Source code for both programs is at the end of the post.

So, I've been working through Hacking: The Art Of Exploitation, and so far so good. I managed to control EIP in the vulnerable program notesearch.c.
```
gdb-peda$ run $(perl -e 'print "a"x112 . "bbbb"')
Starting program: /root/hacking/booksrc/notesearch $(perl -e 'print "a"x112 . "bbbb"')
[DEBUG] found a 5 byte note for user id 0
[DEBUG] found a 7 byte note for user id 0
-------[ end of note data ]-------

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xbffff300 ('a' <repeats 36 times>, ...)
EDX: 0x0
ESI: 0x2
EDI: 0xb7fb5000 --> 0x1b3db0
EBP: 0x0
ESP: 0xbffff300 ('a' <repeats 36 times>, ...)
EIP: 0x61616161 ('aaaa')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x61616161
[------------------------------------stack-------------------------------------]
0000| 0xbffff300 ('a' <repeats 36 times>, ...)
0004| 0xbffff304 ('a' <repeats 32 times>, ...)
0008| 0xbffff308 ('a' <repeats 28 times>, ...)
0012| 0xbffff30c ('a' <repeats 24 times>, ...)
0016| 0xbffff310 ('a' <repeats 20 times>, ...)
0020| 0xbffff314 ('a' <repeats 16 times>, ...)
0024| 0xbffff318 ('a' <repeats 12 times>, ...)
0028| 0xbffff31c ("aaaaaaaa"...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x61616161 in ?? ()
gdb-peda$
```
However, once I write my own very simple buggy code and try to control EIP, this is what happens:

```
gdb-peda$ run
Starting program: /root/vulnerable
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbbbb

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0x41414141 ('AAAA')
EDX: 0xb7fb687c --> 0x0
ESI: 0x1
EDI: 0xb7fb5000 --> 0x1b3db0
EBP: 0x41414141 ('AAAA')
ESP: 0x4141413d ('=AAA')
EIP: 0x804841d (<main+50>: ret)
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048416 <main+43>: mov    ecx,DWORD PTR [ebp-0x4]
   0x8048419 <main+46>: leave
   0x804841a <main+47>: lea    esp,[ecx-0x4]
=> 0x804841d <main+50>: ret
   0x804841e:           xchg   ax,ax
   0x8048420 <__libc_csu_init>:   push   ebp
   0x8048421 <__libc_csu_init+1>: push   edi
   0x8048422 <__libc_csu_init+2>: push   esi
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x4141413d
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0804841d in main ()
gdb-peda$ p/x $eip
$1 = 0x804841d
gdb-peda$
```

I get nothing. Shouldn't ESP remain unchanged (since it isn't stored on the stack) and EIP get overwritten?
You can find notesearch.c @ link. Below is my "exploitable" program.

Needless to say, I have ASLR disabled and the programs are compiled with the -fno-stack-protector and -zexecstack flags. If you need more information, leave a comment.
```c
#include <stdio.h>

int main(){
    char *buffer[64];   /* 64 pointers: 256 bytes on a 32-bit build */
    gets(buffer);       /* unbounded read: input longer than the buffer overruns the frame */
    return 0;
}
```