gera提供的一组不安全编程实例

nt4 · 发表于 2015-8-14 20:42:35

gera提供的一组不安全编程实例

http://community.corest.com/~gera/InsecureProgramming/

Insecure Programming by example

Here you can find a collection of exercises that will help you teach yourself the art of insecure programs exploitation. It's not complete, but it's minted to open your mind. The idea is NOT to use any human help. In case you doubt it, we could exploit all but two of them, stay calm and good luck.
get them all
a friend's site with tons of info
pages pointing here
WARMING UP on STACK:
Stack #1:
/* stack1.c                                  *
* specially crafted to feed your brain by gera */

int main() {
      int cookie;
      char buf[80];

      printf("buf: %08x cookie: %08x\n", &buf, &cookie);
      gets(buf);

      if (cookie == 0x41424344)
            printf("you win!\n");
}
Stack #2:
/* stack2.c                                  *
* specially crafted to feed your brain by gera */

int main() {
      int cookie;
      char buf[80];

      printf("buf: %08x cookie: %08x\n", &buf, &cookie);
      gets(buf);

      if (cookie == 0x01020305)
            printf("you win!\n");
}
Stack #3:
/* stack3.c                                  *
* specially crafted to feed your brain by gera */

int main() {
      int cookie;
      char buf[80];

      printf("buf: %08x cookie: %08x\n", &buf, &cookie);
      gets(buf);

      if (cookie == 0x01020005)
            printf("you win!\n");
}
Stack #4:
/* stack4.c                                  *
* specially crafted to feed your brain by gera */

int main() {
      int cookie;
      char buf[80];

      printf("buf: %08x cookie: %08x\n", &buf, &cookie);
      gets(buf);

      if (cookie == 0x000a0d00)
            printf("you win!\n");
}
Stack #5:
/* stack5.c                                  *
* specially crafted to feed your brain by gera */

int main() {
      int cookie;
      char buf[80];

      printf("buf: %08x cookie: %08x\n", &buf, &cookie);
      gets(buf);

      if (cookie == 0x000a0d00)
            printf("you lose!\n");
}
ADVANCED BUFFER OVERFLOWS
Advanced Buffer Overflow #1:
blind obedience
What would happen if you store 512 characters where there is only space for 256? You may claim that you can't, and you'll be right, but still, there are situations that, unconsciously, you tell the micro to do so, and he can only but obey you... and he'll do his best without thinking of side effects. Now is when we get technical, fasten your seat belts, this turbulence will last forever.

What defines a buffer overflow is the copy of a memory region into another region not big enough to contain it.
/* abo1.c                                     *
* specially crafted to feed your brain by gera */

/* Dumb example to let you get introduced... */

int main(int argv,char **argc) {
      char buf[256];

      strcpy(buf,argc[1]);
}
This is a good and simple abo: on execution this program will copy the contents of argc[1]1, whatever it is, into the reserved 256 bytes named buf, strcpy() will not do any checks of any kind, it will just copy bytes from source to destination, from argc[1] to buf, until it finds a zero. Here, a chance is given for us to supply a longer-than-expected argc[1] to write in memory past the end of the reserved space named buf. Why is this a security problem? becouse we can change data that we shouldn't be able to, and usually, this data we can change has a very special meaning for the micro, and by exploiting this meaning, we can confuse the micro and make it do what we want. That's the secret, go get a debugger, a compiler, and all the tools you think you'll need, and find out what's the data after buf and why it's so important to be able to modify it.

1 - argc and argv are just names for main's arguments, they just name chunks of bits in memory, their names are not meaningful by their own but for their context.

Advanced Buffer Overflow #2:
execution flow
Did you get the previous abo? Is the key to it overwriting sensible data or something else? Again, it is important to know who will read the data, and how will it be interpreted.
/* abo2.c                                     *
* specially crafted to feed your brain by gera */

/* This is a tricky example to make you think *
* and give you some help on the next one    */

int main(int argv,char **argc) {
      char buf[256];

      strcpy(buf,argc[1]);
      exit(1);
}
In this new abo, as you can see, we added an exit(). Go and find out what's the difference, what new possibilities this exit() adds, or what constrains it puts on the exploitation of the buffer overflow... good luck, take your time, and keep thinking until you are absolutly sure of what you think...

Advanced Buffer Overflow #3:
microprocessor ownership
How to make the microprocessor make what you want? Who owns the Instruction Pointer, owns the execution flow, and that's what we need. All bytes are composed of bits, but some of them are just numbers, and some of them are addresses to code. Jump! Geronimoooooooooo...
/* abo3.c                                     *
* specially crafted to feed your brain by gera */

/* This'll prepare you for The Next Step       */

int main(int argv,char **argc) {
      extern system,puts;
      void (*fn)(char*)=(void(*)(char*))&system;
      char buf[256];

      fn=(void(*)(char*))&puts;
      strcpy(buf,argc[1]);
      fn(argc[2]);
      exit(1);
}
buf is in the stack, and after it are some bits you can change, that you've learnt in abo1.

In case you wonder why we put that there, is so the linker doesn't remove it.

Advanced Buffer Overflow #4:
oh pointers, pointers!
Do you remember when you had problems with * and &? everybody has that kind of problems at least once when learning C, what about poiners to pointers? let's see...
/* abo4.c                                        *
* specially crafted to feed your brain by gera    */

/* After this one, the next is just an Eureka! away */

extern system,puts;
void (*fn)(char*)=(void(*)(char*))&system;

int main(int argv,char **argc) {
      char *pbuf=malloc(strlen(argc[2])+1);
      char buf[256];

      fn=(void(*)(char*))&puts;
      strcpy(buf,argc[1]);
      strcpy(pbuf,argc[2]);
      fn(argc[3]);
      while(1);
}
Advanced Buffer Overflow #5:
ch-ch-ch-changes
/* abo5.c                                     *
* specially crafted to feed your brain by gera */

/* You take the blue pill, you wake up in your bed, *
*    and you believe what you want to believe       *
* You take the red pill,                            *
*    and I'll show you how deep goes the rabbit hole */

int main(int argv,char **argc) {
      char *pbuf=malloc(strlen(argc[2])+1);
      char buf[256];

      strcpy(buf,argc[1]);
      for (;*pbuf++=*(argc[2]++););
      exit(1);
}
Use your sixth sense, will you be able to gain control given the possibility of writing wherever you wish in memory?

Advanced Buffer Overflow #6:
/* abo6.c                                     *
/* specially crafted to feed your brain by gera */

/* wwwhat'u talkin' about? */

int main(int argv,char **argc) {
      char *pbuf=malloc(strlen(argc[2])+1);
      char buf[256];

      strcpy(buf,argc[1]);
      strcpy(pbuf,argc[2]);
      while(1);
}
Advanced Buffer Overflow #7:
/* abo7.c                                     *
* specially crafted to feed your brain by gera */

/* sometimes you can,    *
* sometimes you don't    *
* that's what life's about */

char buf[256]={1};

int main(int argv,char **argc) {
      strcpy(buf,argc[1]);
}
Advanced Buffer Overflow #8:
Don't stay static
/* abo8.c                                     *
* specially crafted to feed your brain by gera */

/* spot the difference */

char buf[256];

int main(int argv,char **argc) {
      strcpy(buf,argc[1]);
}
From the top of your head, what do you think is generally more safe, a program dynamically linked to its libraries or one statically linked to them? Now go and try it out!

Advanced Buffer Overflow #9:
/* abo9.c                                     *
* specially crafted to feed your brain by gera */

/* free(your mind) */

/* I'm not sure in what operating systems it can be done */

int main(int argv,char **argc) {
      char *pbuf1=(char*)malloc(256);
      char *pbuf2=(char*)malloc(256);

      gets(pbuf1);
      free(pbuf2);
      free(pbuf1);
}
Advanced Buffer Overflow #10:
/* abo10.c                                     *
* specially crafted to feed your brain by gera */

/* Deja-vu*/

char buf[256];

int main(int argv,char **argc) {
      char *pbuf=(char*)malloc(256);

      gets(buf);
      free(pbuf);
}

FORMAT STRINGS
Format Strings #1:

/* fs1.c *
* specially crafted to feed your brain by gera */
/* Don't forget, *
* more is less, *
* here's a proof */
int main(int argv,char **argc) {
short int zero=0;
int *plen=(int*)malloc(sizeof(int));
char buf[256];
strcpy(buf,argc[1]);
printf("%s%hn\n",buf,plen);
while(zero);
}

复制代码

nt4 · 发表于 2015-8-14 20:43:26

Format Strings #2:

/* fs2.c *
* specially crafted to feed your brain by gera */
/* Can you tell me what's above the edge? */
int main(int argv,char **argc) {
char buf[256];
snprintf(buf,sizeof buf,"%s%c%c%hn",argc[1]);
snprintf(buf,sizeof buf,"%s%c%c%hn",argc[2]);
}

复制代码

Format Strings #3:

/* fs3.c *
* specially crafted to feed your brain by riq */
/* Not enough resources? */
int main(int argv,char **argc) {
char buf[256];
snprintf(buf,sizeof buf,"%s%c%c%hn",argc[1]);
}

复制代码

Format Strings #4:

/* fs4.c *
* specially crafted to feed your brain by gera */
/* Have you ever heard about code reusability? */
int main(int argv,char **argc) {
char buf[256];
snprintf(buf,sizeof buf,"%s%6$hn",argc[1]);
printf(buf);
}

复制代码

Format Strings #5:

/* fs5.c *
* specially crafted to feed your brain by gera */
/* go, go, go! */
int main(int argv,char **argc) {
char buf[256];
snprintf(buf,sizeof buf,argc[1]);
/* this line'll make your life easier */
// printf("%s\n",buf);
}

复制代码

SIGNALS
Signals #1:

/* s1.c *
* specially crafted to feed your brain by gera */
/* now I've got it! */
int main(int argv,char **argc) {
char *pbuf=(char*)malloc(strlen(argc[2])+1);
char buf[256];
signal(10,main);
strcpy(buf,argc[1]);
for (;*pbuf++=*(argc[2]++););
while(1);
}

复制代码

Signals #2:

/* s2.c *
* specially crafted to feed your brain by gera */
/* do you resign? */
int main(int argv,char **argc) {
char *pbuf=(char*)malloc(strlen(argc[2])+1);
char buf[256];
signal(10,10);
strcpy(buf,argc[1]);
for (;*pbuf++=*(argc[2]++););
while(1);
}

复制代码

Signals #3:

/* s3.c *
* specially crafted to feed your brain by gera */
/* Give me a sign!!!! */
int main(int argv,char **argc) {
char *pbuf=(char*)malloc(strlen(argc[2])+1);
char buf[256];
alarm(1);
strcpy(buf,argc[1]);
for (;*pbuf++=*(argc[2]++););
while(1);
}

复制代码

Signals #4:

/* s4.c *
* specially crafted to feed your brain by gera */
/* recurring nightmare */
int main(int argv,char **argc) {
char *pbuf=(char*)malloc(strlen(argc[2])+1);
char buf[256];
strcpy(buf,argc[1]);
for (;*pbuf++=*(argc[2]++););
while(1);
}

复制代码

ESOTERIC
Esoteric #1:

/* e1.c *
/* specially crafted to feed your brain by gera */
/* jumpy vfprintf, Batman! */
int main(int argv,char **argc) {
/* Can you do it changing the stack? */
/* Can you do it without changing it? */
printf(argc[1]);
while(1);
}

复制代码

Esoteric #2:

/* e2.c *
/* specially crafted to feed your brain by gera */
/* Now, your misson is to make abo1 act like this other program:
*
char buf[100];
while (1) {
scanf("%100s",buf);
system(buf);
}
* But, you cannot execute code in stack.
*/
int main(int argv,char **argc) {
char buf[256];
strcpy(buf,argc[1]);
}

复制代码

Esoteric #3:

/* e3.c *
* specially crafted to feed your brain by gera */
/* are you an enviromental threat */
char buf[256];
int main(int argv,char **argc) {
strcpy(buf,argc[1]);
setenv("ABO",argc[2],1);
while(1);
}

复制代码

Esoteric #4:

/* e4.c *
* specially crafted to feed your brain by gera */
/* %what the hell? */
char buf[256];
int main(int argv,char **argc) {
strcpy(buf,argc[1]);
printf("live at 100%!");
while(1);
}

复制代码

Esoteric #5:

/* e5.c *
* specially crafted to feed your brain by gera */
/* is this possible? */
char buf[256];
int main(int argv,char **argc) {
strcpy(buf,argc[1]);
perror(argc[2]);
while(1);
}

复制代码

StackGuarded
StackGuarded #1:

/* sg1.c *
* specially crafted to feed your brain by gera */
int func(char *msg) {
char buf[80];
strcpy(buf,msg);
// toupper(buf); // here just to give func() "some" sence
strcpy(msg,buf);
exit(1);
}
int main(int argv, char** argc) {
func(argc[1]);
}

复制代码

StackGuarded #2:

/* sg2.c *
* specially crafted to feed your brain by gera */
void func(char *msg) {
char buf[80];
strcpy(buf,msg);
}
int main(int argv, char** argc) {
func(argc[1]);
}

复制代码

StackGuarded #3:

/* sg3.c *
* specially crafted to feed your brain by gera */
char *read_it(char *msg) {
char buf[128];
int count;
buf[read(0,buf,sizeof buf)]=0;
return strdup(buf);
}
int main(int argv, char **argc) {
char *msg = malloc(1000);
snprintf(msg,1000,"User: %s",read_it(msg));
}

复制代码

StackGuarded #4:

/* sg4.c *
* specially crafted to feed your brain by gera */
// XXX: Add real encryption here
#define decrypt(dest,src) strcpy(dest,src)
int check(char *user) {
char temp[80];
decrypt(temp,user);
// XXX: add some real checks in the future
return !strcmp(temp,"gera");
}
// XXX: Add real support for internationalization
#define LANG_MSG(dest,pattern) strcpy(dest,pattern);
int main(int argv, char **argc) {
char msg[100];
LANG_MSG(msg,"Get out of here!\n");
if (!check(argc[1])) {
printf(msg);
exit(1);
}
exit(0);
}

复制代码

StackGuarded #5:

/* sg5.c *
* specially crafted to feed your brain by gera */
int need_to_check = 1; // XXX: Add global configuration
// XXX: Add real encryption here
#define decrypt(dest,src) strcpy(dest,src)
int check(char *user) {
char temp[80];
decrypt(temp,user);
// XXX: add some real checks in the future
return !strcmp(temp,"gera");
}
int main(int argv, char **argc) {
int user_ok;
user_ok = check(argc[1]);
if (!user_ok && need_to_check) exit(1);
exit(0);
}

复制代码

StackGuarded #6:

/* sg6.c *
* specially crafted to feed your brain by gera */
// XXX: Add real encryption here
#define decrypt(dest,src) strcpy(dest,src)
int get_username(char *user) {
char temp[80];
decrypt(temp,user);
return strdup(temp);
}
int main(int argv, char **argc) {
char *user_name;
user_name = get_username(argc[1]);
printf("User name is '%s'\n",user_name);
return 0;
}

复制代码

Numeric
Numeric #1:

/* n1.c *
* specially crafted to feed your brain by gera */
#include
#include
#include
#define MAX_SIZE 80
unsigned int atoul(char *str) {
unsigned int answer=0;
for (;*str && isdigit(*str);
answer *= 10, answer += *str++-'0');
return answer;
}
int main(int argv, char **argc) {
char buf[MAX_SIZE],*pbuf=buf;
int count = atoul(argc[1]);
if (count >= MAX_SIZE) count = MAX_SIZE-1;
while (count--) *pbuf++=getchar();
*pbuf=0;
}

复制代码

Numeric #2:

/* n2.c *
* specially crafted to feed your brain by gera */
#include
#include
#include
#define MAX_SIZE 80
unsigned int atoul(char *str) {
unsigned int answer=0;
for (;*str && isdigit(*str);
answer *= 10, answer += *str++-'0');
return answer;
}
int main(int argv, char **argc) {
char *pbuf,buf[MAX_SIZE];
int count = atoul(argc[1]);
if (count >= MAX_SIZE) count = MAX_SIZE-1;
pbuf=buf;
while (count--) *pbuf++=getchar();
*pbuf=0;
}

复制代码

Numeric #3:

/* n3.c *
* specially crafted to feed your brain by gera */
#include
#include
unsigned int count;
char **args;
int main(int argv, char **argc) {
char buf[80];
fscanf(stdin, "%u", &count);
args = alloca(count*sizeof(char*));
while (count--) {
if (!fgets(buf,sizeof buf,stdin)) break;
*args++=strdup(buf);
}
}

复制代码

Numeric #4:

/* n4.c *
* specially crafted to feed your brain by gera */
#include
#include
unsigned int count;
int main(int argv, char **argc) {
char buf[80],**args;
fscanf(stdin, "%u", &count);
args = alloca(count*sizeof(char*));
while (count--) {
if (!fgets(buf,sizeof buf,stdin)) break;
*args++=strdup(buf);
}
}

复制代码

Numeric #5:

/* n5.c *
* specially crafted to feed your brain by gera */
#include
int main(int argv, char **argc) {
char **args,buf[80];
unsigned int index,count;
fscanf(stdin, "%u", &count);
args = malloc(count*sizeof(char*));
while (1) {
fscanf(stdin,"%u %80s", &index, buf);
if (index<count) args[index] = strdup(buf);
else break;
}
}

复制代码

		自动登录	找回密码
密码			注册新用户(newuser)