-
-
[求助]在实践栈溢出时用gdb调试时覆盖了函数的返回地址,却依然执行到了main函数的最后
-
发表于: 2018-5-20 23:16
-
在实践看雪精华18中的Linux Exploit开发实践第一节时,实验现象一直与预期不符,想不透为什么,希望有人能帮我看下问题出在哪个地方。
操作系统:ubuntu16.04
gcc版本:gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
gdb版本:GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
aslr已经关闭:
neko@ubuntu:~/pwn$ cat /proc/sys/kernel/randomize_va_space 0
源代码crackme.c:
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[]) {
char buf[4]; //方便起见,改小buf长度
strcpy(buf,argv[1]);
printf("Input:%s\n",buf);
return 0;
}
编译:
neko@ubuntu:~/pwn$ gcc -g -m32 -fno-stack-protector -z execstack -o crackme crackme.c
使用gdb调试:
gdb-peda$ r aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Starting program: /home/neko/pwn/crackme aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Input:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0x61616161 ('aaaa')
EDX: 0xf7fb8870 --> 0x0
ESI: 0xf7fb7000 --> 0x1afdb0
EDI: 0xf7fb7000 --> 0x1afdb0
EBP: 0x61616161 ('aaaa')
ESP: 0x6161615d (']aaa')
EIP: 0x8048486 (<main+75>: ret)
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x804847f <main+68>: mov ecx,DWORD PTR [ebp-0x4]
0x8048482 <main+71>: leave
0x8048483 <main+72>: lea esp,[ecx-0x4]
=> 0x8048486 <main+75>: ret
0x8048487: xchg ax,ax
0x8048489: xchg ax,ax
0x804848b: xchg ax,ax
0x804848d: xchg ax,ax
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x6161615d
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x08048486 in main (
argc=<error reading variable: Cannot access memory at address 0x61616161>,
argv=<error reading variable: Cannot access memory at address 0x61616165>)
at crackme.c:8
8 }
gdb-peda$ p/x $eip
$1 = 0x8048486
此处我输入了足够多的'a',应该覆盖了strcpy的返回地址,可程序却一直执行到了=> 0x8048486 <main+75>: ret
按理说strcpy执行完后,返回地址应该被覆盖为0x61616161,然后跳转到0x61616161执行,接着报错.
就应该像文章记录的效果:
$ gdb -q vuln Reading symbols from /home/sploitfun/lsploits/new/csof/vuln...done. (gdb) r `python -c 'print "A"*268 + "B"*4'` Starting program: /home/sploitfun/lsploits/new/csof/vuln `python -c 'print "A"*268 + "B"*4'` Input:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB Program received signal SIGSEGV, Segmentation fault. 0x42424242 in ?? () (gdb) p/x $eip $1 = 0x42424242 (gdb)
而我的实验结果只有
Program received signal SIGSEGV, Segmentation fault.
没有类似像
0x42424242 in ?? ()
这样的报错。
这是为什么???????希望有人能给我讲讲,刚入门,可能是个很蠢的错误,但我真的没看出来。
-----------------------------分割线
-----------------------------
二楼解释的很清楚,感谢.此外没有类似像0x42424242 in ?? ()这样的报错,是因为使用了>5.0版本的gcc,换成gcc 4.8版本的即可
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2018-5-22 20:00
被勿喋编辑
,原因:
