Buffer Overflow strcpy()

I would like to know how many bytes we have to overflow in order to run shellcode?

#include <string.h>

int fun (char data[256]){
    int i;
    char *tmp;

    strcpy(tmp,data);

}

As is well known:

  • If the string *data is larger than *tmp, there will be an overflow.

  • Otherwise there will be no buffer overflow.

Give a generic method for the compiler. This is an exam for a master's degree in computer science. We have to explain two cases:

- when *tmp[200], for example, and

- when *tmp[300], i.e. one case where *tmp is larger than *data (no overflow) and one where *tmp is smaller than *data (overflow)

How do we know the number of bytes that overflow when the code is executed?

*tmp is uninitialized, so you will normally get a segmentation fault.

A better example would be to change char *tmp; to something like char tmp[64]; and copy the contents of data (in this case more than 64 bytes) into tmp. To answer your question from there, you need to start a debugger like gdb after changing the code and see how far you can write before you overwrite RIP. On my system it is 78 bytes.

marshall@marshall-debian-testbed:~$ cat bof.c
int fun (char data[256]) {
int i;
char tmp[64];
strcpy(tmp,data);
}

int main (int argc, char *argv[]) {
fun(argv[1]);
return(0);
}
marshall@marshall-debian-testbed:~$ gcc bof.c -o bof
bof.c: In function ‘fun’:
bof.c:4:1: warning: implicit declaration of function ‘strcpy’ [-Wimplicit-function-declaration]
 strcpy(tmp,data);
 ^~~~~~
bof.c:4:1: warning: incompatible implicit declaration of built-in function ‘strcpy’
bof.c:4:1: note: include ‘<string.h>’ or provide a declaration of ‘strcpy’
marshall@marshall-debian-testbed:~$ ./bof AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
marshall@marshall-debian-testbed:~$ gdb ./bof
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./bof...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
   0x00000000000006d2 <+0>:     push   %rbp
   0x00000000000006d3 <+1>:     mov    %rsp,%rbp
   0x00000000000006d6 <+4>:     sub    $0x10,%rsp
   0x00000000000006da <+8>:     mov    %edi,-0x4(%rbp)
   0x00000000000006dd <+11>:    mov    %rsi,-0x10(%rbp)
   0x00000000000006e1 <+15>:    mov    -0x10(%rbp),%rax
   0x00000000000006e5 <+19>:    add    $0x8,%rax
   0x00000000000006e9 <+23>:    mov    (%rax),%rax
   0x00000000000006ec <+26>:    mov    %rax,%rdi
   0x00000000000006ef <+29>:    callq  0x6b0 <fun>
   0x00000000000006f4 <+34>:    mov    $0x0,%eax
   0x00000000000006f9 <+39>:    leaveq
   0x00000000000006fa <+40>:    retq
End of assembler dump.
(gdb) disas fun
Dump of assembler code for function fun:
   0x00000000000006b0 <+0>:     push   %rbp
   0x00000000000006b1 <+1>:     mov    %rsp,%rbp
   0x00000000000006b4 <+4>:     sub    $0x50,%rsp
   0x00000000000006b8 <+8>:     mov    %rdi,-0x48(%rbp)
   0x00000000000006bc <+12>:    mov    -0x48(%rbp),%rdx
   0x00000000000006c0 <+16>:    lea    -0x40(%rbp),%rax
   0x00000000000006c4 <+20>:    mov    %rdx,%rsi
   0x00000000000006c7 <+23>:    mov    %rax,%rdi
   0x00000000000006ca <+26>:    callq  0x560 <strcpy@plt>
   0x00000000000006cf <+31>:    nop
   0x00000000000006d0 <+32>:    leaveq
   0x00000000000006d1 <+33>:    retq
End of assembler dump.
(gdb) r `perl -e 'print "A"x78;'`
Starting program: /home/marshall/bof `perl -e 'print "A"x78;'`

Program received signal SIGSEGV, Segmentation fault.
0x0000414141414141 in ?? ()
(gdb) info registers
rax            0x7fffffffdce0   140737488346336
rbx            0x0      0
rcx            0x4141414141414141       4702111234474983745
rdx            0x414141 4276545
rsi            0x7fffffffe140   140737488347456
rdi            0x7fffffffdd23   140737488346403
rbp            0x4141414141414141       0x4141414141414141
rsp            0x7fffffffdd30   0x7fffffffdd30
r8             0x555555554770   93824992233328
r9             0x7ffff7de99e0   140737351948768
r10            0x5b     91
r11            0x7ffff7b9ab28   140737349528360
r12            0x555555554580   93824992232832
r13            0x7fffffffde20   140737488346656
r14            0x0      0
r15            0x0      0
rip            0x414141414141   0x414141414141
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb)
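The 78 in the answer above can be read straight off the disassembly: `lea -0x40(%rbp),%rax` puts `tmp` 64 bytes below `%rbp`, the saved `%rbp` occupies the next 8 bytes, and the return address the 8 after that, so the copy reaches the return address after 72 bytes and 78 A's leave six 0x41 bytes plus `strcpy`'s NUL in it, which is exactly the `0x0000414141414141` seen in `rip`. The following C program is an added example, not code from the question or the answer: it models that frame layout in a struct (so nothing on the real stack is corrupted), checks the arithmetic, and shows the bounded replacement for `fun()` that a code review should ask for. The struct name, helper names and the placeholder addresses are this example's own inventions, and the byte-order reasoning assumes a little-endian host like the x86-64 machine in the answer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constants read off the answer's disassembly of fun():
 *   sub $0x50,%rsp ; lea -0x40(%rbp),%rax  -> tmp lives 0x40 = 64 bytes below rbp.
 * After "push %rbp; mov %rsp,%rbp" the saved rbp sits at 0(%rbp) and the
 * return address at 8(%rbp), so the bytes strcpy() writes run through:
 *   [ 64 bytes tmp ][ 8 bytes saved rbp ][ 8 bytes return address ]
 */
#define TMP_OFFSET_FROM_RBP 0x40u
#define SAVED_RBP_SIZE      8u
#define RET_ADDR_SIZE       8u

/* Bytes written before the first one lands on the return address (72 here). */
size_t bytes_before_return_address(size_t tmp_offset_from_rbp)
{
    return tmp_offset_from_rbp + SAVED_RBP_SIZE;
}

/* How many bytes of an n-byte input (not counting its NUL) overwrite the
 * return address slot: 0 if the input stops short, capped at 8. */
size_t input_bytes_on_return_address(size_t n, size_t tmp_offset_from_rbp)
{
    size_t start = bytes_before_return_address(tmp_offset_from_rbp);
    if (n <= start)
        return 0;
    return (n - start > RET_ADDR_SIZE) ? RET_ADDR_SIZE : n - start;
}

/* Hypothetical model of fun()'s frame with the same layout, so the effect of
 * the unbounded copy can be inspected without touching the real stack.
 * Assumes a little-endian host, as in the answer's x86-64 session. */
struct frame_model {
    char tmp[64];
    unsigned long long saved_rbp;
    unsigned long long return_address;
};

/* Fill the model with n 'A' bytes plus the NUL that strcpy() appends,
 * bounded to the model's size, and report what the return address slot
 * holds afterwards. The initial slot values are constructed placeholders. */
unsigned long long return_address_after_copying_As(size_t n)
{
    struct frame_model f;
    char input[256];

    if (n > sizeof input - 1)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';

    memset(&f, 0, sizeof f);
    f.saved_rbp = 0x7fffffffdd40ULL;       /* constructed placeholder */
    f.return_address = 0x5555555546f4ULL;  /* constructed placeholder (PIE main+34) */

    size_t written = n + 1;                /* strcpy() copies the terminator too */
    if (written > sizeof f)
        written = sizeof f;                /* stay inside the model */
    memcpy(&f, input, written);            /* runs from tmp into saved rbp and return address */
    return f.return_address;
}

/* The fix: bound the copy by the destination size and reject input that
 * does not fit, instead of trusting whatever length the caller hands in.
 * Returns 0 on success, -1 when data cannot fit in tmp with its terminator. */
int fun_safe(const char *data, size_t data_len)
{
    char tmp[64];

    if (data_len >= sizeof tmp)
        return -1;
    memcpy(tmp, data, data_len);
    tmp[data_len] = '\0';
    (void)tmp;   /* real code would use tmp here */
    return 0;
}

int main(void)
{
    char small[64];
    memset(small, 'A', 63);
    small[63] = '\0';

    printf("bytes before return address: %zu\n",
           bytes_before_return_address(TMP_OFFSET_FROM_RBP));
    printf("input bytes landing on the return address for 78 'A's: %zu\n",
           input_bytes_on_return_address(78, TMP_OFFSET_FROM_RBP));
    printf("return address slot after 78 'A's: 0x%016llx\n",
           return_address_after_copying_As(78));
    printf("fun_safe on 78 bytes: %d, on 63 bytes: %d\n",
           fun_safe(small, 78), fun_safe(small, 63));
    return 0;
}
```

Running the model with 71 A's leaves the return address untouched, with 72 only the NUL terminator lands on it (zeroing its low byte), and with 78 the slot reads `0x0000414141414141`, matching the `rip` value in the gdb session. Compiling the real program with `-Wall` would also have turned the page's implicit-declaration warnings into an obvious prompt to include `<string.h>`, and `-fstack-protector` would have turned the silent return-address overwrite into an abort with a "stack smashing detected" message.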
