james foster写的缓冲区溢出区攻击一书中s-proc.c为何运行不了
在James C foster的书buffer overflow attacks -detect, exploit, prevent当中第三章中有个例子s-proc.c,书中它是能执行的,并且有正确的执行结果,书中的代码及执行结果如下面两个段代码所示。但是我在运行书上面的例子时,出现段错误,我认为调用fread(code, 1, flen, fp)时,是把代码(write.s编译后生产的)写入数据段,数据段是不可执行的,所以会出现段错误。
为什么写书的作者能运行下面的代码,我却实现不了??????
我在ML2上运行的。
[*]Example 3.1[*]#include <stdio.h>[*]#include <stdlib.h>[*]#include <sys/types.h>[*]#include <sys/stat.h>[*]#include <unistd.h>[*]#include <errno.h>[*][*]/*[*]* Print message function[*]*/[*]static void croak(const char *msg) {[*] fprintf(stderr, "%s\n", msg);[*] fflush(stderr);[*]}[*]/*[*]* Usage function[*]*/[*]static void usage(const char *prgnam) {[*] fprintf(stderr, "\nExecute code : %s -e <file-containingshellcode>\n", prgnam);[*] fprintf(stderr, "Convert code : %s -p <file-containing-shellcode>\n\n", prgnam);[*] fflush(stderr);[*] exit(1);[*]}[*]/*[*]* Signal error and bail out.[*]*/[*]static void barf(const char *msg) {[*] perror(msg);[*] exit(1);[*]}[*][*]/*[*]* Main code starts here[*]*/[*][*]int main(int argc, char **argv) {[*]FILE *fp;[*]void *code;[*]int arg;[*]int i;[*]int l;[*]int m = 15; /* max # of bytes to print on one line */[*][*]struct stat sbuf;[*]long flen; /* Note: assume files are < ** bytes long;-) */[*]void (*fptr)(void);[*][*]if(argc < 3)[*] usage(argv);[*]if(stat(argv[], &sbuf))[*] barf("failed to stat file");[*]flen = (long) sbuf.st_size;[*]if(!(code = malloc(flen)))[*] barf("failed to grab required memory");[*]if(!(fp = fopen(argv, "rb")))[*] barf("failed to open file");[*]if(fread(code, 1, flen, fp) != flen)[*] barf("failed to slurp file");[*]if(fclose(fp))[*] barf("failed to close file");[*][*]while ((arg = getopt (argc, argv, "e:p:")) != -1){[*] switch (arg){[*] case 'e':[*] croak("Calling code ...");[*] fptr = (void (*)(void)) code;[*] (*fptr)();[*] break;[*] case 'p':[*] printf("\n/* The following shellcode is %d bytes long:*/\n",flen);[*] printf("\nchar shellcode[] =\n");[*] l = m;[*] for(i = 0; i < flen; ++i) {[*] if(l >= m) {[*] if(i) printf("\"\n");[*] printf( "\t\"");[*] l = 0;[*] }[*] ++l;[*] printf("\\x%0x", ((unsigned char *)code));[*] }[*] printf("\";\n\n\n");[*] break;[*] default :[*] usage(argv);[*] }[*]}[*]return 0;[*]}
下面一行编译上面的代码:
gcc –o s-proc s-proc.c [*]Example 3.3 Linux Shellcode for Hello, World![*]xor eax,eax[*]xor ebx,ebx[*]xor ecx,ecx[*]xor edx,edx[*]jmp short string[*]code:[*]pop ecx[*]mov bl,1[*]mov dl,13[*]mov al,4[*]int 0x80[*]dec bl[*]mov al,1[*]int 0x80[*]string:[*]call code[*]db 'Hello, world!'
下面编译上面的代码,及执行的情况:
# nasm -o write write.S
# s-proc -e write
Calling code ...
Hello, world!
[ 本帖最后由 zhaojt 于 2011-1-14 08:50 编辑 ] 这种漏洞攻击要看系统版本的
页:
[1]