For buffer overflows, what is the stack address when using pthreads?

Question

I'm taking a class in computer security and there is an extra credit assignment to insert executable code into a buffer overflow. I have the c source code for the target program I'm trying to manipulate, and I've gotten to the point where I can successfully overwrite the eip for the current function stack frame. However, I always get a Segmentation fault, because the address I supply is always wrong. The problem is that the current function is inside a pthread, and therefore, the address of the stack seems to always change between different runs of the program. Is there any method for finding the stack address within a pthread (or for estimating the stack address within a pthread)? (note: pthread_create's 2nd argument is null, so we're not manually assigning a stack address)

Answer

I suggest reading the excellent (if a bit dated) article/tutorial on exploiting buffer overflow vulnerabilities Smashing The Stack For Fun And Profit.

Here is a short excerpt:

The problem is that we don't know where in the memory space of the program we are trying to exploit the code (and the string that follows it) will be placed. One way around it is to use a JMP, and a CALL instruction. The JMP and CALL instructions can use IP relative addressing, which means we can jump to an offset from the current IP without needing to know the exact address of where in memory we want to jump to.

You can retrieve the current value of the stack pointer with a bit of inline assembly. All the examples in Smashing The Stack For Fun And Profit overflow a buffer in main, but you can just as easily use the same techniques to overflow a buffer in a function called from a pthread. The code below is built on an example from the article (overflow1.c) to show that the same techniques will work using pthreads. The actual technique you will use will depend on the target program you are trying to exploit.


#include <stdio.h>
#include <pthread.h>

/* get value of sp off the stack - not essential to example */
/* 32-bit x86 only: the value is left in eax, which is the return register */
unsigned long get_sp()
{
   __asm__("movl %esp,%eax"); /* equiv. of 'return esp;' in C */
}

int foo()
{
   char buffer[96];

   /* overflow buffer to overwrite return address */
   /* and place code to be executed into buffer. */
   /* ... */

   return 0;
}

void *thread(void *arg)
{
   printf("thread stack 0x%lx\n", get_sp());

   foo();

   return NULL;
}

int main(int argc, char **argv)
{
   printf("main stack 0x%lx\n", get_sp());

   pthread_t t;
   pthread_create(&t, NULL, thread, NULL);
   pthread_join(t, NULL);

   return 0;
}
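
As an added illustration (not part of the answer above), the following constructed C program shows why an address observed inside a pthread differs from one in main: the worker's stack is a separately mapped region, whose bounds glibc can report through pthread_getattr_np, so a fixed address taken from one run tells you little about the next. Names such as stack_probe and probe_stacks are this example's own.

```c
#define _GNU_SOURCE                 /* pthread_getattr_np on glibc */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed example (names are its own): the address of a local in the creating
 * thread's frame vs. in a worker's frame, plus the worker's stack bounds on glibc. */
struct stack_probe {                    /* address of a local in each frame, and */
    uintptr_t caller_local, thr_local, stack_lo;  /* the worker's stack bounds */
    size_t stack_size;                  /* (left 0 when not reportable) */
};
static void *worker(void *arg) {
    struct stack_probe *p = arg;
    volatile char marker = 0;           /* lives on this thread's own stack */
    p->thr_local = (uintptr_t)&marker;
#ifdef __USE_GNU                        /* glibc sets this under _GNU_SOURCE */
    pthread_attr_t a; void *lo;
    if (pthread_getattr_np(pthread_self(), &a) == 0) {
        pthread_attr_getstack(&a, &lo, &p->stack_size);
        p->stack_lo = (uintptr_t)lo; pthread_attr_destroy(&a);
    }
#endif
    return NULL;
}

struct stack_probe probe_stacks(void) {
    volatile char marker = 0;           /* lives on the calling thread's stack */
    struct stack_probe p = { (uintptr_t)&marker, 0, 0, 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, worker, &p) == 0) pthread_join(t, NULL);
    return p;
}

/* 1 when the worker's stack lies more than min_gap bytes from the caller's. */
int stacks_are_separate(uintptr_t min_gap) {
    struct stack_probe p = probe_stacks();
    uintptr_t d = p.caller_local > p.thr_local ? p.caller_local - p.thr_local : p.thr_local - p.caller_local;
    return p.thr_local != 0 && d > min_gap;
}

/* 1: worker local inside reported bounds, 0: outside, -1: bounds unavailable. */
int thread_local_in_reported_stack(void) {
    struct stack_probe p = probe_stacks();
    if (p.stack_size == 0) return -1;
    return p.thr_local >= p.stack_lo && p.thr_local < p.stack_lo + p.stack_size;
}

int main(void) {
    printf("separate=%d, inside=%d\n", stacks_are_separate(1 << 16), thread_local_in_reported_stack());
    return 0;
}
```

On glibc the second value is 1 because the worker's local falls inside the bounds pthread_getattr_np reports; on other libcs it is -1 because the bounds are not queried.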
