目录
编写CS架构(Server将Client的请求反转并发回)
//Server.c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PORT 5555
#define MaxDataSize 200
char sendBuf[180] = {'0'};
void Test(char *send,char *recvBuf){
int i,len;
len = strlen(recvBuf);
for(int i=0;i<len;i++)
send[i] = recvBuf[len-i-1];
strcpy(sendBuf,send);
}
void Turn(char *recvBuf){
char send[180] = {'0'};
//printf("send addr is %p\n",send);
Test(send,recvBuf);
}
int main(int argc, char *argv[])
{
int fd, new_fd, struct_len, numbytes,i;
struct sockaddr_in server_addr;
struct sockaddr_in client_addr;
char recvBuf[MaxDataSize];
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(PORT);
server_addr.sin_addr.s_addr = INADDR_ANY;
bzero(&(server_addr.sin_zero), 8);
struct_len = sizeof(struct sockaddr_in);
fd = socket(AF_INET, SOCK_STREAM, 0);
bind(fd, (struct sockaddr *)&server_addr, struct_len);
listen(fd, 10);
printf("Start to listen......\n");
while(1){
new_fd = accept(fd, (struct sockaddr *)&client_addr, &struct_len);
printf("One client connect...\n");
recv(new_fd, recvBuf, MaxDataSize, 0);
printf("%s\n",recvBuf);
Turn(recvBuf);
printf("%s\n",sendBuf);
send(new_fd,sendBuf,strlen(sendBuf)+1,0);
close(new_fd);
}
close(fd);
return 0;
}
//Client.c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#define PORT 5555
#define MaxDataSize 200
stat
本文详细介绍了如何进行一次远程缓冲区溢出攻击实验,包括关闭ASLR、禁用堆栈保护、构造Payload和ShellCode、GDB动态调试以确定溢出点和内存地址差异。实验中,通过编写CS架构的Server和Client,利用Send数组溢出覆盖Turn函数的返回地址,最终实现远程Shellcode的执行和反弹Shell。
最低0.47元/天 解锁文章
扫一扫
2063
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
