[Fun] Buffer overflow attack lab
There is one thing I don't understand: how do you work out the size of the buffer? Is it the value of ebp - esp inside getbuf?
[code]
(gdb) disas getbuf
Dump of assembler code for function getbuf:
0x080484b0 <getbuf+0>:  push %ebp
0x080484b1 <getbuf+1>:  mov %esp,%ebp
0x080484b3 <getbuf+3>:  lea 0xffffffe8(%ebp),%eax
0x080484b6 <getbuf+6>:  sub $0x28,%esp
0x080484b9 <getbuf+9>:  mov %eax,(%esp)
0x080484bc <getbuf+12>: call 0x8048420 <getxs>
0x080484c1 <getbuf+17>: mov %ebp,%esp
0x080484c3 <getbuf+19>: mov $0x1,%eax
0x080484c8 <getbuf+24>: pop %ebp
0x080484c9 <getbuf+25>: ret
0x080484ca <getbuf+26>: lea 0x0(%esi),%esi
End of assembler dump.
(gdb) b *0x080484bc
Breakpoint 2 at 0x80484bc
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/pigjj/prog/c/atack/a.out
Breakpoint 2, 0x080484bc in getbuf ()
(gdb) i reg
eax            0xbfffefd0       -1073745968
ecx            0x40148080       1075085440
edx            0x10     16
ebx            0x4014e620       1075111456
esp            0xbfffefc0       0xbfffefc0
ebp            0xbfffefe8       0xbfffefe8
esi            0x400164a0       1073833120
edi            0xbffffa04       -1073743356
eip            0x80484bc        0x80484bc
eflags         0x286    646
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
[/code]
From the above you can see that the stack frame of getbuf is 0x28, i.e. 40 bytes. Yet my program already gets a segmentation fault when I input 23 bytes:
[code]
(gdb) run
Starting program: /home/pigjj/prog/c/atack/a.out
Type Hex string:01 02 03 04 05 06 07 08 09 10 11 12 13 14 05 16 17 18 19 2021 22 23
getbuf returned 0x1
Program exited normally.
(gdb) run
Starting program: /home/pigjj/prog/c/atack/a.out
Type Hex string:01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 2021 22 23 24
getbuf returned 0x1
Program received signal SIGSEGV, Segmentation fault.
0x00000400 in ?? ()
(gdb)
[/code]
I'd like to ask everyone: how do you determine the size of the buffer? Thanks :)
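The frame size and the buffer size are two different numbers, and both can be read off the prologue in the post: `sub $0x28,%esp` reserves the 40-byte frame, while `lea 0xffffffe8(%ebp),%eax` passes getxs a pointer to ebp-24, so the buffer is the 24 bytes just below the saved ebp (the other 16 bytes are the outgoing argument slot written by `mov %eax,(%esp)` plus alignment padding). The following script is an added example, not code from the post or the lab; it parses those two instructions from the disassembly and assumes, as with gets(), that getxs appends a NUL terminator after the input bytes, which is what makes a 24-byte input corrupt the saved ebp and explains the crash after getbuf itself returned normally.

```python
import re

# Prologue of getbuf, copied from the gdb disassembly in the post above.
GETBUF_DISAS = """\
0x080484b0 <getbuf+0>:  push %ebp
0x080484b1 <getbuf+1>:  mov %esp,%ebp
0x080484b3 <getbuf+3>:  lea 0xffffffe8(%ebp),%eax
0x080484b6 <getbuf+6>:  sub $0x28,%esp
0x080484b9 <getbuf+9>:  mov %eax,(%esp)
0x080484bc <getbuf+12>: call 0x8048420 <getxs>
"""

def to_signed32(value: int) -> int:
    """Interpret a 32-bit displacement such as 0xffffffe8 as a signed int (-24)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def frame_layout(disas: str) -> dict:
    """Read the frame size and the buffer position out of the prologue."""
    m_lea = re.search(r"lea\s+(0x[0-9a-f]+)\(%ebp\),%eax", disas)
    m_sub = re.search(r"sub\s+\$(0x[0-9a-f]+),%esp", disas)
    if not (m_lea and m_sub):
        raise ValueError("getbuf prologue pattern not found")
    buf_offset = to_signed32(int(m_lea.group(1), 16))  # buffer starts at ebp-24
    frame_size = int(m_sub.group(1), 16)                # ebp - esp = 0x28 = 40
    return {
        "frame_size": frame_size,
        "buffer_offset": buf_offset,
        "buffer_bytes": -buf_offset,          # bytes between buffer start and saved ebp
        "arg_and_padding": frame_size + buf_offset,  # 40 - 24 = 16 bytes below the buffer
    }

def clobbered_by(n_input_bytes: int, layout: dict, terminator: int = 1) -> str:
    """Report which frame slot the last written byte lands in.

    Assumption: getxs writes n input bytes followed by one NUL terminator,
    so the 25th byte written overwrites the low byte of the saved ebp.
    """
    end = n_input_bytes + terminator
    if end <= layout["buffer_bytes"]:
        return "buffer"
    if end <= layout["buffer_bytes"] + 4:
        return "saved ebp"
    return "beyond saved ebp"
```

With the post's two inputs this reports "buffer" for 23 bytes and "saved ebp" for 24 bytes: getbuf still returns 0x1 because it restores esp from ebp and pops the (now corrupted) saved ebp, and the caller then crashes when it uses that register.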