICTED, s2)) {
                printf("Error: Could not open the restricted file or match found in restricted file!\n");
                return;
        }
        if (chk_Str_in_File(RESTRICTED, s1)) {
                printf("Error: Could not open the restricted file or match found in restricted file!\n");
                return;
        }

        if(strcmp(s1, s2) == 0){
                printf("Error: Entered two strings are equal.\n");
                return;
        }

        fp1 = fopen(s1,"r");
        if (fp1 == NULL) {
                printf("Error: Could not open file1!\n");
                return;
        }

        fp2 = fopen(s2, "wb");
        if (fp2 == NULL) {
                printf("Error: Could not open file2!\n");
                return;
        } else {
                temp = fgetc(fp1);
                while (temp != EOF) {
                        fputc(temp, fp2);
                        temp = fgetc(fp1);
                }

                printf("Copy Complete!!!\n");

                fcloseall();
        }
}

E il dump dell'assembly

Dump of assembler code for function filecopy:
   0x0804863b <+0>:     push   %ebp
   0x0804863c <+1>:     mov    %esp,%ebp
   0x0804863e <+3>:     sub    $0x98,%esp
   0x08048644 <+9>:     mov    0x8(%ebp),%eax
   0x08048647 <+12>:    add    $0x8,%eax
   0x0804864a <+15>:    mov    (%eax),%eax
   0x0804864c <+17>:    sub    $0x8,%esp
   0x0804864f <+20>:    push   %eax
   0x08048650 <+21>:    lea    -0x94(%ebp),%eax
   0x08048656 <+27>:    push   %eax
   0x08048657 <+28>:    call   0x8048470 <strcpy@plt>
   0x0804865c <+33>:    add    $0x10,%esp
   0x0804865f <+36>:    mov    0x8(%ebp),%eax
   0x08048662 <+39>:    add    $0x4,%eax
   0x08048665 <+42>:    mov    (%eax),%eax
   0x08048667 <+44>:    sub    $0x8,%esp
   0x0804866a <+47>:    push   %eax
   0x0804866b <+48>:    lea    -0x54(%ebp),%eax
   0x0804866e <+51>:    push   %eax
   0x0804866f <+52>:    call   0x8048470 <strcpy@plt>
   0x08048674 <+57>:    add    $0x10,%esp
   0x08048677 <+60>:    sub    $0x8,%esp
   0x0804867a <+63>:    lea    -0x94(%ebp),%eax
   0x08048680 <+69>:    push   %eax
   0x08048681 <+70>:    push   $0x804893d
   0x08048686 <+75>:    call   0x80487bb <chk_Str_in_File>
   0x0804868b <+80>:    add    $0x10,%esp
   0x0804868e <+83>:    test   %eax,%eax
   0x08048690 <+85>:    je     0x80486a7 <filecopy+108>
   0x08048692 <+87>:    sub    $0xc,%esp
   0x08048695 <+90>:    push   $0x8048958
   0x0804869a <+95>:    call   0x8048480 <puts@plt>
   0x0804869f <+100>:   add    $0x10,%esp
   0x080486a2 <+103>:   jmp    0x80487b9 <filecopy+382>
   0x080486a7 <+108>:   sub    $0x8,%esp
   0x080486aa <+111>:   lea    -0x54(%ebp),%eax
   0x080486ad <+114>:   push   %eax
   0x080486ae <+115>:   push   $0x804893d
   0x080486b3 <+120>:   call   0x80487bb <chk_Str_in_File>
   0x080486b8 <+125>:   add    $0x10,%esp
   0x080486bb <+128>:   test   %eax,%eax
   0x080486bd <+130>:   je     0x80486d4 <filecopy+153>
   0x080486bf <+132>:   sub    $0xc,%esp
   0x080486c2 <+135>:   push   $0x8048958
   0x080486c7 <+140>:   call   0x8048480 <puts@plt>
   0x080486cc <+145>:   add    $0x10,%esp
   0x080486cf <+148>:   jmp    0x80487b9 <filecopy+382>
    
posta small502 03.10.2018 - 05:10
fonte

0 risposte

Leggi altre domande sui tag