我目前正致力于研究内存损坏技术,尤其是ROP和ret2libc。我已多次读过,为了实现system()调用,堆栈上需要/bin/sh(或等效)字符串的地址。我设法在处理环境变量时得到它,但我想知道libc中是否存在该字符串:
$ strings libc-2.22.so | grep -i /bin/sh
/bin/sh
好的,但是当开始进程搜索字符串时,我看到了一些奇怪的行为:
user@protostar:/opt/protostar/bin$ gdb -q ./stack6
Reading symbols from /opt/protostar/bin/stack6...done.
(gdb) start
Temporary breakpoint 1 at 0x8048500: file stack6/stack6.c, line 27.
Starting program: /opt/protostar/bin/stack6
Temporary breakpoint 1, main (argc=1, argv=0xbffff854) at stack6/stack6.c:27
27 stack6/stack6.c: No such file or directory.
in stack6/stack6.c
(gdb) find __libc_start_main,+999999,"/bin/sh"
Pattern not found.
(gdb) find __libc_start_main,+99999999,"/bin/sh"
0xb7fba23f
warning: Unable to access target memory at 0xb7fd9647, halting search.
1 pattern found.
(gdb) x/1s 0xb7fba23f
0xb7fba23f: "KIND in __gen_tempname\""
只是搜索“sh”模式时更奇怪:
(gdb) find __libc_start_main,+99999999,"sh"
0xb7fb7a95
0xb7fb821d
warning: Unable to access target memory at 0xb7fdb4a0, halting search.
2 patterns found.
(gdb) x/1s 0xb7fb7a95
0xb7fb7a95: "getpwuid_r"
(gdb) x/1s 0xb7fb821d
0xb7fb821d: "sh"
在某种程度上,我使用位于0xb7fb821d的字符串成功进行了ret2libc攻击,但这是我的问题:
/bin/sh模式?我对这些东西都很陌生,即使我发现了很多与二进制利用相关的技巧,我认为我在这里遗漏了一些东西。