Get the address of a function in libc (execve) without gdb
I'm trying to automate a return-to-libc attack based on the exploitation of a buffer overflow vulnerability (on an x86-32 Linux machine). I need a way to find the address of the execve function in libc without using gdb:

(gdb) p execve
$1 = {} 0xf7ec1b30

ASLR protection is disabled so as to allow this technique.

Is there a way to get the address of a function in libc such as execve, with a program or any other automatable way? (No gdb, because it isn't automatable in a bash script or a C program.)

Any advice is welcome.
Is this a trick question or does something like this not work:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main (int argc, char **argv)
{
  /* Take the address of the libc function; the dynamic linker resolved it at load time. */
  void *a = (void *) execv;
  printf ("execv is at %p\n", a);
  exit (0);
}
Works here.
If you are trying to get this information for a script, perhaps the nm utility would help? Example:

nm {libraryPath} | grep execve
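The two answers above resolve the symbol either in the running process (function pointer) or from the library file (nm). The following added example, which is not from either answer, does the same from Python with ctypes and shows how the two relate: the address nm prints is an offset from the library's load base, which it reads from /proc/self/maps, and it also reports /proc/sys/kernel/randomize_va_space so you can see whether ASLR would move that base between runs. It assumes Linux with /proc mounted; the function names are my own.

```python
import ctypes
import ctypes.util


def libc_symbol_address(name):
    """Runtime address of a libc symbol in this process (dlsym under the hood)."""
    # find_library may return None on minimal systems; CDLL(None) then uses the
    # whole process scope, which still contains libc.
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    return ctypes.cast(getattr(libc, name), ctypes.c_void_p).value


def read_maps():
    """Parse /proc/self/maps into (start, end, path) tuples."""
    rows = []
    with open("/proc/self/maps") as maps:
        for line in maps:
            f = line.split()
            start, end = (int(x, 16) for x in f[0].split("-"))
            rows.append((start, end, f[5] if len(f) > 5 else ""))
    return rows


def aslr_enabled():
    """True when the kernel randomises mmap bases, i.e. libc lands somewhere new each run."""
    with open("/proc/sys/kernel/randomize_va_space") as f:
        return int(f.read().strip()) != 0


def describe(name="execve"):
    """Address, owning file, load base and nm-style offset for a libc symbol."""
    addr = libc_symbol_address(name)
    rows = read_maps()
    path = next(p for s, e, p in rows if s <= addr < e)   # segment holding the symbol
    base = min(s for s, e, p in rows if p == path)         # lowest mapping of that file
    return {"symbol": name, "address": addr, "path": path,
            "base": base, "offset": addr - base, "aslr": aslr_enabled()}


if __name__ == "__main__":
    info = describe("execve")
    print(f"{info['symbol']} is at {info['address']:#x} in {info['path']}")
    print(f"load base {info['base']:#x}, offset {info['offset']:#x} (what nm reports)")
    print("ASLR is", "enabled: the base changes per process" if info["aslr"]
          else "disabled: the address is stable across runs")
```

The offset stays constant for a given libc build; only the base moves, which is exactly what ASLR protects and why the question has to disable it.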