
C Buffer Overflow Attack

I have a project in my CS course that is centered around buffer overflow attacks.

I'm having a difficult time fully comprehending the topic.

Say I have the following function:

08048cc5 <getbuf>:
 8048cc5:   55                      push   %ebp
 8048cc6:   89 e5                   mov    %esp,%ebp
 8048cc8:   83 ec 38                sub    $0x38,%esp
 8048ccb:   8d 45 d8                lea    -0x28(%ebp),%eax
 8048cce:   89 04 24                mov    %eax,(%esp)
 8048cd1:   e8 32 01 00 00          call   8048e08 <Gets>
 8048cd6:   b8 01 00 00 00          mov    $0x1,%eax
 8048cdb:   c9                      leave
 8048cdc:   c3                      ret

Currently it returns to this function:

08048c53 <test>:
 8048c53:   55                      push   %ebp
 8048c54:   89 e5                   mov    %esp,%ebp
 8048c56:   83 ec 28                sub    $0x28,%esp
 8048c59:   e8 63 04 00 00          call   80490c1 <uniqueval>
 8048c5e:   89 45 f0                mov    %eax,-0x10(%ebp)
 8048c61:   e8 5f 00 00 00          call   8048cc5 <getbuf>
 8048c66:   89 45 f4                mov    %eax,-0xc(%ebp)
 8048c69:   e8 53 04 00 00          call   80490c1 <uniqueval>
 8048c6e:   8b 55 f0                mov    -0x10(%ebp),%edx
 8048c71:   39 d0                   cmp    %edx,%eax
 8048c73:   74 0e                   je     8048c83 <test+0x30>
 8048c75:   c7 04 24 f0 a3 04 08    movl   $0x804a3f0,(%esp)
 8048c7c:   e8 9f fc ff ff          call   8048920 <puts@plt>
 8048c81:   eb 40                   jmp    8048cc3 <test+0x70>
 8048c83:   8b 55 f4                mov    -0xc(%ebp),%edx
 8048c86:   a1 20 e1 04 08          mov    0x804e120,%eax
 8048c8b:   39 c2                   cmp    %eax,%edx
 8048c8d:   75 21                   jne    8048cb0 <test+0x5d>
 8048c8f:   8b 45 f4                mov    -0xc(%ebp),%eax
 8048c92:   89 44 24 04             mov    %eax,0x4(%esp)
 8048c96:   c7 04 24 19 a4 04 08    movl   $0x804a419,(%esp)
 8048c9d:   e8 ae fb ff ff          call   8048850 <printf@plt>
 8048ca2:   c7 04 24 03 00 00 00    movl   $0x3,(%esp)
 8048ca9:   e8 a0 07 00 00          call   804944e <validate>
 8048cae:   eb 13                   jmp    8048cc3 <test+0x70>
 8048cb0:   8b 45 f4                mov    -0xc(%ebp),%eax
 8048cb3:   89 44 24 04             mov    %eax,0x4(%esp)
 8048cb7:   c7 04 24 36 a4 04 08    movl   $0x804a436,(%esp)
 8048cbe:   e8 8d fb ff ff          call   8048850 <printf@plt>
 8048cc3:   c9                      leave
 8048cc4:   c3                      ret

Instead of returning to test() I want to cause a buffer overflow that causes getbuf() to return to the following function:

08048b7d <smoke>:
 8048b7d:   55                      push   %ebp
 8048b7e:   89 e5                   mov    %esp,%ebp
 8048b80:   83 ec 18                sub    $0x18,%esp
 8048b83:   c7 04 24 50 a3 04 08    movl   $0x804a350,(%esp)
 8048b8a:   e8 91 fd ff ff          call   8048920 <puts@plt>
 8048b8f:   c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 8048b96:   e8 b3 08 00 00          call   804944e <validate>
 8048b9b:   c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 8048ba2:   e8 99 fd ff ff          call   8048940 <exit@plt>

So we have another program called HEX2RAW that converts a HEX value into a raw string that we will input into the program (and into the buffer).

Does that mean the HEX value needs to include a ret instruction and the address of smoke()? Or just solely the return address?

How do I know the size of the buffer that I will be overflowing? How do I know how far I need to overflow to reach the return instruction on the stack?

You can see my thoughts are slightly scrambled on the topic, so any clarification would be awesome!

You can see that the address passed to gets is -0x28(%ebp). Since the return address is at 4(%ebp) you need to input 44 bytes of padding followed by the required address. The ret instruction of course should not be entered, since that does not go onto the stack and is already in the code. That's what is going to pop the overwritten return address.
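The answer above is about how far an unbounded read travels up the frame; the defensive counterpart is what a bounded read looks like and how to check that it really stays inside the 0x28-byte array. The following C program is an added example, not code from the question, the answer, or the lab it comes from. It assumes the lab's Gets() behaves like the C library gets() (copying until newline with no length limit), models the getbuf frame as a struct whose trailing guard bytes stand in for the saved %ebp and return address, and reads input with fgets through a temporary file so it runs offline.

```c
#include <stdio.h>
#include <string.h>

/* 0x28 = 40 bytes, the size of the array getbuf reserves at -0x28(%ebp). */
#define BUF_SIZE 40

/* Stand-in for the getbuf frame: guard_hi occupies the place of the saved
 * %ebp and return address that sit above the buffer on a real stack. */
typedef struct {
    unsigned char guard_lo[8];
    char buf[BUF_SIZE];
    unsigned char guard_hi[8];
} frame_t;

/* Vulnerable shape (assumption: the lab's Gets() behaves like gets()): copy
 * bytes until the newline with no bound at all, so a line longer than
 * BUF_SIZE overwrites whatever follows buf.  Left as a comment because gets()
 * was removed from C11 and current compilers reject it.
 *
 *     char buf[BUF_SIZE];
 *     gets(buf);
 */

/* Hardened shape: fgets stores at most size-1 bytes plus a terminator, so the
 * frame above buf is never touched.  The rest of an over-long line is drained
 * so it cannot be replayed into the next read.  Returns bytes stored, -1 on EOF. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';          /* strip the newline fgets keeps */
    } else {
        int c;                      /* line was truncated: discard the remainder */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Push one constructed input line through the bounded reader and check the
 * guard bytes afterwards.  Returns the stored length, -1 if a guard changed,
 * -2 if the temporary input file could not be created. */
int exercise(const char *input)
{
    frame_t f;
    memset(f.guard_lo, 0xAA, sizeof f.guard_lo);
    memset(f.guard_hi, 0xBB, sizeof f.guard_hi);

    FILE *in = tmpfile();           /* ISO C, avoids platform-specific fmemopen */
    if (in == NULL)
        return -2;
    fputs(input, in);
    rewind(in);
    int n = read_line_bounded(in, f.buf, sizeof f.buf);
    fclose(in);

    for (size_t i = 0; i < sizeof f.guard_lo; i++)
        if (f.guard_lo[i] != 0xAA || f.guard_hi[i] != 0xBB)
            return -1;
    return n;
}

/* Build a constructed line of `count` copies of `c` plus a newline and feed it in. */
int exercise_run(char c, size_t count)
{
    char line[256];
    if (count > sizeof line - 2)
        return -3;
    memset(line, c, count);
    line[count] = '\n';
    line[count + 1] = '\0';
    return exercise(line);
}

int main(void)
{
    printf("short line -> %d bytes stored\n", exercise("hello\n"));
    printf("39 x 'A'   -> %d bytes stored\n", exercise_run('A', 39));
    printf("200 x 'A'  -> %d bytes stored (truncated, guards intact)\n",
           exercise_run('A', 200));
    return 0;
}
```

The 200-character line is the same kind of input the question is about (more than 44 bytes, so with gets() it would run through the saved frame pointer and the return address); with the bounded reader it is cut at 39 bytes and the guard bytes on both sides of the array are unchanged.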
