我正在尝试使c程序上的缓冲区溢出,但是我无法设法找到漏洞并利用代码。
我已经尝试了数千种输入。 通常,我已经尝试过这些: 1)我尝试了显而易见的方法-给出一个很长的字符串作为输入。 2)我试图提供一个太大的字符串,以至于strlen()会敏锐地返回一个负值。 3)我试图给空字节和EOF作为输入,并追加字符串。它不会让我输入那些字符作为输入。 4)我尝试覆盖某物,但是没有东西被覆盖(如果我设法覆盖某物,那对我来说是70%的方式)
所有我在Python中尝试过的方法。
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int secretCode = 123;
#define STATUS_WINNER 'WIN!'
typedef struct _word_struct
{
char word[32 + 24];
char result[48 + 24];
int status;
} word_struct, *word_data;
int get_input(char *word, int len)
{
int wordSize = 0;
char *locWord = malloc(len+4);
if(!locWord)
return -2;
printf("Enter your guess: ");
fgets(locWord,len+4,stdin);
wordSize = strlen(locWord);
// strip newline character
if(locWord[wordSize-1] == '\n')
locWord[wordSize-1] = '\0';
if(strlen(locWord) > len)
{
free(locWord);
return -1;
}
strcpy(word,locWord);
free(locWord);
return 1;
}
void check_input(word_data w)
{
//todo: implement this
printf("Incorrect word!\n");
w->status = strlen(w->word);
}
int main(int argc, char* argv[])
{
//check with sizeof - off by one + strcpy (overwrite the next with 0)
//strcpy that will copy that additional symbol
//strncat that will start later because there is a 0 later
word_struct guess;
int i,offset,len,ret;
printf("Welcome to Alladin's magic cave!\n");
printf("Enter the secret word and get the treasure cave entrance code!\n");
ret = get_input(guess.word, sizeof(guess.word));
if(ret == -1)
{
printf("Exiting due to buffer overflow!\n");
return -1;
}
else if(ret == -2)
{
printf("Out of resources! Exiting...\n");
return -2;
}
check_input(&guess);
printf("STATUS: %d\n", guess.status);
printf("REAL:%d\n", STATUS_WINNER);
if(guess.status == STATUS_WINNER)
strcpy(guess.result,"CORRECT! YOU ENTERED: ");
else
strcpy(guess.result,"WRONG! YOUR WORD: ");
//we don't use unsafe str functions, we copy strings carefully one-by-one!
offset = strlen(guess.result);
len = strlen(guess.word);
for(i = 0; i < len; ++i)
guess.result[offset+i] = guess.word[i];
guess.result[offset+i] = '\0';
printf("%s\n",guess.result);
// give them the flag?
if(guess.status == STATUS_WINNER)
printf("It was cool, wasn't it ?! Go get your treasure, the code is %d\n", secretCode);
else
printf("Better luck next time!\n");
return 0;
}
输入56字节长完全-我遇到段错误。 对于大于56的输入-我从程序中得到缓冲区溢出“错误”。 对于非常大的输入(超过10 ^ 6个字节[长或多或少])-该程序只是卡住了。
我希望能够覆盖所有内容,但是我无法覆盖任何内容,也许直接跳入打印出代码的地址(0x804889d)
下面是程序集:
080485ab <get_input>:
80485ab: 55 push %ebp
80485ac: 89 e5 mov %esp,%ebp
80485ae: 83 ec 18 sub $0x18,%esp
80485b1: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
80485b8: 8b 45 0c mov 0xc(%ebp),%eax
80485bb: 83 c0 04 add $0x4,%eax
80485be: 83 ec 0c sub $0xc,%esp
80485c1: 50 push %eax
80485c2: e8 99 fe ff ff call 8048460 <malloc@plt>
80485c7: 83 c4 10 add $0x10,%esp
80485ca: 89 45 f4 mov %eax,-0xc(%ebp)
80485cd: 83 7d f4 00 cmpl $0x0,-0xc(%ebp)
80485d1: 75 0a jne 80485dd <get_input+0x32>
80485d3: b8 fe ff ff ff mov $0xfffffffe,%eax
80485d8: e9 ac 00 00 00 jmp 8048689 <get_input+0xde>
80485dd: 83 ec 0c sub $0xc,%esp
80485e0: 68 60 89 04 08 push $0x8048960
80485e5: e8 26 fe ff ff call 8048410 <printf@plt>
80485ea: 83 c4 10 add $0x10,%esp
80485ed: a1 40 a0 04 08 mov 0x804a040,%eax
80485f2: 8b 55 0c mov 0xc(%ebp),%edx
80485f5: 83 c2 04 add $0x4,%edx
80485f8: 83 ec 04 sub $0x4,%esp
80485fb: 50 push %eax
80485fc: 52 push %edx
80485fd: ff 75 f4 pushl -0xc(%ebp)
8048600: e8 2b fe ff ff call 8048430 <fgets@plt>
8048605: 83 c4 10 add $0x10,%esp
8048608: 83 ec 0c sub $0xc,%esp
804860b: ff 75 f4 pushl -0xc(%ebp)
804860e: e8 6d fe ff ff call 8048480 <strlen@plt>
8048613: 83 c4 10 add $0x10,%esp
8048616: 89 45 f0 mov %eax,-0x10(%ebp)
8048619: 8b 45 f0 mov -0x10(%ebp),%eax
804861c: 8d 50 ff lea -0x1(%eax),%edx
804861f: 8b 45 f4 mov -0xc(%ebp),%eax
8048622: 01 d0 add %edx,%eax
8048624: 0f b6 00 movzbl (%eax),%eax
8048627: 3c 0a cmp $0xa,%al
8048629: 75 0e jne 8048639 <get_input+0x8e>
804862b: 8b 45 f0 mov -0x10(%ebp),%eax
804862e: 8d 50 ff lea -0x1(%eax),%edx
8048631: 8b 45 f4 mov -0xc(%ebp),%eax
8048634: 01 d0 add %edx,%eax
8048636: c6 00 00 movb $0x0,(%eax)
8048639: 83 ec 0c sub $0xc,%esp
804863c: ff 75 f4 pushl -0xc(%ebp)
804863f: e8 3c fe ff ff call 8048480 <strlen@plt>
8048644: 83 c4 10 add $0x10,%esp
8048647: 89 c2 mov %eax,%edx
8048649: 8b 45 0c mov 0xc(%ebp),%eax
804864c: 39 c2 cmp %eax,%edx
804864e: 76 15 jbe 8048665 <get_input+0xba>
8048650: 83 ec 0c sub $0xc,%esp
8048653: ff 75 f4 pushl -0xc(%ebp)
8048656: e8 c5 fd ff ff call 8048420 <free@plt>
804865b: 83 c4 10 add $0x10,%esp
804865e: b8 ff ff ff ff mov $0xffffffff,%eax
8048663: eb 24 jmp 8048689 <get_input+0xde>
8048665: 83 ec 08 sub $0x8,%esp
8048668: ff 75 f4 pushl -0xc(%ebp)
804866b: ff 75 08 pushl 0x8(%ebp)
804866e: e8 dd fd ff ff call 8048450 <strcpy@plt>
8048673: 83 c4 10 add $0x10,%esp
8048676: 83 ec 0c sub $0xc,%esp
8048679: ff 75 f4 pushl -0xc(%ebp)
804867c: e8 9f fd ff ff call 8048420 <free@plt>
8048681: 83 c4 10 add $0x10,%esp
8048684: b8 01 00 00 00 mov $0x1,%eax
8048689: c9 leave
804868a: c3 ret
0804868b <check_input>:
804868b: 55 push %ebp
804868c: 89 e5 mov %esp,%ebp
804868e: 83 ec 08 sub $0x8,%esp
8048691: 83 ec 0c sub $0xc,%esp
8048694: 68 73 89 04 08 push $0x8048973
8048699: e8 d2 fd ff ff call 8048470 <puts@plt>
804869e: 83 c4 10 add $0x10,%esp
80486a1: 8b 45 08 mov 0x8(%ebp),%eax
80486a4: 83 ec 0c sub $0xc,%esp
80486a7: 50 push %eax
80486a8: e8 d3 fd ff ff call 8048480 <strlen@plt>
80486ad: 83 c4 10 add $0x10,%esp
80486b0: 89 c2 mov %eax,%edx
80486b2: 8b 45 08 mov 0x8(%ebp),%eax
80486b5: 89 90 80 00 00 00 mov %edx,0x80(%eax)
80486bb: 90 nop
80486bc: c9 leave
80486bd: c3 ret
080486be <main>:
80486be: 8d 4c 24 04 lea 0x4(%esp),%ecx
80486c2: 83 e4 f0 and $0xfffffff0,%esp
80486c5: ff 71 fc pushl -0x4(%ecx)
80486c8: 55 push %ebp
80486c9: 89 e5 mov %esp,%ebp
80486cb: 51 push %ecx
80486cc: 81 ec b4 00 00 00 sub $0xb4,%esp
80486d2: 89 c8 mov %ecx,%eax
80486d4: 8b 40 04 mov 0x4(%eax),%eax
80486d7: 89 85 54 ff ff ff mov %eax,-0xac(%ebp)
80486dd: 65 a1 14 00 00 00 mov %gs:0x14,%eax
80486e3: 89 45 f4 mov %eax,-0xc(%ebp)
80486e6: 31 c0 xor %eax,%eax
80486e8: 83 ec 0c sub $0xc,%esp
80486eb: 68 84 89 04 08 push $0x8048984
80486f0: e8 7b fd ff ff call 8048470 <puts@plt>
80486f5: 83 c4 10 add $0x10,%esp
80486f8: 83 ec 0c sub $0xc,%esp
80486fb: 68 a8 89 04 08 push $0x80489a8
8048700: e8 6b fd ff ff call 8048470 <puts@plt>
8048705: 83 c4 10 add $0x10,%esp
8048708: 83 ec 08 sub $0x8,%esp
804870b: 6a 38 push $0x38
804870d: 8d 85 70 ff ff ff lea -0x90(%ebp),%eax
8048713: 50 push %eax
8048714: e8 92 fe ff ff call 80485ab <get_input>
8048719: 83 c4 10 add $0x10,%esp
804871c: 89 85 64 ff ff ff mov %eax,-0x9c(%ebp)
8048722: 83 bd 64 ff ff ff ff cmpl $0xffffffff,-0x9c(%ebp)
8048729: 75 1a jne 8048745 <main+0x87>
804872b: 83 ec 0c sub $0xc,%esp
804872e: 68 e8 89 04 08 push $0x80489e8
8048733: e8 38 fd ff ff call 8048470 <puts@plt>
8048738: 83 c4 10 add $0x10,%esp
804873b: b8 ff ff ff ff mov $0xffffffff,%eax
8048740: e9 77 01 00 00 jmp 80488bc <main+0x1fe>
8048745: 83 bd 64 ff ff ff fe cmpl $0xfffffffe,-0x9c(%ebp)
804874c: 75 1a jne 8048768 <main+0xaa>
804874e: 83 ec 0c sub $0xc,%esp
8048751: 68 08 8a 04 08 push $0x8048a08
8048756: e8 15 fd ff ff call 8048470 <puts@plt>
804875b: 83 c4 10 add $0x10,%esp
804875e: b8 fe ff ff ff mov $0xfffffffe,%eax
8048763: e9 54 01 00 00 jmp 80488bc <main+0x1fe>
8048768: 83 ec 0c sub $0xc,%esp
804876b: 8d 85 70 ff ff ff lea -0x90(%ebp),%eax
8048771: 50 push %eax
8048772: e8 14 ff ff ff call 804868b <check_input>
8048777: 83 c4 10 add $0x10,%esp
804877a: 8b 45 f0 mov -0x10(%ebp),%eax
804877d: 3d 21 4e 49 57 cmp $0x57494e21,%eax
8048782: 75 37 jne 80487bb <main+0xfd>
8048784: 8d 85 70 ff ff ff lea -0x90(%ebp),%eax
804878a: 83 c0 38 add $0x38,%eax
804878d: c7 00 43 4f 52 52 movl $0x52524f43,(%eax)
8048793: c7 40 04 45 43 54 21 movl $0x21544345,0x4(%eax)
804879a: c7 40 08 20 59 4f 55 movl $0x554f5920,0x8(%eax)
80487a1: c7 40 0c 20 45 4e 54 movl $0x544e4520,0xc(%eax)
80487a8: c7 40 10 45 52 45 44 movl $0x44455245,0x10(%eax)
80487af: 66 c7 40 14 3a 20 movw $0x203a,0x14(%eax)
80487b5: c6 40 16 00 movb $0x0,0x16(%eax)
80487b9: eb 2b jmp 80487e6 <main+0x128>
80487bb: 8d 85 70 ff ff ff lea -0x90(%ebp),%eax
80487c1: 83 c0 38 add $0x38,%eax
80487c4: c7 00 57 52 4f 4e movl $0x4e4f5257,(%eax)
80487ca: c7 40 04 47 21 20 59 movl $0x59202147,0x4(%eax)
80487d1: c7 40 08 4f 55 52 20 movl $0x2052554f,0x8(%eax)
80487d8: c7 40 0c 57 4f 52 44 movl $0x44524f57,0xc(%eax)
80487df: c7 40 10 3a 20 20 00 movl $0x20203a,0x10(%eax)
80487e6: 83 ec 0c sub $0xc,%esp
80487e9: 8d 85 70 ff ff ff lea -0x90(%ebp),%eax
80487ef: 83 c0 38 add $0x38,%eax
80487f2: 50 push %eax
80487f3: e8 88 fc ff ff call 8048480 <strlen@plt>
80487f8: 83 c4 10 add $0x10,%esp
80487fb: 89 85 68 ff ff ff mov %eax,-0x98(%ebp)
8048801: 83 ec 0c sub $0xc,%esp
8048804: 8d 85 70 ff ff ff lea -0x90(%ebp),%eax
804880a: 50 push %eax
804880b: e8 70 fc ff ff call 8048480 <strlen@plt>
8048810: 83 c4 10 add $0x10,%esp
8048813: 89 85 6c ff ff ff mov %eax,-0x94(%ebp)
8048819: c7 85 60 ff ff ff 00 movl $0x0,-0xa0(%ebp)
8048820: 00 00 00
8048823: eb 2a jmp 804884f <main+0x191>
8048825: 8b 95 68 ff ff ff mov -0x98(%ebp),%edx
804882b: 8b 85 60 ff ff ff mov -0xa0(%ebp),%eax
8048831: 01 c2 add %eax,%edx
8048833: 8d 8d 70 ff ff ff lea -0x90(%ebp),%ecx
8048839: 8b 85 60 ff ff ff mov -0xa0(%ebp),%eax
804883f: 01 c8 add %ecx,%eax
8048841: 0f b6 00 movzbl (%eax),%eax
8048844: 88 44 15 a8 mov %al,-0x58(%ebp,%edx,1)
8048848: 83 85 60 ff ff ff 01 addl $0x1,-0xa0(%ebp)
804884f: 8b 85 60 ff ff ff mov -0xa0(%ebp),%eax
8048855: 3b 85 6c ff ff ff cmp -0x94(%ebp),%eax
804885b: 7c c8 jl 8048825 <main+0x167>
804885d: 8b 95 68 ff ff ff mov -0x98(%ebp),%edx
8048863: 8b 85 60 ff ff ff mov -0xa0(%ebp),%eax
8048869: 01 d0 add %edx,%eax
804886b: c6 44 05 a8 00 movb $0x0,-0x58(%ebp,%eax,1)
8048870: 83 ec 0c sub $0xc,%esp
8048873: 8d 85 70 ff ff ff lea -0x90(%ebp),%eax
8048879: 83 c0 38 add $0x38,%eax
804887c: 50 push %eax
804887d: e8 ee fb ff ff call 8048470 <puts@plt>
8048882: 83 c4 10 add $0x10,%esp
8048885: 8b 45 f0 mov -0x10(%ebp),%eax
8048888: 3d 21 4e 49 57 cmp $0x57494e21,%eax
804888d: 75 18 jne 80488a7 <main+0x1e9>
804888f: a1 38 a0 04 08 mov 0x804a038,%eax
8048894: 83 ec 08 sub $0x8,%esp
8048897: 50 push %eax
8048898: 68 28 8a 04 08 push $0x8048a28
804889d: e8 6e fb ff ff call 8048410 <printf@plt>
80488a2: 83 c4 10 add $0x10,%esp
80488a5: eb 10 jmp 80488b7 <main+0x1f9>
80488a7: 83 ec 0c sub $0xc,%esp
80488aa: 68 68 8a 04 08 push $0x8048a68
80488af: e8 bc fb ff ff call 8048470 <puts@plt>
80488b4: 83 c4 10 add $0x10,%esp
80488b7: b8 00 00 00 00 mov $0x0,%eax
80488bc: 8b 4d f4 mov -0xc(%ebp),%ecx
80488bf: 65 33 0d 14 00 00 00 xor %gs:0x14,%ecx
80488c6: 74 05 je 80488cd <main+0x20f>
80488c8: e8 73 fb ff ff call 8048440 <__stack_chk_fail@plt>
80488cd: 8b 4d fc mov -0x4(%ebp),%ecx
80488d0: c9 leave
80488d1: 8d 61 fc lea -0x4(%ecx),%esp
80488d4: c3 ret
80488d5: 66 90 xchg %ax,%ax
80488d7: 66 90 xchg %ax,%ax
80488d9: 66 90 xchg %ax,%ax
80488db: 66 90 xchg %ax,%ax
80488dd: 66 90 xchg %ax,%ax
80488df: 90 nop
我在c9环境中工作。
另外,我已经阅读了以下主题:Causing a buffer Overflow with fgets 没有帮助。
答案 0 :(得分:1)
当您准确输入len个字符并将字符复制到guess.word中并且nul终止符溢出到末尾时,就会发生缓冲区溢出。
strcpy(guess.result,“事物”然后覆盖nul,然后for循环循环,直到它用完内存并出现段错误为止。
成功利用此漏洞会向i和offset写一个值,这样
a:循环终止而没有遇到错误的内存地址
b:status中的值与STATUS_WINNER
为此,必须使用小于70的值来破坏LEN
答案 1 :(得分:0)
感谢大家的帮助,大家给了我很好的主意,这是我的解决方案:
在主函数中,有一个for循环:
for(i = 0; i < len; ++i)
guess.result[offset+i] = guess.word[i];
offset等于字符串“ WRONG!YOUR WORD:”的长度,为19。 因此,如果用户输入56个字节长的字符串(这是guess.word的最大长度),则“ len”将为75(输入的56 + 19),而“ offset + i”将介于19到74之间(实际上是75,但是循环将退出)。因此,当“ offset + i”为72时,guess.result将开始覆盖guess.status(guess.result为72字节长,guess.status紧随其后),并且在“ offset + i” = 75时-当i = 56时,会发生guess.word [56]为guess.result [0],即“ W”(“ WRONG!YOUR ...”的意思)。 从那里很容易。