使用metasploit进行栈溢出攻击-3

有了shellcode，就可以进行攻击了，但是要有漏洞才行，真实世界中的漏洞很复杂，并且很难发现，因此我专门做一个漏洞来进行攻击。

具体来说就是做一个简单的tcp server，里面包含明显的栈溢出漏洞。

具体如下：

 /* server.c */
 #include <stdio.h>
 #include <stdlib.h>
 #include <errno.h>
 #include <string.h>
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
 #include <arpa/inet.h>
 void showClientInf(struct sockaddr_in client_addr) {
         printf("\nThe IP of client is:%s",inet_ntoa(client_addr.sin_addr));
         printf("\nThe Port of client is:%d\n",ntohs(client_addr.sin_port));
 }
 unsigned long get_sp(void)
 {
 __asm__("movl %esp,%eax");
 }
 void testf()
 {
     printf("ttttt\n");
 } void recvastring(int new_fd)
 {
     unsigned char buff[];
     int i=;
     printf("sp=0x%x,addr=0x%x bytes.\n",get_sp(),&buff);
     int numbytes = recv(new_fd,buff,,);
     if(numbytes==-)
     {
         perror("recv");
         exit();
     }
 }
 int main() {
     int sockfd,new_fd;
     struct sockaddr_in my_addr;
     struct sockaddr_in their_addr;
     int flag=,len=sizeof(int);
     int sin_size;
     char buff[];
     int numbytes;
     printf("socket\n");
     if((sockfd = socket(AF_INET,SOCK_STREAM,))==-) {
         perror("socket");
         exit();
     }
     my_addr.sin_family = AF_INET;
     my_addr.sin_port = htons();
     my_addr.sin_addr.s_addr = INADDR_ANY;
     bzero(&(my_addr.sin_zero),);
     printf("bind\n");
     if( setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &flag, len) ==-)
     {
         perror("setsockopt");
         exit();
     }
     if(bind(sockfd,(struct sockaddr *)&my_addr,sizeof(struct sockaddr))==-)
     {
         perror("bind");
         exit();
     }
     printf("listen\n");
     if(listen(sockfd,)==-) {
         perror("listen");
         exit();
     }
     printf("server is run...\n");
     while() {
         sin_size = sizeof(struct sockaddr_in);
         printf("accept\n");
         if((new_fd = accept(sockfd,(struct sockaddr *)
         &their_addr,&sin_size))==-)
         {
             perror("accept");
             exit();
         }
         showClientInf(their_addr);
         if(!fork()) {
             printf("recv\n");
             recvastring(new_fd);
             printf("close-new_fd 1\n");
             close(new_fd);
             exit();
         }
         printf("close-new_fd 2\n");
         close(new_fd);
     }
     printf("close-sockfd\n");
     close(sockfd);
 }

这个核心就是我们关注的recvastring函数，包含明显的栈溢出漏洞。我们专门看一下：

 void recvastring(int new_fd)
 {
     unsigned char buff[];
     int i=;
     printf("sp=0x%x,addr=0x%x bytes.\n",get_sp(),&buff);
     int numbytes = recv(new_fd,buff,,);
     if(numbytes==-)
     {
         perror("recv");
         exit();
     }
 }

同样编译生成：

bai@ubuntu:/mnt/hgfs/r/stack$ gcc -fno-stack-protector -z execstack -g -o server socketserver.c
bai@ubuntu:/mnt/hgfs/r/stack$ ./server
socket
bind
listen
server is run...
accept