缓冲区溢出的首次实验 [英] First experiments with buffer overflow
问题描述
我已经开始阅读有关缓冲区溢出以及黑客如何使用其执行自定义代码(而不是常规的已编译代码)的信息,现在,我正在尝试重现一些基本情况,它具有一个脆弱的功能,该功能可以将数据复制到char数组中。
I've started reading about buffer overflow and how hackers use it to execute custom code instead of the regular compiled one and now I'm trying to reproduce some basic situations, with a vurnerable function that copy data into a char array with the unsafe strcpy.
要点是,当我使用程序中定义的函数的汇编指令之一更改返回地址时,它可以正常工作,而当我直接以字节为单位注入代码时,它返回SEGMENTATION FAULT。
我正在使用Kali发行版x64 v3.18
我已禁用地址空间布局随机化(ASLR):
I'm using the Kali distribution x64 v3.18
I've disabled the address space layout randomization (ASLR):
echo 0 > /proc/sys/kernel/randomize_va_space
并禁用编译器添加的堆栈保护代码:
And disabled the stack protection code added by the compiler:
gcc -g -fno-stack-protector exbof.c -o exbof
代码:
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv){
char buffer[500] = {0};
strcpy(buffer, argv[1]);
return 0;
}
用法:
./exbof `perl -e 'print "x90"x216; // nop sled
print CUSTOM_CODE; // my code
print "xff"x(500 - 216 - CODE_LENGTH); // fill empty space
print "xff"xOFFSET // distance between the last byte
// of buffer and the return address
printf("\\x%lx", BUFFER_ADDRESS + int(rand(26)) * 8);'`
输出:
Segmentation Fault
在GDB中:
Program received signal SIGSEGV, Segmentation fault.
0x00007fffffffxyzt in ?? ()
我已经使用GDB对其进行了调试,并且该代码将错误的新地址正确地写入了堆栈中。
我使用的是在线找到的shellcode exec,但是我也尝试从程序中以字节为单位插入一段代码, 当我与GDB核对后,注入的汇编代码被证明是有效的代码,与原始代码完全相同。
在我看来,任何地址都不是
建议?
Suggestions?
推荐答案
解决方案:
根据@andars的建议,有必要设置该标志
As suggested by @andars, it's necessary to set up the flag that mark the stack as executable.
因此,如果您想尝试一下并开始处理缓冲区溢出,则必须:
So, if you want to try this and start playing with buffer overflows, you have to:
-
禁用地址空间布局随机化(ASLR):
disable the address space layout randomization (ASLR):
echo 0> / proc / sys / kernel / randomize_va_space
禁用由编译器添加的堆栈保护代码:
disable the stack protection code added by the compiler:
gcc -g -fno-stack-protector your_program.c -o your_program
在程序标头中设置一个标志,以将堆栈标记为可执行文件:
set up a flag in the program header to mark the stack as executable:
execstack -s your_program
-
,也可以在组装时或链接时直接进行操作:
or you can do it directly at assembly time or at link time:
gcc -g -fno-stack-protector -z execstack your_program.c -o your_program
这篇关于缓冲区溢出的首次实验的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!