• 使用metasploit进行栈溢出攻击-3


    有了shellcode,就可以进行攻击了,但是要有漏洞才行,真实世界中的漏洞很复杂,并且很难发现,因此我专门做一个漏洞来进行攻击。

    具体来说就是做一个简单的tcp server,里面包含明显的栈溢出漏洞。

    具体如下:

    /* server.c */
    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/wait.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
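    /*
     * Print the peer address and port of one accepted connection to stdout.
     *
     * client_addr: the sockaddr_in that accept() filled in, passed by value.
     * The "\n" escapes were lost when the listing was pasted; without them the
     * string literals span lines and the file does not compile.
     */
    void showClientInf(struct sockaddr_in client_addr) {
        printf("\nThe IP of client is:%s", inet_ntoa(client_addr.sin_addr));
        printf("\nThe Port of client is:%d\n", ntohs(client_addr.sin_port));
    }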
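    /*
     * Return the current stack pointer; the listing prints it next to the
     * address of the buffer in recvastring() to show the frame layout.
     *
     * The original left %esp in %eax and fell off the end of a non-void
     * function, which is undefined behaviour and only worked by accident on
     * 32-bit x86 at -O0. An explicit output operand makes the value
     * well-defined, and the 64-bit branch keeps the helper usable there too.
     */
    unsigned long get_sp(void)
    {
        unsigned long sp;
    #if defined(__x86_64__)
        __asm__ volatile("movq %%rsp, %0" : "=r"(sp));
    #elif defined(__i386__)
        __asm__ volatile("movl %%esp, %0" : "=r"(sp));
    #else
        /* Non-x86 fallback: the frame address is near, not equal to, the stack pointer. */
        sp = (unsigned long)__builtin_frame_address(0);
    #endif
        return sp;
    }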
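    /* Diagnostic marker function; nothing in this listing calls it. */
    void testf(void)
    {
        printf("ttttt\n");
    }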
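    /*
     * Read one message from the connected socket new_fd into a stack buffer.
     *
     * INTENTIONALLY VULNERABLE (this is the defect the page studies): buff
     * holds 100 bytes, but recv() is told it may write up to 1024, so a longer
     * message runs past the buffer into the rest of this stack frame. The
     * correct bound is `recv(new_fd, buff, sizeof buff, 0)`; the
     * -fno-stack-protector / -z execstack build flags used on this page are
     * what keep the stack canary and non-executable stack from catching it.
     * The received bytes are never NUL-terminated or used.
     *
     * Prints the stack pointer and buffer address first so the frame layout
     * is visible; exits the process if recv() fails.
     */
    void recvastring(int new_fd)
    {
        unsigned char buff[100];
        /* %lx / %p match the argument types; "%x" for an unsigned long and a pointer was UB. */
        printf("sp=0x%lx,addr=%p bytes.\n", get_sp(), (void *)buff);
        int numbytes = recv(new_fd, buff, 1024, 0);   /* deliberate: 1024 > sizeof buff */
        if (numbytes == -1) {
            perror("recv");
            exit(9);
        }
    }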
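    /*
     * Forking TCP server on port 7777: prints each client's address, then
     * hands every accepted connection to a child process that calls the
     * vulnerable recvastring().
     *
     * Changes from the pasted listing: the lost "\n" escapes are restored,
     * accept()'s length argument is a socklen_t as the API requires, fork()
     * failure is reported instead of silently dropping the connection, finished
     * children are reaped so they do not accumulate as zombies, and the unused
     * locals are gone. Exits with status 1 on any setup failure.
     */
    int main(void) {
        int sockfd, new_fd;
        struct sockaddr_in my_addr;
        struct sockaddr_in their_addr;
        int flag = 1;
        socklen_t len = sizeof flag;
        socklen_t sin_size;
        printf("socket\n");
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            perror("socket");
            exit(1);
        }
        my_addr.sin_family = AF_INET;
        my_addr.sin_port = htons(7777);
        my_addr.sin_addr.s_addr = INADDR_ANY;
        memset(&my_addr.sin_zero, 0, sizeof my_addr.sin_zero);
        printf("bind\n");
        if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &flag, len) == -1) {
            perror("setsockopt");
            exit(1);
        }
        if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof my_addr) == -1) {
            perror("bind");
            exit(1);
        }
        printf("listen\n");
        if (listen(sockfd, 10) == -1) {
            perror("listen");
            exit(1);
        }
        printf("server is run...\n");
        while (1) {
            /* Non-blocking reap of any children that already exited. */
            while (waitpid(-1, NULL, WNOHANG) > 0) {
            }
            sin_size = sizeof their_addr;
            printf("accept\n");
            if ((new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) {
                perror("accept");
                exit(1);
            }
            showClientInf(their_addr);
            pid_t pid = fork();
            if (pid == -1) {
                perror("fork");
            } else if (pid == 0) {
                /* Child: read from the client, then exit without returning to the loop. */
                printf("recv\n");
                recvastring(new_fd);
                printf("close-new_fd 1\n");
                close(new_fd);
                exit(0);
            }
            /* Parent: the child owns the connection now. */
            printf("close-new_fd 2\n");
            close(new_fd);
        }
        printf("close-sockfd\n");
        close(sockfd);
        return 0;
    }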

    这个核心就是我们关注的recvastring函数,包含明显的栈溢出漏洞。我们专门看一下:

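    /*
     * Read one message from the connected socket new_fd into a stack buffer.
     *
     * INTENTIONALLY VULNERABLE (this is the defect the page studies): buff
     * holds 100 bytes, but recv() is told it may write up to 1024, so a longer
     * message runs past the buffer into the rest of this stack frame. The
     * correct bound is `recv(new_fd, buff, sizeof buff, 0)`; the
     * -fno-stack-protector / -z execstack build flags used on this page are
     * what keep the stack canary and non-executable stack from catching it.
     * The received bytes are never NUL-terminated or used.
     *
     * Prints the stack pointer and buffer address first so the frame layout
     * is visible; exits the process if recv() fails.
     */
    void recvastring(int new_fd)
    {
        unsigned char buff[100];
        /* %lx / %p match the argument types; "%x" for an unsigned long and a pointer was UB. */
        printf("sp=0x%lx,addr=%p bytes.\n", get_sp(), (void *)buff);
        int numbytes = recv(new_fd, buff, 1024, 0);   /* deliberate: 1024 > sizeof buff */
        if (numbytes == -1) {
            perror("recv");
            exit(9);
        }
    }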

    同样编译生成(-fno-stack-protector 关闭栈保护, -z execstack 让栈可执行, 正是这两个选项使上面的溢出不会被编译器和加载器的默认防护拦住):

    bai@ubuntu:/mnt/hgfs/r/stack$ gcc -fno-stack-protector -z execstack -g -o server socketserver.c
    bai@ubuntu:/mnt/hgfs/r/stack$ ./server
    socket
    bind
    listen
    server is run...
    accept
  • 原文地址:https://www.cnblogs.com/baizx/p/4114789.html