Problem description

I am trying to study execve shellcode.
OS: Linux bt 2.6.39.4

root@bt:~/exploit# cat gshell.s
.globl _start
_start:
    nop
    jmp MyString            # jump forward so the call below pushes the string address
shell:
    popl %esi               # %esi = address of shellvar ("/bin/bash...")
    xorl %eax,%eax          # %eax = 0
    movb %al,9(%esi)        # NUL-terminate "/bin/bash" (overwrites the 'A')
    movl %esi,10(%esi)      # argv[0] = pointer to the string (overwrites "DDDD")
    movl %eax,14(%esi)      # argv[1] = NULL (overwrites "CCCC")
    movb $11,%al            # syscall number 11 = execve
    movl %esi, %ebx         # %ebx = filename
    leal 0xa(%esi),%ecx     # %ecx = argv
    leal 0xe(%esi),%edx     # %edx = envp (points at the NULL just written)
    int $0x80
    movl $1,%eax            # exit(0) if execve returns
    movl $0,%ebx
    int $0x80
MyString:
    call shell              # pushes the address of shellvar, then jumps to shell
shellvar:
    .ascii "/bin/bashADDDDCCCC"
root@bt:~/exploit# as -gstabs -o gshell.o gshell.s
root@bt:~/exploit# ld -o gshell gshell.o
root@bt:~/exploit# ./gshell
Segmentation fault (core dumped)
root@bt:~/exploit#

(gdb) break *_start
Breakpoint 1 at 0x8048054: file gshell.s, line 6.
(gdb) r
Starting program: /root/exploit/gshell

Program received signal SIGSEGV, Segmentation fault.
shell () at gshell.s:14
14          movb %al,9(%esi)
(gdb) print /x $esi
$1 = 0x804807a
(gdb) x/16cb $esi
0x804807a :    47 '/'   98 'b'   105 'i'  110 'n'  47 '/'   98 'b'   97 'a'   115 's'
0x8048082 :    104 'h'  65 'A'   68 'D'   68 'D'   68 'D'   68 'D'   67 'C'   67 'C'
(gdb)
From the above output it seems I have successfully popped the /bin/sh address into the ESI register. But when I try to move 0 into 9(%esi) --> it causes a segmentation fault. I even tried to modify this program: movl $0 to $esi. I want to know whether writing at the 0x804807a address is restricted, which would be causing this fault, and how I can proceed with successfully running this shellcode.

Thanks, Little Jack

Recommended answer
As Bo said in his comment, the .text section is read-only by default on current systems. To make this code work, you have to make it writable. You can for example use a directive in the source file like so:
.section wtext, "awx", @progbits
The equivalent nasm directive is:
section wtext exec write
Alternatively, you could also pass the -N switch to the linker.
Note that such shell code is normally intended for stack execution, which is yet another thing that's typically disabled in current operating systems. If you ever want to try this on the stack, you might need the -z execstack linker option.
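Both fixes in the answer (a section flagged "awx" or a link with -N, and -z execstack) work by giving the binary memory that is writable and executable at the same time, which is exactly the W^X property a read-only .text enforces. As an added example that is not part of the original question or answer, the Python below parses an ELF's section and program headers and reports every allocated section carrying both SHF_WRITE and SHF_EXECINSTR, plus whether the PT_GNU_STACK header asks for an executable stack. It builds two small ELF32 images in memory (a constructed weak one and a constructed hardened one) so it runs offline; the function names audit_wx, audit_file and build_elf32 are this example's own, and audit_file can be pointed at a real binary.

```python
"""Audit an ELF image for writable+executable sections and an executable stack.

Added example. The ELF images checked here are constructed in memory; use
audit_file(path) to check a real binary on disk.
"""
import struct

# ELF constants from the ELF specification
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
SHT_PROGBITS, SHT_STRTAB = 1, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def audit_wx(data: bytes) -> dict:
    """Return allocated sections that are both writable and executable, and
    whether PT_GNU_STACK requests an executable stack (ELF32 and ELF64)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    if is64:
        ehdr_fmt, phdr_fmt, shdr_fmt = "16sHHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ"
    else:
        ehdr_fmt, phdr_fmt, shdr_fmt = "16sHHIIIIIHHHHHH", "IIIIIIII", "IIIIIIIIII"
    (_ident, _type, _machine, _ver, _entry, phoff, shoff, _flags, _ehsize,
     phentsize, phnum, shentsize, shnum, shstrndx) = struct.unpack_from(
        endian + ehdr_fmt, data, 0)

    # Program headers: PT_GNU_STACK with PF_X is what -z execstack produces.
    exec_stack = False
    for i in range(phnum):
        ph = struct.unpack_from(endian + phdr_fmt, data, phoff + i * phentsize)
        p_type, p_flags = ph[0], (ph[1] if is64 else ph[6])  # p_flags moves in ELF64
        if p_type == PT_GNU_STACK and p_flags & PF_X:
            exec_stack = True

    # Section headers: field order (name, type, flags, addr, offset, size, ...)
    # is identical in both classes.
    shdrs = [struct.unpack_from(endian + shdr_fmt, data, shoff + i * shentsize)
             for i in range(shnum)]
    str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    names = data[str_off:str_off + str_size]

    def name_of(idx: int) -> str:
        return names[idx:names.index(b"\0", idx)].decode()

    wx_mask = SHF_WRITE | SHF_EXECINSTR
    wx = [name_of(sh[0]) for sh in shdrs
          if sh[2] & SHF_ALLOC and (sh[2] & wx_mask) == wx_mask]
    return {"wx_sections": wx, "exec_stack": exec_stack}


def audit_file(path: str) -> dict:
    """Audit an ELF binary on disk."""
    with open(path, "rb") as f:
        return audit_wx(f.read())


def build_elf32(code_section_name: str, code_flags: int, stack_flags: int) -> bytes:
    """Construct a minimal little-endian ELF32 executable with one code section
    and a PT_GNU_STACK header (test fixture, not a binary from the page)."""
    code = b"\x90\x90\xcd\x80"  # constructed filler: nop; nop; int $0x80
    shstrtab = b"\0" + code_section_name.encode() + b"\0.shstrtab\0"
    name_code, name_shstr = 1, 1 + len(code_section_name) + 1
    ehsize, phentsize, shentsize = 52, 32, 40
    phoff = ehsize
    code_off = phoff + phentsize
    shstr_off = code_off + len(code)
    shoff = shstr_off + len(shstrtab)
    shoff += (-shoff) % 4  # align the section header table
    base = 0x08048000
    ehdr = struct.pack("<16sHHIIIIIHHHHHH",
                       b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8),
                       2, 3, 1, base + code_off, phoff, shoff, 0,
                       ehsize, phentsize, 1, shentsize, 3, 2)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    sh_null = struct.pack("<10I", *([0] * 10))
    sh_code = struct.pack("<10I", name_code, SHT_PROGBITS, code_flags,
                          base + code_off, code_off, len(code), 0, 0, 4, 0)
    sh_str = struct.pack("<10I", name_shstr, SHT_STRTAB, 0, 0,
                         shstr_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + phdr + code + shstrtab
    body += bytes(shoff - len(body))
    return body + sh_null + sh_code + sh_str


if __name__ == "__main__":
    # Constructed images: what the answer's "awx" + execstack advice yields,
    # versus the default read-only .text and non-executable stack.
    weak = build_elf32("wtext", SHF_ALLOC | SHF_WRITE | SHF_EXECINSTR, PF_R | PF_W | PF_X)
    hard = build_elf32(".text", SHF_ALLOC | SHF_EXECINSTR, PF_R | PF_W)
    print("self-modifying build:", audit_wx(weak))
    print("default build:       ", audit_wx(hard))
```

Run against the binaries linked the two ways the answer describes, the audit flags the writable code section and the executable stack in the permissive build and nothing in the default one; on a production host either finding is worth a closer look, since normal toolchain output should have neither.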