Buffer Overflow 01: Overflow Vulnerability
Buffer overflow
A program with a built-in buffer overflow bug
The greeting function has a buffer overflow
$ gdb -q meet
warning: ~/gef/gef.py: No such file or directory
warning: ~/gef/scripts/helpme.py: No such file or directory
Reading symbols from meet...
(gdb) list
1 // meet.c
2 #include <stdio.h> // needed for screen printing
3 #include <string.h> // needed for strcpy
4 void greeting(char *temp1,char *temp2){ // greeting function to say hello
5 char name[400]; // string variable to hold the name
6 strcpy(name, temp2); // copy argument to name with the infamous strcpy
7 printf("Hello %s %s\n", temp1, name); // print out the greeting
8 }
9 int main(int argc, char * argv[]){ // note the format for arguments
10 greeting(argv[1], argv[2]); // call function, pass title & name
Set a breakpoint
(gdb) b 7
Breakpoint 1 at 0x1228: file meet.c, line 7.
(gdb) info b
Num Type Disp Enb Address What
1 breakpoint keep y 0x00001228 in greeting at meet.c:7
Run the program, filling the name buffer with 600 A's
(gdb) run Mr `python -c 'print("A"*600)'`
Starting program: /home/kali/grayhackv6/ch10/meet Mr `python -c 'print("A"*600)'`
Breakpoint 1, greeting (temp1=0x41414141 <error: Cannot access memory at address 0x41414141>,
temp2=0x41414141 <error: Cannot access memory at address 0x41414141>) at meet.c:7
7 printf("Hello %s %s\n", temp1, name); // print out the greeting
Disassemble greeting
(gdb) set disassembly-flavor intel
(gdb) disass greeting
Dump of assembler code for function greeting:
0x56556201 <+0>: push ebp
0x56556202 <+1>: mov ebp,esp
0x56556204 <+3>: push ebx
0x56556205 <+4>: sub esp,0x190
0x5655620b <+10>: call 0x565560c0 <__x86.get_pc_thunk.bx>
0x56556210 <+15>: add ebx,0x2df0
0x56556216 <+21>: push DWORD PTR [ebp+0xc]
0x56556219 <+24>: lea eax,[ebp-0x194]
0x5655621f <+30>: push eax
0x56556220 <+31>: call 0x56556050 <strcpy@plt>
0x56556225 <+36>: add esp,0x8
0x56556228 <+39>: lea eax,[ebp-0x194]
0x5655622e <+45>: push eax
0x5655622f <+46>: push DWORD PTR [ebp+0x8]
0x56556232 <+49>: lea eax,[ebx-0x1ff8]
0x56556238 <+55>: push eax
0x56556239 <+56>: call 0x56556040 <printf@plt>
0x5655623e <+61>: add esp,0xc
0x56556241 <+64>: nop
0x56556242 <+65>: mov ebx,DWORD PTR [ebp-0x4]
0x56556245 <+68>: leave
0x56556246 <+69>: ret
End of assembler dump.
printf's argument is read from [ebp+8], which is not accessible
(gdb) info reg ebp eip
ebp 0x41414141 0x41414141
eip 0xf7e5eb1f 0xf7e5eb1f
(gdb) x /16d 0x41414141
0x41414141: Cannot access memory at address 0x41414141
eip is not corrupted yet
(gdb) run Mr `python -c 'print("A"*408)'`
Starting program: /home/kali/grayhackv6/ch10/meet Mr `python -c 'print("A"*408)'`
Hello Mr AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0xffffd651 in ?? ()
(gdb) info reg ebp eip
ebp 0x41414140 0x41414140
eip 0xffffd651 0xffffd651
Add 4 more bytes to corrupt eip
(gdb) run Mr `python -c 'print("A"*412)'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/kali/grayhackv6/ch10/meet Mr `python -c 'print("A"*412)'`
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg ebp eip
ebp 0x41414141 0x41414141
eip 0x41414141 0x41414141
Effects of a buffer overflow
DoS (denial of service)
As in the example above, the error "Program received signal SIGSEGV, Segmentation fault." crashes the program.
Executing malicious code (eip controlled by malicious code)
As in the example above, the address in eip can be controlled.
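As an added example (not code from the original post or from the book it follows), here is meet.c's greeting() next to a bounds-checked rewrite that keeps the same output for normal names and truncates instead of overwriting the saved ebx, saved ebp and return address; copy_name(), greeting_safe() and greet_with_a_run() are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 400   /* same buffer size as greeting() in meet.c */

/* The original greeting(): strcpy() writes until it finds the NUL in temp2, so
   400 bytes or more run past name[] into saved ebx, saved ebp and the return
   address above it on the stack. */
void greeting_vulnerable(const char *temp1, const char *temp2) {
    char name[NAME_LEN];
    strcpy(name, temp2);                 /* unbounded copy: the bug */
    printf("Hello %s %s\n", temp1, name);
}

/* Bounded replacement for strcpy(): copies at most dst_len-1 bytes, always
   NUL-terminates, returns 1 if src had to be truncated. */
int copy_name(char *dst, size_t dst_len, const char *src) {
    size_t len = strlen(src);
    int truncated = 0;
    if (dst_len == 0) return 1;
    if (len >= dst_len) { len = dst_len - 1; truncated = 1; }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return truncated;
}

/* Hardened greeting(): same output for names under 400 bytes, truncation
   instead of stack corruption for longer ones; returns the truncation flag. */
int greeting_safe(const char *temp1, const char *temp2) {
    char name[NAME_LEN];
    int truncated = copy_name(name, sizeof name, temp2);
    printf("Hello %s %s\n", temp1, name);
    return truncated;
}

/* Self-check helper: greets with a name of input_len 'A' bytes, like the
   python -c 'print("A"*N)' arguments in the gdb session; returns the
   truncation flag, or -1 if input_len does not fit the scratch buffer. */
int greet_with_a_run(size_t input_len) {
    char big[1024];
    if (input_len >= sizeof big) return -1;
    memset(big, 'A', input_len);
    big[input_len] = '\0';
    return greeting_safe("Mr", big);
}

int main(int argc, char *argv[]) {
    if (argc < 3) return 1;
    return greeting_safe(argv[1], argv[2]) ? 2 : 0;  /* nonzero: name truncated */
}
```

Run it with the same 600-, 408- and 412-byte arguments as the gdb session: the greeting is printed with the name cut at 399 bytes and the process exits cleanly instead of faulting.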
- Original author: winsun
- Original link: https://winsun.github.io/fightsec/post/pwn_21_overflow01/
- License: this work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License; non-commercial reposts must credit the source (author, original link), commercial reposts require the author's permission.