So, I have been learning the basics of hacking from Jon Erickson's (2008) book "Hacking: The Art of Exploitation, 2nd Edn", because I want to become a penetration tester in the future. The book is great. There is still a problem, because all of the examples run on an x86 processor. My processor is x64, and the output in gdb is completely different from the output in the book. On top of that, the program even refuses to work the way it does in the example, and the output is different.
Here is my gdb output:
avaxio@avaxio-Aspire-E5-573G:~/Desktop/hax$ gdb -q ./auth_overflow2
Reading symbols from ./auth_overflow2...done.
(gdb) list 1
1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <string.h>
4
5 int check_authentication(char *password) {
6 char password_buffer[16];
7 int auth_flag = 0;
8
9 strcpy(password_buffer, password);
10
(gdb)
11 if(strcmp(password_buffer, "brillig") == 0)
12 auth_flag = 1;
13 if(strcmp(password_buffer, "outgrabe") == 0)
14 auth_flag = 1;
15
16 return auth_flag;
17 }
18
19 int main(int argc, char *argv[]) {
20 if(argc < 2) {
(gdb)
21 printf("Usage: %s <password>\n", argv[0]);
22 exit(0);
23 }
24 if(check_authentication(argv[1])) {
25 printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
26 printf(" Access Granted.\n");
27 printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
28 } else {
29 printf("\nAccess Denied.\n");
30 }
(gdb) break 24
Breakpoint 1 at 0x88e: file auth_overflow2.c, line 24.
(gdb) break 9
Breakpoint 2 at 0x7ec: file auth_overflow2.c, line 9.
(gdb) break 16
Breakpoint 3 at 0x83b: file auth_overflow2.c, line 16.
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/avaxio/Desktop/hax/auth_overflow2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 1, main (argc=2, argv=0x7fffffffe468) at auth_overflow2.c:24
24 if(check_authentication(argv[1])) {
(gdb) i r rsp
rsp 0x7fffffffe370 0x7fffffffe370
(gdb) x/32xw $rsp
0x7fffffffe370: 0xffffe468 0x00007fff 0x00000000 0x00000002
0x7fffffffe380: 0x555548e0 0x00005555 0xf7a05b97 0x00007fff
0x7fffffffe390: 0x00000002 0x00000000 0xffffe468 0x00007fff
0x7fffffffe3a0: 0x00008000 0x00000002 0x55554854 0x00005555
0x7fffffffe3b0: 0x00000000 0x00000000 0x7fa36084 0x1900eec9
0x7fffffffe3c0: 0x555546c0 0x00005555 0xffffe460 0x00007fff
0x7fffffffe3d0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe3e0: 0x29436084 0x4c55bb9c 0x58fd6084 0x4c55ab23
(gdb) c
Continuing.
Breakpoint 2, check_authentication (
password=0x7fffffffe6fc 'A' <repeats 35 times>) at auth_overflow2.c:9
9 strcpy(password_buffer, password);
(gdb) i r rsp
rsp 0x7fffffffe320 0x7fffffffe320
(gdb) x/32xw $rsp
0x7fffffffe320: 0x00000009 0x00000000 0xffffe6fc 0x00007fff
0x7fffffffe330: 0xffffe398 0x00007fff 0x00f0b6ff 0x00000000
0x7fffffffe340: 0x00000001 0x00000000 0x5555492d 0x00005555
0x7fffffffe350: 0xf7de59a0 0x00007fff 0x6f9c7600 0x3543fdb3
0x7fffffffe360: 0xffffe380 0x00007fff 0x555548a1 0x00005555
0x7fffffffe370: 0xffffe468 0x00007fff 0x00000000 0x00000002
0x7fffffffe380: 0x555548e0 0x00005555 0xf7a05b97 0x00007fff
0x7fffffffe390: 0x00000002 0x00000000 0xffffe468 0x00007fff
(gdb) x/s password_buffer
0x7fffffffe340: "\001"
So I know that if I use strcpy() instead of strncpy(), it will not check the size of the data being copied into the password_buffer variable. That is where my question comes in: why does the last line say that password_buffer contains "\001" rather than the 35 bytes of junk (as in the book, which used an x86 processor)? When I run the program further, it does not let me continue and throws a "core dumped" error. Is it because of some x64 architecture feature or what? I would really like to know why this happens.