本文介绍了执行指向Shellcode的函数指针的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在尝试通过覆盖main的返回地址来为exit(0)调用执行此简单操作码。
问题是我遇到了分段错误。
I'm trying to execute this simple opcode for exit(0) call by overwriting the return address of main.The problem is I'm getting segmentation fault.
#include <stdio.h>
char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00"
"/0xb8/0x01/0x00/0x00/0x00"
"/0xcd/0x80";
void main()
{
int *ret;
ret = (int *)&ret + 2; // +2 to get to the return address on the stack
(*ret) = (int)shellcode;
}
执行会导致细分错误。
[user1@fedo BOF]$ gcc -o ExitShellCode ExitShellCode.c
[user1@fedo BOF]$ ./ExitShellCode
Segmentation fault (core dumped)
这是shellcode的对象.a
This is the Objdump of the shellcode.a
[user1@fedo BOF]$ objdump -d exitShellcodeaAss
exitShellcodeaAss: file format elf32-i386
Disassembly of section .text:
08048054 <_start>:
8048054: bb 14 00 00 00 mov $0x14,%ebx
8048059: b8 01 00 00 00 mov $0x1,%eax
804805e: cd 80 int $0x80
我正在使用的系统
fedora Linux 3.1.2-1.fc16.i686
ASLR is disabled.
Debugging with GDB.
gcc version 4.6.2
推荐答案
嗯回答这个问题为时已晚,但是它们可能是被动语法错误。看来shell代码格式错误,我的意思是:
mmm maybe it is to late to answer to this question, but they might be a passive syntax error. It seems like thet shellcode is malformed, I mean:
char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00"
"/0xb8/0x01/0x00/0x00/0x00"
"/0xcd/0x80";
与以下内容不同:
char shellcode[]= "\xbb\x14\x00\x00\x00"
"\xb8\x01\x00\x00\x00"
"\xcd\x80";
尽管此修补程序无法帮助您解决此问题,但是您是否尝试过禁用某些内核保护机制例如: NX位,堆栈随机化,等等...?
although this fix won't help you solving this problem, but have you tried disabling some kernel protection mechanism like: NX bit, Stack Randomization, etc... ?
这篇关于执行指向Shellcode的函数指针的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!