
CPU execution flow after execve buffer overflow completes successfully? ..after int 0x80 completes successfully?

I'm learning about buffer overflow shellcode methods under Linux. https://seedsecuritylabs.org/Labs_16.04/Software/Buffer_Overflow/

The shellcode I've used ends with movb $0x0b, %al and then int $0x80. The shellcode executes and I get my command prompt. I've read many places that execve and int 0x80 "do not return". Well.. okay, but where ~does~ program execution flow go when the execve process succeeds and exits (aka I enter "exit" on the command line prompt)?

I thought the calling program has its stack frame replaced with the new execve code's information. Does the new execve code preserve the return address of the overwritten process and return to that address as if it were its own? (So it does sort of return .. to a borrowed address?) As far as int $0x80 goes, doesn't execution continue at the next byte after the int 0x80 instruction? If not, what next byte?

In the context of the buffer overflow problem and int 0x80, say (for example) a 517 byte hack overwrites a 24 byte buffer. Bytes will replace values at stack memory addresses beyond the buffer, including the return address pointing to its own executable code higher up in the stack. But the intentional code stomps on 100s of other stack bytes higher in memory, destroying stack frames of unrelated outer-scope processes. With these destroyed stack frames, what happens when...

1) the shell returns from the int 0x80 and executes more stack data that is not part of the hack. What's there now is unspecified bytes that are probably invalid CPU opcodes.

2) the context of outer stack frames has been destroyed, so how does the system gracefully continue after I enter "exit" at my shell command prompt?

Any help appreciated!

I think you'll understand what is going on if we discuss what execve is and how it works.

I've read many places that execve and int 0x80 "do not return". Well.. okay, but where ~does~ program execution flow go when the execve process succeeds and exits (aka I enter "exit" on the command line prompt)?

The following is from execve's manpage.

    execve() executes the program pointed to by filename.  filename must be
    either a binary executable, or a script starting with a line of the
    form:

        #! interpreter [optional-arg]

execve is a system call which executes a specified program.

Continuing,

    execve() does not return on success, and the text, data, bss, and stack
    of the calling process are overwritten by that of the program loaded.

This statement deals with your question.

Every process has its own memory layout. The memory layout consists of the text segment, data segment, stack, heap, dependent libraries etc. Refer to /proc/PID/maps of any process to get a clear picture of the memory layout.

When execve is executed and it succeeds, the complete memory layout is erased (the contents of the caller process are lost forever) and the contents of the new process are loaded into memory. New text segment, new data segment, new stack, new heap, everything new.

So, when you try to exit on your command-line, you'll just terminate /bin/sh which you had run using execve. There are no seg-faults, no errors.

Does the new execve code preserve the return address of the overwritten process and return to that address as if it were its own? (So it does sort of return .. to a borrowed address?)

No. This doesn't happen. The new process launched by execve has no clue about the old process.

As far as int $0x80 goes, doesn't execution continue at the next byte after the int 0x80 instruction? If not, what next byte?

The int 0x80 instruction is present to request the OS to execute a specified system call. So, whether execution continues later once int 0x80 returns totally depends on what the system call is.

Generally, read, write, open, creat etc. all execute and return back. But the exec class of functions (go to man exec) are different. Each of those functions never returns on success. They return only on failure.

As for the last part of the question: because the memory layout has been erased and new contents are loaded, there is no sign of buffer overflow here, no memory corruption.

I hope this answers your questions.
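As an added illustration of the answer above (example code, not part of the original post): a small C program that forks a child, has the child replace itself with /bin/sh via execve, and shows where control goes when that shell exits, namely back to the parent's waitpid(), never to any frame of the replaced image. It also shows the one case where execve does return, a failed call. It assumes a Linux host with /bin/sh where fork and execve are permitted.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child, replace the child's whole image with /bin/sh running `cmd`,
 * and return the shell's exit status as the parent observes it via waitpid().
 * Nothing after execve in the child runs on success: that stack is gone. */
int run_via_execve(const char *cmd) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {"/bin/sh", "-c", (char *)cmd, NULL};
        char *envp[] = {NULL};
        execve("/bin/sh", argv, envp);
        /* Reached only if execve failed; the old image is still intact here. */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    /* The shell's "exit N" surfaces here, in the parent, not in the child. */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* execve returns only on failure: a constructed, nonexistent path forces that
 * case and we hand back errno (expected ENOENT) to show the call came back. */
int execve_failure_errno(void) {
    char *argv[] = {"/nonexistent/program", NULL};
    char *envp[] = {NULL};
    errno = 0;
    int rc = execve("/nonexistent/program", argv, envp);
    return rc == -1 ? errno : 0;
}

int main(void) {
    printf("shell 'exit 7' status seen by parent: %d\n", run_via_execve("exit 7"));
    printf("execve of a missing path returned, errno=%d (ENOENT=%d)\n",
           execve_failure_errno(), ENOENT);
    return 0;
}
```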
