缓冲区溢出工作在GDB但不能没有它 [英] Buffer overflow works in gdb but not without it

问题描述

我在CentOS 6.4 32位，我试图引起程序的缓冲区溢出。在GDB它的工作原理。下面是输出：

I am on CentOS 6.4 32 bit and am trying to cause a buffer overflow in a program. Within GDB it works. Here is the output:

[root@localhost bufferoverflow]# gdb stack
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/bufferoverflow/stack...done.
(gdb) r
Starting program: /root/bufferoverflow/stack
process 6003 is executing new program: /bin/bash
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.107.el6_4.2.i686
sh-4.1#

然而，当我刚独立运行程序堆栈它赛格故障。为什么会这样呢？

However when I run the program stack just on its own it seg faults. Why might this be?

推荐答案

漏洞的发展如果不充分考虑对于引进的因素会导致严重的头痛不确定性的进入调试过程。特别是，在调试器堆栈地址可能不正常执行期间匹配的地址。发生这件神器，因为操作系统加载前放置环境变量和程序参数的 的堆栈的开头：

Exploit development can lead to serious headaches if you don't adequately account for factors that introduce non-determinism into the debugging process. In particular, the stack addresses in the debugger may not match the addresses during normal execution. This artifact occurs because the operating system loader places both environment variables and program arguments before the beginning of the stack:

因为你的弱势程序不带任何参数，环境变量可能的罪魁祸首。马雷确保它们在这两个调用相同，在外壳和调试器。为此，你可以用你的调用在 ENV ：

Since your vulnerable program does not take any arguments, the environment variables are likely the culprit. Mare sure they are the same in both invocations, in the shell and in the debugger. To this end, you can wrap your invocation in env:

env - /path/to/stack

和与调试器：

env - gdb /path/to/stack
($) show env
LINES=24
COLUMNS=80

在上面的例子中，存在由GDB，而可以进一步禁用设置两个环境变量

In the above example, there are two environment variables set by gdb, which you can further disable:

unset env LINES
unset env COLUMNS

现在显示ENV 应该返回一个空列表。在这一点上，你就可以开始调试过程中找到你设想跳到绝对堆栈地址（例如， 0xbffffa8b ），和硬code到您的漏洞。

Now show env should return an empty list. At this point, you can start the debugging process to find the absolute stack address you envision to jump to (e.g., 0xbffffa8b), and hardcode it into your exploit.

一名微妙但重要的细节：有叫 ./栈和 /路径/要/堆栈：因为的argv [0] 持有你究竟是如何调用它的程序，你需要确保平等调用字符串。这就是为什么我用 /路径/要/堆栈在上面的例子并不仅仅是 ./栈和 gdb的堆栈。

One further subtle but important detail: there's a difference between calling ./stack and /path/to/stack: since argv[0] holds the program exactly how you invoked it, you need to ensure equal invocation strings. That's why I used /path/to/stack in the above examples and not just ./stack and gdb stack.

在学习记忆的安全漏洞被利用，我建议使用下面的包装程序，它确实繁重，并确保平等的堆栈偏移量：

When learning to exploit with memory safety vulnerabilities, I recommend to use the wrapper program below, which does the heavy lifting and ensures equal stack offsets:

$ invoke stack         # just call the executable
$ invoke -d stack      # run the executable in GDB

下面是脚本：

#!/bin/sh

while getopts "dte:h?" opt ; do
  case "$opt" in
    h|\?)
      printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
      exit 0
      ;;
    t)
      tty=1
      gdb=1
      ;;
    d)
      gdb=1
      ;;
    e)
      env=$OPTARG
      ;;
  esac
done

shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)
shift
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD=$PWD gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
  else
    exec env - $env TERM=screen PWD=$PWD gdb --args $prog "$@"
  fi
else
  exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi

这篇关于缓冲区溢出工作在GDB但不能没有它的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！