Why do I get "Cannot find bound of current function" when I overwrite the ret address of a vulnerable program?

Question

I want to exploit a stack based buffer overflow for education purposes.

There is a typical function called with a parameter from main, which is given as input to the program, and a local buffer where the parameter is saved. Given an input such as nops+shellcode+address_shellcode, I will exploit it.

After debugging with gdb I found the address of the shell code as it will be passed as a parameter, and right after the strcpy I examined the stack: $ebp+8, which is the return address, has successfully been overwritten with the address of the shell code. So I have what I want. But when I stepped forward in the execution I got:

->shellcode_address in ?? ()

and then

Cannot find bound of current function

The return address has the value that I want. Any ideas what is happening?

Also, when I execute it I get a segmentation fault, and I have compiled it with -g -fno-stack-protector. Why?

Answer

The debugger has knowledge about where the code for functions in your program begin and end, either because this information is provided in debugging data or because it uses any external symbols visible in the executable to provide rudimentary information.

When the stack is in a proper state, it contains a return address to the calling function and, somewhere above that, a return address to a higher-level calling function, and so on. While you are executing various debugger commands, it uses these return addresses (and other information on the stack and in the state of the process) to show you the names of these functions. This requires looking up the return address in the debugger’s knowledge about where the functions are.

Once you overflow a buffer and corrupt the stack, the proper return address is destroyed. Instead you have a different address (one pointing to your shellcode if your exploit has worked). When the debugger tries to figure out which function this address is in, it fails, because the address is not in any of the functions in your program.

When this failure occurs, the debugger prints the error message you see.

Usually, the debugger can still perform basic functions: It can show you registers and memory in your program, it can still single-step and set breakpoints, and so on. It will have trouble doing things that require more complicated interpretation: It cannot figure out where stack frames are, it cannot find local variables by name, and so on.
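As an added illustration, not part of the original question or answer: a small C sketch of the lookup the answer describes. It uses a constructed (name, start, end) table with made-up addresses for a 32-bit binary, and shows why a return address that points back into main resolves to a name while one pointing into the stack resolves to `??` with no bounds to work from.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;
    uintptr_t start;  /* first instruction of the function */
    uintptr_t end;    /* one past its last instruction */
} func_bound;

/* Constructed table for a 32-bit binary whose vulnerable() is called
 * from main(); the addresses are made up for illustration only. */
static const func_bound symtab[] = {
    { "vulnerable", 0x08048400u, 0x08048450u },
    { "main",       0x08048450u, 0x080484a0u },
};

/* Return the function whose bounds contain addr, or NULL if none does. */
const func_bound *lookup_function(uintptr_t addr)
{
    for (size_t i = 0; i < sizeof symtab / sizeof symtab[0]; i++)
        if (addr >= symtab[i].start && addr < symtab[i].end)
            return &symtab[i];
    return NULL;
}

/* Describe a frame by its return address the way gdb does: "name+off" inside
 * a known function, "??" otherwise. Returns 1 when bounds were found, 0 when
 * not, which is the case behind "Cannot find bound of current function". */
int describe_frame(uintptr_t ret_addr, char *out, size_t len)
{
    const func_bound *f = lookup_function(ret_addr);
    if (f == NULL) {
        snprintf(out, len, "0x%08lx in ?? ()", (unsigned long)ret_addr);
        return 0;
    }
    snprintf(out, len, "0x%08lx in %s+%lu ()", (unsigned long)ret_addr,
             f->name, (unsigned long)(ret_addr - f->start));
    return 1;
}

int main(void)
{
    char line[64];
    describe_frame(0x08048470u, line, sizeof line); /* intact: back into main */
    puts(line);
    describe_frame(0xbffff5a0u, line, sizeof line); /* corrupted: stack address */
    puts(line);
    return 0;
}
```

The second call is the situation in the question: the value at the saved return slot is no longer inside any function, so the debugger can still step and dump memory but cannot name the frame or finish out of it.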
