Write buffer overflow exploit -- how to figure out the address of the shellcode?


Question

When writing a buffer overflow exploit, I understand that I'll need to input an array of length (address_of_return_address - address_of_buffer). And the array needs to be filled with the address of the shellcode. So that when my input array overflows, it overwrites the saved return address with the address of the shellcode.

I think since the shellcode will be stored above the saved return address on the stack, its address should be address_of_return_address + the distance to the beginning of the shellcode.

Am I on the right track? If so, how should I figure out the distance between the saved return address and the beginning of the shellcode using GDB?

Answer

You usually don't need to "figure out" the address of the shellcode. You overflow the buffer with a set string and work out the offset. Say

AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC

where BBBB overwrites EIP (the next instruction address) and CCCC drops in where the ESP register is pointing.

You need to find an instruction that would continue execution at the shellcode, which you can insert where CCCC begins, such as the JMP ESP instruction. This needs to be static (e.g. no ASLR) and the address should not contain any "bad" characters, such as \x00, which may terminate the buffer.

So the process is:

  1. Buffer is overflowed with A's.
  2. EIP is now pointing at your located JMP ESP instruction.
  3. JMP ESP is executed by the processor - as ESP is pointing at your shellcode, execution continues here.

You may need some extra padding at the start of your shellcode, e.g. NOPs (\x90), to allow for any expansion from decoding if you are using an encoded payload. However, some AVs and IDSs will detect the signature of many NOPs together, so it might be better for the processor to do busy work instead to prevent detection.

That is the usual method, although it all depends on whether there is space for your payload and whether you manage to locate it in a similar manner to the above. Techniques such as NOP sleds can be used to make locating payloads easier in case you need to write them elsewhere.
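The defensive counterpart to the answer above, as an added example that is not part of the original thread: the unbounded copy that lets an overlong input reach past the buffer (and so the saved return address the question asks about) is shown beside a bounded handler that checks the length before copying anything. The function names, the 32-byte buffer size and the "A...BBBBCCCC" input built by `build_overlong_input` are all constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 32

/* Hypothetical vulnerable handler (constructed for illustration).
 * strcpy() copies until the NUL byte with no regard for the 32-byte
 * destination, so any input longer than that overwrites whatever the
 * compiler placed after the buffer on the stack. This is the defect
 * that makes the offset-finding in the answer possible. */
int handle_unchecked(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                 /* unbounded copy: the defect */
    return (int)strlen(buf);
}

/* Hardened counterpart: measure with a bound, reject anything that
 * would not fit together with its terminator, then copy exactly that
 * many bytes. Returns -1 and copies nothing on rejection. */
int handle_checked(const char *input)
{
    char buf[BUF_SIZE];
    size_t len = strnlen(input, BUF_SIZE);   /* never scan beyond what fits */
    if (len >= BUF_SIZE) {
        return -1;                      /* too long: would overwrite the stack */
    }
    memcpy(buf, input, len);
    buf[len] = '\0';
    return (int)len;
}

/* Build the shape of input the answer describes: filler 'A's followed by
 * the BBBBCCCC marker, long enough to exceed BUF_SIZE. Constructed here
 * only to show that the checked handler refuses it. */
size_t build_overlong_input(char *out, size_t out_size)
{
    const char *marker = "BBBBCCCC";
    size_t mlen = strlen(marker);
    size_t fill = out_size - mlen - 1;  /* leave room for the terminator */
    memset(out, 'A', fill);
    memcpy(out + fill, marker, mlen);
    out[fill + mlen] = '\0';
    return fill + mlen;
}

/* Returns 1 if the checked handler rejects the overlong input, 0 otherwise. */
int checked_rejects_overlong(void)
{
    char payload[64];
    build_overlong_input(payload, sizeof payload);
    return handle_checked(payload) == -1;
}

int main(void)
{
    char payload[64];
    size_t n = build_overlong_input(payload, sizeof payload);
    printf("%zu-byte input: checked handler returns %d\n", n, handle_checked(payload));
    printf("short input: checked handler returns %d\n", handle_checked("hello"));
    return 0;
}
```

With the bounded handler the oversized input never reaches the saved return address, so neither the offset nor a JMP ESP gadget matters; the answer's requirement that the gadget address be static (no ASLR) is exactly the property that ASLR, non-executable stacks and stack canaries are there to take away.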
