C buffer overflow test program not running as expected
Tags: c, macos, buffer-overflow, strcpy

I wrote the following program to teach myself about buffer overflows and memory registers:
    #include <stdio.h>
    #include <string.h>   /* strcpy() */

    int main(int argc, char *argv[])
    {
        char name[400];
        strcpy(name, argv[1]);   /* no length check: argv[1] longer than 399 bytes overruns name */
        printf("Hello %s!\n", name);
        return 0;
    }
The problems started when I tried to get it to execute actual shellcode. I first tried to find the offset using pattern_create.rb (included in the Metasploit framework). However, instead of a segmentation fault, I got EXC_BAD_ACCESS:
(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6
Starting program: /Users/me/Downloads/bof Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6
Reading symbols for shared libraries +.............................. done
Hello Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6!
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x0000000100000f0d in main ()
(gdb)
I am running OS X 10.8.5.
Does anyone have any ideas?
[Edit]
When I run it with a bunch of NOPs I get the following output, which is different but still not what I expected:
(gdb) run `python -c 'print "0x90"*108'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /Users/me/Downloads/bof `python -c 'print "0x90"*108'`
Hello 0x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x900x90!
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x00007fff8539d700 in tlv_load_notification ()
(gdb)
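The question's first step is the one pattern_create.rb / pattern_offset.rb automate: feed a cyclic string whose every 4- or 8-byte window is unique, read the register value at the crash, and map it back to a position in the string. The block below is an added example, not part of the original post or of Metasploit; it re-implements the pattern and the lookup in C. It assumes a little-endian target (x86-64, as on the OP's machine) so the register value printed by the debugger is converted back into memory byte order, and the 500-byte length used in the wrapper is an arbitrary choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest pattern with unique 4-byte windows: 26 upper * 26 lower * 10 digits * 3 bytes. */
#define PATTERN_MAX (26 * 26 * 10 * 3)

/* Fill `out` with the cyclic pattern Aa0Aa1Aa2...Aa9Ab0Ab1... that
 * pattern_create.rb emits, truncated to `len` bytes. Returns the number
 * of bytes written; `out` must have room for len + 1 (trailing NUL). */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                char trip[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    out[n] = '\0';
    return n;
}

/* What pattern_offset.rb does: take the register value the debugger showed
 * after the crash, turn it back into the little-endian bytes that were in
 * memory, and find where those bytes sit in the pattern. `width` is 8 for a
 * 64-bit register, 4 for a 32-bit one. Returns the offset, or -1 when the
 * value did not come from the pattern at all (e.g. the 0x0 in the question,
 * which tells you the pattern never reached the register you hoped for). */
long pattern_offset(const char *pattern, size_t plen, uint64_t value, int width)
{
    unsigned char needle[8];
    if (width != 4 && width != 8)
        return -1;
    for (int i = 0; i < width; i++)
        needle[i] = (unsigned char)(value >> (8 * i));   /* little-endian byte i */
    for (size_t i = 0; i + (size_t)width <= plen; i++)
        if (memcmp(pattern + i, needle, (size_t)width) == 0)
            return (long)i;
    return -1;
}

/* Convenience wrapper: build a pattern of `plen` bytes and look `value` up in it. */
long find_offset_in_pattern(size_t plen, uint64_t value, int width)
{
    char buf[PATTERN_MAX + 1];
    if (plen > PATTERN_MAX)
        plen = PATTERN_MAX;
    size_t n = pattern_create(buf, plen);
    return pattern_offset(buf, n, value, width);
}

int main(int argc, char *argv[])
{
    /* ./cyclic 500                      -> print a 500-byte pattern
     * ./cyclic 500 0x356e41346e41336e   -> print the offset of that 64-bit register value */
    size_t len = argc > 1 ? (size_t)strtoul(argv[1], NULL, 0) : 500;
    if (len > PATTERN_MAX)
        len = PATTERN_MAX;
    if (argc > 2) {
        uint64_t reg = strtoull(argv[2], NULL, 0);
        printf("%ld\n", find_offset_in_pattern(len, reg, 8));
        return 0;
    }
    char buf[PATTERN_MAX + 1];
    pattern_create(buf, len);
    puts(buf);
    return 0;
}
```

With the pattern above, the 8 bytes starting at offset 400 are "n3An4An5", which a little-endian 64-bit register displays as 0x356e41346e41336e; looking that value up returns 400. A crash address of 0x0, as in the question, is not found in the pattern at all, which is the signal that the overflow did not overwrite the register being inspected.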
As argv[1] gets longer, the OP is experiencing various kinds of undefined behavior (UB). Once argv[1] has 400 or more characters, strcpy(name, argv[1]) starts copying data into various unowned parts of memory.

The OP got a seg fault with an input string of length 432, but since it is UB, that could change tomorrow on another machine with different data. The OP does not explain how that data was set up. I assume argv[1] was set via the OP's development environment.

The OP ran it in a shell and got a different result, "EXC_BAD_ACCESS". Since it is UB, anything can happen. Given the buffer overflow, this kind of error is certainly the expected type of UB.

The OP says: "The problems started when I tried to get it to execute actual shellcode." I would assert that the problem occurred when the program executed strcpy(name, TooMuchData).
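The answer's point is that strcpy() has no idea how large name is, so anything of 400 bytes or more (399 characters plus the terminating NUL is the real limit) is undefined behavior. The block below is an added example, not code from the question or the answer: it keeps the unchecked copy from the question as the "before" picture and puts a bounded copy next to it that refuses, rather than truncates, input that does not fit. NAME_SIZE mirrors the question's 400-byte buffer; the try_input_of_length() helper and its 'q' filler are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 400   /* same buffer size as the program in the question */

/* The pattern from the question: strcpy() trusts the caller about length.
 * Kept only as the "before" picture; anything longer than 399 bytes walks
 * past the end of dst. */
void copy_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded replacement. Returns 0 on success and -1 (dst untouched) when
 * src plus its terminating NUL does not fit in dstsz bytes. memchr() only
 * examines the first dstsz bytes of src, so even an unterminated src is
 * safe to probe. Note that strncpy() would not be a fix here: it silently
 * drops the NUL when src is too long, leaving printf("%s") to read past dst. */
int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;                          /* too long: refuse, do not truncate */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Demonstration helper: build an input of `input_len` 'q' characters (the
 * same kind of filler the OP used) and try to copy it into a NAME_SIZE buffer.
 * Returns the result of copy_name_checked(). */
int try_input_of_length(size_t input_len)
{
    static char input[8192];
    char name[NAME_SIZE];
    if (input_len >= sizeof input)
        input_len = sizeof input - 1;
    memset(input, 'q', input_len);
    input[input_len] = '\0';
    return copy_name_checked(name, sizeof name, input);
}

int main(int argc, char *argv[])
{
    char name[NAME_SIZE];
    const char *arg = argc > 1 ? argv[1] : "world";
    if (copy_name_checked(name, sizeof name, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", NAME_SIZE - 1);
        return 1;
    }
    printf("Hello %s!\n", name);
    return 0;
}
```

The boundary is at 399 characters: 399 plus the NUL is exactly 400 bytes and is accepted, 400 characters is rejected, and the OP's 432-character input is rejected without ever touching name.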
Did you turn off the protections?

If you mean compiling with -fno-stack-protector, yes. The command I used is: gcc bof.c -fno-stack-protector -mpreferred-stack-boundary=4 -o bof

This might help. Thanks, I think I learned something from reading it, but what I am actually trying to do is overwrite rip so that it points to some executable code that runs. ./bof2 `python -c 'print "\x90"*433'` gives the same output as running ./bof2 `python -c 'print "q"*433'`. It is: $ ./bof2 `python -c 'print "q"*433'` 68 Segmentation fault: 11. I don't understand why it gives me the same error regardless of whether or not I give it a valid opcode.

Global and main() memory may not be where you think it is. If you want the overflow data to land on the classic stack, try putting strcpy() in a function rather than in main. Of course, you can also dump the executable and analyze the code there.
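The last comment's advice, moving the vulnerable copy out of main() into an ordinary function, is about stack layout: where the local buffer sits relative to the saved return address. The block below is an added example, not from the comment or the question; it measures that distance in a non-main function with address arithmetic only, so nothing is overwritten and it is safe to run. It assumes an x86-64 or arm64 build with frame pointers, where __builtin_frame_address(0) yields the address of the saved caller frame pointer and the return address is stored one pointer-width above it; LOCAL_BUF is an arbitrary buffer size chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LOCAL_BUF 64

/* Measure, inside an ordinary (non-main) function, the distance in bytes from
 * the start of a local buffer to the slot holding this function's saved
 * return address. On x86-64 and arm64 with frame pointers, the frame pointer
 * points at the saved caller frame pointer and the return address is stored
 * one pointer-width above it. Only address arithmetic is performed. */
__attribute__((noinline)) size_t bytes_from_buf_to_saved_ret(void)
{
    volatile char buf[LOCAL_BUF];                    /* the would-be victim */
    buf[0] = 'A';                                    /* keep it on the stack */
    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    uintptr_t ret_slot = frame + sizeof(void *);     /* saved return address */
    return (size_t)(ret_slot - (uintptr_t)&buf[0]);
}

/* Bytes between the end of buf and the return-address slot: the saved frame
 * pointer, a stack canary if -fstack-protector is on, and any alignment
 * padding. An overflow has to cover LOCAL_BUF plus this many bytes before
 * it touches the return address, which is why "buffer size" alone is not
 * the offset and why a pattern lookup (or this measurement) is needed. */
size_t padding_after_buf(void)
{
    return bytes_from_buf_to_saved_ret() - LOCAL_BUF;
}

int main(void)
{
    size_t d = bytes_from_buf_to_saved_ret();
    printf("buf[0] -> saved return address: %zu bytes "
           "(%zu of buffer, %zu of saved fp/canary/padding)\n",
           d, (size_t)LOCAL_BUF, d - LOCAL_BUF);
    return 0;
}
```

Compile it once with -fno-stack-protector and once without and compare the padding figure; the canary shows up as extra bytes between the buffer and the return address. The same measurement taken in main() is less informative, since the startup code and the compiler's realignment of main's frame are exactly the "memory may not be where you think" effect the comment warns about.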