Linux (x86) Exploit Development Series 3: Off-by-One

What is an off-by-one bug?

Copying a source string into a destination buffer can result in an off-by-one when:

  1. The source string length is equal to the destination buffer length.

When the source string length is equal to the destination buffer length, a single NULL byte gets copied just above the destination buffer. Since the destination buffer here is located on the stack, that single NULL byte can overwrite the least significant byte (LSB) of the caller's EBP stored on the stack, and this can lead to arbitrary code execution. (On the stack, the NULL byte overwrites the LSB of EBP.)

How is arbitrary code execution achieved?

Arbitrary code execution is achieved using a technique called "EBP overwrite". If the caller's EBP is located just above the destination buffer, then after strcpy a single NULL byte will have overwritten the LSB of the caller's EBP.

Alignment

gcc -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -o vuln vuln.c

(-mpreferred-stack-boundary=2 aligns the stack to 2^2 = 4 bytes, so no alignment padding sits between the buffer and the saved EBP.)

Test Step 1: Is EBP overwrite, and thus return address overwrite, possible?

Test Step 2: What is the offset from the destination buffer?
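The mechanism above and Test Step 1, modelled as an added example (my code, not the post's vuln.c): a length check that uses '>' where '>=' is needed, the number of bytes strcpy spills, and a small byte-array model of "saved EBP directly above the buffer" showing the terminating NUL clearing its low byte. BUF_SIZE = 256 and the sample EBP value 0xbffff4c8 are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not the post's own vuln.c. Models the off-by-one described
 * above: a length check written with '>' instead of '>=' lets a source of
 * exactly BUF_SIZE bytes through, strcpy then writes BUF_SIZE + 1 bytes, and
 * the terminating NUL lands on the byte just past the buffer. */
#define BUF_SIZE 256   /* assumed buffer size for the demonstration */

/* Buggy check: accepts strlen(src) == BUF_SIZE, leaving no room for the NUL. */
int vuln_check_accepts(const char *src) { return strlen(src) > BUF_SIZE ? 0 : 1; }

/* Fixed check: the NUL needs a byte too, so equality must be rejected. */
int fixed_check_accepts(const char *src) { return strlen(src) >= BUF_SIZE ? 0 : 1; }

/* Bytes strcpy would write past a BUF_SIZE buffer (strlen + 1 for the NUL). */
size_t overflow_bytes(const char *src) {
    size_t n = strlen(src) + 1;
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

/* Model of the frame the post assumes: destination buffer with the caller's
 * saved EBP directly above it (little-endian, as on x86). Copies src in with
 * strcpy and returns the saved EBP as it reads afterwards; the array has room
 * for the extra NUL, so the copy itself stays in bounds. */
uint32_t saved_ebp_after_copy(const char *src, uint32_t saved_ebp) {
    unsigned char frame[BUF_SIZE + 4];
    if (strlen(src) + 1 > sizeof frame) return saved_ebp; /* beyond the modelled case */
    memset(frame, 0, sizeof frame);
    for (size_t i = 0; i < 4; i++) frame[BUF_SIZE + i] = (unsigned char)(saved_ebp >> (8 * i));
    strcpy((char *)frame, src);
    saved_ebp = 0;
    for (size_t i = 0; i < 4; i++) saved_ebp |= (uint32_t)frame[BUF_SIZE + i] << (8 * i);
    return saved_ebp;
}

/* Constructed input: a run of 'A' of the requested length, capped at BUF_SIZE + 1. */
const char *constructed_input(size_t len) {
    static char buf[BUF_SIZE + 2];
    if (len > BUF_SIZE + 1) len = BUF_SIZE + 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

int main(void) {
    const char *in = constructed_input(BUF_SIZE);   /* exactly BUF_SIZE bytes: the off-by-one case */
    printf("buggy check accepts: %d, fixed check accepts: %d, spill: %zu byte(s)\n",
           vuln_check_accepts(in), fixed_check_accepts(in), overflow_bytes(in));
    printf("saved EBP 0xbffff4c8 reads 0x%08x after the copy\n", saved_ebp_after_copy(in, 0xbffff4c8u));
    return 0;
}
```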

When the program is launched via Python's subprocess.call, the stack addresses differ from those seen when running the program directly in the terminal.

Running it as a child process shifts the stack.

Time: 2024-10-13 22:30:06
