缓冲区溢出

一个自带缓冲区溢出bug的代码

greeting函数存在buffer overflow

 $ gdb -q meet

warning: ~/gef/gef.py: No such file or directory

warning: ~/gef/scripts/helpme.py: No such file or directory
Reading symbols from meet...
(gdb) list
1	// meet.c
2	#include <stdio.h>         // needed for screen printing
3	#include <string.h>        // needed for strcpy
4	void greeting(char *temp1,char *temp2){  // greeting function to say hello
5	   char name[400];         // string variable to hold the name
6	   strcpy(name, temp2);    // copy argument to name with the infamous strcpy
7	   printf("Hello %s %s\n", temp1, name);  // print out the greeting
8	}
9	int main(int argc, char * argv[]){    // note the format for arguments
10	   greeting(argv[1], argv[2]);        // call function, pass title & name

设置断点

(gdb) b 7
Breakpoint 1 at 0x1228: file meet.c, line 7.
(gdb) info b
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x00001228 in greeting at meet.c:7

运行程序，600个A填充name buffer

(gdb) run Mr `python -c 'print("A"*600)'`
Starting program: /home/kali/grayhackv6/ch10/meet Mr `python -c 'print("A"*600)'`

Breakpoint 1, greeting (temp1=0x41414141 <error: Cannot access memory at address 0x41414141>,
    temp2=0x41414141 <error: Cannot access memory at address 0x41414141>) at meet.c:7
7	   printf("Hello %s %s\n", temp1, name);  // print out the greeting

反汇编greeting

(gdb) set disassembly-flavor intel
(gdb) disass greeting
Dump of assembler code for function greeting:
   0x56556201 <+0>:	push   ebp
   0x56556202 <+1>:	mov    ebp,esp
   0x56556204 <+3>:	push   ebx
   0x56556205 <+4>:	sub    esp,0x190
   0x5655620b <+10>:	call   0x565560c0 <__x86.get_pc_thunk.bx>
   0x56556210 <+15>:	add    ebx,0x2df0
   0x56556216 <+21>:	push   DWORD PTR [ebp+0xc]
   0x56556219 <+24>:	lea    eax,[ebp-0x194]
   0x5655621f <+30>:	push   eax
   0x56556220 <+31>:	call   0x56556050 <strcpy@plt>
   0x56556225 <+36>:	add    esp,0x8
   0x56556228 <+39>:	lea    eax,[ebp-0x194]
   0x5655622e <+45>:	push   eax
   0x5655622f <+46>:	push   DWORD PTR [ebp+0x8]
   0x56556232 <+49>:	lea    eax,[ebx-0x1ff8]
   0x56556238 <+55>:	push   eax
   0x56556239 <+56>:	call   0x56556040 <printf@plt>
   0x5655623e <+61>:	add    esp,0xc
   0x56556241 <+64>:	nop
   0x56556242 <+65>:	mov    ebx,DWORD PTR [ebp-0x4]
   0x56556245 <+68>:	leave
   0x56556246 <+69>:	ret
End of assembler dump.

printf的参数使用[ebp+8]不可访问

(gdb) info reg ebp eip
ebp            0x41414141          0x41414141
eip            0xf7e5eb1f          0xf7e5eb1f
(gdb) x /16d 0x41414141
0x41414141:	Cannot access memory at address 0x41414141

eip没有被污染

(gdb) run Mr `python -c 'print("A"*408)'`
Starting program: /home/kali/grayhackv6/ch10/meet Mr `python -c 'print("A"*408)'`
Hello Mr AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0xffffd651 in ?? ()
(gdb) info reg ebp eip
ebp            0x41414140          0x41414140
eip            0xffffd651          0xffffd651

继续加4字节污染eip

(gdb) run Mr `python -c 'print("A"*412)'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/kali/grayhackv6/ch10/meet Mr `python -c 'print("A"*412)'`
Hello   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg ebp eip
ebp            0x41414141          0x41414141
eip            0x41414141          0x41414141

缓冲区溢出的影响

dos(deny of service)

如上面例子的错误： Program received signal SIGSEGV, Segmentation fault. 造成程序崩溃。

执行恶意程序(eip controlled by malicious code)

如上面例子，可以控制eip的地址。