读取和.txt文件执行shell code [英] Read and Execute Shellcode from a .txt File

问题描述

<一个href=\"http://stackoverflow.com/questions/17822771/testing-shell$c$c-from-c-bus-error-10?noredirect=1#comment26044536_17822771\">Testing壳牌code从C总线错误10

以上是我其中涉及从C程序中excuting壳code，当shell code是源里面previous问题。它是由卡尔Norum时解决，是由于内存保护。我有一个不同的问题，但类似。而不是在同一个文件壳code，我想读一个.txt文件外壳code和执行它。下面我试着打标内存PROT_EXEC一节并读取.txt文件的内容到它并执行。但它不会工作，我得到了同样的错误，KERN_PROTECTION_FAILURE，我尝试使用mprotect的MMAP和标记为PROT_EXEC内存部分。

 的#include＆LT;＆stdio.h中GT;
＃包括LT＆; SYS / mman.h＆GT;
＃包括LT＆;＆string.h中GT;
＃包括LT＆;＆stdlib.h中GT;INT（* RET）（）;无符号字符* BUF;诠释的main（）
{
    FILE *文件;
    文件= FOPEN（的text.txt，RB）;    fseek的（文件，0，SEEK_END）;
    unsigned int类型LEN = FTELL（文件）;
    fseek的（文件，0，SEEK_SET）;    BUF = valloc（LEN）;
    FREAD（BUF，1，LEN，文件）;    FCLOSE（文件）;    则mprotect（BUF，LEN，PROT_EXEC）;   //我也试过mmap的，但同样的错误。
   / *无效* PTR = MMAP（0，1024 PROT_EXEC，MAP_ANON | MAP_PRIVATE，-1,0）;    如果（PTR == MAP_FAILED）
    {
        PERROR（MMAP）;
        出口（-1）;
    }    的memcpy（PTR，BUF，1024）; * /    RET = BUF;    RET（）;    返回0;
}
 

这是文件──test.txt文件，我读，它同样的hello world code，从我的previous问题：

<$p$p><$c$c>\\x55\\x48\\x89\\xe5\\xeb\\x33\\x48\\x31\\xff\\x66\\xbf\\x01\\x00\\x5e\\x48\\x31\\xd2\\xb2\\x0e\\x41\\xb0\\x02\\x49\\xc1\\xe0\\x18\\x49\\x83\\xc8\\x04\\x4c\\x89\\xc0\\x0f\\x05\\x31\\xff\\x41\\xb0\\x02\\x49\\xc1\\xe0\\x18\\x49\\x83\\xc8\\x01\\x4c\\x89\\xc0\\x0f\\x05\\x48\\x89\\xec\\x5d\\xe8\\xc8\\xff\\xff\\xff\\x48\\x65\\x6c\\x6c\\x6f\\x2c\\x20\\x57\\x6f\\x72\\x6c\\x64\\x21\\x0a

由于我复制txt文件到内存PROC_EXEC的内容，我不明白为什么我得到KERN_PROTECTION_FAILURE。

解决方案

在我回答你的previous问题大厦，这里有一个解决方案：

 的#include＆LT;＆stdio.h中GT;
＃包括LT＆; SYS / mman.h＆GT;
＃包括LT＆; SYS / stat.h＆GT;
＃包括LT＆;＆stdlib.h中GT;INT主要（无效）
{
    FILE *文件=的fopen（的text.txt，R）;
    无符号字符* BUF;
    INT长度= 0;
    struct stat中ST;
    INT伏;    //获取文件的大小和分配。我们要转换成字节
    //从文本，所以这种分配将是足够大的安全
    FSTAT（的fileno（文件），放大器; ST）;
    BUF = valloc（st.st_size）;
    而（的fscanf（文件，\\\\ X％02X，＆放大器;ⅴ）== 1）
    {
        BUF [长度++] = V;
    }    FCLOSE（文件）;    则mprotect（BUF，长度，PROT_EXEC）;    INT（* RET）（）=（INT（*）（））的buf;
    RET（）;    返回0;
}
 

这必须从你的程序改变的唯一真实的东西是循环的ASCII文本转换成二进制数据。我用的fscanf 权宜之计，但是这是pretty脆弱。

Testing Shellcode From C Bus Error 10

Above was my previous question which involved excuting shellcode from within a c program, when the shell code is inside the source. It was solved by Carl Norum and was due to memory protection. I have a different problem but is similar. Instead of having the shell code in the same file, I want to read the shell code from a .txt file and execute it. Below I tried marking a section of memory as PROT_EXEC and read the contents of the .txt file into it and execute. But it won't work, I'm getting the same error, KERN_PROTECTION_FAILURE, I tried using mprotect and mmap to mark a section of memory as PROT_EXEC.

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

int (*ret)();

unsigned char* buf;

int main()
{
    FILE* file;
    file = fopen("text.txt", "rb");

    fseek(file, 0, SEEK_END);
    unsigned int len = ftell(file);
    fseek(file, 0, SEEK_SET);

    buf = valloc(len);
    fread(buf, 1, len, file);

    fclose(file);

    mprotect(buf, len, PROT_EXEC);

   // I also tried mmap, but same error.
   /* void *ptr = mmap(0, 1024, PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);

    if (ptr == MAP_FAILED)
    {
        perror("mmap");
        exit(-1);
    }

    memcpy(ptr, buf, 1024);*/

    ret = buf;

    ret();

    return 0;
}

This is the text.txt file I'm reading in, its the same hello world code, from my previous question:

\x55\x48\x89\xe5\xeb\x33\x48\x31\xff\x66\xbf\x01\x00\x5e\x48\x31\xd2\xb2\x0e\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x04\x4c\x89\xc0\x0f\x05\x31\xff\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x01\x4c\x89\xc0\x0f\x05\x48\x89\xec\x5d\xe8\xc8\xff\xff\xff\x48\x65\x6c\x6c\x6f\x2c\x20\x57\x6f\x72\x6c\x64\x21\x0a

Since I'm copying the contents of the txt file into PROC_EXEC memory, I don't understand why I'm getting KERN_PROTECTION_FAILURE.

解决方案

Building on my answer to your previous question, here's a solution:

#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <stdlib.h>

int main(void)
{
    FILE *file = fopen("text.txt", "r");
    unsigned char *buf;
    int length = 0;
    struct stat st;
    int v;

    // get file size and allocate. We're going to convert to bytes 
    // from text, so this allocation will be safely large enough
    fstat(fileno(file), &st);
    buf = valloc(st.st_size);
    while (fscanf(file, "\\x%02x", &v) == 1)
    {
        buf[length++] = v;
    }

    fclose(file);

    mprotect(buf, length, PROT_EXEC);

    int (*ret)() = (int (*)())buf;
    ret();

    return 0;
}

The only real thing that had to change from your program is the loop to convert the ASCII text into binary data. I used fscanf for expediency, but that's pretty fragile.

这篇关于读取和.txt文件执行shell code的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！