Buffer overflow with a return address containing 00
I was just trying to get a buffer overflow to work on OSX (10.6) on the following program; I need to make foo execute by overflowing the buffer.

```c
#include <string.h>
#include <stdio.h>

void foo() {
    printf("hacked!");
}

int main(int argc, const char *argv[]) {
    char s[100];
    strcpy(s, argv[1]);
}
```

I compile it as:

$ gcc -o test test.c -arch i386

On disassembling `test` I get the address of `foo` as `0x00001eda`. The exploit does not work as intended, probably because the return address is supposed to be overflowed with `0x00001eda`, which contains a `\x00`.

In cases where the target address has a `\x00`, how can a buffer overflow exploit be performed?
The `strcpy()` function stops when it encounters a zero byte (`\x00`). Since the address you want to write to the stack may contain such a byte, perhaps it is acceptable to do something similar to one of the following examples. (disclaimer)
Example 1
code
The size of the buffer was reduced in order to use shorter input text for overflowing the buffer.
output
Example 2
code
The use of atoi() to directly target the return address is not really a good example of a "buffer overflow". However, it is a good exercise in locating and modifying the return address within the stack frame.
output
Remember that all integers (and I'm pretty sure this includes return addresses) are stored in little endian format, which means that the least-significant bytes come first.
Therefore, the bytes of your desired return address (0x00001eda) would be:
Look at the code that karlphillip linked you to. He only inserted two address bytes into the end of his string. You could do the same. The strcpy function will happily copy the two bytes at the end of your string onto the stack, and happily add the null termination character (\x00). Therefore strcpy can set the first 3 bytes of the fake return address. If you are lucky, maybe the 4th byte will already be \x00, because the 4th byte of the correct return address was \x00?
This is not my expertise so I might be wrong.
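To make the two points in this answer concrete (a 32-bit value sits in memory least-significant byte first, and strcpy writes every byte of its source up to and including the terminating NUL), here is an added C model that is not code from any answer on this page. It uses a constructed frame of an 8-byte buffer immediately followed by a 4-byte "saved return address" slot, and shows that an unbounded strcpy changes only the bytes it is given plus one NUL, leaving the last byte of the slot as whatever was there before, while a bounded copy (the fix) leaves the slot untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8                /* constructed buffer size, not the question's 100 */
#define FRAME_LEN (BUF_LEN + 4)  /* buffer followed by a 4-byte saved-return slot */

/* Little-endian byte order of a 32-bit value: least-significant byte first.
   0x00001eda becomes da 1e 00 00. */
void little_endian_bytes(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (unsigned char)(v >> (8 * i));
}

/* Model frame: zeroed buffer, then the saved-return slot holding saved_ret. */
static void init_frame(unsigned char frame[FRAME_LEN], uint32_t saved_ret) {
    memset(frame, 0, BUF_LEN);
    little_endian_bytes(saved_ret, frame + BUF_LEN);
}

/* Reassemble the slot from its little-endian bytes. */
static uint32_t read_saved_ret(const unsigned char frame[FRAME_LEN]) {
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | frame[BUF_LEN + i];
    return v;
}

/* Unbounded copy as in the question. strcpy writes strlen(src) bytes plus the
   NUL, so a 10-byte src touches bytes 0..10 of the frame: the slot's first two
   bytes come from src, the third is the NUL, the fourth is untouched.
   src must be shorter than FRAME_LEN so the copy stays inside the model array. */
uint32_t slot_after_strcpy(const char *src, uint32_t saved_ret) {
    unsigned char frame[FRAME_LEN];
    init_frame(frame, saved_ret);
    strcpy((char *)frame, src);
    return read_saved_ret(frame);
}

/* Bounded copy: snprintf never writes past BUF_LEN, so the slot keeps its value
   no matter how long src is. */
uint32_t slot_after_bounded_copy(const char *src, uint32_t saved_ret) {
    unsigned char frame[FRAME_LEN];
    init_frame(frame, saved_ret);
    snprintf((char *)frame, BUF_LEN, "%s", src);
    return read_saved_ret(frame);
}
```

With the slot initially 0x41424344, an 8-byte filler followed by the two bytes da 1e leaves 0x41001eda in the slot; only when the slot's top byte was already 00 does the result read exactly 0x00001eda.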
For some reason I was unable to override the stack and registers using strcpy, even though the application crashed.
This question is related to yours and I managed to do the trick using that code.