Please credit the source when reposting: http://blog.youkuaiyun.com/wangxiaolong_china
The source of the program to be overflowed is as follows:
root@linux:~/pentest# cat vulnerable.c
#include <stdio.h>
#include <string.h>
/* Copies caller-controlled input into a fixed 1000-byte stack buffer with
 * strcpy(), which performs no bounds check: input longer than the buffer
 * overwrites the saved frame pointer and the return address above it. */
void evilfunction(char *input) {
    char buffer[1000];
    strcpy(buffer, input);
}
int main(int argc, char **argv) {
    evilfunction(argv[1]);   /* argv[1] is passed straight through, unchecked */
    return 0;
}
Compile it (stack protector and NX disabled), then disassemble with gdb:
root@linux:~/pentest# gcc -fno-stack-protector -z execstack -g -o vulnerable vulnerable.c
root@linux:~/pentest# gdb vulnerable
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/pentest/vulnerable...done.
(gdb) disass main
Dump of assembler code for function main:
0x080483e4 <+0>: push %ebp
0x080483e5 <+1>: mov %esp,%ebp
0x080483e7 <+3>: and $0xfffffff0,%esp
0x080483ea <+6>: sub $0x10,%esp
0x080483ed <+9>: mov 0xc(%ebp),%eax
0x080483f0 <+12>: add $0x4,%eax
0x080483f3 <+15>: mov (%eax),%eax
0x080483f5 <+17>: mov %eax,(%esp)
0x080483f8 <+20>: call 0x80483c4 <evilfunction>
0x080483fd <+25>: mov $0x0,%eax
0x08048402 <+30>: leave
0x08048403 <+31>: ret
End of assembler dump.
(gdb) disass evilfunction
Dump of assembler code for function evilfunction:
0x080483c4 <+0>: push %ebp
0x080483c5 <+1>: mov %esp,%ebp
0x080483c7 <+3>: sub $0x408,%esp
0x080483cd <+9>: mov 0x8(%ebp),%eax
0x080483d0 <+12>: mov %eax,0x4(%esp)
0x080483d4 <+16>: lea -0x3f0(%ebp),%eax
0x080483da <+22>: mov %eax,(%esp)
0x080483dd <+25>: call 0x80482f4 <strcpy@plt>
0x080483e2 <+30>: leave
0x080483e3 <+31>: ret
End of assembler dump.
(gdb)

This article walks through a ret2reg buffer overflow attack in detail. By analyzing the source of the overflowed program and debugging it with gdb, it finds that the eax register points at the shellcode address at the moment of the overflow. Using a 'jmp *%eax' instruction present in the program, it constructs the overflow payload to perform ret2reg and finally obtains a shell.
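As an added example (not from the original post), here is the hardened counterpart of evilfunction(): the copy is refused whenever the input would not fit in the 1000-byte buffer, which is the check whose absence makes strcpy() overwrite the frame. The function names safefunction() and accepts_length() and the sample input are assumptions made for this illustration; the frame offsets referenced in the comments come from the disassembly above.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 1000

/* Hardened replacement for evilfunction(): copies input into a fixed-size
 * stack buffer only when it fits, terminator included.
 * Returns 0 on success, -1 when input is NULL or too long. */
int safefunction(const char *input) {
    char buffer[BUF_SIZE];
    if (input == NULL) {
        return -1;
    }
    /* strnlen() bounds the scan, so an unterminated input is never read
     * past BUF_SIZE bytes; a result of BUF_SIZE means "does not fit". */
    size_t len = strnlen(input, BUF_SIZE);
    if (len >= BUF_SIZE) {
        return -1;                     /* would overflow: reject, do not truncate */
    }
    memcpy(buffer, input, len + 1);    /* copy including the NUL terminator */
    /* ... buffer is used here ... */
    (void)buffer;
    return 0;
}

/* Test helper: builds a constructed input of n 'A' bytes and reports whether
 * safefunction() accepts it. In the original frame (buffer at -0x3f0(%ebp))
 * 1008 bytes reach the saved ebp and 1012 the return address; both are
 * rejected here because anything >= BUF_SIZE is refused. */
int accepts_length(size_t n) {
    static char sample[2048];
    if (n >= sizeof sample) return -1;
    memset(sample, 'A', n);
    sample[n] = '\0';
    return safefunction(sample);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    if (safefunction(argv[1]) != 0) {
        fprintf(stderr, "input rejected: longer than %d bytes\n", BUF_SIZE - 1);
        return 1;
    }
    puts("input copied safely");
    return 0;
}
```

Compiled without the -fno-stack-protector and -z execstack flags used above, the default stack canary and non-executable stack add a second line of defence even if a bounds check is missed.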