1
尝试缓冲区溢出以覆盖堆栈上的返回地址以用于以下程序。我想打电话给接受的strcmp的两个案例()缓冲区溢出 - 无法覆盖返回地址
void accept()
{
printf ("\nAccess Granted!\n");
return;
}
void deny()
{
printf ("\nAccess Denied!\n");
return;
}
int main()
{
char pwd[16]={0};
printf ("Enter Password: ");
gets (pwd);
if(strcmp(pwd, "pwd1"))
deny();
else
accept();
return 0;
}
虽然解体主,它是了解20个字节分配给变量在0x080484fb <+14>: sub $0x14,%esp
转储汇编代码的功能主要:
0x080484ed <+0>: lea 0x4(%esp),%ecx
0x080484f1 <+4>: and $0xfffffff0,%esp
0x080484f4 <+7>: pushl -0x4(%ecx)
0x080484f7 <+10>: push %ebp
0x080484f8 <+11>: mov %esp,%ebp
0x080484fa <+13>: push %ecx
0x080484fb <+14>: sub $0x14,%esp
0x080484fe <+17>: movl $0x0,-0x18(%ebp)
0x08048505 <+24>: movl $0x0,-0x14(%ebp)
0x0804850c <+31>: movl $0x0,-0x10(%ebp)
0x08048513 <+38>: movl $0x0,-0xc(%ebp)
0x0804851a <+45>: sub $0xc,%esp
0x0804851d <+48>: push $0x8048611
0x08048522 <+53>: call 0x8048370 <[email protected]>
0x08048527 <+58>: add $0x10,%esp
0x0804852a <+61>: sub $0xc,%esp
0x0804852d <+64>: lea -0x18(%ebp),%eax
0x08048530 <+67>: push %eax
0x08048531 <+68>: call 0x8048380 <[email protected]>
0x08048536 <+73>: add $0x10,%esp
0x08048539 <+76>: sub $0x8,%esp
0x0804853c <+79>: push $0x8048622
0x08048541 <+84>: lea -0x18(%ebp),%eax
0x08048544 <+87>: push %eax
0x08048545 <+88>: call 0x8048360 <[email protected]>
0x0804854a <+93>: add $0x10,%esp
0x0804854d <+96>: test %eax,%eax
0x0804854f <+98>: je 0x8048558 <main+107>
0x08048551 <+100>: call 0x80484d4 <deny>
0x08048556 <+105>: jmp 0x804855d <main+112>
0x08048558 <+107>: call 0x80484bb <accept>
0x0804855d <+112>: mov $0x0,%eax
0x08048562 <+117>: mov -0x4(%ebp),%ecx
0x08048565 <+120>: leave
0x08048566 <+121>: lea -0x4(%ecx),%esp
0x08048569 <+124>: ret
当我尝试输入字符串AAAAA要进行模糊测试...我发现在缓冲区中的覆盖是部分
Backtrace stopped: Cannot access memory at address 0x41413d
(gdb) R
The program being debugged has been started already.
Start it from the beginning? (y or n) Y
Starting program: BufferOverflow.x
\Enter Password: AAAAAAAAAAAAAAAAAAAAAAAA
Access Denied!
Program received signal SIGSEGV, Segmentation fault.
0x08048569 in main()
(gdb) BT
#0 0x08048569 in main()
Backtrace stopped: Cannot access memory at address 0x4141413d
(gdb) R
The program being debugged has been started already.
Start it from the beginning? (y or n) Y
Starting program: BufferOverflow.x
Enter Password: AAAAAAAAAAAAAAAAAAAAAAAAA
Access Denied!
Program received signal SIGSEGV, Segmentation fault.
0x08048569 in main()
(gdb) BT
#0 0x08048569 in main()
Backtrace stopped: Cannot access memory at address 0x4141413d
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: BufferOverflow.x
Enter Password: AAAAAAAAAAAAAAAAAAAAAAAAAA
Access Denied!
Program received signal SIGSEGV, Segmentation fault.
0x08048569 in main()
(gdb) bt
#0 0x08048569 in main()
Backtrace stopped: Cannot access memory at address 0x4141413d
如果你观察仔细,返回地址没有被完全溢出,但部分地实现0x4141413d
,如果记下地址与3d
也会结束,即使是100 A
秒 - 0x4141413d
我开始
cat /proc/sys/kernel/randomize_va_space
0
前禁用和已编译的返回地址相同如:
gcc BufferOverflow.c -o BufferOverflow.x -m32 -fno-stack-protector
上午使用gcc
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
任何帮助确定为什么缓冲区没有适当溢出将不胜感激。
感谢