For buffer overflows, what is the stack address when using pthreads?


Question

I'm taking a class in computer security and there is an extra credit assignment to insert executable code into a buffer overflow. I have the C source code for the target program I'm trying to manipulate, and I've gotten to the point where I can successfully overwrite the eip for the current function stack frame. However, I always get a Segmentation fault, because the address I supply is always wrong. The problem is that the current function is inside a pthread, and therefore, the address of the stack seems to always change between different runs of the program. Is there any method for finding the stack address within a pthread (or for estimating the stack address within a pthread)? (note: pthread_create's 2nd argument is NULL, so we're not manually assigning a stack address)

Answer

I suggest reading the excellent (if a bit dated) article/tutorial on exploiting buffer overflow vulnerabilities Smashing The Stack For Fun And Profit.

Here's a brief excerpt:

The problem is that we don't know where in the memory space of the program we are trying to exploit the code (and the string that follows it) will be placed. One way around it is to use a JMP, and a CALL instruction. The JMP and CALL instructions can use IP relative addressing, which means we can jump to an offset from the current IP without needing to know the exact address of where in memory we want to jump to.

---

You can retrieve the current value of the stack pointer with a bit of inline assembly. All the examples in Smashing The Stack For Fun And Profit overflow a buffer in main, but you can just as easily use the same techniques to overflow a buffer in a function called from a pthread. The code below is built on an example from the article (overflow1.c) to show that the same techniques will work using pthreads. The actual technique you will use will depend on the target program you are trying to exploit.
#include <stdio.h>
#include <pthread.h>

/* get value of sp off the stack - not essential to example */
/* (the original targets 32-bit x86; the x86-64 branch is added so it builds there too) */
unsigned long get_sp(void)
{
   unsigned long sp;
#if defined(__x86_64__)
   __asm__ __volatile__("movq %%rsp, %0" : "=r"(sp));
#else
   __asm__ __volatile__("movl %%esp, %0" : "=r"(sp)); /* equiv. of 'return esp;' in C */
#endif
   return sp;
}

int foo(void)
{
   char buffer[96];

   /* overflow buffer to overwrite return address */
   /* and place code to be executed into buffer. */
   /* ... (elided in the original) */
   (void)buffer;

   return 0;
}

void *thread(void *arg)
{
   (void)arg;
   printf("thread stack 0x%lx\n", get_sp());

   foo();

   return NULL;
}

int main(int argc, char **argv)
{
   (void)argc;
   (void)argv;
   printf("main stack 0x%lx\n", get_sp());

   pthread_t t;
   pthread_create(&t, NULL, thread, NULL);
   pthread_join(t, NULL);

   return 0;
}
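The JMP/CALL trick quoted from the article above, worked through as an added example that is not part of the original answer or of Aleph One's code. The payload is written as GCC/Clang inline assembly inside an ordinary C function so it can be compiled and run as-is; it assumes x86 or x86-64 (other architectures are reported as unsupported), and the function names and the embedded "/bin/sh" string are this example's own. A `jmp` forward lands on a `call` that jumps back; the `call` pushes the address of the bytes that follow it, which is exactly where the string sits, so `pop` hands the code its own data address without anyone knowing where in memory the buffer ended up.

```c
/* Added example, not from the original answer or the article: the
 * JMP/CALL self-location trick as inline assembly in a plain C function.
 * The code finds the string stored right after it at run time, without
 * knowing its absolute address. Assumes x86 or x86-64 with GCC/Clang. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns a pointer to the "/bin/sh" bytes embedded after the CALL,
 * located the way Aleph One's shellcode locates its own string.
 * Returns NULL on architectures this example does not cover. */
static __attribute__((noinline)) const char *locate_payload(void)
{
    const char *payload = NULL;
#if defined(__x86_64__)
    __asm__ __volatile__(
        "lea -128(%%rsp), %%rsp\n\t" /* stay clear of the SysV red zone */
        "jmp 2f\n"                   /* forward to the CALL */
        "1:\n\t"
        "pop %0\n\t"                 /* CALL pushed the string's address */
        "jmp 3f\n"                   /* skip over the data bytes */
        "2:\n\t"
        "call 1b\n\t"                /* push address of next byte, go back */
        ".ascii \"/bin/sh\\0\"\n"    /* the data the CALL points at */
        "3:\n\t"
        "lea 128(%%rsp), %%rsp"
        : "=r"(payload) : : "memory");
#elif defined(__i386__)
    __asm__ __volatile__(
        "jmp 2f\n"
        "1:\n\t"
        "pop %0\n\t"
        "jmp 3f\n"
        "2:\n\t"
        "call 1b\n\t"
        ".ascii \"/bin/sh\\0\"\n"
        "3:"
        : "=r"(payload) : : "memory");
#endif
    return payload;
}

/* 1 if the located bytes read "/bin/sh" and sit inside this function's
 * own code, 0 if not, -1 when the architecture is unsupported. */
int locate_payload_check(void)
{
    const char *p = locate_payload();
    uintptr_t fn = (uintptr_t)locate_payload;
    if (p == NULL)
        return -1;
    if (strcmp(p, "/bin/sh") != 0)
        return 0;
    return ((uintptr_t)p > fn && (uintptr_t)p < fn + 256) ? 1 : 0;
}

int main(void)
{
    int r = locate_payload_check();
    const char *p = locate_payload();
    if (r < 0) {
        puts("unsupported architecture for this example");
        return 0;
    }
    printf("locate_payload() is at %p, found \"%s\" at %p: %s\n",
           (void *)locate_payload, p, (const void *)p,
           r ? "ok" : "mismatch");
    return r ? 0 : 1;
}
```

The `lea` pair on x86-64 exists only because this runs inside a compiled C function: the `call` writes below the stack pointer, and the SysV ABI lets the compiler keep live data in the 128 bytes below `rsp`. Real shellcode placed in an overflowed buffer has no red zone to respect and uses the bare `jmp`/`call`/`pop` sequence shown in the i386 branch.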

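As an added example (not from the original answer), the same pthread layout measured the way one would when estimating where `foo`'s buffer lands in a thread stack. It assumes Linux with glibc or musl, where the GNU extension `pthread_getattr_np` reports the thread's stack bounds; the struct, function names and the 96-byte probe buffer are this example's own, and the stack pointer is read as the address of a local rather than through inline asm so it builds on any architecture. The point it shows: the thread stack is a fresh `mmap` placement whose absolute address moves between runs, but the buffer's distance from the top of that stack is fixed by the thread-start frames and the call chain, so it is the same in every thread that reaches `foo` the same way, and with the same binary and loaded libraries it stays the same across runs as well.

```c
/* Added example, not part of the original answer. Measures where a
 * 96-byte buffer in a function called from a pthread lies relative to
 * that thread's stack. Assumes Linux (glibc or musl): pthread_getattr_np
 * is a GNU extension, so _GNU_SOURCE must be visible to <pthread.h>. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Spelled out so the call still compiles if a header was included
 * before _GNU_SOURCE took effect; matches the glibc/musl declaration. */
extern int pthread_getattr_np(pthread_t thread, pthread_attr_t *attr);

#define PROBE_BUF_SIZE 96

struct stack_probe {
    uintptr_t stack_lo;   /* lowest address of the thread's stack mapping */
    uintptr_t stack_hi;   /* one past its highest address (the "top") */
    uintptr_t buf_addr;   /* address of the buffer in probe_foo() */
    uintptr_t buf_offset; /* stack_hi - buf_addr: fixed by the call chain */
};

/* Stand-in for the page's foo(): same 96-byte local, but instead of
 * overflowing it we record where it landed. volatile keeps the array in
 * memory, noinline keeps it in its own frame. */
static __attribute__((noinline)) uintptr_t probe_foo(void)
{
    volatile char buffer[PROBE_BUF_SIZE];
    buffer[0] = 'A';
    return (uintptr_t)buffer;
}

static void *probe_thread(void *arg)
{
    struct stack_probe *p = arg;
    pthread_attr_t attr;
    void *lo = NULL;
    size_t size = 0;

    if (pthread_getattr_np(pthread_self(), &attr) != 0)
        return NULL;                          /* leaves stack_hi == 0 */
    pthread_attr_getstack(&attr, &lo, &size);
    pthread_attr_destroy(&attr);

    p->stack_lo   = (uintptr_t)lo;
    p->stack_hi   = (uintptr_t)lo + size;
    p->buf_addr   = probe_foo();
    p->buf_offset = p->stack_hi - p->buf_addr;
    return NULL;
}

/* Runs the probe in a fresh thread with default (NULL) attributes, like
 * the page's pthread_create call. Returns 0 on success, -1 on failure. */
int run_probe(struct stack_probe *out)
{
    pthread_t t;
    memset(out, 0, sizeof *out);
    if (pthread_create(&t, NULL, probe_thread, out) != 0)
        return -1;
    if (pthread_join(t, NULL) != 0)
        return -1;
    return out->stack_hi != 0 ? 0 : -1;
}

/* 1 if the whole buffer lies inside the thread's stack mapping. */
int probe_in_bounds(const struct stack_probe *p)
{
    return p->buf_addr >= p->stack_lo &&
           p->buf_addr + PROBE_BUF_SIZE <= p->stack_hi;
}

int main(void)
{
    struct stack_probe a, b;
    if (run_probe(&a) != 0 || run_probe(&b) != 0) {
        fprintf(stderr, "could not query thread stack bounds\n");
        return 1;
    }
    printf("thread 1: stack [%#lx, %#lx) buffer %#lx top-offset %lu\n",
           (unsigned long)a.stack_lo, (unsigned long)a.stack_hi,
           (unsigned long)a.buf_addr, (unsigned long)a.buf_offset);
    printf("thread 2: stack [%#lx, %#lx) buffer %#lx top-offset %lu\n",
           (unsigned long)b.stack_lo, (unsigned long)b.stack_hi,
           (unsigned long)b.buf_addr, (unsigned long)b.buf_offset);
    printf("offset from stack top identical: %s\n",
           a.buf_offset == b.buf_offset ? "yes" : "no");
    return 0;
}
```

Run it a few times: the stack bounds and buffer address change with each run (and the second thread may or may not reuse the first thread's cached stack), while the top-offset column does not. That offset, together with whatever leaks the stack top or a nearby pointer, is what turns a guess into an address; the NOP-sled and JMP/CALL techniques in the article are the tools for tolerating the remaining uncertainty.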