Buffer overflow in C


Problem description

I'm attempting to write a simple buffer overflow using C on Mac OS X 10.6 64-bit. Here's the concept:

#include <stdio.h>

/* The original snippet leaves `offset` undefined; the asker later reports
 * that an offset of 88 works on their machine, so that value is used here
 * to make the snippet compile. */
#define offset 88

void function() {
    char buffer[64];
    buffer[offset] += 7;    // i'm not sure how large offset needs to be, or if
                            // 7 is correct.
}

int main() {

    int x = 0;
    function();
    x += 1;
    printf("%d\n", x);      // the idea is to modify the return address so that
                            // the x += 1 expression is not executed and 0 gets
                            // printed

    return 0;
}

Here's part of main's assembler dump:

...
0x0000000100000ebe <main+30>:   callq  0x100000e30 <function>
0x0000000100000ec3 <main+35>:   movl   $0x1,-0x8(%rbp)
0x0000000100000eca <main+42>:   mov    -0x8(%rbp),%esi
0x0000000100000ecd <main+45>:   xor    %al,%al
0x0000000100000ecf <main+47>:   lea    0x56(%rip),%rdi        # 0x100000f2c
0x0000000100000ed6 <main+54>:   callq  0x100000ef4 <dyld_stub_printf>
...

I want to jump over the movl instruction, which would mean I'd need to increment the return address by 42 - 35 = 7 (correct?). Now I need to know where the return address is stored so I can calculate the correct offset.

I have tried searching for the correct value manually, but either 1 gets printed or I get abort trap – is there maybe some kind of buffer overflow protection going on?

Using an offset of 88 works on my machine. I used Nemo's approach of finding out the return address.

Recommended answer

This 32-bit example illustrates how you can figure it out, see below for 64-bit:

#include <stdio.h>

/* 32-bit x86 build (e.g. -m32) with the frame pointer kept in %ebp,
 * so that 4(%ebp) is the slot holding the saved return address. */
void function() {
    char buffer[64];
    char *p;
    asm("lea 4(%%ebp),%0" : "=r" (p));  // loads address of return address
    printf("%d\n", (int)(p - buffer));  // computes offset (ptrdiff_t cast for %d)
    buffer[p - buffer] += 9;            // 9 from disassembling main
}

int main() {
    volatile int x = 7;
    function();
    x++;
    printf("x = %d\n", x); // prints 7, not 8
}

On my system the offset is 76. That's the 64 bytes of the buffer (remember, the stack grows down, so the start of the buffer is far from the return address) plus whatever other detritus is in between.

Obviously if you are attacking an existing program you can't expect it to compute the answer for you, but I think this illustrates the principle.

(Also, we are lucky that +9 does not carry out into another byte. Otherwise the single byte increment would not set the return address how we expected. This example may break if you get unlucky with the return address within main)

I overlooked the 64-bitness of the original question somehow. The equivalent for x86-64 is 8(%rbp) because pointers are 8 bytes long. In that case my test build happens to produce an offset of 104. In the code above substitute 8(%%rbp) using the double %% to get a single % in the output assembly. This is described in this ABI document. Search for 8(%rbp).

There is a complaint in the comments that 4(%ebp) is just as magic as 76 or any other arbitrary number. In fact the meaning of the register %ebp (also called the "frame pointer") and its relationship to the location of the return address on the stack is standardized. One illustration I quickly Googled is here. That article uses the terminology "base pointer". If you wanted to exploit buffer overflows on other architectures it would require similarly detailed knowledge of the calling conventions of that CPU.
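The carry caveat in the answer above (a single-byte increment only changes one byte of the saved return address, so it silently produces the wrong address once the low byte wraps past 0xff) can be modelled without touching a real stack. This is an added example, not code from the question or the answer; the sample addresses are constructed (0x100000ec3 is the return address visible in the question's disassembly, 0x1000000fd is a hypothetical "unlucky" one).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Store a saved return address the way an x86/x86-64 stack holds it:
 * little-endian, least significant byte at the lowest address. */
static void store_le(uint8_t out[8], uint64_t v) {
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)(v >> (8 * i));
}

static uint64_t load_le(const uint8_t in[8]) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)in[i] << (8 * i);
    return v;
}

/* Model "buffer[offset] += delta" landing on byte `byte_index` of the saved
 * return address: only that byte changes, with 8-bit wraparound, no carry. */
uint64_t apply_byte_increment(uint64_t ret, size_t byte_index, uint8_t delta) {
    uint8_t slot[8];
    store_le(slot, ret);
    slot[byte_index] = (uint8_t)(slot[byte_index] + delta);  /* wraps mod 256 */
    return load_le(slot);
}

/* True when incrementing the lowest byte equals a real addition,
 * i.e. the low byte does not overflow past 0xff. */
bool low_byte_increment_is_faithful(uint64_t ret, uint8_t delta) {
    return ((ret & 0xffu) + delta) <= 0xffu;
}

int main(void) {
    /* Constructed samples: the question's return address (main+35) and an
     * unlucky one whose low byte is 0xfd, where +7 would need a carry. */
    uint64_t samples[] = { 0x100000ec3ULL, 0x1000000fdULL };
    for (size_t i = 0; i < 2; i++) {
        uint64_t r = samples[i];
        printf("ret 0x%llx + 7: wanted 0x%llx, byte increment gives 0x%llx (%s)\n",
               (unsigned long long)r, (unsigned long long)(r + 7),
               (unsigned long long)apply_byte_increment(r, 0, 7),
               low_byte_increment_is_faithful(r, 7) ? "ok" : "carry lost");
    }
    return 0;
}
```

The second sample lands at 0x100000004 instead of 0x100000104, which is the kind of wrong return address behind the "abort trap" the asker saw when guessing offsets.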

