00 Prerequisite
As the old professor said in lecture:
But to be a good person you also have to know what the bad people do, so part of it is to become more effective as a force for good.
Part 1: Code injection
The Attack Lab is about attacking two C programs, ctarget and rtarget. The first three phases target ctarget and the last two target rtarget; they cover code injection and return-oriented programming respectively.
The test function in ctarget:
void test()
{
    int val;
    val = getbuf();   /* reads input into a fixed-size stack buffer */
    printf("No exploit. Getbuf returned 0x%x\n", val);
}
getbuf emulates the C library function gets; functions of this kind read input without any length limit and are therefore prone to buffer overruns.
unsigned getbuf()
{
    char buf[BUFFER_SIZE];   /* BUFFER_SIZE is 40 in this build, see the disassembly below */
    Gets(buf);               /* no bound: writes as many bytes as the input line contains */
    return 1;
}
Debug ctarget with GDB and run:
(gdb) disas test
Dump of assembler code for function test:
0x0000000000401968 <+0>: sub $0x8,%rsp // allocate an 8-byte stack frame
0x000000000040196c <+4>: mov $0x0,%eax
0x0000000000401971 <+9>: callq 0x4017a8 <getbuf> // pushes 0x401976 as the return address
0x0000000000401976 <+14>: mov %eax,%edx // getbuf's return value -> %edx (third argument to __printf_chk)
// set up the call __printf_chk(1, format, val)
0x0000000000401978 <+16>: mov $0x403188,%esi // address of the format string -> %esi (second argument)
0x000000000040197d <+21>: mov $0x1,%edi // flag 1 -> %edi (first argument)
0x0000000000401982 <+26>: mov $0x0,%eax // no vector registers are used for the variadic call
0x0000000000401987 <+31>: callq 0x400df0 <__printf_chk@plt>
0x000000000040198c <+36>: add $0x8,%rsp
0x0000000000401990 <+40>: retq
Checking the address 0x403188 confirms it is the format string that printf prints:
(gdb) x/s 0x403188
0x403188: "No exploit. Getbuf returned 0x%x\n"
Next run:
(gdb) disas getbuf
Dump of assembler code for function getbuf:
0x00000000004017a8 <+0>: sub $0x28,%rsp // allocate a 40-byte (0x28) frame; buf starts at %rsp
0x00000000004017ac <+4>: mov %rsp,%rdi // pass buf as the first argument to Gets
0x00000000004017af <+7>: callq 0x401a40 <Gets>
0x00000000004017b4 <+12>: mov $0x1,%eax // return value 1
0x00000000004017b9 <+17>: add $0x28,%rsp
0x00000000004017bd <+21>: retq // pops whatever is at %rsp+0x28 into %rip
End of assembler dump.
getbuf saves no registers, so the return address that test's callq pushed (0x401976) sits directly above the buffer at %rsp+0x28. The first 40 input bytes fill buf, bytes 41 to 48 overwrite the return address, and Gets never checks the length. That is the whole attack surface the ctarget phases build on.
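The frame layout above is easiest to see in code. The following is an added example, not part of the lab or of this write-up: it emulates getbuf's 40-byte buffer with the saved return address right behind it, copies a line into it once with Gets-style unbounded semantics and once with an fgets-style bound, and shows which one lets the input replace the return address. The saved return address 0x401976 comes from the disassembly above; the target address 0x4011c0 and all function names here are hypothetical and chosen only for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Emulated getbuf frame. After "sub $0x28,%rsp" the buffer starts at %rsp and
 * the return address pushed by test()'s callq sits at %rsp+0x28, so
 * bytes[0..39] play the role of buf and bytes[40..47] the saved return address. */
#define BUF_SIZE   40
#define FRAME_SIZE (BUF_SIZE + 8)

struct frame {
    uint8_t bytes[FRAME_SIZE];
};

/* Set up a frame with a given saved return address (little-endian, as on x86-64). */
static void frame_init(struct frame *f, uint64_t ret_addr) {
    memset(f->bytes, 0, sizeof f->bytes);
    for (int i = 0; i < 8; i++)
        f->bytes[BUF_SIZE + i] = (uint8_t)(ret_addr >> (8 * i));
}

/* Read back the saved return address the way retq would see it. */
static uint64_t frame_ret(const struct frame *f) {
    uint64_t r = 0;
    for (int i = 0; i < 8; i++)
        r |= (uint64_t)f->bytes[BUF_SIZE + i] << (8 * i);
    return r;
}

/* Gets-style copy: stores every input byte until '\n' or end of input and has
 * no idea how large the destination is. The n < FRAME_SIZE clamp only keeps this
 * demo inside the emulated frame; the real Gets has no such check at all.
 * Returns the number of bytes stored. */
static size_t gets_unbounded(struct frame *f, const uint8_t *in, size_t in_len) {
    size_t n = 0;
    while (n < in_len && in[n] != '\n' && n < FRAME_SIZE) {
        f->bytes[n] = in[n];
        n++;
    }
    if (n < FRAME_SIZE)
        f->bytes[n] = '\0';      /* Gets writes the terminator after the loop */
    return n;
}

/* fgets-style copy: never stores more than size-1 bytes plus the terminator,
 * so the return address above a size-byte buffer cannot be reached. */
static size_t gets_bounded(struct frame *f, size_t size, const uint8_t *in, size_t in_len) {
    size_t n = 0;
    if (size > FRAME_SIZE)       /* keep the emulation inside the frame */
        size = FRAME_SIZE;
    while (n < in_len && n + 1 < size && in[n] != '\n') {
        f->bytes[n] = in[n];
        n++;
    }
    f->bytes[n] = '\0';
    return n;
}

/* Attack string layout for this frame: BUF_SIZE filler bytes, then the address
 * to return to, little-endian. Returns the payload length (48 bytes). */
static size_t build_payload(uint8_t *out, uint64_t target) {
    memset(out, 'A', BUF_SIZE);
    for (int i = 0; i < 8; i++)
        out[BUF_SIZE + i] = (uint8_t)(target >> (8 * i));
    return BUF_SIZE + 8;
}

int main(void) {
    const uint64_t saved_ret = 0x401976ULL;   /* from the disassembly of test */
    const uint64_t target    = 0x4011c0ULL;   /* hypothetical, for illustration only */
    uint8_t payload[FRAME_SIZE];
    size_t len = build_payload(payload, target);
    struct frame f;

    frame_init(&f, saved_ret);
    gets_unbounded(&f, payload, len);
    printf("Gets-style:  retq would jump to 0x%llx\n", (unsigned long long)frame_ret(&f));

    frame_init(&f, saved_ret);
    gets_bounded(&f, BUF_SIZE, payload, len);
    printf("fgets-style: retq would jump to 0x%llx\n", (unsigned long long)frame_ret(&f));
    return 0;
}
```

With the unbounded copy the 48-byte line lands exactly on the return address and retq would jump to the chosen target; with the bounded copy only 39 bytes plus a terminator are stored and the return address is untouched. The same 40-then-8 layout is what a real ctarget attack string has to follow.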
disas Gets
Dump of assembler code for function Gets:
0x0000000000401a40 <+0>: push %r12 // save callee-saved registers
0x0000000000401a42 <+2>: push %rbp
0x0000000000401a43 <+3>: push %rbx
0x0000000000401a44 <+4>: mov %rdi,%r12 // %r12 = start of the destination buffer
0x0000000000401a47 <+7>: movl $0x0,0x2036b3(%rip) # 0x605104 <gets_cnt> // gets_cnt = 0
0x0000000000401a51 <+17>: mov %rdi,%rbx // %rbx = current write pointer
0x0000000000401a54 <+20>: jmp 0x401a67 <Gets+39> // read the first character
0x0000000000401a56 <+22>: lea 0x1(%rbx),%rbp // %rbp = next write position
0x0000000000401a5a <+26>: mov %al,(%rbx) // store the byte; no check against the buffer size
0x0000000000401a5c <+28>: movzbl %al,%edi
0x0000000000401a5f <+31>: callq 0x4019a0 <save_char> // save_char(c)
0x0000000000401a64 <+36>: mov %rbp,%rbx // advance the write pointer
0x0000000000401a67 <+39>: mov 0x202a62(%rip),%rdi # 0x6044d0 <infile>
0x0000000000401a6e <+46>: callq 0x400dc0 <_IO_getc@plt> // c = getc(infile)
0x0000000000401a73 <+51>: cmp $0xffffffff,%eax // c == EOF?
0x0000000000401a76 <+54>: je 0x401a7d <Gets+61> // yes: leave the loop
0x0000000000401a78 <+56>: cm