Buffer Overflow Attack


Question


I'm trying to execute a very simple buffer overflow attack. I'm pretty much a newbie to this. So, if this question is stupid, please excuse me :-)

The code:

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

int i, n;

void confused(int i)
{
    printf("**Who called me? Why am I here?? *** %x\n ", i);
}

void shell_call(char *c)
{
    printf(" ***Now calling \"%s\" shell command *** \n", c);
    system(c);
}

void victim_func()
{
    int a[4];
    printf("Enter n:  ");
    scanf("%d", &n);
    printf("~~~~~~~~~~~~~ values and address of n locations ~~~~~~~~~~");
    for (i = 0; i < n; i++)
        printf("\n a[%d] = %x, address = %x", i, a[i], (unsigned)(uintptr_t)&a[i]);
    printf("\nEnter %d HEX Values \n", n);

    // Buffer Overflow vulnerability HERE! n is never checked against the size of a[]
    for (i = 0; i < n; i++)
        scanf("%x", &a[i]);
    printf("Done reading junk numbers\n");
}

int main()
{
    victim_func();
    printf("\n done");
    return 0;
}


When I use objdump to get the function addresses, I have the following:

main(): 0x804854d
Address of main() where printf() is called: 0x8048563
victim_func(): 0x8048455
confused(): 0x8048414


Now, what I want is to jump to the function 'confused()' from victim_func() by overflowing the buffer there, and overwriting the return address to the address of confused(). And I want to return back from confused() to the printf() statement in main, and exit normally. So, I provide the following input

Enter n: 7
Enter 7 HEX values:
1
2
3
4
5
8048414 (This is to jump to confused)
8048563 (this is to jump to printf() in main)


Although the program prints "Done" from that printf statement, it jumps back to victim_func() and prints "Enter n:"


What am I doing wrong? Any help would be greatly appreciated!


PS: I'm not sure if I have put the question right. Please let me know, if any more information is needed.
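As an added example (not code from the question or the answer), here is the bounds check that victim_func is missing: the count n is validated against the array length before any value is stored, so a request for seven values into a four-element array is refused instead of writing past the end of the frame. The parsing runs from a constructed string rather than stdin so it can be exercised without interactive input; the function names, the wrapper helpers and the sample input strings are my own.

```c
#include <stdio.h>
#include <stddef.h>

/* Same fixed-size buffer as the victim_func in the question (hypothetical constant name). */
#define BUF_LEN 4

/*
 * Bounded version of the reading loop from victim_func.
 * Input is a string of the form "n v1 v2 ... vn" (the same tokens the
 * program reads from stdin), parsed here from memory so it can be tested
 * offline.  Returns the number of values stored in out[], or -1 when n is
 * negative, exceeds cap, or fewer than n hex values follow.  On a malformed
 * input out[] may be partially filled, but never beyond cap.
 */
int read_hex_values_bounded(const char *input, unsigned out[], size_t cap)
{
    const char *p = input;
    int consumed = 0;
    long n;

    if (sscanf(p, "%ld%n", &n, &consumed) != 1)
        return -1;
    p += consumed;

    /* The check victim_func lacks: refuse any count larger than the array. */
    if (n < 0 || (size_t)n > cap)
        return -1;

    for (long i = 0; i < n; i++) {
        unsigned v;
        if (sscanf(p, "%x%n", &v, &consumed) != 1)
            return -1;          /* fewer values than promised: reject */
        p += consumed;
        out[i] = v;             /* i < n <= cap, so this index is always in bounds */
    }
    return (int)n;
}

/* Convenience wrappers so results can be checked as return values. */
int count_for(const char *input)
{
    unsigned buf[BUF_LEN] = {0};
    return read_hex_values_bounded(input, buf, BUF_LEN);
}

unsigned value_for(const char *input, size_t idx)
{
    unsigned buf[BUF_LEN] = {0};
    if (idx >= BUF_LEN || read_hex_values_bounded(input, buf, BUF_LEN) < 0)
        return 0;
    return buf[idx];
}

int main(void)
{
    /* Constructed input: the seven values from the question (n = 7 > BUF_LEN). */
    const char *overflow_input = "7 1 2 3 4 5 8048414 8048563";
    /* Constructed input that fits: three values into int a[4]. */
    const char *ok_input = "3 a b c";

    printf("n=7 into int a[%d]: %s\n", BUF_LEN,
           count_for(overflow_input) < 0 ? "rejected" : "accepted");
    printf("n=3 into int a[%d]: %d values read, a[2] = %x\n", BUF_LEN,
           count_for(ok_input), value_for(ok_input, 2));
    return 0;
}
```

The important line is the comparison of n against cap before the loop: once the count is bounded, the loop index can never reach the saved frame pointer or return address that sit above the array, which is the write the question relies on. Rejecting a short input (fewer values than n) is a secondary check so the caller never treats unset entries as data.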

Answer


A buffer overflow attack is a lot more complex than this. First of all, you need to understand assembler in order to perform this. After you disassemble the program and the function you want to target, you need to determine the stack layout when it's executing that function. Here's a sample of a buffer overflow; it's using Visual Studio, but the principle is the same.

#include "stdafx.h"
#include <math.h>

volatile double test;

double function3()
{
    test++;
    return exp(test);
}

double function2()
{
    return log(test);
}

double function1()
{
    int a[5] = {0};
    a[7] = (int)&function3;   // deliberate out-of-bounds write past a[5]
    return exp(function2());
}

int _tmain(int argc, _TCHAR* argv[])
{
    double a = function1();
    test = a;
    return (int)a;
}


Thanks to the disassembly we know that a in function1 is allocated before where the function saved the stack frame pointer. The value after that one is the return address where function1 should go to when it is finished.

00401090 55               push        ebp    <- we save the stack pointer
00401091 8B EC            mov         ebp,esp 
00401093 83 EC 1C         sub         esp,1Ch <- save space to allocate a[5]
00401096 B8 CC CC CC CC   mov         eax,0CCCCCCCCh 
0040109B 89 45 E4         mov         dword ptr [ebp-1Ch],eax  <- crt debug init a[5]  
0040109E 89 45 E8         mov         dword ptr [ebp-18h],eax 
004010A1 89 45 EC         mov         dword ptr [ebp-14h],eax 
004010A4 89 45 F0         mov         dword ptr [ebp-10h],eax 
004010A7 89 45 F4         mov         dword ptr [ebp-0Ch],eax 
004010AA 89 45 F8         mov         dword ptr [ebp-8],eax 
004010AD 89 45 FC         mov         dword ptr [ebp-4],eax 


From this we can conclude that if we overwrite a[7] with a different address, the function will return not to main but to whatever address we wrote in a[7].

Hope this helps.
