Category: C/C++
2007-09-12 04:32:26
EXPLOIT: buffer overflow
Below is an example of a buffer overflow that causes a coredump: we feed vul a string of length 20. From the analysis above, this string overflows Foo's 16-byte buffer by 20-16=4 bytes (strictly 5, because strcpy also copies the terminating '\x00' byte), and those bytes overwrite the saved stack-frame base address (EBP) of main that Foo keeps just above buf:
shanghai =>vul AAAAAAAAAAAAAAAAAAAA
The input String is AAAAAAAAAAAAAAAAAAAA
Segmentation Fault(coredump)
The overflow results in a segmentation fault and a coredump; the program is terminated by the system. Let's look at the resulting core file with gdb. vul still carries the source program's symbols, which helps the analysis.
shanghai =>gdb vul core
GNU gdb 5.2
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-pc-solaris2.8"...
Core was generated by `vul AAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Loaded symbols for /usr/lib/libc.so.1
Loaded symbols for /usr/lib/libdl.so.1
#0 0x08050900 in init_dummy ()
/*
Look at the register contents at the time of the coredump:
*/
(gdb) i reg
eax 0x29 41
ecx 0x0 0
edx 0xe10e62e0 -519150880
ebx 0xdfbfb000 -541085696
esp 0x8047c00 0x8047c00
ebp 0x41414141 0x41414141
esi 0x8047bfc 134511612
edi 0x8047cc0 134511808
eip 0x8050900 0x8050900
eflags 0x10202 66050
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x0 0
fctrl 0x137f 4991
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
---Type <return> to continue, or q <return> to quit---
Quit
(gdb) x/20x $ebp
0x41414141: Cannot access memory at address 0x41414141
(gdb) q
shanghai =>
shanghai =>
Register EBP holds 0x41414141, the ASCII code of the input characters "AAAA": when Foo returned, the value that had overflowed into Foo's saved-EBP slot was restored into EBP as if it were the base address of main's stack frame. Memory at 0x41414141 is not mapped, so the next access through EBP causes the segmentation fault. Note also where the fault happened: EIP is 0x08050900, inside init_dummy, not in main. Foo's breakpoint sits at 0x0805090a and main's at 0x08050956, so a return address into main would have the form 0x080509xx; the terminating '\x00' of the 21-byte copy lands on the byte right after the saved EBP, and a zeroed low byte of the return address is consistent with execution being diverted to 0x08050900. That overwritten slot is exactly what an exploit controls by supplying a chosen address in place of "AAAA".
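The following is an added example and not code from the original post: it models Foo's stack frame as an ordinary struct, replays the strcpy on it to show which bytes land in the saved-EBP and return-address slots, and puts a bounded copy next to it as the fix. The 32-bit x86 layout (buf[16], then a 4-byte saved EBP, then a 4-byte return address, little-endian), the values 0x08047c28 for the saved EBP and 0x08050971 for the return address into main, and the function names are all assumptions made here; the real stack is never touched, so this is safe to run anywhere.

```c
/* Added example, not from the original post.  Assumed (not taken from the
 * post): 32-bit x86 frame layout buf[16] -> saved EBP -> return address,
 * little-endian byte order, and the made-up values 0x08047c28 (saved EBP)
 * and 0x08050971 (return address into main).  The "frame" is a struct, so
 * running this never corrupts the real stack. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Model of Foo's frame: buf sits directly below the saved frame pointer
 * and the return address, which is what the crash analysed above relies on. */
struct foo_frame {
    char buf[BUF_SIZE];
    unsigned char saved_ebp[4]; /* main's EBP, pushed by Foo's prologue */
    unsigned char ret[4];       /* address in main that Foo returns to */
};

/* Little-endian 32-bit load/store, so the byte-level effect is explicit. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void le32_store(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

/* Bytes that strcpy(buf, s) writes past a buf_size-byte buffer; the count
 * includes the terminating NUL that strcpy always copies. */
size_t overflow_bytes(const char *s, size_t buf_size)
{
    size_t needed = strlen(s) + 1;
    return needed > buf_size ? needed - buf_size : 0;
}

/* Replay strcpy(buf, s) on the model frame and report what the saved-EBP
 * and return-address slots hold afterwards.  Returns -1 if the input is
 * longer than the whole model (a real strcpy would just keep writing). */
int run_model(const char *s, uint32_t *ebp_out, uint32_t *ret_out)
{
    struct foo_frame f;
    size_t n = strlen(s) + 1;

    memset(&f, 0, sizeof f);
    le32_store(f.saved_ebp, 0x08047c28u); /* made-up saved EBP */
    le32_store(f.ret, 0x08050971u);       /* made-up return address */
    if (n > sizeof f)
        return -1;
    /* buf is at offset 0, so the struct is the same destination strcpy
     * would use; unlike strcpy this copy stops at the end of the struct. */
    memcpy(&f, s, n);
    *ebp_out = le32(f.saved_ebp);
    *ret_out = le32(f.ret);
    return 0;
}

/* Hardened Foo: a bounded copy that always NUL-terminates.
 * Returns 1 if s was truncated to fit, 0 otherwise. */
int safe_foo(char *buf, size_t buf_size, const char *s)
{
    size_t len = strlen(s);
    int truncated = len >= buf_size;
    size_t n = truncated ? buf_size - 1 : len;

    memcpy(buf, s, n);
    buf[n] = '\0';
    return truncated;
}

int main(void)
{
    const char *input = "AAAAAAAAAAAAAAAAAAAA"; /* the 20 'A's from the post */
    uint32_t ebp, ret;
    char buf[BUF_SIZE];
    int truncated;

    printf("bytes written past buf: %zu\n", overflow_bytes(input, BUF_SIZE));
    if (run_model(input, &ebp, &ret) == 0)
        printf("saved ebp = 0x%08x, return address = 0x%08x\n",
               (unsigned)ebp, (unsigned)ret);
    truncated = safe_foo(buf, sizeof buf, input);
    printf("safe_foo: truncated=%d buf=\"%s\"\n", truncated, buf);
    return 0;
}
```

With the 20-character input the model reports 5 bytes past buf, a saved EBP of 0x41414141 and a return address of 0x08050900: the four 'A's fill the EBP slot and the copied NUL clears the low byte of the return address, matching the EBP and EIP values in the core dump above. safe_foo keeps the first 15 characters and reports the truncation instead of writing past the buffer.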
Now let's give vul the same 20 characters, but this time debug vul under gdb:
shanghai =>gdb vul
GNU gdb 5.2
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General
Public License, and you are
welcome to change it and/or distribute copies of it
under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show
warranty" for details.
This GDB was configured as "i386-pc-solaris2.8"...
(gdb) b main
Breakpoint 1 at 0x8050956: file vul.c, line 12.
(gdb) b Foo
Breakpoint 2 at 0x805090a: file vul.c, line 5.
(gdb) r AAAAAAAAAAAAAAAAAAAA
Starting program: /export/home/moda/buf_of/vul AAAAAAAAAAAAAAAAAAAA
Breakpoint 1, main (argc=2, argv=0x8047c0c) at vul.c:12
12 if(argc == 2)
(gdb) c
Continuing.
Breakpoint 2, Foo (s=0x8047d21 'A' <repeats 20 times>) at vul.c:5
5 char buf[16]="";
(gdb) s
6 strcpy(buf, s);
(gdb) s
7 printf("The input String is %s\n", buf);
(gdb) s
The input String is AAAAAAAAAAAAAAAAAAAA
8 }
(gdb) x/20x 0x41414141
0x41414141: Cannot access memory at address 0x41414141
(gdb)
(remainder omitted...)