*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
FUNCTION
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
// Ghidra listing of vulnerable(): 32-bit x86, PIC (EBX holds the
// GOT base). Body: puts(DAT_080485b8); gets(local_18); puts(local_18).
// local_18 lives at [EBP - 0x14]; the saved EBX is at [EBP - 0x4]
// (local_8), so at most 0x10 bytes separate the buffer from the saved
// registers and return address above it.
undefined vulnerable()
    undefined         AL:1            <RETURN>
    undefined4        Stack[-0x8]:4   local_8    XREF[1]: 080484f8(R)
    undefined1        Stack[-0x18]:1  local_18   XREF[2]: 080484dc(*), 080484eb(*)
vulnerable                                       XREF[4]: Entry Point(*), main:08048518(c), 080485f0, 080486a8(*)
080484b5 55          PUSH  EBP
080484b6 89 e5       MOV   EBP,ESP
080484b8 53          PUSH  EBX
080484b9 83 ec 14    SUB   ESP,0x14              // buffer size (EBP to ESP: 0x14)
                                                 // NOTE(review): 0x14 is the SUB immediate; after PUSH EBX the
                                                 // frame is 0x18 below EBP, and local_18 at [EBP-0x14] leaves
                                                 // 0x10 bytes before the saved EBX slot at [EBP-0x4].
080484bc e8 ff fe    CALL  __x86.get_pc_thunk.bx undefined __x86.get_pc_thunk.bx()   // PIC: EBX = EIP (0x080484c1)
         ff ff
080484c1 81 c3 3f    ADD   EBX,0x1b3f            // EBX = 0x080484c1 + 0x1b3f = 0x0804a000 (GOT base)
         1b 00 00
080484c7 83 ec 0c    SUB   ESP,0xc               // stack alignment before the 1-arg call
080484ca 8d 83 b8    LEA   EAX,[EBX + 0xffffe5b8]=>DAT_080485b8   = E8h   // 0x0804a000 - 0x1a48 = 0x080485b8
         e5 ff ff
080484d0 50          PUSH  EAX=>DAT_080485b8     = E8h
080484d1 e8 5a fe    CALL  <EXTERNAL>::puts      int puts(char * __s)   // prints the constant at DAT_080485b8
         ff ff
080484d6 83 c4 10    ADD   ESP,0x10
080484d9 83 ec 0c    SUB   ESP,0xc
080484dc 8d 45 ec    LEA   EAX=>local_18,[EBP + -0x14]   // &local_18, the stack buffer
080484df 50          PUSH  EAX
080484e0 e8 3b fe    CALL  <EXTERNAL>::gets      char * gets(char * __s)
         ff ff
                                                 // ⚠️ dangerous function: gets() reads until newline with no
                                                 // length bound, so input longer than local_18 overwrites the
                                                 // rest of the frame (stack-based buffer overflow, CWE-121).
                                                 // Fix at source: fgets(buf, sizeof buf, stdin); build with
                                                 // -fstack-protector so a clobbered frame is detected.
080484e5 83 c4 10    ADD   ESP,0x10
080484e8 83 ec 0c    SUB   ESP,0xc
080484eb 8d 45 ec    LEA   EAX=>local_18,[EBP + -0x14]   // echo the buffer back
080484ee 50          PUSH  EAX
080484ef e8 3c fe    CALL  <EXTERNAL>::puts      int puts(char * __s)
         ff ff
080484f4 83 c4 10    ADD   ESP,0x10
080484f7 90          NOP
080484f8 8b 5d fc    MOV   EBX,dword ptr [EBP + local_8]   // restore saved EBX from [EBP-0x4]
080484fb c9          LEAVE                       // ESP = EBP; POP EBP
080484fc c3          RET