我需要修改返回地址,以便我可以调用print_good函数。我需要一个偏移值,并存储十六进制值来执行此操作。我使用obj计算的偏移量是0xcd,得到的是0x40074e(我相信打印出来的puts函数再次尝试)减去400686(我要调用的print_good函数的地址)。我认为正确的十六进制值是400686,这是print_good值的地址。把我得到的偏移值和我得到的十六进制值都没有给出正确的答案。
我非常确定十六进制值是0x400686,但如果我错了,请纠正我。我相信偏移值可能会关闭。
我给出了代码和可执行文件。我需要找到密码,它是一个偏移值和一个十六进制值。我使用objdump获取地址并查看其代码。
如果您想亲自尝试帮助我,请点击下载可执行文件的文件: 可执行文件: https://www.mediafire.com/file/disui6pwcb55ing/Ch3_07_CanaryBypass
c代码: https://www.mediafire.com/file/yu3j3dxg476qy8c/Ch3_07_CanaryBypass.c
这里写的c代码:
#include <stdio.h>
#include <signal.h>
#include <stdlib.h>
#define USERDEF 30
char msg[] =
"Stack canaries and non-executable stacks make stack exploitation difficult. Such\n"
"techniques, however, do not protect against return-oriented programming where\n"
"only the return addresses on the stack are targeted. In this level, you control\n"
"a single write into a vulnerable buffer in the function prompt_user. Overflow\n"
"the buffer to modify the return address beyond the stack canary so that it\n"
"points to a function of your choice. The level will prompt you with an offset\n"
"(in decimal) from the beginning of the buffer that will be written into followed\n"
"by a hexadecimal value that will be written there (e.g. scanf(\"%d %x\");).\n"
"The program will then write the hexadecimal value to a location computed\n"
"using the offset. To determine how close you are, examine the pointer\n"
"being used to write into the stack and how far away it is from the value\n"
"of $rsp when the retq instruction at the end of prompt_user is reached.\n\n";
void print_good() {
printf("Good Job.\n");
exit(0);
}
void print_msg() {
printf("%s",msg);
}
void prompt_user() {
char buffer[30];
int offset;
char *user_addr;
char **over_addr;
printf("Enter the password: ");
scanf("%d %lx", &offset, (unsigned long *) &user_addr);
over_addr = (char **) (buffer + offset);
*over_addr = user_addr;
}
int main(int argc, char *argv[]) {
print_msg();
prompt_user();
printf("Try again.\n");
return 0;
}