Python Ctype分割錯誤

Question

這是使用ctype運行shellcode的代碼。 shellcode在64位linux上運行「whoami」。但是這個程序給了我一個「分段錯誤」。但我無法找出它的錯誤。代碼的結構是從： ctypes: Cast string to function?

#!/usr/bin/python 

from ctypes import * 

# /usr/bin/whoami 
shellcode_data = ("\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53" 
"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x10\x00" 
"\x00\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61" 
"\x6d\x69\x00\x56\x57\x48\x89\xe6\x0f\x05"); 

shellcode = c_char_p(shellcode_data) 
function = cast(shellcode, CFUNCTYPE(None)) 
function() 

對於32位體系結構，這將是殼代碼：

shellcode_data = ("\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68" 
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x10\x00\x00\x00\x2f" 
"\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69\x00" 
"\x57\x53\x89\xe1\xcd\x80"); 

Answer 1

NX Bit的防止在現代處理器和操作系統正在執行的隨機數據。爲了解決它，請致電mprotect。您還應該將shellcode定義爲二進制而不是字符串，如下所示：

#!/usr/bin/python 
import ctypes 
shellcode_data = (b"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53" 
    b"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x10\x00" 
    b"\x00\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61" 
    b"\x6d\x69\x00\x56\x57\x48\x89\xe6\x0f\x05") 

shellcode = ctypes.create_string_buffer(shellcode_data) 
function = ctypes.cast(shellcode, ctypes.CFUNCTYPE(None)) 

addr = ctypes.cast(function, ctypes.c_void_p).value 
libc = ctypes.CDLL('libc.so.6') 
pagesize = libc.getpagesize() 
addr_page = (addr // pagesize) * pagesize 
for page_start in range(addr_page, addr + len(shellcode_data), pagesize): 
    assert libc.mprotect(page_start, pagesize, 0x7) == 0 

function()