
Why doesn't my C program have a jmp esp instruction in the binary?

Why can you find jmp esp only in big applications?

In this little program you can't find jmp esp. But why? This is the source code:

#include <stdio.h>

int main(int argc, char **argv)
{
    char buffer[64];

    printf("Type in something: ");
    gets(buffer);   /* no bounds check: input longer than 63 bytes overflows buffer */
    return 0;
}

AT&T jmp *%esp / Intel jmp esp has machine code ff e4. You should be looking for that byte sequence at any offset.
(I assembled a .s with that instruction and used objdump -d to get the machine code.)

There is a lot of discussion in comments from people who thought you were talking about jmp *(%esp) as a ret without pop. For future readers, see Why JMP ESP instead of directly jumping into the stack on security.SE for more about this ret2reg technique to defeat stack ASLR when trying to return to your executable payload. (But not defeating non-executable stacks, so this is rarely useful on its own in modern systems.) It's a special case of a ROP gadget.


Compilers are never going to use that instruction intentionally, so you'll only ever find it as part of the bytes for another instruction, or in a non-code section. Or not at all if no data happens to include it.

Also, your search method could miss it if it did occur.

objdump | grep 'jmp.*esp' is not good here. That will miss ff e4 as part of mov eax, 0x1234e4ff for example. And disassembly of data sections similarly will only "check" bytes where objdump decides that an instruction starts. (It doesn't do overlapping disassembly starting from every possible byte address; it gets to the end of one instruction and assumes the next instruction starts there.)


But even so, I compiled your code with gcc8.2 with optimization disabled (gcc -m32 foo.c) and searched for e4 bytes in the output of hexdump -C. None of them were preceded by an ff byte. (I tried again with gcc -m32 -no-pie -fno-pie foo.c, still no ff e4.)

There's no reason to expect that to appear in a tiny executable.

You could introduce one with a global const unsigned char jmp_esp[] = { 0xff, 0xe4 };

But note that modern toolchains (like late 2018 / 2019) put even the .rodata section in a non-executable segment. So you'd need to compile with -zexecstack for byte sequences in non-code sections to be useful as gadgets.

But you probably need -z execstack or something else to make the stack itself executable, for your payload itself to be in an executable page, not just a jmp esp in a const array.


If you disabled library ASLR, then you could use an ff e4 at a known address somewhere in libc. But with normal randomization of library mapping addresses, it's probably just as easy to try to guess the stack address of your buffer directly, +- some bytes you fill with a NOP slide. (Unless you can get the program you're attacking to leak a library address, defeating ASLR).
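The answer above makes two points that are easy to get wrong in practice: a gadget search has to look at every byte offset (ff e4 hidden inside mov eax, 0x1234e4ff is invisible to objdump | grep), and a hit only helps if it sits in an executable segment (an ff e4 in .rodata is useless on a toolchain that maps .rodata non-executable). The following scanner is an added example, not code from the question or the answer: it reports every ff e4 at any file offset and then checks the ELF program headers to say whether that offset lands in a PT_LOAD segment with PF_X. It assumes a little-endian 64-bit Linux host with <elf.h>, and it ships with a constructed, minimal ELF image (not a real compiler output) that plants one ff e4 inside a mov in an R+X segment and one as plain data in an R-only segment.

```c
/* gadget_scan.c: added example, not code from the original question or answer.
 * Finds a byte pattern (default ff e4 = jmp esp) at EVERY file offset, not only
 * where objdump decides an instruction starts, then reads the ELF program headers
 * to say whether each hit lies in an executable PT_LOAD segment.
 * Assumes a little-endian 64-bit host scanning x86/x86-64 ELF files (no byte-swapping). */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

const unsigned char JMP_ESP[2] = { 0xff, 0xe4 };   /* jmp esp / jmp *%esp */

/* Count overlapping matches of pat in buf; store the first `max` offsets in out. */
size_t find_pattern(const unsigned char *buf, size_t len, const unsigned char *pat,
                    size_t patlen, size_t *out, size_t max)
{
    size_t n = 0;
    if (patlen == 0 || len < patlen) return 0;
    for (size_t i = 0; i + patlen <= len; i++)
        if (memcmp(buf + i, pat, patlen) == 0) { if (n < max) out[n] = i; n++; }
    return n;
}

/* File offset of the idx-th match (0-based), or (size_t)-1 if there is none. */
size_t match_offset(const unsigned char *buf, size_t len, const unsigned char *pat,
                    size_t patlen, size_t idx)
{
    size_t offs[64], n = find_pattern(buf, len, pat, patlen, offs, 64);
    return (idx < n && idx < 64) ? offs[idx] : (size_t)-1;
}

/* Walk the program headers of one ELF class (the 32- and 64-bit header types differ
 * only in field widths). memcpy avoids alignment assumptions on the raw buffer. */
#define SEGMENT_LOOKUP(EhdrT, PhdrT) do {                                   \
        EhdrT eh; PhdrT ph;                                                 \
        if (len < sizeof eh) return -1;                                     \
        memcpy(&eh, buf, sizeof eh);                                        \
        for (size_t i = 0; i < eh.e_phnum; i++) {                           \
            size_t at = (size_t)eh.e_phoff + i * eh.e_phentsize;            \
            if (at + sizeof ph > len) return -1;                            \
            memcpy(&ph, buf + at, sizeof ph);                               \
            if (ph.p_type == PT_LOAD && off >= ph.p_offset &&               \
                off < (size_t)ph.p_offset + ph.p_filesz)                    \
                return (ph.p_flags & PF_X) ? 1 : 0;                         \
        }                                                                   \
        return 0; } while (0)

/* 1: `off` is inside a PT_LOAD segment with PF_X. 0: inside a non-executable
 * segment, or in no loaded segment at all. -1: buf is not a parsable ELF image. */
int offset_is_executable(const unsigned char *buf, size_t len, size_t off)
{
    if (len < EI_NIDENT || memcmp(buf, ELFMAG, SELFMAG) != 0) return -1;
    if (buf[EI_CLASS] == ELFCLASS64) SEGMENT_LOOKUP(Elf64_Ehdr, Elf64_Phdr);
    if (buf[EI_CLASS] == ELFCLASS32) SEGMENT_LOOKUP(Elf32_Ehdr, Elf32_Phdr); /* gcc -m32 */
    return -1;
}

/* Constructed sample image, not a real binary: a minimal ELF64 header plus two
 * PT_LOAD segments, [0,0x100) R+X and [0x100,0x200) R only. One ff e4 hides inside
 * "mov eax, 0x1234e4ff" (b8 ff e4 34 12) in the executable segment; the other is
 * plain data in the read-only segment, like the const array the answer mentions. */
#define SAMPLE_LEN 0x200
const unsigned char *sample_elf(void)
{
    static unsigned char img[SAMPLE_LEN];
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    memset(img, 0, sizeof img); memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT; eh.e_version = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64;
    eh.e_ehsize = eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    ph[0].p_type = ph[1].p_type = PT_LOAD;
    ph[0].p_flags = PF_R | PF_X; ph[0].p_offset = 0x000;   /* text-like: R+X */
    ph[1].p_flags = PF_R;        ph[1].p_offset = 0x100;   /* rodata-like: R only */
    ph[0].p_filesz = ph[0].p_memsz = ph[1].p_filesz = ph[1].p_memsz = 0x100;
    memcpy(img, &eh, sizeof eh); memcpy(img + eh.e_phoff, ph, sizeof ph);
    memcpy(img + 0xc0, "\xb8\xff\xe4\x34\x12", 5); /* ff e4 at 0xc1: executable */
    memcpy(img + 0x180, JMP_ESP, 2);               /* ff e4 at 0x180: not executable */
    return img;
}

/* Scan the file named on the command line, or the constructed sample if none. */
int main(int argc, char **argv)
{
    unsigned char *file = NULL; const unsigned char *data; size_t len, offs[64];
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); len = (size_t)ftell(f); rewind(f);
        if (!(file = malloc(len + 1)) || fread(file, 1, len, f) != len) { perror("read"); return 1; }
        fclose(f); data = file;
    } else { data = sample_elf(); len = SAMPLE_LEN; }
    size_t n = find_pattern(data, len, JMP_ESP, sizeof JMP_ESP, offs, 64);
    for (size_t i = 0; i < n && i < 64; i++) {
        int x = offset_is_executable(data, len, offs[i]);
        printf("ff e4 at file offset 0x%zx: %s\n", offs[i], x == 1 ? "executable segment"
               : x == 0 ? "NOT executable" : "not an ELF file");
    }
    printf("%zu match(es) total\n", n);
    free(file);
    return 0;
}
```

Build with gcc -O2 -o gadget_scan gadget_scan.c and run ./gadget_scan ./a.out against the -m32 binary from the question (or any ELF); with no argument it scans the constructed sample and reports the hit at 0xc1 as executable and the one at 0x180 as not. The file offset is what the program headers describe; to turn a hit into a usable address you still add the segment's p_vaddr - p_offset and, for a PIE, the randomized load base, which is exactly the ASLR problem the answer's last paragraph is about.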
