2017-03-07 49 views
1

Trying a buffer overflow to overwrite the return address on the stack for the following program. I want to call accept() for both cases of strcmp(). Buffer overflow - unable to overwrite the return address

#include <stdio.h>
#include <string.h>

void accept()
{
    printf ("\nAccess Granted!\n");
    return;
}
void deny()
{
    printf ("\nAccess Denied!\n");
    return;
}
int main()
{
    char pwd[16]={0};
    printf ("Enter Password: ");
    gets (pwd);                 /* unbounded read into a 16-byte buffer */
    if(strcmp(pwd, "pwd1"))
        deny();
    else
        accept();
    return 0;
}

While disassembling main, it is understood that 20 bytes are allocated for the variable at 0x080484fb <+14>: sub $0x14,%esp. Dump of assembler code for function main:

    0x080484ed <+0>:   lea 0x4(%esp),%ecx
    0x080484f1 <+4>:   and $0xfffffff0,%esp
    0x080484f4 <+7>:   pushl -0x4(%ecx)
    0x080484f7 <+10>:  push %ebp
    0x080484f8 <+11>:  mov %esp,%ebp
    0x080484fa <+13>:  push %ecx
    0x080484fb <+14>:  sub $0x14,%esp
    0x080484fe <+17>:  movl $0x0,-0x18(%ebp)
    0x08048505 <+24>:  movl $0x0,-0x14(%ebp)
    0x0804850c <+31>:  movl $0x0,-0x10(%ebp)
    0x08048513 <+38>:  movl $0x0,-0xc(%ebp)
    0x0804851a <+45>:  sub $0xc,%esp
    0x0804851d <+48>:  push $0x8048611
    0x08048522 <+53>:  call 0x8048370 <printf@plt>
    0x08048527 <+58>:  add $0x10,%esp
    0x0804852a <+61>:  sub $0xc,%esp
    0x0804852d <+64>:  lea -0x18(%ebp),%eax
    0x08048530 <+67>:  push %eax
    0x08048531 <+68>:  call 0x8048380 <gets@plt>
    0x08048536 <+73>:  add $0x10,%esp
    0x08048539 <+76>:  sub $0x8,%esp
    0x0804853c <+79>:  push $0x8048622
    0x08048541 <+84>:  lea -0x18(%ebp),%eax
    0x08048544 <+87>:  push %eax
    0x08048545 <+88>:  call 0x8048360 <strcmp@plt>
    0x0804854a <+93>:  add $0x10,%esp
    0x0804854d <+96>:  test %eax,%eax
    0x0804854f <+98>:  je  0x8048558 <main+107>
    0x08048551 <+100>: call 0x80484d4 <deny>
    0x08048556 <+105>: jmp 0x804855d <main+112>
    0x08048558 <+107>: call 0x80484bb <accept>
    0x0804855d <+112>: mov $0x0,%eax
    0x08048562 <+117>: mov -0x4(%ebp),%ecx
    0x08048565 <+120>: leave
    0x08048566 <+121>: lea -0x4(%ecx),%esp
    0x08048569 <+124>: ret

When I try to fuzz it by entering the string AAAAA... I find that the overwrite of the buffer is only partial

Backtrace stopped: Cannot access memory at address 0x41413d 
(gdb) R 
The program being debugged has been started already. 
Start it from the beginning? (y or n) Y 
Starting program: BufferOverflow.x 
Enter Password: AAAAAAAAAAAAAAAAAAAAAAAA

Access Denied! 

Program received signal SIGSEGV, Segmentation fault. 
0x08048569 in main() 
(gdb) BT 
#0 0x08048569 in main() 
Backtrace stopped: Cannot access memory at address 0x4141413d 
(gdb) R 
The program being debugged has been started already. 
Start it from the beginning? (y or n) Y 
Starting program: BufferOverflow.x 
Enter Password: AAAAAAAAAAAAAAAAAAAAAAAAA 

Access Denied! 

Program received signal SIGSEGV, Segmentation fault. 
0x08048569 in main() 
(gdb) BT 
#0 0x08048569 in main() 
Backtrace stopped: Cannot access memory at address 0x4141413d 
(gdb) r 
The program being debugged has been started already. 
Start it from the beginning? (y or n) y 
Starting program: BufferOverflow.x 
Enter Password: AAAAAAAAAAAAAAAAAAAAAAAAAA 

Access Denied! 

Program received signal SIGSEGV, Segmentation fault. 
0x08048569 in main() 
(gdb) bt 
#0 0x08048569 in main() 
Backtrace stopped: Cannot access memory at address 0x4141413d 

If you observe carefully, the return address is not completely overwritten but only partially: 0x4141413d. Also note that the address still ends with 3d even with 100 A's - 0x4141413d

Before starting I disabled

cat /proc/sys/kernel/randomize_va_space 
0 

and compiled it as:

gcc BufferOverflow.c -o BufferOverflow.x -m32 -fno-stack-protector 

I am using gcc

gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609 

Any help in determining why the buffer is not overflowing properly would be appreciated.

Thanks

Answer

0

Since a buffer overflow causes undefined behaviour, it is hard to say what is causing this without looking at the internals of the gets() function. It is quite possible that some internal pointer of gets() is being manipulated and causing this corruption.

Also note that "?" is commonly used to represent non-printable characters in ASCII. This may be related to the behaviour you are seeing, although I could not find any documentation describing such behaviour involving gets().
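Added example, not code from the question or the answer above: the defect both posts revolve around is the unbounded gets() into the 16-byte pwd buffer, and the fix that removes the overwrite entirely is a bounded read with fgets(). read_line_bounded() and check_password() are assumed helper names; the 16-byte buffer and the password "pwd1" come from the program in the question. The helper distinguishes a line that fits from one that had to be cut, so an overlong line is refused rather than silently clipped, and the leftover bytes are drained so they do not leak into the next read.

```c
/* Added example (not from the question or the answer): the program above
 * reads its 16-byte pwd buffer with gets(), which has no length limit.
 * read_line_bounded() and check_password() are hypothetical helper names;
 * PWD_CAP and "pwd1" come from the program in the question. */
#include <stdio.h>
#include <string.h>
#define PWD_CAP 16

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* Read one line into dst (capacity cap) without ever writing past it.
 * A line that does not fit is drained to its newline and reported as
 * READ_TRUNCATED so the caller can reject it instead of using a clipped value. */
enum read_status read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) {
        if (cap) dst[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';          /* whole line fit: drop the newline */
        return READ_OK;
    }
    /* No newline: input ended, or the line was longer than cap-1 bytes. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;               /* line ended exactly at the limit */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                             /* discard the excess bytes */
    return READ_TRUNCATED;
}

/* Same check as the question's main(), with the bounded read in place of
 * gets(). Returns 1 for "Access Granted", 0 for "Access Denied". */
int check_password(FILE *in)
{
    char pwd[PWD_CAP] = {0};
    if (read_line_bounded(pwd, sizeof pwd, in) != READ_OK)
        return 0;                     /* overlong or missing input: deny */
    return strcmp(pwd, "pwd1") == 0;
}

int main(void)
{
    printf("Enter Password: ");
    puts(check_password(stdin) ? "\nAccess Granted!" : "\nAccess Denied!");
    return 0;
}
```

With this in place the 24-byte line from the gdb session above is rejected with "Access Denied!" and never reaches the saved ecx or the return address.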