linux Paramiko未返回分割故障错误

pdkcd3nj  于 2023-01-25  发布在  Linux
关注(0)|答案(1)|浏览(131)

我试图使一个简单的模糊分割错误。

from pwn import *
import paramiko
import base64

#Setting Vars
#C Program
nameOfFileToExploit = "vuln"

hostname = '10.0.2.15'
port = 22
username = 'kali' 
password = 'kali'
command = 'ls'

context.update(arch='i386', os='linux')

# Connect to the server with SSH
client = paramiko.client.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(hostname, username=username, password=password)

# Find the point at which the program crashes
for i in range(1, 500):
    _stdin, _stdout,_stderr = client.exec_command('python -c "print( \'A\'*' + str(i) + ')" | /home/kali/Desktop/BufferOverflow/PracOne/vuln')
    stdout = _stdout.readlines()
    print(stdout)
    stderr = _stderr.readlines()
    print(stderr)
    
    if 'Segmentation' in str(stdout):
        # For some reason when sent through pwntools the buffer to crash was 1 length longer than
        # it should have been?
        print('Crash at %d characters' % (i - 1))
        print('Crash at value will be %s' % hex(i - 1))
        break

分段错误出现在31个以上字符处。
Please enter your name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA zsh: segmentation fault ./vuln
但是,尽管终端手动正确地报告了这一点,它**并没有出现在paramiko的stderr中,这意味着if语句永远都不正确:
输出示例:

['Please enter your name: Hi A\n']
[]
['Please enter your name: Hi AA\n']
[]
['Please enter your name: Hi AAA\n']
[]
['Please enter your name: Hi AAAA\n']
[]
['Please enter your name: Hi AAAAA\n']
[]
['Please enter your name: Hi AAAAAA\n']
[]
['Please enter your name: Hi AAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
['Please enter your name: Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n']
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]

Paramiko应该返回提到分段错误的stderr,为什么没有呢?

linux

1条答案

按热度按时间
11dmarpk

11dmarpk1#

但是,尽管终端手动正确地报告了这一点,但它并没有出现在paramiko的stderr中
这看起来像是zsh行为,并且可以在不涉及paramiko的情况下重现。这是我的测试设置。我有一个C程序,它segfaults:

#include "stdio.h"

int main() {
  char* c;
  sprintf(c, "hi world");
}

当我从终端运行这个程序时,我得到了以下结果(我使用的是OSX,所以对我来说这是一个"总线错误",但行为是相同的):

% ./t                                                                                                                                                                                                                                                                                      
zsh: bus error  ./t

下面是我在python中的调用:
一个二个一个一个
Paramiko应该返回提到分段错误的stderr,为什么没有呢?
因为以这种方式运行,zsh不提供paramiko要返回的消息,我不知道为什么zsh会这样(也许是因为输出不是终端?)
不过,我确实有一个建议,它将对您有用,将zsh从等式中去掉,并在通过paramiko发送的python命令中使用subprocess,您可以从subprocess的行为中获益:
负值-N表示子进程被信号N终止(仅POSIX)。
您的内部python程序可以检查进程的返回代码以查看它是否等于-1 * signal.SIGSEGV 2,而不是检查stdout

import subprocess, signal

n = 1
while True:
    res = subprocess.run(["./t"], input=bytes('A' * n, "utf-8"), capture_output=True)
    print(res)
    if res.returncode * -1 in [ signal.SIGBUS, signal.SIGSEGV ]:
        break
    n += 1

print(f"{n} As was too many")

这给了我

% python3 ./t.py                                                                                                                                                                                                                                                                          11736ms
CompletedProcess(args=['./t'], returncode=-10, stdout=b'', stderr=b'')
1 As was too many

这里最大的区别是我检查的是返回代码,而不是stderr。我不依赖于shell的行为,尽管shell会有相同的退出代码。因此,您可以在paramiko级别使用How can you get the SSH return code using Paramiko?执行相同的操作

赞(0)分享  回复(0)举报  2023-01-25
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com