Modify return address on stack


Problem description

I looked at the basics of buffer overflow vulnerabilities and tried to understand how the stack is working. For that I wanted to write a simple program which changes the address of the return address to some value. Can anybody help me with figuring out the size of the base pointer to get the offset from the first argument?

void foo(void)
{
    char ret;
    char *ptr;

    ptr = &ret; //add some offset value here 
    *ptr = 0x00;
}

int main(int argc, char **argv)
{
    foo();

    return 1;
}

The generated assembler code looks as follows:

    .file   "test.c"
    .text
    .globl  foo 
    .type   foo, @function
foo:
.LFB0:
    .cfi_startproc
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16 
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    leaq    -9(%rbp), %rax
    movq    %rax, -8(%rbp)
    movq    -8(%rbp), %rax
    movb    $0, (%rax)
    popq    %rbp
    .cfi_def_cfa 7, 8
    ret 
    .cfi_endproc
.LFE0:
    .size   foo, .-foo
    .globl  main
    .type   main, @function
main:
.LFB1:
    .cfi_startproc
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16 
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    subq    $16, %rsp
    movl    %edi, -4(%rbp)
    movq    %rsi, -16(%rbp)
    call    foo 
    movl    $1, %eax
    leave
    .cfi_def_cfa 7, 8
    ret 
    .cfi_endproc
.LFE1:
    .size   main, .-main
    .ident  "GCC: (GNU) 4.7.1 20120721 (prerelease)"
    .section    .note.GNU-stack,"",@progbits

The relevant part of the foo frame segment should look like this:

[char ret] [base pointer] [return address]

I have the position of the first one which is only 1 byte in size. Is it only 1 byte further to the base pointer or the size of a word as mentioned in http://insecure.org/stf/smashstack.html? And how do I get to know the size of the base pointer?

Recommended answer


Your base pointer is most likely just a pointer, so it has the size sizeof(int*). But there is also another value in between your variable ret and the base pointer. I would assume it is the value of a register (eax?). This would lead to something like the following, if you want an endless loop:

void foo(void)
{
    char ret;
    char *ptr;

    /* skip ret itself, the value in between, and the saved base pointer */
    ptr = (char*)(&ret) + (sizeof(ret) + 2*sizeof(int*));
    /* move the return target back before the call site: an endless loop */
    *(int*)ptr -= 0x0c;
}

The return target being modified is assumed to have the size of a pointer (this can differ for other instruction sets). By decrementing it, the return target is set to a point before the call site.
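An added example, not part of the question or the answer, that answers the offset question by measuring instead of guessing: it uses the GCC/Clang builtins __builtin_frame_address(0) and __builtin_return_address(0) (assumed available) to compute how far the local ret sits from the saved base pointer and from the return-address slot, and it only reads the slot it locates, checking it against the compiler's own idea of the return address so a wrong offset is detected rather than acted on.

```c
#include <stdio.h>
#include <stddef.h>

/* Frame of foo() as laid out by the GCC listing above (x86-64):
 *   rbp-9 : char ret        rbp-8 : char *ptr
 *   rbp+0 : saved rbp       rbp+8 : return address
 * Instead of guessing an offset and writing through it, this probe reads
 * the slots it locates and checks them against the compiler's own view.
 * Constructed example for GCC/Clang; not code from the original post. */
struct frame_probe {
    ptrdiff_t local_to_saved_bp; /* bytes from &ret up to the saved base pointer   */
    ptrdiff_t local_to_ret_addr; /* bytes from &ret up to the return-address slot  */
    int       slot_is_ret_addr;  /* 1 if that slot really holds the return address */
};

__attribute__((noinline)) struct frame_probe probe_frame(void)
{
    volatile char ret = 0;                 /* same 1-byte local as in the question */
    /* frame address == %rbp after "movq %rsp, %rbp": it points at the saved rbp */
    char *frame = (char *)__builtin_frame_address(0);
    struct frame_probe p;

    p.local_to_saved_bp = frame - (char *)&ret;
    /* the saved base pointer is one pointer-sized slot; the return address follows it */
    p.local_to_ret_addr = p.local_to_saved_bp + (ptrdiff_t)sizeof(void *);
    void *slot = *(void **)(frame + sizeof(void *));
    p.slot_is_ret_addr = (slot == __builtin_return_address(0));
    return p;
}

int main(void)
{
    struct frame_probe p = probe_frame();
    printf("saved base pointer is %zu bytes wide\n", sizeof(void *));
    printf("&ret -> saved base pointer: %td bytes\n", p.local_to_saved_bp);
    printf("&ret -> return address:     %td bytes\n", p.local_to_ret_addr);
    printf("slot holds return address:  %s\n", p.slot_is_ret_addr ? "yes" : "no");
    return 0;
}
```

The distances printed depend on the compiler and optimisation level, which is exactly why the slot check is there; on the GCC 4.7 layout shown above, &ret to the return address is 9 + 8 = 17 bytes.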
