CSAPP-LAB3-Attack

00 Prerequisite

Heard the old professor say in class:

	But to be a good person you also have to know what the bad people do, so part of it is to become more effective as a force for good.

Part 1: Code injection

The Attack lab attacks two C programs, ctarget and rtarget. The first 3 phases target ctarget and the last 2 target rtarget: Code injection and Return-oriented programming, respectively.

ctarget

void test()
{
    int val;
    val = getbuf();
    printf("No exploit. Getbuf returned 0x%x\n", val);
}

getbuf actually simulates the C library function gets; functions of this kind are prone to buffer overruns.

unsigned getbuf()
{
    char buf[BUFFER_SIZE];
    Gets(buf);
    return 1;
}

Debugging ctarget with GDB

Run the command:

(gdb) disas test
Dump of assembler code for function test:
   0x0000000000401968 <+0>:	sub    $0x8,%rsp // allocate the stack frame
   0x000000000040196c <+4>:	mov    $0x0,%eax
   0x0000000000401971 <+9>:	callq  0x4017a8 <getbuf>
   0x0000000000401976 <+14>:	mov    %eax,%edx // return value -> %edx
       // set up the call to printf
   0x0000000000401978 <+16>:	mov    $0x403188,%esi // 0x403188 -> %esi
   0x000000000040197d <+21>:	mov    $0x1,%edi // load %rdi, ready to call printf
   0x0000000000401982 <+26>:	mov    $0x0,%eax
   0x0000000000401987 <+31>:	callq  0x400df0 <__printf_chk@plt>
   0x000000000040198c <+36>:	add    $0x8,%rsp
   0x0000000000401990 <+40>:	retq

Checking the address 0x403188 shows that it holds the format string printf prints:

(gdb) x/s 0x403188
0x403188:	"No exploit.  Getbuf returned 0x%x\n"

Run the command:

(gdb) disas getbuf
Dump of assembler code for function getbuf:
   0x00000000004017a8 <+0>:	sub    $0x28,%rsp // 分配 40bytes的栈帧
   0x00000000004017ac <+4>:	mov    %rsp,%rdi
   0x00000000004017af <+7>:	callq  0x401a40 <Gets>
   0x00000000004017b4 <+12>:	mov    $0x1,%eax
   0x00000000004017b9 <+17>:	add    $0x28,%rsp
   0x00000000004017bd <+21>:	retq   
End of assembler dump.
(gdb) disas Gets
Dump of assembler code for function Gets:
   0x0000000000401a40 <+0>:	push   %r12
   0x0000000000401a42 <+2>:	push   %rbp
   0x0000000000401a43 <+3>:	push   %rbx
   0x0000000000401a44 <+4>:	mov    %rdi,%r12
   0x0000000000401a47 <+7>:	movl   $0x0,0x2036b3(%rip)        # 0x605104 <gets_cnt>
   0x0000000000401a51 <+17>:	mov    %rdi,%rbx
   0x0000000000401a54 <+20>:	jmp    0x401a67 <Gets+39>
   0x0000000000401a56 <+22>:	lea    0x1(%rbx),%rbp
   0x0000000000401a5a <+26>:	mov    %al,(%rbx)
   0x0000000000401a5c <+28>:	movzbl %al,%edi
   0x0000000000401a5f <+31>:	callq  0x4019a0 <save_char>
   0x0000000000401a64 <+36>:	mov    %rbp,%rbx
   0x0000000000401a67 <+39>:	mov    0x202a62(%rip),%rdi        # 0x6044d0 <infile>
   0x0000000000401a6e <+46>:	callq  0x400dc0 <_IO_getc@plt>
   0x0000000000401a73 <+51>:	cmp    $0xffffffff,%eax
   0x0000000000401a76 <+54>:	je     0x401a7d <Gets+61>
   0x0000000000401a78 <+56>:	cm
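The disassembly shows why the overrun happens: getbuf reserves only 0x28 bytes, while Gets keeps storing bytes until getc returns EOF or a newline, with no bound. As an added example (not code from this post or from the lab), the same read loop rewritten with a bound, plus a small estimate of how far an unbounded line would run past getbuf's frame. The names gets_bounded and gets_overrun_bytes are mine, and a plain string stands in for the input file.

```c
#include <stdio.h>
#include <string.h>

/* Bytes getbuf() reserves on the stack for buf (sub $0x28,%rsp above). */
#define GETBUF_FRAME 0x28

typedef struct {
    size_t stored;     /* bytes copied into buf, not counting the NUL */
    size_t discarded;  /* bytes of the line dropped because buf was full */
} gets_result;

/* Bounded replacement for the lab's Gets(). `src` stands in for the input
 * file: '\0' plays the role of EOF, so the loop ends on EOF or '\n' exactly
 * as the Gets disassembly does. At most size-1 bytes are stored, the result
 * is always NUL-terminated, and the rest of the line is drained so a later
 * read cannot pick up the leftover bytes. */
gets_result gets_bounded(char *buf, size_t size, const char *src)
{
    gets_result r = {0, 0};
    if (size == 0) return r;
    for (; *src != '\0' && *src != '\n'; src++) {
        if (r.stored + 1 < size) buf[r.stored++] = *src;
        else r.discarded++;
    }
    buf[r.stored] = '\0';
    return r;
}

/* Impact estimate for the original unbounded Gets(): for a line of
 * input_len bytes, how many bytes land beyond a frame_size-byte buffer.
 * Assumes Gets NUL-terminates like gets(). 0 means the write stays inside
 * getbuf's frame; anything larger reaches the saved return address. */
size_t gets_overrun_bytes(size_t input_len, size_t frame_size)
{
    size_t written = input_len + 1;  /* the line plus its terminating NUL */
    return written > frame_size ? written - frame_size : 0;
}

int main(void)
{
    char line[64], buf[GETBUF_FRAME];
    memset(line, 'A', 48);  /* constructed 48-byte line, longer than the frame */
    line[48] = '\n'; line[49] = '\0';
    gets_result r = gets_bounded(buf, sizeof buf, line);
    printf("bounded read: stored %zu bytes, discarded %zu\n", r.stored, r.discarded);
    printf("unbounded Gets would write %zu bytes past the frame\n",
           gets_overrun_bytes(48, GETBUF_FRAME));
    return 0;
}
```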