从 Python 传递 shellcode 作为命令行参数
我目前正在为我的同学准备一个关于计算机安全的小型演示。为了让他们至少有点兴奋,我想演示如何利用 strcpy 函数 inc C 的错误使用。 这是易受攻击的程序的代码:
#include<string.h>
#include<stdio.h>
void function(char *buffer1)
{
char buffer2[5];
strcpy(buffer2,buffer1);
}
int main (int argc, char **argv)
{
function(argv[1]);
return 0;
}
只需使用命令行,我就可以通过调用它来崩溃应用程序,
test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ
这给了我 EIP 的正确 0x4D4C4B4A (MLKJ)。如果我从 Python 调用它,它也可以工作:
os.system("test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ")
但是,如果我想放置一个地址而不是 JKLM,如下所示:
os.system("test.exe ABCDEFGHI\x75\x9a\x21\x1bNOPQRSTUVWXYZ")
它在堆栈上的 ESP 附近提供了以下输出:
0028cca0 e4 21 d7 41 42 43 44 45-46 47 48 49 75 c2 9a 21 .!.ABCDEFGHIu..!
0028ccb0 1b 4e 4f 50 51 52 53 54-55 56 57 58 59 5a 00 00 .NOPQRSTUVWXYZ..
这里 75 c2 9a 21 很重要,因为它几乎是我预计,除了 0x1B(ESCAPE 的 ASCII 字符)被 0xC2 替换之外。 当我更改地址的顺序时,它看起来像这样:\x21\x1b\x75\x9a,9a 被相同的神秘 C2 取代。 有谁知道代码出了什么问题吗?我是否遗漏了一些基本点,或者是针对基于堆栈的缓冲区溢出的某种保护?
谢谢,
I am currently preparing a small presentation about computer security among my fellow students. To get them at least a bit excited I wanted to demonstrate how the wrong use of the strcpy-function inc C can be exploited.
This is the code of the vulnerable program:
#include<string.h>
#include<stdio.h>
void function(char *buffer1)
{
char buffer2[5];
strcpy(buffer2,buffer1);
}
int main (int argc, char **argv)
{
function(argv[1]);
return 0;
}
Just using the command line I was able to crash the application by calling it with
test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ
Which gave me the correct 0x4D4C4B4A (MLKJ) for the EIP. It also works if I call it from Python:
os.system("test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ")
However, if I want to put an address instead of JKLM, like this:
os.system("test.exe ABCDEFGHI\x75\x9a\x21\x1bNOPQRSTUVWXYZ")
It gives me following output near the ESP on the Stack:
0028cca0 e4 21 d7 41 42 43 44 45-46 47 48 49 75 c2 9a 21 .!.ABCDEFGHIu..!
0028ccb0 1b 4e 4f 50 51 52 53 54-55 56 57 58 59 5a 00 00 .NOPQRSTUVWXYZ..
Here the 75 c2 9a 21 matters because it is almost what I expected, except the 0x1B, which is the ASCII Character for ESCAPE, is replaced by 0xC2.
When I change the order of the address, so it looks like this: \x21\x1b\x75\x9a, the 9a gets replaced by the same mysterious C2.
Does anyone know whats the matter with the code? Am I missing some basic point or is it some kind of protection against stack based buffer overflows?
Thanks,
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您的文本似乎正在进行 UTF-8 转换。请注意,您的原始 bytes:
被替换为
我突出显示的 UTF-8 编码字节。如果您使用的是 Python 3,请尝试:
b""表示数据是 字节 序列,并且不应从 Unicode 转换为默认编码 (在你的情况下似乎是UTF-8)。It looks like your text is undergoing UTF-8 conversion. Note that your original bytes:
are replaced by
I've highlighted the UTF-8 encoded byte. If you're using Python 3, try:
The
b""indicates that the data is a byte sequence, and shouldn't be converted from Unicode to the default encoding (which in your case seems to be UTF-8).