Reverse engineering with strcpy (stack overflow attack)

Time: 2012-10-18 14:32:03

Tags: assembly x86

The C code is this,

#include <string.h>

void foo(char *x) {
    int buf[1];                 /* 4-byte buffer at %ebp-4 */
    strcpy((char *) buf, x);    /* no bounds check: copies all of x plus its NUL */
}

void callfoo() {
    foo("abcdefghi");           /* 9 characters + NUL = 10 bytes into a 4-byte buffer */
}

and part of foo's assembly code is

leal 0xfffffffc(%ebp), %eax
pushl %eax
call 80483c4 <strcpy>
movl %ebp, %esp
popl %ebp
ret

I expected strcpy to get %eax filled with buf, so it fills %ebp-4, %ebp, %ebp+4 (old %ebp) and %ebp+8 (foo's return address). .... My attack string is "abcdefghi"

In that case the buffer would be filled as follows,

%ebp-0x4 = 64636261
%ebp = 68676665
%ebp+0x4 = 08040069

But the solution says it fills %ebp ~ %ebp+0x8. Am I misunderstanding the stack structure?

The solution says,

B. Immediately before the ret instruction at address of foo, what is the value of the frame pointer register %ebp?

%ebp = 0x68676665

C. Immediately after the ret instruction of foo, what is the value of the program counter register %eip?

%eip = %ebp+8(it is changed by strcpy)

1 answer:

Answer 0: (score: 0)

I misunderstood the push instruction.

The push instruction

pushl %ebp

is the same as

subl $0x4, %esp        # decrement %esp first...
movl %ebp, (%esp)      # ...then store at the new %esp

So strcpy fills %ebp ~ %ebp+0x8.
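As an added illustration (not part of the question or answer), the following C program models foo's frame byte by byte using the layout the answer arrives at: buf at %ebp-4 (from the `leal -4(%ebp)`), the saved %ebp at %ebp itself (because pushl decrements %esp before storing), and the return address at %ebp+4. The caller's %ebp (0xbffff7e8) and foo's return address (0x08048400) are constructed sample values; everything else follows from the page.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Byte model of foo's frame from %ebp-4 to %ebp+7. Offsets relative to %ebp:
 *   -4  buf             (the address leal -4(%ebp) loads into %eax)
 *    0  saved %ebp      (pushl subtracts 4 from %esp before storing, so it sits at %ebp itself)
 *   +4  return address  (pushed by the call to foo)                                          */
#define FRAME_BYTES 12
#define EBP_INDEX 4               /* mem[] index of the byte at address %ebp */

struct frame { uint8_t mem[FRAME_BYTES]; };
/* Store / load a 32-bit word little-endian (x86 byte order) at a signed offset from %ebp. */
static void put_word(struct frame *f, int rel_ebp, uint32_t v) {
    uint8_t *p = f->mem + EBP_INDEX + rel_ebp;
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_word(const struct frame *f, int rel_ebp) {
    const uint8_t *p = f->mem + EBP_INDEX + rel_ebp;
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Lay out the frame as the prologue leaves it, then do what strcpy(buf, x) does: copy every
 * byte of x plus the NUL with no bounds check (clipped at the model's edge so the model itself
 * never writes out of bounds). */
static void simulate_foo(struct frame *f, uint32_t saved_ebp, uint32_t ret_addr, const char *x) {
    memset(f->mem, 0, FRAME_BYTES);
    put_word(f, 0, saved_ebp);
    put_word(f, 4, ret_addr);
    size_t n = strlen(x) + 1;
    if (n > FRAME_BYTES) n = FRAME_BYTES;
    memcpy(f->mem + EBP_INDEX - 4, x, n);       /* buf starts at %ebp-4 */
}

/* The page's case: foo("abcdefghi") with constructed sample values for the
 * caller's %ebp (0xbffff7e8) and foo's return address (0x08048400). */
uint32_t word_after_overflow(int rel_ebp) {
    struct frame f;
    simulate_foo(&f, 0xbffff7e8u, 0x08048400u, "abcdefghi");
    return get_word(&f, rel_ebp);
}

int main(void) {
    printf("%%ebp-4 = %08" PRIx32 "\n", word_after_overflow(-4)); /* 64636261: "abcd" fills buf           */
    printf("%%ebp   = %08" PRIx32 "\n", word_after_overflow(0));  /* 68676665: "efgh" replaces saved %ebp */
    printf("%%ebp+4 = %08" PRIx32 "\n", word_after_overflow(4));  /* 08040069: "i\0" hits the return addr */
    return 0;
}
```

The three printed words match the listing in the question, which is why the solution reports %ebp = 0x68676665 just before foo's ret: the word at %ebp is the saved frame pointer, and it was the second word strcpy wrote.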