Executing a function pointer that points to shellcode
I'm trying to execute this simple opcode for an exit(0) call by overwriting the return address of main.
The problem is I'm getting a segmentation fault.
#include <stdio.h>
char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00"
"/0xb8/0x01/0x00/0x00/0x00"
"/0xcd/0x80";
void main()
{
int *ret;
ret = (int *)&ret + 2; // +2 to get to the return address on the stack
(*ret) = (int)shellcode;
}
Execution results in a segmentation fault.
[user1@fedo BOF]$ gcc -o ExitShellCode ExitShellCode.c
[user1@fedo BOF]$ ./ExitShellCode
Segmentation fault (core dumped)
This is the objdump of the shellcode.a:
[user1@fedo BOF]$ objdump -d exitShellcodeaAss
exitShellcodeaAss: file format elf32-i386
Disassembly of section .text:
08048054 <_start>:
8048054: bb 14 00 00 00 mov $0x14,%ebx
8048059: b8 01 00 00 00 mov $0x1,%eax
804805e: cd 80 int $0x80
The system I'm using:
fedora Linux 3.1.2-1.fc16.i686
ASLR is disabled.
Debugging with GDB.
gcc version 4.6.2
Hmm, maybe it is too late to answer this question, but there might be a passive syntax error. It seems like the shellcode is malformed, I mean:
it's not the same as:
Although this fix won't help you solve this problem, have you tried disabling some kernel protection mechanisms like the NX bit, stack randomization, etc.?
Based on two other questions, namely How to determine return address on stack? and C: return address of function (mac), I'm confident that you are not overwriting the correct address. This is basically caused by your assumption that the return address can be determined in the way you did it. But as the answer to the first question (1) states, this does not have to be the case.
Therefore:
You can also execute shellcode, like in this scenario, by casting the buffer to a function like
If you want the shellcode to be executed on the stack, you must compile without NX (stack protector) and with the correct permissions.
E.g.
If you want to debug it with gdb:
In this proof-of-concept example the null bytes are not important. But when you are developing shellcodes you should keep this in mind and remove the bad characters.
Shellcode cannot have zeros in it. Remove the null characters.
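A way to verify what the first comment (malformed string literal) and the last two comments (null bytes) are pointing at, added here as an example and not code from the question or any answer: it compares the literal exactly as posted (forward slashes) and the same literal written with C hex escapes against the bytes from the objdump listing in the question, and counts the NUL bytes in that listing. The function names are my own; the byte values come from the question's listing.

```c
#include <stddef.h>
#include <string.h>

/* Bytes from the objdump listing in the question:
 * bb 14 00 00 00   mov $0x14,%ebx
 * b8 01 00 00 00   mov $0x1,%eax
 * cd 80            int $0x80 */
static const unsigned char listing[] = {
    0xbb, 0x14, 0x00, 0x00, 0x00,
    0xb8, 0x01, 0x00, 0x00, 0x00,
    0xcd, 0x80 };

/* The literal exactly as written in the question. With forward slashes the
 * compiler stores the ASCII text "/0xbb/0x14..." (five chars per byte),
 * not the machine-code bytes, so jumping there executes garbage. */
static const char as_posted[] = "/0xbb/0x14/0x00/0x00/0x00"
                                "/0xb8/0x01/0x00/0x00/0x00"
                                "/0xcd/0x80";

/* The same literal with C hex escapes: \xNN stores exactly one byte. */
static const char with_escapes[] = "\xbb\x14\x00\x00\x00"
                                   "\xb8\x01\x00\x00\x00"
                                   "\xcd\x80";

/* Compare a literal's storage (sizeof, so embedded NULs are counted) with the
 * disassembler's bytes. Returns 1 only on an exact length and content match. */
static int matches_listing(const char *buf, size_t storage_len)
{
    size_t n = storage_len - 1;  /* drop the terminating NUL the literal adds */
    return n == sizeof listing && memcmp(buf, listing, n) == 0;
}

/* Count NUL bytes, the "bad characters" the last two comments refer to. */
static size_t count_nul_bytes(const unsigned char *buf, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == 0) c++;
    return c;
}

int posted_literal_ok(void)        { return matches_listing(as_posted, sizeof as_posted); }
int escaped_literal_ok(void)       { return matches_listing(with_escapes, sizeof with_escapes); }
size_t posted_literal_bytes(void)  { return sizeof as_posted - 1; }    /* 60 ASCII chars */
size_t escaped_literal_bytes(void) { return sizeof with_escapes - 1; } /* 12 code bytes */
size_t nul_bytes_in_listing(void)  { return count_nul_bytes(listing, sizeof listing); } /* 6 */
```

Running the checks shows the posted literal is 60 bytes of text rather than 12 bytes of code, and that even the correctly escaped version carries six NUL bytes.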