
I recently read Aleph One's "Smashing the Stack for Fun and Profit" and have been looking at "The Shellcoder's Handbook". I'm playing around with the following assembly code:

section .text
    global _start

_start:
    jmp short GotoCall      ; jump forward so the call below pushes the string's address

shellcode:
    pop ebx                 ; ebx = address of '/bin/shJAAAAKKKK' (return address pushed by call)
    xor eax, eax
    mov [ebx + 7], al       ; overwrite 'J' with a NUL terminator
    mov [ebx + 8], ebx      ; overwrite 'AAAA' with the string address -> argv[0]
    mov [ebx + 12], eax     ; overwrite 'KKKK' with NULL -> argv[1]
    mov al, 0x0b            ; sys_execve
    lea ecx, [ebx + 8]      ; ecx = argv
    lea edx, [ebx + 12]     ; edx = envp (NULL)
    int 80h

    xor eax, eax
    mov al, 0x01            ; sys_exit, in case execve returns
    int 80h

GotoCall:
    call shellcode
    db '/bin/shJAAAAKKKK'

When I use GDB, I get a segmentation fault every time it tries to write at:

mov [ebx + 7], al

However, when I run this, I can pop a root shell without a segfault:

section .text
    global _start

_start:
    xor eax, eax
    push eax                ; NUL terminator for the string
    push 0x68732f2f         ; "//sh"
    push 0x6e69622f         ; "/bin"  -> the stack now holds "/bin//sh\0"
    mov  ebx, esp           ; ebx = pointer to the string (on the writable stack)
    push eax                ; argv[1] = NULL
    push ebx                ; argv[0] = string pointer
    mov  ecx, esp           ; ecx = argv
    xor  edx, edx           ; edx = envp = NULL
    mov  al, 0xb            ; sys_execve
    int  80h

Essentially they are doing the same thing (yes, I know they're not really, but I'm trying to pop a root shell with both). I'm running on OpenSuse 11.4 and have turned off stack randomization (ASLR) for learning purposes. Any ideas?


1 Answer


You've put the db '/bin/shJAAAAKKKK' string into the .text section, which is normally not writable.

If you put it into .data, the crash would go away, but you'll have to get the address of the string in some other way: it would no longer immediately follow the CALL in GotoCall.

Answered 2011-11-14T04:12:18.400
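To see for yourself why the first program's stores fault while the stack-based one does not, it helps to look at the flags the linker assigns to each section. The script below is an added example, not code from the question or the answer: it parses the ELF section header table (ELF32 or ELF64) directly and prints each section's W/A/X flags the way readelf -S does. The image returned by build_sample_elf is constructed here so the demonstration runs offline; pass the path of your assembled binary as the first argument to inspect the real thing. .text comes out as AX with no W, so the page's memory is mapped read-only and the write over 'J' faults, while .data carries WA and the stack is writable.

```python
"""List each ELF section with its W/A/X flags, readelf-style (added example)."""
import struct
import sys

SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4


def _name_at(strtab: bytes, off: int) -> str:
    """Read a NUL-terminated name from the section-name string table."""
    return strtab[off:strtab.index(b"\0", off)].decode()


def section_flags(data: bytes) -> dict:
    """Map section name -> flag letters (W writable, A mapped, X executable).

    A mapped section whose flags lack W is loaded read-only, so any store
    into it (for example a self-patching write into .text) faults.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if data[4] == 1:                             # EI_CLASS: 1 = ELF32
        (e_shoff,) = struct.unpack_from(end + "I", data, 0x20)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 0x2E)
        shdr_fmt = end + "IIIIIIIIII"
    elif data[4] == 2:                           # EI_CLASS: 2 = ELF64
        (e_shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 0x3A)
        shdr_fmt = end + "IIQQQQIIQQ"
    else:
        raise ValueError("unknown ELF class")

    # Each header unpacks as: name, type, flags, addr, offset, size, link, info, align, entsize
    headers = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
               for i in range(e_shnum)]
    shstr = headers[e_shstrndx]
    strtab = data[shstr[4]:shstr[4] + shstr[5]]

    result = {}
    for hdr in headers[1:]:                      # index 0 is the mandatory null section
        letters = "".join(ch for bit, ch in ((SHF_WRITE, "W"), (SHF_ALLOC, "A"),
                                             (SHF_EXECINSTR, "X")) if hdr[2] & bit)
        result[_name_at(strtab, hdr[0])] = letters
    return result


def _shdr32(*fields) -> bytes:
    """Pack one 40-byte ELF32 section header."""
    return struct.pack("<IIIIIIIIII", *fields)


def build_sample_elf() -> bytes:
    """Construct a minimal ELF32 image (sample data built here, not a real binary).

    It carries only a section header table: .text marked AX, .data marked WA,
    plus .shstrtab, mirroring what the linker produces for the question's program.
    """
    names = b"\0.text\0.data\0.shstrtab\0"      # name offsets: 1, 7, 13
    ehsize, shentsize = 52, 40
    e_shoff = ehsize + len(names)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH",
                       b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8,
                       2, 3, 1, 0x08048000, 0, e_shoff, 0,
                       ehsize, 0, 0, shentsize, 4, 3)
    sh = (_shdr32(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
          + _shdr32(1, 1, SHF_ALLOC | SHF_EXECINSTR, 0x08048000, 0, 0, 0, 0, 16, 0)
          + _shdr32(7, 1, SHF_WRITE | SHF_ALLOC, 0x08049000, 0, 0, 0, 0, 4, 0)
          + _shdr32(13, 3, 0, 0, ehsize, len(names), 0, 0, 1, 0))
    return ehdr + names + sh


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, flags in section_flags(image).items():
        state = ("not mapped" if "A" not in flags
                 else "writable" if "W" in flags else "read-only")
        print(f"{name:<20} {flags or '-':<4} {state}")
```

Run it with no arguments to see the constructed image, or with `./shellcode` (the binary produced by nasm and ld) to confirm that the only writable, mapped section is .data, which is exactly why the answer's suggestion of moving the string there removes the fault.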