Stack Overflow Exploit in C


Question

The question is actually about stack overflows in C. I have an assignment that I can not get done for the life of me, I've looked at everything in gdb and I just can't figure it out.

The question is as follows:

#include <stdio.h>
#include <stdlib.h>

int i,n;

void confused()
{
    printf("who called me");
    exit(0);
}

void shell_call(char *c)
{
    printf(" ***Now calling \"%s\" shell command *** \n",c);
    system(c);
    exit(0);
}

void victim_func()
{
    int a[4];
    /* prints the address of the slot two past the end of a[] */
    printf("[8]:%x\n", &a[8]);
    printf("Enter n: "); scanf("%d",&n);
    printf("Enter %d HEX Values \n",n);
    /* n is never bounded by the size of a[]: this is the assignment's overflow */
    for(i=0;i<n;i++) scanf("%x",&a[i]);
    printf("Done reading junk numbers\n");
}

int main()
{
    printf("ls=736c --- ps = 7370 --- cal = 6c6163\n");
    printf("location of confused %x \n", confused);
    printf("location of shell_call %x \n", shell_call);
    victim_func();
    printf("Done, thank you\n");
    return 0;
}

Ok, so I managed to get the first question correctly, which is to arbitrarily call one of the two functions not explicitly called in the main path. By the way, this has to be done while running the program without any modifications. I did this by running the program, setting N to 7, which gets me to the Function Pointer of the victim_func frame, I write a[7] with the memory address of confused or shell_call, and it works. (I have a 64 bit machine, that's why I have to get it to 7, since the EBI pointer is 2 ints wide, instead of 1)

My question is the following, how could I control which argument gets passed to the shell_code function? i.e. how do I write a string to char* c. The whole point is executing unix commands like ps etc, by running only the program.

I figured writing the EBI pointer with the hex representation of ps and setting the arg list of shell_call to that, but that didn't work. I also tried inputting argsv arguments and setting the arg list of shell_call to the arg_list of main, but didn't work either.

I think the second version should work, but I believe I'm not setting the arg list of the new stack frame correctly (I did it by writing a[8] to 0, since it's the first part of the function pointer, and writing a[9]=736c and a[10]=0000, but it's probably not right since those are the parameters of victim_func). So how do I access the parameters of shell_call?

Answer

I probably shouldn't do your homework for you. But basically:

You need to get a character buffer somewhere in memory to store the string you want to execute. Obviously, you can do this the same way you are getting the other functions called (i.e. you put the text on the stack as well). After you have that written, you need to write a pointer to it on to the stack in the location that the shell_code function expects to find its arguments.

The best way to figure this out without me doing all of the work for you is to write down your stack/memory contents on a piece of paper/whiteboard. Write down how it would look if you called shell_code normally from inside the program. Then write down what the stack looks like inside victim_func and figure out which things to change to get it to look like it would look "naturally" (of course keeping in mind some things are "don't cares" like the return address).

That's all the charity you're gonna get from me today! :-P
