I use Termux.
I am learning buffer overflows. The attack string I built in gdb with
run <<< $(printf "")
succeeded, but using
printf "" |
in the shell failed.
The detailed process is as follows:
Target program source code:
#include <stdio.h>
void re_in(void)
{
    char arr[10];           /* 10-byte stack buffer */
    scanf("%s", arr);       /* no length limit: longer input overflows arr */
    // gets(arr);
    printf("%s\n", arr);
}
void main()
{
    re_in();
}
Compile:
u0_a238@localhost ~/storage/external-1/hk # gcc -mprefer-vector-width=2 -g overflow.c -o ~/temp/overflow
overflow.c:11:1: warning: return type of 'main' is not 'int' [-Wmain-return-type]
11 | void main()
| ^
overflow.c:11:1: note: change return type to 'int'
11 | void main()
| ^~~~
| int
1 warning generated.
u0_a238@localhost ~/storage/external-1/hk #
Confirm the boundary:
✘ u0_a238@localhost /storage/sdcard1/Android/data/com.termux/files/hk # ~/temp/overflow
aaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaa
✘ u0_a238@localhost /storage/sdcard1/Android/data/com.termux/files/hk # ~/temp/overflow
aaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaa
[1] 29989 segmentation fault ~/temp/overflow
✘ u0_a238@localhost /storage/sdcard1/Android/data/com.termux/files/hk #
Look up the address of the re_in function to use for the overwrite:
u0_a238@localhost ~/storage/external-1/hk # gdb ~/temp/overflow
GNU gdb (GDB) 15.2
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "aarch64-linux-android".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /data/data/com.termux/files/home/temp/overflow...
(gdb) disas main
Dump of assembler code for function main:
0x000000000000487c <+0>: stp x29, x30, [sp, #-16]!
0x0000000000004880 <+4>: mov x29, sp
0x0000000000004884 <+8>: bl 0x4840 <re_in>
0x0000000000004888 <+12>: ldp x29, x30, [sp], #16
0x000000000000488c <+16>: ret
End of assembler dump.
(gdb)
Launch the attack:
(gdb) run <<< $(printf "aaaaaaaaaaaaaaaaaa\x84\x98\x55\x55\x55")
Starting program: /data/data/com.termux/files/home/temp/overflow <<< $(printf "aaaaaaaaaaaaaaaaaa\x84\x98\x55\x55\x55")
warning: Unable to determine the number of hardware watchpoints available.
warning: Unable to determine the number of hardware breakpoints available.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/data/data/com.termux/files/usr/lib/libthread_db.so".
aaaaaaaaaaaaaaaaaa��UUU
aaaaaaaaaaaaaaaaaa��UUU
[Inferior 1 (process 31179) exited with code 030]
(gdb)
Success.
Try it in bash:
✘ u0_a238@localhost /storage/sdcard1/Android/data/com.termux/files/hk # printf "aaaaaaaaaaaaaaaaaa\x84\x98\x55\x55\x55" | ~/temp/overflow
aaaaaaaaaaaaaaaaaa��UUU
[1] 1192 done printf "aaaaaaaaaaaaaaaaaa\x84\x98\x55\x55\x55" |
1193 segmentation fault ~/temp/overflow
✘ u0_a238@localhost /storage/sdcard1/Android/data/com.termux/files/hk #
It failed.
Why?
Is there any difference between gdb's "<<<" and the shell's "|"? Or is it something else?
gdb's here-string redirection (<<<) is actually borrowed from Bash. (The GDB manual doesn't specifically mention the redirection operator, but it does say "you can redirect your program's input and/or output using shell redirection with the run command.") The Bash manual says this about it:

    The word undergoes tilde expansion, parameter and variable expansion, command substitution, arithmetic expansion, and quote removal. Filename expansion and word splitting are not performed. The result is supplied as a single string, with a newline appended, to the command on its standard input [...].

Even if the data you supply is not affected by any of these expansions or word splitting (or if gdb doesn't perform them), redirecting with <<< differs from piping the input, because the former appends a newline. However, command substitution ($()) removes any trailing newlines, so as long as the data doesn't already end with a newline, you can make the two behave the same by adding a newline to the printf data: printf '...\n'.

Alternatively, I don't really see why you're redirecting differently in the two cases. At least as long as your shell is Bash, you should be able to use the here-string version both inside and outside gdb.
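The here-string versus pipe difference described in the answer, checked with a small script (an added example, not part of the original question or answer): it counts the bytes a program would receive on stdin for each feeding method, using the constructed string 'abc' as a stand-in for any input, since only the trailing newline matters here.

```shell
# Added example: bytes delivered on stdin by each feeding method.
# 'abc' is a constructed stand-in for whatever data is being fed.
# printf '%b' interprets backslash escapes in the argument, like the
# escapes in the question's printf format strings.

# Method 1, what the shell does with gdb's "run <<< $(printf ...)":
# $(...) strips every trailing newline, then <<< appends exactly one.
bytes_via_herestring() {
    bash -c 'wc -c <<< "$(printf "%b" "$1")"' _ "$1" | tr -d ' '
}

# Method 2, "printf ... | prog": bytes arrive exactly as printf emitted them.
bytes_via_pipe() {
    printf '%b' "$1" | wc -c | tr -d ' '
}

# Dump the bytes each method delivers so the difference is visible.
show_bytes() {
    printf 'here-string <<< $(printf %s):\n' "'$1'"
    bash -c 'od -An -c <<< "$(printf "%b" "$1")"' _ "$1"
    printf 'pipe printf %s |:\n' "'$1'"
    printf '%b' "$1" | od -An -c
}

# True when both methods hand the program the same number of bytes.
# This is the answer's point: it holds once the piped data ends in \n.
same_bytes() {
    [ "$(bytes_via_herestring "$1")" = "$(bytes_via_pipe "$1")" ]
}

show_bytes 'abc'
for s in 'abc' 'abc\n'; do
    if same_bytes "$s"; then
        printf '%s: same byte count\n' "$s"
    else
        printf '%s: byte counts differ\n' "$s"
    fi
done
```

Data that already ends in several newlines is also shown to collapse to a single one on the here-string side, because $() strips all trailing newlines before <<< appends its own.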