在 Mac os 10.6 上执行简单的缓冲区溢出
我正在尝试了解堆栈基础溢出并编写一个简单的代码来利用堆栈。但不知怎的,它根本不起作用,但在我的机器(mac os leopard)上只显示中止陷阱,
我猜Mac os对待溢出的方式不同,它不允许我通过c代码覆盖内存。例如,
strcpy(buffer, input) // lets say char buffer[6] but input is 7 bytes
在 Linux 机器上,此代码成功覆盖下一个堆栈,但在 mac os 上被阻止(中止陷阱)
有人知道如何在 mac 机器上执行简单的堆栈基础溢出吗?
I'm trying to learn about stack base overflow and write a simple code to exploit stack. But somehow it doesn't work at all but showing only Abort trap on my machine (mac os leopard)
I guess Mac os treats overflow differently, it won't allow me to overwrite memory through c code. for example,
strcpy(buffer, input) // lets say char buffer[6] but input is 7 bytes
on Linux machine, this code successfully overwrite next stack, but prevented on mac os (Abort trap)
Anyone know how to perform a simple stack-base overflow on mac machine?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
@joveha的答案是正确的,使用GCC你必须使用
-fno-stack-protector进行编译关闭缓冲区溢出保护。但是,此外,您还需要禁用
FORTIFY_SOURCE选项,否则,如果您尝试使用strcpy或memcpy。要禁用它,只需使用标志
-D_FORTIFY_SOURCE=0进行编译,例如:Source: 关闭 GCC 中的缓冲区溢出保护。
@joveha's answer is correct, with GCC you have to compile with the
-fno-stack-protectorto turn of the buffer overflow protections.However, additionally you’ll need to disable the
FORTIFY_SOURCEoption, otherwise you’ll get “Abort trap” if you try to do a buffer overflow that uses something likestrcpyormemcpy.To disable it, simply compile with the flag
-D_FORTIFY_SOURCE=0, for example:Source: Turning off buffer overflow protections in GCC.
包含
并调用它:
\260\037 是八进制和小端序的 main(此处为 0x1fb0)的地址。
在出现总线错误之前,您应该会看到两次 hello 打印。诀窍是使用调试器(甚至 gdb 也可以)来知道您想要结束的位置以及返回地址在哪里。它不会和 Linux 中一样!
MacOS X for i386(大多数 i386 操作系统实际上包括 Linux 和 Windows),特别是 <=Leopard 并不是最安全的操作系统。
编辑:刚刚意识到我正在使用 clang 作为编译器。因此,您需要将其适应 gcc,但我可以告诉您,它几乎不需要改变即可工作:p。
include
and call it as:
\260\037 is the address of main(0x1fb0 here) in octal and in little endian order.
You should see hello print two times before a bus error. The trick is to use a debugger(even gdb will do) to know both where you want to end up and where is the return address. It won't be the same as in Linux!
MacOS X for i386(most OSes for i386 in fact including Linux and Windows) and especially <=Leopard are not the most secure OS.
EDIT: just realized I was using clang as the compiler. So you will need to adapt it to gcc but I can tell you it works with little change :p.
堆栈溢出?
术语“堆栈溢出”是指堆栈大小试图增长到超出当前平台和/或配置允许的最大限制的情况。您尝试做的事情与堆栈溢出完全无关。如果你想看到堆栈溢出,就写一个无限递归函数,执行它,直到它溢出:(
希望编译器不要将尾递归优化成循环。如果是的话,让它复杂一点,非-尾递归。)
您似乎正在尝试做的是重现臭名昭著的缓冲区溢出漏洞。虽然有问题的缓冲区应该在堆栈中分配,但该漏洞从未被称为“堆栈溢出”。为了实际演示该漏洞利用,仅仅超出某些缓冲区的边界是不够的。重点是在最初由存储的返回地址占用的堆栈区域中植入一个预先确定的值,以便当函数完成时,它“返回”到其他一些(可能是恶意的)代码,而不是原始的调用代码。
那么,你想做什么?堆栈溢出?还是缓冲区溢出?
Stack overflow?
The term stack overflow refers to the situation when the stack size attempts to grow beyond the maximum limit allowed by the current platform and/or configuration. What you are trying to do has no relation to stack overflow at all. If you want to see stack overflow, write an infinitely recursive function, execute it and just wait till it overflows:
(Hoping that the compiler will not optimize the tail recursion into a cycle. If it does, make it a bit more complicated, non-tail recursive.)
What you seem to be trying to do is to reproduce the infamous buffer overflow exploit. While the buffer in question is supposed to be allocated in the stack, the exploit has never been referred to as "stack overflow". In order to actually demonstrate the exploit, it is not sufficient to just overrun the bounds of some buffer. The whole point is to plant a pre-determined value in the area of the stack originally occupied by the stored return address, so that when the function finishes, it "returns" to some other (presumably malicious) code instead of the original calling code.
So, what is it you are trying to do? Stack overflow? Or buffer overflow?
Mac OS 上的编译器已在 堆栈金丝雀 中进行编译,这会为您提供中止陷阱。在编译器手册中搜索如何禁用它。
对于 GCC,此选项是
-fno-stack-protector。另外,1 个字节的溢出肯定不足以触发编译器堆栈检查之外的任何内容。使用 12 字节之类的东西:)
Your compiler on Mac OS has compiled in a stack canary which gives you the abort trap. Search in your compiler manual on how to disable it.
With GCC this option is
-fno-stack-protector.On a separate note, overflow with 1 byte will surely not be enough to trigger anything but a compiler stack check. Use something like 12 bytes :)