读取和.txt文件执行shell code [英] Read and Execute Shellcode from a .txt File
问题描述
<一个href=\"http://stackoverflow.com/questions/17822771/testing-shell$c$c-from-c-bus-error-10?noredirect=1#comment26044536_17822771\">Testing壳牌code从C总线错误10
以上是我其中涉及从C程序中excuting壳code,当shell code是源里面previous问题。它是由卡尔Norum时解决,是由于内存保护。我有一个不同的问题,但类似。而不是在同一个文件壳code,我想读一个.txt文件外壳code和执行它。下面我试着打标内存PROT_EXEC一节并读取.txt文件的内容到它并执行。但它不会工作,我得到了同样的错误,KERN_PROTECTION_FAILURE,我尝试使用mprotect的MMAP和标记为PROT_EXEC内存部分。
的#include&LT;&stdio.h中GT;
#包括LT&; SYS / mman.h&GT;
#包括LT&;&string.h中GT;
#包括LT&;&stdlib.h中GT;INT(* RET)();无符号字符* BUF;诠释的main()
{
FILE *文件;
文件= FOPEN(的text.txt,RB); fseek的(文件,0,SEEK_END);
unsigned int类型LEN = FTELL(文件);
fseek的(文件,0,SEEK_SET); BUF = valloc(LEN);
FREAD(BUF,1,LEN,文件); FCLOSE(文件); 则mprotect(BUF,LEN,PROT_EXEC); //我也试过mmap的,但同样的错误。
/ *无效* PTR = MMAP(0,1024 PROT_EXEC,MAP_ANON | MAP_PRIVATE,-1,0); 如果(PTR == MAP_FAILED)
{
PERROR(MMAP);
出口(-1);
} 的memcpy(PTR,BUF,1024); * / RET = BUF; RET(); 返回0;
}
这是文件──test.txt文件,我读,它同样的hello world code,从我的previous问题:
<$p$p><$c$c>\\x55\\x48\\x89\\xe5\\xeb\\x33\\x48\\x31\\xff\\x66\\xbf\\x01\\x00\\x5e\\x48\\x31\\xd2\\xb2\\x0e\\x41\\xb0\\x02\\x49\\xc1\\xe0\\x18\\x49\\x83\\xc8\\x04\\x4c\\x89\\xc0\\x0f\\x05\\x31\\xff\\x41\\xb0\\x02\\x49\\xc1\\xe0\\x18\\x49\\x83\\xc8\\x01\\x4c\\x89\\xc0\\x0f\\x05\\x48\\x89\\xec\\x5d\\xe8\\xc8\\xff\\xff\\xff\\x48\\x65\\x6c\\x6c\\x6f\\x2c\\x20\\x57\\x6f\\x72\\x6c\\x64\\x21\\x0a由于我复制txt文件到内存PROC_EXEC的内容,我不明白为什么我得到KERN_PROTECTION_FAILURE。
在我回答你的previous问题大厦,这里有一个解决方案:
的#include&LT;&stdio.h中GT;
#包括LT&; SYS / mman.h&GT;
#包括LT&; SYS / stat.h&GT;
#包括LT&;&stdlib.h中GT;INT主要(无效)
{
FILE *文件=的fopen(的text.txt,R);
无符号字符* BUF;
INT长度= 0;
struct stat中ST;
INT伏; //获取文件的大小和分配。我们要转换成字节
//从文本,所以这种分配将是足够大的安全
FSTAT(的fileno(文件),放大器; ST);
BUF = valloc(st.st_size);
而(的fscanf(文件,\\\\ X%02X,&放大器;ⅴ)== 1)
{
BUF [长度++] = V;
} FCLOSE(文件); 则mprotect(BUF,长度,PROT_EXEC); INT(* RET)()=(INT(*)())的buf;
RET(); 返回0;
}
这必须从你的程序改变的唯一真实的东西是循环的ASCII文本转换成二进制数据。我用的fscanf
权宜之计,但是这是pretty脆弱。
Testing Shellcode From C Bus Error 10
Above was my previous question which involved excuting shellcode from within a c program, when the shell code is inside the source. It was solved by Carl Norum and was due to memory protection. I have a different problem but is similar. Instead of having the shell code in the same file, I want to read the shell code from a .txt file and execute it. Below I tried marking a section of memory as PROT_EXEC and read the contents of the .txt file into it and execute. But it won't work, I'm getting the same error, KERN_PROTECTION_FAILURE, I tried using mprotect and mmap to mark a section of memory as PROT_EXEC.
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*ret)();
unsigned char* buf;
int main()
{
FILE* file;
file = fopen("text.txt", "rb");
fseek(file, 0, SEEK_END);
unsigned int len = ftell(file);
fseek(file, 0, SEEK_SET);
buf = valloc(len);
fread(buf, 1, len, file);
fclose(file);
mprotect(buf, len, PROT_EXEC);
// I also tried mmap, but same error.
/* void *ptr = mmap(0, 1024, PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
if (ptr == MAP_FAILED)
{
perror("mmap");
exit(-1);
}
memcpy(ptr, buf, 1024);*/
ret = buf;
ret();
return 0;
}
This is the text.txt file I'm reading in, its the same hello world code, from my previous question:
\x55\x48\x89\xe5\xeb\x33\x48\x31\xff\x66\xbf\x01\x00\x5e\x48\x31\xd2\xb2\x0e\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x04\x4c\x89\xc0\x0f\x05\x31\xff\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x01\x4c\x89\xc0\x0f\x05\x48\x89\xec\x5d\xe8\xc8\xff\xff\xff\x48\x65\x6c\x6c\x6f\x2c\x20\x57\x6f\x72\x6c\x64\x21\x0a
Since I'm copying the contents of the txt file into PROC_EXEC memory, I don't understand why I'm getting KERN_PROTECTION_FAILURE.
Building on my answer to your previous question, here's a solution:
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <stdlib.h>
int main(void)
{
FILE *file = fopen("text.txt", "r");
unsigned char *buf;
int length = 0;
struct stat st;
int v;
// get file size and allocate. We're going to convert to bytes
// from text, so this allocation will be safely large enough
fstat(fileno(file), &st);
buf = valloc(st.st_size);
while (fscanf(file, "\\x%02x", &v) == 1)
{
buf[length++] = v;
}
fclose(file);
mprotect(buf, length, PROT_EXEC);
int (*ret)() = (int (*)())buf;
ret();
return 0;
}
The only real thing that had to change from your program is the loop to convert the ASCII text into binary data. I used fscanf
for expediency, but that's pretty fragile.
这篇关于读取和.txt文件执行shell code的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!