Buffer overflow

A program with a built-in buffer overflow bug

The greeting function has a buffer overflow

 $ gdb -q meet

warning: ~/gef/gef.py: No such file or directory

warning: ~/gef/scripts/helpme.py: No such file or directory
Reading symbols from meet...
(gdb) list
1	// meet.c
2	#include <stdio.h>         // needed for screen printing
3	#include <string.h>        // needed for strcpy
4	void greeting(char *temp1,char *temp2){  // greeting function to say hello
5	   char name[400];         // string variable to hold the name
6	   strcpy(name, temp2);    // copy argument to name with the infamous strcpy
7	   printf("Hello %s %s\n", temp1, name);  // print out the greeting
8	}
9	int main(int argc, char * argv[]){    // note the format for arguments
10	   greeting(argv[1], argv[2]);        // call function, pass title & name
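The listing above is the vulnerable program exactly as the book ships it. As an added example (not code from the page or from the Gray Hat Hacking source), the block below puts that strcpy-based greeting next to a bounded version: the name is measured first, refused if it cannot fit together with its terminating NUL, and only then copied. The names greeting_vulnerable, greeting_safe, bounded_len and try_name_of_length are assumptions for this example; try_name_of_length rebuilds the page's `python -c 'print("A"*n)'` argument in C so the check can be exercised without a shell.

```c
// Added example: vulnerable greeting() from meet.c beside a bounded version.
// greeting_vulnerable, greeting_safe, bounded_len and try_name_of_length are
// names chosen for this example, not part of meet.c.
#include <stdio.h>
#include <string.h>

#define NAME_LEN 400  /* same size as name[400] in meet.c */

/* Length of s, looking at no more than max bytes, so an unterminated or
 * over-long argument is never walked past the limit. Returns max when no
 * NUL was found within max bytes. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable form, as in meet.c: strcpy copies until the NUL of temp2,
 * however far away it is, so anything longer than 399 bytes runs past name[]
 * into the saved registers and return address of this frame. */
void greeting_vulnerable(const char *temp1, const char *temp2) {
    char name[NAME_LEN];
    strcpy(name, temp2);
    printf("Hello %s %s\n", temp1, name);
}

/* Hardened form: measure first, reject anything that would not fit with its
 * terminating NUL, and only then copy. Returns 0 on success, -1 on rejection. */
int greeting_safe(const char *temp1, const char *temp2) {
    char name[NAME_LEN];
    if (temp1 == NULL || temp2 == NULL)
        return -1;
    size_t len = bounded_len(temp2, NAME_LEN);
    if (len >= NAME_LEN)           /* 400 or more bytes: no room for the NUL */
        return -1;
    memcpy(name, temp2, len + 1);  /* len + 1 <= NAME_LEN, includes the NUL */
    printf("Hello %s %s\n", temp1, name);
    return 0;
}

/* Builds a name of n 'A' characters (like the page's python -c 'print("A"*n)')
 * and hands it to greeting_safe; returns greeting_safe's result. */
int try_name_of_length(size_t n) {
    static char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return greeting_safe("Mr", buf);
}

int main(int argc, char *argv[]) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s title name\n", argv[0]);
        return 1;
    }
    if (greeting_safe(argv[1], argv[2]) != 0) {
        fprintf(stderr, "name rejected: longer than %d bytes\n", NAME_LEN - 1);
        return 1;
    }
    return 0;
}
```

Run as `./meet_safe Mr $(python -c 'print("A"*600)')` and the 600-byte name is rejected before any copy happens, whereas the original prints the greeting through a corrupted frame and then crashes. Note that strncpy would not be a good replacement here: it silently truncates and does not guarantee a NUL terminator, which is why the example measures and rejects instead.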

Set a breakpoint

(gdb) b 7
Breakpoint 1 at 0x1228: file meet.c, line 7.
(gdb) info b
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x00001228 in greeting at meet.c:7

Run the program, filling the name buffer with 600 A's

(gdb) run Mr `python -c 'print("A"*600)'`
Starting program: /home/kali/grayhackv6/ch10/meet Mr `python -c 'print("A"*600)'`

Breakpoint 1, greeting (temp1=0x41414141 <error: Cannot access memory at address 0x41414141>,
    temp2=0x41414141 <error: Cannot access memory at address 0x41414141>) at meet.c:7
7	   printf("Hello %s %s\n", temp1, name);  // print out the greeting

Disassemble greeting

(gdb) set disassembly-flavor intel
(gdb) disass greeting
Dump of assembler code for function greeting:
   0x56556201 <+0>:	push   ebp
   0x56556202 <+1>:	mov    ebp,esp
   0x56556204 <+3>:	push   ebx
   0x56556205 <+4>:	sub    esp,0x190
   0x5655620b <+10>:	call   0x565560c0 <__x86.get_pc_thunk.bx>
   0x56556210 <+15>:	add    ebx,0x2df0
   0x56556216 <+21>:	push   DWORD PTR [ebp+0xc]
   0x56556219 <+24>:	lea    eax,[ebp-0x194]
   0x5655621f <+30>:	push   eax
   0x56556220 <+31>:	call   0x56556050 <strcpy@plt>
   0x56556225 <+36>:	add    esp,0x8
   0x56556228 <+39>:	lea    eax,[ebp-0x194]
   0x5655622e <+45>:	push   eax
   0x5655622f <+46>:	push   DWORD PTR [ebp+0x8]
   0x56556232 <+49>:	lea    eax,[ebx-0x1ff8]
   0x56556238 <+55>:	push   eax
   0x56556239 <+56>:	call   0x56556040 <printf@plt>
   0x5655623e <+61>:	add    esp,0xc
   0x56556241 <+64>:	nop
   0x56556242 <+65>:	mov    ebx,DWORD PTR [ebp-0x4]
   0x56556245 <+68>:	leave
   0x56556246 <+69>:	ret
End of assembler dump.

printf's first argument temp1 is loaded from [ebp+0x8]; that stack slot was overwritten with 0x41414141, a pointer that cannot be accessed

(gdb) info reg ebp eip
ebp            0x41414141          0x41414141
eip            0xf7e5eb1f          0xf7e5eb1f
(gdb) x /16d 0x41414141
0x41414141:	Cannot access memory at address 0x41414141

eip is not yet overwritten

(gdb) run Mr `python -c 'print("A"*408)'`
Starting program: /home/kali/grayhackv6/ch10/meet Mr `python -c 'print("A"*408)'`
Hello Mr AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0xffffd651 in ?? ()
(gdb) info reg ebp eip
ebp            0x41414140          0x41414140
eip            0xffffd651          0xffffd651

Add another 4 bytes to overwrite eip

(gdb) run Mr `python -c 'print("A"*412)'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/kali/grayhackv6/ch10/meet Mr `python -c 'print("A"*412)'`
Hello   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg ebp eip
ebp            0x41414141          0x41414141
eip            0x41414141          0x41414141
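The three runs above (600, 408 and 412 A's) can be read straight off the disassembly of greeting: name[] starts at ebp-0x194 and is 400 bytes long, so it ends at ebp-4, where `mov ebx,DWORD PTR [ebp-0x4]` shows the saved ebx lives; above that sit the saved ebp, the return address, and the two stacked arguments temp1 and temp2 that `push DWORD PTR [ebp+0x8]` and `[ebp+0xc]` read. The block below is an added example (not from the page or the book) that models that frame and reports, for a given argument length, how far the copy reaches, counting the terminating NUL that strcpy writes after the A's. The offsets are specific to this 32-bit, stack-protector-free build; the enum and function names are assumptions for this example.

```c
// Added example: a model of greeting()'s stack frame as read from the
// disassembly on the page. Offsets are specific to that build; the names
// classify_input, describe and frame_damage are chosen for this example.
#include <stddef.h>
#include <stdio.h>

/* Distances measured from the start of name[] (which is at ebp-0x194):
 *   lea eax,[ebp-0x194]   -> name[] begins 0x194 = 404 bytes below ebp
 *   name is 400 bytes     -> it ends at ebp-4
 *   mov ebx,[ebp-0x4]     -> saved ebx occupies ebp-4 .. ebp-1
 *   push ebp / leave / ret-> saved ebp at ebp .. ebp+3, return address at ebp+4 .. ebp+7
 *   push [ebp+0x8]/[ebp+0xc] -> the arguments temp1 and temp2 follow the return address */
#define NAME_OFFSET   0x194
#define NAME_SIZE     400
#define SAVED_EBX_AT  (NAME_OFFSET - 4)   /* 400 */
#define SAVED_EBP_AT  NAME_OFFSET         /* 404 */
#define RET_ADDR_AT   (NAME_OFFSET + 4)   /* 408 */
#define ARGS_AT       (NAME_OFFSET + 8)   /* 412: temp1, then temp2 at 416 */

enum frame_damage {
    FITS_IN_NAME,      /* argument plus its NUL stays inside name[] */
    HITS_SAVED_EBX,    /* overwrites the callee-saved ebx slot */
    HITS_SAVED_EBP,    /* overwrites the saved frame pointer */
    HITS_RET_PARTIAL,  /* write ends inside the return address (for 408 A's only the NUL lands there) */
    HITS_RET_FULL,     /* all four bytes of the return address are overwritten */
    HITS_ARGS          /* the copy runs on into the stacked arguments temp1/temp2 */
};

/* strcpy writes n argument bytes plus one NUL, so end = n + 1 is one past
 * the last byte written, counted from name[0]. Returns the farthest slot hit. */
enum frame_damage classify_input(size_t n) {
    size_t end = n + 1;
    if (end <= SAVED_EBX_AT)    return FITS_IN_NAME;
    if (end <= SAVED_EBP_AT)    return HITS_SAVED_EBX;
    if (end <= RET_ADDR_AT)     return HITS_SAVED_EBP;
    if (end <  ARGS_AT)         return HITS_RET_PARTIAL;
    if (end == ARGS_AT)         return HITS_RET_FULL;
    return HITS_ARGS;
}

const char *describe(enum frame_damage d) {
    switch (d) {
    case FITS_IN_NAME:     return "fits in name[]";
    case HITS_SAVED_EBX:   return "overwrites saved ebx";
    case HITS_SAVED_EBP:   return "overwrites saved ebp";
    case HITS_RET_PARTIAL: return "overwrites saved ebp and part of the return address";
    case HITS_RET_FULL:    return "overwrites the whole return address (eip fully controlled)";
    case HITS_ARGS:        return "overwrites the return address and the stacked arguments temp1/temp2";
    }
    return "?";
}

int main(void) {
    /* 600, 408 and 412 are the lengths used on the page; the rest mark the slot boundaries */
    size_t lengths[] = {399, 400, 404, 408, 411, 412, 600};
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("%4zu A's: %s\n", lengths[i], describe(classify_input(lengths[i])));
    return 0;
}
```

This explains the three observations on the page: with 408 A's the saved ebp is fully overwritten but only the NUL terminator reaches the return address, so eip is not 0x41414141 yet; with 412 it is; and with 600 the stacked pointer arguments are clobbered as well, which is why temp1 and temp2 show up as 0x41414141 at the breakpoint. A stack protector would place a canary between name[] and the saved registers and abort before `ret`, which is the mitigation this build lacks.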

Impact of buffer overflows

DoS (denial of service)

As in the error from the example above (Program received signal SIGSEGV, Segmentation fault.), the program crashes.

Execution of malicious code (eip controlled by malicious code)

As the example above shows, the address in eip can be controlled.