导致缓冲区溢出,段错误
[英]Causing a buffer overflow, segfault
问题描述
I'm trying to cause a buffer overflow in the following, very simple, program: 
我试图在以下非常简单的程序中导致缓冲区溢出:
#include <stdio.h>
#include <stdint.h>
void badf(int n, char c, char* buffer)
{
char mycode[] = {
0xeb, 0x0f, 0xb8, 0x0b,
0x00, 0x00, 0x00, 0x8b,
0x1c, 0x24, 0x8d, 0x0c,
0x24, 0x31, 0xd2, 0xcd,
0x80, 0xe8, 0xec, 0xff,
0xff, 0xff, 0x2f, 0x62,
0x69, 0x6e, 0x2f, 0x6c,
0x73, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00
}; // 37 bytes
// Overwrite Base Pointer
//mycode[37] = 0x29;
//mycode[38] = 0xf4;
//mycode[39] = 0xff;
//mycode[40] = 0xbf;
// Overwrite Instruction Pointer
// Using debugger, found mycode[] to be loaded in: 0xbffff42d
mycode[41] = 0x2d;
mycode[42] = 0xf4;
mycode[43] = 0xff;
mycode[44] = 0xbf;
}
void f(int n, char c)
{
char buffer[37];
badf(n,c,buffer);
}
void test()
{
printf("test");
}
int main()
{
f(37,0x00);
return 0;
}
(I've successfully managed to execute test() from the buffer overflow before) Now I'm trying to execute mycode[] by overwriting the instruction pointer with the start of mycode in the stack. (我已成功设法从缓冲区溢出执行test()之前)现在我正在尝试通过在堆栈中使用mycode的开头覆盖指令指针来执行mycode []。
This only half works, the program jumps to the right address, where I can see the correct machine code in the debugger, but then crashes with a segmentation fault, instead of executing the following instructions (see screenshot). 这只有一半工作,程序跳转到正确的地址,我可以在调试器中看到正确的机器代码,但随后崩溃时出现分段错误,而不是执行以下指令(参见屏幕截图)。
I'm trying to figure out why he crashes before executing the contents of the "injected" code. 我试图弄清楚为什么他在执行“注入”代码的内容之前崩溃了。 I'm relatively new to this sort of stuff, I understand segmentation fault means I'm attempting to access memory the OS doesn't want me to? 我对这类东西比较新,我理解分段错误意味着我试图访问操作系统不希望我的内存?
(PS: 32bit Linux machine, compiling with -fno-stack-protector so I can play with this stuff) (PS:32位Linux机器,用-fno-stack-protector编译,所以我可以玩这个东西)
(If any more info is needed I will gladly update the post) (如果需要更多信息,我很乐意更新帖子)
2 个解决方案
解决方案1
3 2013-11-18 18:23:39
This sort of exciting trick doesn't work nowadays anymore, sadly. 可悲的是,这种令人兴奋的技巧现在不再适用了。 Blame the virus people. 怪病毒的人。
Data segments are marked with the NX (no execute) bit -- which is what triggers the segfault. 数据段用NX(无执行)位标记 - 这是触发段错误的原因。 CPU sees PC in a no-execute region. CPU将PC视为无执行区域。
Why don't you try overwriting the code of a "real" function pointer (take the address of an existing function) and see what happens (this will possibly fail because self-modifying code is also frowned upon by the compiler / linker / OS, also due to above-mentioned virus people) 为什么不尝试覆盖“真实”函数指针的代码(获取现有函数的地址)并查看会发生什么(这可能会失败,因为编译器/链接器/操作系统也不赞同自修改代码,也是由于上述病毒人)
解决方案2
3 2013-11-18 18:32:57
If it's Linux, you can probably make it work by downloading and installing execstack, and follow the instructions here . 如果它是Linux,您可以通过下载和安装execstack来使其工作,并按照此处的说明进行操作。 The segmentation fault is probably a result from your elf binaries by default setting the nx bit, which exectstack selectively undoes. 分段错误可能是你的elf二进制文件默认设置nx位的结果,exxstack选择性地撤消。 If this doesn't work, you might trigger additional protections, which you may or may not be able to disable. 如果这不起作用,您可能会触发其他保护,您可能会或可能无法禁用这些保护。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.