I am using bash. I have switched off ASLR in Ubuntu 11.04 using
#sysctl -w kernel.randomize_va_space=0
And I have exported a variable from the shell using
$ export MYSHELL=/bin/sh
I wrote a C program to get the address of the MYSHELL:

#include <stdio.h>
#include <stdlib.h>

int main(void) {
    /* getenv returns a pointer into the environment string that lives on the stack */
    char *shell = getenv("MYSHELL");
    if (shell)
        printf("%p\n", (void *)shell); /* the address of the string, e.g. 0xbffffe82 on 32-bit */
    return 0;
}

It spat out 0xbffffe82.
When I used it as a part of my attack for ret-to-libc, the address changes (although by a very small offset).
Why does this happen?
Also, when I change the filename of the binary and use the previously successful address, it won't work, and it has been relocated to a different address. Why? In other words, what is the relation of binary names and environment variable addresses? Is this a protection feature by bash? How do I switch this off?
Note: this is not homework.
Stack layout at program startup is documented here. It should be obvious why changing the name of the program (length really) changes the layout.
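As an added example, not part of the question or the answer: a C program that checks the layout the answer refers to on a running Linux system (it assumes Linux and glibc's getauxval(AT_EXECFN)). It measures the distance from the MYSHELL string to the end of the exec-path string with pointers and predicts the same distance from string lengths alone, which makes visible why a longer program name moves every environment string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>  /* getauxval(AT_EXECFN): assumes Linux and glibc >= 2.16 */

extern char **environ;
/* The kernel places the exec path at the top of the stack, the environment
   strings right below it, then argv, all back-to-back. Returns 1 if each
   environment string is immediately followed by the next one. */
int env_strings_contiguous(void) {
    for (int i = 0; environ[i] && environ[i + 1]; i++)
        if (environ[i + 1] != environ[i] + strlen(environ[i]) + 1)
            return 0;
    return 1;
}
/* 1 if the exec path string lies above every environment string. */
int execfn_above_env(void) {
    const char *execfn = (const char *)getauxval(AT_EXECFN);
    if (!execfn) return 0;
    for (char **e = environ; *e; e++)
        if (*e >= execfn) return 0;
    return 1;
}
/* Index of NAME=... in environ, or -1 if NAME is not set. */
int env_index(const char *name) {
    size_t n = strlen(name);
    for (int i = 0; environ[i]; i++)
        if (strncmp(environ[i], name, n) == 0 && environ[i][n] == '=') return i;
    return -1;
}
/* Bytes from environ[i] up to the end of the exec path, measured with pointers. */
long measured_distance_at(int i) {
    const char *execfn = (const char *)getauxval(AT_EXECFN);
    return (execfn + strlen(execfn) + 1) - environ[i];
}
/* The same distance predicted from lengths alone: environ[i], every later entry
   and the exec path, each plus its NUL. A program path k bytes longer pushes
   environ[i] k bytes lower; under bash the exported "_" variable (also the
   program path, usually placed last) adds another k. */
long predicted_distance_at(int i) {
    long d = (long)strlen((const char *)getauxval(AT_EXECFN)) + 1;
    for (; environ[i]; i++) d += (long)strlen(environ[i]) + 1;
    return d;
}
int main(void) {
    int i = env_index("MYSHELL");  /* run as: export MYSHELL=/bin/sh; ./a.out */
    if (i < 0) { puts("MYSHELL is not exported"); return 1; }
    printf("MYSHELL at %p, %ld bytes below the end of the exec path (predicted %ld)\n",
           (void *)environ[i], measured_distance_at(i), predicted_distance_at(i));
    return 0;
}
```

Rename the binary and run it again: the measured distance grows by exactly the extra characters in the path, and with ASLR off the MYSHELL address drops by the same amount.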