Buffer overflow works in gdb but not without it


Question

I am on CentOS 6.4 32 bit and am trying to cause a buffer overflow in a program. Within GDB it works. Here is the output:

[root@localhost bufferoverflow]# gdb stack
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/bufferoverflow/stack...done.
(gdb) r
Starting program: /root/bufferoverflow/stack
process 6003 is executing new program: /bin/bash
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.107.el6_4.2.i686
sh-4.1#

However when I run the program stack just on its own it seg faults. Why might this be?

Answer

Exploit development can lead to serious headaches if you don't adequately account for factors that introduce non-determinism into the debugging process. In particular, the stack addresses in the debugger may not match the addresses during normal execution. This artifact occurs because the operating system loader places both environment variables and program arguments before the beginning of the stack:

Since your vulnerable program does not take any arguments, the environment variables are likely the culprit. Make sure they are the same in both invocations, in the shell and in the debugger. To this end, you can wrap your invocation in env:

env - /path/to/stack

And the debugger:

env - gdb /path/to/stack
(gdb) show env
LINES=24
COLUMNS=80

In the above example, there are two environment variables set by gdb, which you can further disable:

unset env LINES
unset env COLUMNS

Now show env should return an empty list. At this point, you can start the debugging process to find the absolute stack address you envision to jump to (e.g., 0xbffffa8b), and hardcode it into your exploit.

One further subtle but important detail: there's a difference between calling ./stack and /path/to/stack: since argv[0] holds the program exactly how you invoked it, you need to ensure equal invocation strings. That's why I used /path/to/stack in the above examples and not just ./stack and gdb stack.
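An added example (my own code, not part of the question or the answer) that makes the shift described above measurable: a small C program that counts how many bytes of argv and envp strings the loader copies to the top of the new process's stack, and prints the address of a stack local so the same binary can be compared under env - and under a normal shell, or under two spellings of argv[0]. The function names string_vector_bytes and argv0_shift are mine; envp as a third parameter of main is a Linux/glibc convention.

```c
/* Added example: measure what argv/envp contribute to the position of the
 * stack, so two invocations of the same binary can be compared. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Bytes occupied by a NULL-terminated vector of C strings (each string plus
 * its terminating NUL). The kernel copies these strings to the top of the
 * initial stack, so a longer environment, or a longer argv[0], moves every
 * frame below them to a lower address by roughly this many bytes. */
size_t string_vector_bytes(char *const *vec)
{
    size_t total = 0;
    for (; *vec != NULL; vec++)
        total += strlen(*vec) + 1;
    return total;
}

/* Difference, in bytes, between two spellings of argv[0] for the same
 * program, e.g. "./stack" versus "/path/to/stack" (positive means the
 * second spelling is longer and pushes the frames further down). */
long argv0_shift(const char *invocation_a, const char *invocation_b)
{
    return (long)strlen(invocation_b) - (long)strlen(invocation_a);
}

int main(int argc, char **argv, char **envp)
{
    char marker;  /* a stack local whose address we compare across runs */
    (void)argc;
    printf("argv[0]          : %s\n", argv[0]);
    printf("argv string bytes: %zu\n", string_vector_bytes(argv));
    printf("envp string bytes: %zu\n", string_vector_bytes(envp));
    printf("&marker          : %p\n", (void *)&marker);
    return 0;
}
```

Compile it and run it twice, for instance env - ./probe against ./probe, or ./probe against its full path: the change in the envp byte count and in the length of argv[0] accounts for the movement of &marker. With ASLR enabled the whole stack base also moves between runs, so either compare the byte counts only or run the experiment with ASLR disabled, which is the setting the hardcoded address in the answer presupposes.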

When learning to exploit with memory safety vulnerabilities, I recommend using the wrapper program below, which does the heavy lifting and ensures equal stack offsets:

$ invoke stack         # just call the executable
$ invoke -d stack      # run the executable in GDB

Here is the script:

#!/bin/sh
# Run a program, optionally under gdb, with a fixed minimal environment and an
# absolute argv[0], so that stack addresses match between the two modes.

while getopts "dte:h?" opt ; do
  case "$opt" in
    h|?)
      printf "usage: %s [-d] [-t] [-e KEY=VALUE] prog [args...]\n" "$(basename "$0")"
      exit 0
      ;;
    t)
      # run under gdb with the inferior's terminal on a separate pty
      tty=1
      gdb=1
      ;;
    d)
      # run under gdb
      gdb=1
      ;;
    e)
      # one extra KEY=VALUE to place in the program's environment
      env=$OPTARG
      ;;
  esac
done

shift $(expr $OPTIND - 1)
prog=$(readlink -f "$1")   # absolute path: argv[0] is then identical in both modes
shift
# $env is left unquoted on purpose: when unset it must expand to nothing.
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD="$PWD" gdb -tty /tmp/gdb-debug-pty --args "$prog" "$@"
  else
    exec env - $env TERM=screen PWD="$PWD" gdb --args "$prog" "$@"
  fi
else
  exec env - $env TERM=screen PWD="$PWD" "$prog" "$@"
fi
