Why do I get "Cannot find bound of current function" when I overwrite the ret address of a vulnerable program?

Problem description

I want to exploit a stack based buffer overflow for education purposes.

There is a typical function called with a parameter from main, which is given as input to the program, and a local buffer where the parameter is saved. Given an input such as nops+shellcode+address_shellcode, I will exploit it.

After debugging with gdb I found the address of the shell code as it will be passed as a parameter, and right after the strcpy I examined the stack, and $ebp+8, which is the return address, has successfully been overwritten with the address of the shell code. So I have what I want. But when I stepped forward in the execution I got:

->shellcode_address in ?? ()

and then

Cannot find bound of current function

The return address has the value that I want. Any ideas what is happening?

Also, when I execute it I get a segmentation fault, and I have compiled it with -g -fno-stack-protector. Why?

Recommended answer

The debugger has knowledge about where the code for functions in your program begin and end, either because this information is provided in debugging data or because it uses any external symbols visible in the executable to provide rudimentary information.

When the stack is in a proper state, it contains a return address to the calling function and, somewhere above that, a return address to a higher-level calling function, and so on. While you are executing various debugger commands, it uses these return addresses (and other information on the stack and in the state of the process) to show you the names of these functions. This requires looking up the return address in the debugger’s knowledge about where the functions are.

Once you overflow a buffer and corrupt the stack, the proper return address is destroyed. Instead you have a different address (one pointing to your shellcode if your exploit has worked). When the debugger tries to figure out which function this address is in, it fails, because the address is not in any of the functions in your program.

When this failure occurs, the debugger prints the error message you see.

Usually, the debugger can still perform basic functions: It can show you registers and memory in your program, it can still single-step and set breakpoints, and so on. It will have trouble doing things that require more complicated interpretation: It cannot figure out where stack frames are, it cannot find local variables by name, and so on.
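To make the lookup the answer describes concrete, here is an added C example (not from the question, the answer or gdb itself) that models a debugger's symbol table as a constructed list of function bounds and walks a chain of saved return addresses the way a backtrace does. All addresses and function names are constructed for illustration; the point is that a return address which lies in no known function cannot be resolved, which is exactly the "?? ()" frame and the "Cannot find bound of current function" message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed symbol table: what a debugger learns from debug data or
 * exported symbols, i.e. where each function's code starts and ends. */
typedef struct {
    const char *name;
    uintptr_t start;   /* first byte of the function's code */
    uintptr_t end;     /* one past the last byte */
} func_bound_t;

static const func_bound_t symbols[] = {
    { "vulnerable",        0x08048400, 0x08048450 },  /* constructed */
    { "main",              0x08048450, 0x080484a0 },  /* constructed */
    { "__libc_start_main", 0xb7e3c000, 0xb7e3c200 },  /* constructed */
};
#define NSYMS (sizeof symbols / sizeof symbols[0])

/* Map an address to the function containing it; NULL means "?? ()". */
const char *function_for_address(uintptr_t addr) {
    for (size_t i = 0; i < NSYMS; i++)
        if (addr >= symbols[i].start && addr < symbols[i].end)
            return symbols[i].name;
    return NULL;
}

/* Resolve a chain of saved return addresses (innermost frame first).
 * Returns how many frames were resolved; stops at the first address that
 * lies in no known function, where gdb would report the error. */
size_t backtrace_frames(const uintptr_t *ret_addrs, size_t n) {
    size_t resolved = 0;
    for (size_t i = 0; i < n; i++) {
        const char *fn = function_for_address(ret_addrs[i]);
        if (fn == NULL) {
            printf("#%zu  0x%08lx in ?? ()\n", i, (unsigned long)ret_addrs[i]);
            puts("Cannot find bound of current function");
            break;
        }
        printf("#%zu  0x%08lx in %s ()\n", i, (unsigned long)ret_addrs[i], fn);
        resolved++;
    }
    return resolved;
}

/* Intact stack: vulnerable returns into main, main into libc (constructed). */
size_t demo_healthy(void) {
    const uintptr_t frames[] = { 0x08048470, 0xb7e3c1a0 };
    return backtrace_frames(frames, 2);
}

/* After the overflow: the saved return address now points into the stack
 * region (constructed value), which no function's bounds contain. */
size_t demo_corrupted(void) {
    const uintptr_t frames[] = { 0xbffff5c0, 0xb7e3c1a0 };
    return backtrace_frames(frames, 2);
}
```

Run it and the first walk prints two named frames, while the second stops at frame #0 with the same message gdb shows, even though the rest of the stack above it is still intact.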
