Return to libc causes segmentation fault
I am trying to create a buffer overflow using return to libc.
Here is the attacker code: http://codepad.org/TtoLjAHc . It creates the payload and stores it in a file named badfile.
Here is the vulnerable code: http://codepad.org/DZ7AQy4D. It reads from badfile and is supposed to spawn a shell.
ASLR and stack-protection are off.
The attacker code works. But the vulnerable code causes a segfault.
Can anyone please explain where I am going wrong?
Relevant sections of exploiter code:
memset(buffer, 0x90, 52);            /* fill all 52 bytes; the original passed the string literal "\x90", which memset truncates to the low byte of a pointer, not 0x90 */
memcpy(buffer, "BUF=", 4);           /* environment-variable prefix */
memcpy(buffer + 36, systemAddr, 4);  /* address of system() */
memcpy(buffer + 40, exitAddr, 4);    /* address of exit() */
memcpy(buffer + 44, shAddr, 4);      /* address of the shell command string */
memcpy(buffer + 48, nullPad, 4);     /* trailing null padding */
This variable, buffer, is now written to a file named badfile, which is read by the vulnerable program using fread().
Relevant section of vulnerable program:
char buffer[12];                                   /* 12-byte destination */
length = fread(buffer, sizeof(char), 52, badfile); /* requests 52 bytes, 40 more than the array holds */
Comments (1)
You have allocated 12 octets of memory for buffer, but you try to write 52 octets. Therefore you go out of the array, provoking the segmentation fault. Try:
and it should work fine.
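The defect the answer points at, and the defensive fix the comment's missing snippet presumably showed, as an added example that is not the questioner's or the answerer's code: the read size is derived from the destination buffer, a byte is reserved for a terminator, and any leftover bytes in the file (the part that would have overrun the array in the original) are reported to the caller. The 52-byte in-memory stand-in for badfile and the function names (read_badfile_bounded, demo_bounded_read) are constructed for this example; tmpfile() is used so the whole thing runs offline in plain ISO C.

```c
#include <stdio.h>
#include <string.h>

enum { PAYLOAD_LEN = 52 };  /* same length the questioner's exploiter writes */

/* Constructed stand-in for badfile: 52 bytes of filler behind the "BUF="
   prefix. Only the length matters for this demonstration. */
static FILE *make_sample_badfile(void)
{
    unsigned char payload[PAYLOAD_LEN];
    memset(payload, 'A', sizeof payload);
    memcpy(payload, "BUF=", 4);

    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    if (fwrite(payload, 1, sizeof payload, f) != sizeof payload) {
        fclose(f);
        return NULL;
    }
    rewind(f);
    return f;
}

/* Hardened replacement for
 *     char buffer[12];
 *     length = fread(buffer, sizeof(char), 52, badfile);
 * The request is bounded by dst_cap (minus one for the terminator), so the
 * file's size can never decide how much lands on the stack. *truncated is set
 * when the file held more than fit, which is exactly the condition the
 * original code turned into an out-of-bounds write. Returns bytes stored,
 * or -1 on invalid arguments or an I/O error. */
static long read_badfile_bounded(FILE *badfile, char *dst, size_t dst_cap,
                                 int *truncated)
{
    if (badfile == NULL || dst == NULL || dst_cap == 0 || truncated == NULL)
        return -1;

    size_t n = fread(dst, 1, dst_cap - 1, badfile);
    if (n < dst_cap - 1 && ferror(badfile))
        return -1;
    dst[n] = '\0';

    /* Peek one byte past what we accepted: anything left would have overrun
       the array in the original, so surface it for rejection or logging. */
    *truncated = (fgetc(badfile) != EOF);
    return (long)n;
}

/* Reads the constructed 52-byte sample into a caller-supplied buffer of
   out_cap bytes. With the original 12-byte buffer this stores 11 bytes and
   flags truncation; with a buffer of 53 bytes or more it stores all 52. */
long demo_bounded_read(char *out, size_t out_cap, int *truncated)
{
    FILE *f = make_sample_badfile();
    if (f == NULL)
        return -1;
    long got = read_badfile_bounded(f, out, out_cap, truncated);
    fclose(f);
    return got;
}

int main(void)
{
    char buffer[12];
    int truncated = 0;
    long n = demo_bounded_read(buffer, sizeof buffer, &truncated);
    printf("stored %ld bytes (\"%s\"), input exceeded buffer: %s\n",
           n, buffer, truncated ? "yes" : "no");
    return n < 0;
}
```

Sizing the request from `sizeof buffer` rather than from a constant is the fix; the truncation flag is the detection half, since a badfile longer than the buffer is precisely the input the attacker supplies and is worth logging rather than silently discarding.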