Can someone help me identify the vulnerability?

reverse-engineering buffer-overflow vulnerability-analysis
2021-06-27 10:36:18

I was given this code, but I can't find the vulnerability. I think the code may be vulnerable to a buffer overflow. How can I prove it?

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

typedef struct _AC_DATA
{
    int the;
    int fan;
    bool rec;
} AC_DATA, *PAC_DATA;

typedef struct _RADIO_DATA
{
    char speakers_volume[4];   /* four speakers, one byte of volume each */
    int station;
} RADIO_DATA, *PRADIO_DATA;

typedef struct _GLOBAL_DATA
{
    AC_DATA ac_data;
    RADIO_DATA radio_data;
} GLOBAL_DATA, *PGLOBAL_DATA;

void good()
{
    printf("Good!\n");
}

int update_volume(PGLOBAL_DATA pglobal_data, int index, int new_volume)
{
    char arr[100];

    /* only an upper bound is checked here */
    if(index > 4)
    {
        printf("error invalid speaker.\n");
        return -1;
    }
    printf("updating the speaker %d to volume %d\n", index, new_volume);
    pglobal_data -> radio_data.speakers_volume[index] = new_volume;
    return 0;   /* the posted version fell off the end of a non-void function */
}

void hacked()
{
    printf("Hacked!\n");
}


int main () {

    GLOBAL_DATA global_data = {0};
    int index;
    int new_volume;
    printf("address of main: %p.\n", (void *)main);   /* %p instead of %X for a pointer */
    printf("enter volume index:");
    if (scanf("%d", &index) != 1)
        return 1;
    printf("enter new volume:");
    if (scanf("%d", &new_volume) != 1)
        return 1;
    update_volume(&global_data, index, new_volume);

    return 0;
}

1 answer

The bug is in update_volume.

pglobal_data -> radio_data.speakers_volume[index] = new_volume;

index is an integer, so it can also take negative values. Ideally you should never access a negative index of an array, because it lets you read/write the memory region before the array. Here the check only limits its maximum value to 4, but you can pass a negative integer all the way down to INT_MIN and overwrite one byte.

For exploitation, global_data belongs to main's stack frame. By accessing a negative index you can overwrite one byte of the return address of update_volume on the stack (somewhere in main's frame), which gives you a primitive to jump to the hacked or good function, possibly.

Resource: use ASAN to verify your claim while fuzzing the inputs.

Here is the ASAN dump for this case.

ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-6.0/bin/llvm-symbolizer ./test
address of main: 0xCA77FE6F.
enter volume index:-36
enter new volume:65
updating the speaker -36 to volume 65
=================================================================
==27759==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffebfb3ff98 at pc 0x55f1ca77fe6f bp 0x7ffebfb3fed0 sp 0x7ffebfb3fec0
WRITE of size 1 at 0x7ffebfb3ff98 thread T0
    #0 0x55f1ca77fe6e in update_volume /tmp/re.c:39
    #1 0x55f1ca78004b in main /tmp/re.c:57
    #2 0x7f237a433b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #3 0x55f1ca77fcf9 in _start (/tmp/test+0xcf9)

Address 0x7ffebfb3ff98 is located in stack of thread T0 at offset 136 in frame
    #0 0x55f1ca77fe7e in main /tmp/re.c:47

  This frame has 3 object(s):
    [32, 36) 'index'
    [96, 100) 'new_volume'
    [160, 180) 'global_data' <== Memory access at offset 136 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /tmp/re.c:39 in update_volume
Shadow bytes around the buggy address:
  0x100057f5ffa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100057f5ffb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100057f5ffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100057f5ffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100057f5ffe0: 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 04 f2
=>0x100057f5fff0: f2 f2 f2[f2]f2 f2 00 00 04 f2 00 00 00 00 00 00
  0x100057f60000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100057f60010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100057f60020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100057f60030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100057f60040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27759==ABORTING

If this is a homework question, please say so when posting. We are happy to help, but we will not do all the work for you if you don't show any progress made / research done, as @SYS_V mentioned in the comments.
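The fix the answer points at is a complete bounds check, not just an upper bound. The following is an added example written for this page, not code from the question or the answer: it keeps a copy of the RADIO_DATA layout, reproduces the original check as a predicate so the off-by-one (index 4 is also past the end of a 4-byte array) and the negative-index hole are visible, and beside it puts a hardened update_volume that rejects both and also keeps the stored value representable in a char. The function names, the 0..127 volume range and the sample inputs (the -36 from the ASAN run above, the off-by-one 4, and a valid 2) are assumptions made for the example.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Same layout as the RADIO_DATA struct in the question (copied for the example). */
typedef struct {
    char speakers_volume[4];
    int station;
} RADIO_DATA;

/* Number of speakers derived from the array, so the check cannot drift from the type. */
#define NUM_SPEAKERS (sizeof(((RADIO_DATA *)0)->speakers_volume))

/* The check exactly as the posted update_volume() performs it: only an upper
 * bound, and an off-by-one one at that (index 4 is already past the end).
 * Negative indices pass this test and write before the array. */
bool index_accepted_by_original_check(int index)
{
    return !(index > 4);
}

/* Hardened check: reject negatives and anything at or past the array length.
 * The cast to size_t only happens after the sign has been checked. */
bool index_in_bounds(int index)
{
    return index >= 0 && (size_t)index < NUM_SPEAKERS;
}

/* Hardened update: returns 0 on success, -1 on rejected input.
 * Every path returns a value, unlike the posted function. */
int update_volume_safe(RADIO_DATA *radio, int index, int new_volume)
{
    if (!index_in_bounds(index)) {
        fprintf(stderr, "error invalid speaker %d (valid: 0..%zu)\n",
                index, NUM_SPEAKERS - 1);
        return -1;
    }
    /* speakers_volume holds a char; 0..127 is representable whether char is signed or not
     * (assumed range for the example). */
    if (new_volume < 0 || new_volume > 127) {
        fprintf(stderr, "error invalid volume %d\n", new_volume);
        return -1;
    }
    radio->speakers_volume[index] = (char)new_volume;
    return 0;
}

/* Helper for checking results: runs one update on a fresh struct and returns
 * the byte that was stored, or -1 if the update was rejected. */
int stored_volume_after_update(int index, int new_volume)
{
    RADIO_DATA radio = {0};
    if (update_volume_safe(&radio, index, new_volume) != 0)
        return -1;
    return radio.speakers_volume[index];
}

int main(void)
{
    /* Constructed inputs: -36 (the ASAN run), 4 (off by one) and 2 (valid). */
    int inputs[] = {-36, 4, 2};
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("index %d: original check %s, hardened update %s\n", inputs[i],
               index_accepted_by_original_check(inputs[i]) ? "accepts" : "rejects",
               stored_volume_after_update(inputs[i], 65) >= 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Compiling the original program with -fsanitize=address (as the answer's dump shows) catches the negative write at run time; the predicate pair above is the static version of the same observation, and it is the kind of check a reviewer would ask for on any array index that comes from user input.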