无论缓冲区大小如何,都无法访问 $eip - gdb
[英]Cannot access $eip no matter the size of the buffer - gdb
问题描述
I have the following C file, vuln.c, and I am trying to carry on a buffer overflow attack.
我有以下 C 文件 vuln.c,我正在尝试进行缓冲区溢出攻击。 My aim is set the $eip to the address of the function read_secret.我的目标是将$eip设置为函数 read_secret 的地址。
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
void read_secret() {
FILE *fptr = fopen("/task2/secret.txt", "r");
char secret[1024];
fscanf(fptr, "%512s", secret);
printf("Well done!\nThere you go, a wee reward: %s\n", secret);
exit(0);
}
int fib(int n)
{
if ( n == 0 )
return 0;
else if ( n == 1 )
return 1;
else
return ( fib(n-1) + fib(n-2) );
}
void vuln(char *name)
{
int n = 20;
char buf[1024];
int f[n];
int i;
for (i=0; i<n; i++) {
f[i] = fib(i);
}
strcpy(buf, name);
printf("Welcome %s!\n", buf);
for (i=0; i<20; i++) {
printf("By the way, the %dth Fibonacci number might be %d\n", i, f[i]);
}
}
int main(int argc, char *argv[])
{
if (argc < 2) {
printf("Provide your name\n");
return 0;
}
vuln(argv[1]);
return 0;
}
So far, using gdb, I can get a segmentation fault when I push the size of the input to 1026. That is, run $(python -c "print('A'*1026)") .到目前为止,使用 gdb,当我将输入的大小推送到 1026 时,我会遇到分段错误。也就是说, run $(python -c "print('A'*1026)") 。
However, no matter how much I increase the 1026, the $eip is always 0x8049323 .但是,无论我将 1026 增加多少, $eip始终是0x8049323 。 I have looked long and hard online for any similar problem, but I have failed to find any.我在网上找了很长时间来寻找任何类似的问题,但我没有找到任何问题。
I am aware there's a similar question with similar code, but the answer doesn't address my problem.我知道有类似代码的类似问题,但答案并没有解决我的问题。
EDIT: For reference, yes, the x41's do reach in, they just never make it all the way to $eip.编辑:作为参考,是的,x41 确实可以使用,但它们从未一直到达 $eip。
Also, these are the info reg's before and after the input is strcpy-ed in.此外,这些是输入被 strcpy 输入之前和之后的信息注册。
Before :之前:
After后
And the address of the buf variable is 0xffffd230 before and after.而buf变量的地址前后都是0xffffd230。 And the address of read_secret() is 0x80491c2.而 read_secret() 的地址是 0x80491c2。
1 个解决方案
解决方案1
1 2020-03-12 19:01:38
The problem was that inside the program there comes a point where the program attempts to print f[i]'s.问题是在程序内部出现了一个程序试图打印 f[i] 的地方。 These are overwritten by the buffer to illegal addresses (ie 0x41414141).这些被缓冲区覆盖到非法地址(即 0x41414141)。
What I instead did is that I picked an address from 'info reg' (the $ebp) worked for me, and inserted that address multiple times until I hit the $eip.相反,我所做的是我从“info reg”($ebp)中选择了一个为我工作的地址,并多次插入该地址,直到我点击了 $eip。 Essentially, you want to pick a LEGAL address here.本质上,您想在这里选择一个合法地址。
Then, I'd reduce the number of times the address I picked is repeated and put a 'AAAA' instead to see where the $eip is.然后,我会减少我选择的地址重复的次数,并添加一个“AAAA”来查看 $eip 的位置。 Once I find the $eip, I put the address of the function I want to execute there instead.找到 $eip 后,我将要执行的函数的地址放在那里。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.