Source:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *file[2] = {"Superman.txt", "Batman.txt"};
char email[128];

/* Reads the first word of filename into a 40-byte heap buffer and prints it. */
char *cat_file(char *filename)
{
    FILE *fp;
    char *content = (char *)malloc(40);
    memset(content, 0, 40);
    fp = fopen(filename, "rb");
    fscanf(fp, "%40s", content);   /* width 40 into a 40-byte buffer: no room for the NUL */
    fclose(fp);
    printf("The content is:%s\n", content);
    return content;
}

int main()
{
    int i = 0;
    char *temp = NULL;
    char *file_content = NULL;
    char buf[140];
    while (i < 2)
    {
        temp = file[i];
        file_content = cat_file(temp);
        printf("What's this?\nguess:");
        scanf("%s", buf);              /* unbounded read into buf[140]: the overflow used in this lab */
        if (strcmp(buf, file_content))
        {
            puts("Bad luck!");
            continue;
        }
        i++;
        puts("Hey you is so smart!");
    }
    puts("congratulatinons! You guessed everything! ");
    printf("Input you Email");
    scanf("%s", email);                /* unbounded read into email[128] */
    puts("Thank you so much! I'll send you a gift,bye! ");
    return 0;
}
Lab Catalogue:
Requirements of the experiment:
Construct input data that overflows the buffer so that the program reads out the contents of flag.txt.
Experimental process:
The main idea of the experiment is to write a string into buf that is longer than the buffer, so that the overflow overwrites the return address of main with the address of cat_file; when main returns, execution jumps into cat_file, which prints flag.txt.
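For comparison, here is a hardened rewrite of the program above. It is an added example for this page, not the lab's own code: every read is bounded by the size of its destination buffer (fgets with sizeof for buf and email, a "%39s" width for the 40-byte heap buffer instead of "%40s"), an overlong line is consumed and rejected instead of spilling into i and the saved return address, and the fopen result is checked. The helper names read_line and read_word are my own and not part of the lab.

```c
/* Hardened rewrite of the lab program (added example, not the original lab code).
 * Every read is bounded by its destination buffer, so input can no longer
 * reach the loop counter i or the saved return address of main. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUESS_LEN 140    /* same buffer sizes as the original program */
#define EMAIL_LEN 128
#define CONTENT_LEN 40

/* Read one line from in into dst (capacity cap), dropping the trailing newline.
 * Returns the number of bytes stored, -1 on EOF before any data, or -2 when the
 * line did not fit: the rest of the line is consumed and discarded so it can
 * never be interpreted as the next answer. */
int read_line(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';
        return (int)n;
    }
    /* No newline stored: the line either ended at EOF, ended exactly at the
     * buffer limit, or was too long. */
    int c = getc(in);
    if (c == EOF || c == '\n')
        return (int)n;
    while (c != '\n' && c != EOF)
        c = getc(in);
    dst[0] = '\0';
    return -2;
}

/* Read the first whitespace-delimited word of fp into out (capacity cap).
 * The fscanf width is cap-1 so the terminating NUL always fits; the lab's
 * "%40s" into a 40-byte buffer leaves no room for it. Returns the word length
 * or -1 if nothing could be read. */
int read_word(FILE *fp, char *out, size_t cap)
{
    char fmt[16];
    if (cap < 2)
        return -1;
    snprintf(fmt, sizeof fmt, "%%%zus", cap - 1);   /* e.g. "%39s" */
    out[0] = '\0';
    if (fscanf(fp, fmt, out) != 1)
        return -1;
    return (int)strlen(out);
}

/* Same role as the lab's cat_file, but checks fopen and bounds the read.
 * Returns NULL on failure; the caller frees the result. */
char *cat_file(const char *filename)
{
    FILE *fp = fopen(filename, "rb");
    if (fp == NULL)
        return NULL;
    char *content = calloc(CONTENT_LEN, 1);
    if (content != NULL && read_word(fp, content, CONTENT_LEN) < 0) {
        free(content);
        content = NULL;
    }
    fclose(fp);
    return content;
}

int main(void)
{
    const char *files[2] = {"Superman.txt", "Batman.txt"};
    char buf[GUESS_LEN];
    char email[EMAIL_LEN];
    int i = 0;
    while (i < 2) {
        char *file_content = cat_file(files[i]);
        if (file_content == NULL) {
            fprintf(stderr, "cannot read %s\n", files[i]);
            return 1;
        }
        printf("What's this?\nguess: ");
        int r = read_line(buf, sizeof buf, stdin);
        if (r == -1) {                  /* EOF: nothing more to compare */
            free(file_content);
            return 1;
        }
        if (r == -2 || strcmp(buf, file_content) != 0) {
            puts("Bad luck!");          /* overlong or wrong: same answer for both */
            free(file_content);
            continue;
        }
        free(file_content);
        i++;
        puts("Hey, you are so smart!");
    }
    puts("Congratulations! You guessed everything!");
    printf("Input your email: ");
    if (read_line(email, sizeof email, stdin) < 0)
        return 1;
    puts("Thank you so much! I'll send you a gift, bye!");
    return 0;
}
```

The important design choice is that an overlong guess is treated as a wrong guess rather than truncated and compared: truncation would leave the unread tail of the line in stdin, where the next scanf-style read would pick it up as the following answer.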
Experimental steps
1. Analyzing the stack of functions
Debug the Exc.exc file with GDB.
View the assembly code of the main function and set breakpoints.
We set breakpoints at 0x08048661 and 0x0804866c to examine the overall structure of the stack, which should look like this:
Since the program compares the input in buf with file_content on every iteration and keeps looping until they match, the input would otherwise stay in an endless loop. So the main work of the buffer overflow is to overwrite the value of i so the loop exits, then overwrite the return address of main and supply the argument to cat_file.
To overwrite i, we first derive the address of the variable i through analysis: 0xbffff36c
The return address of the main function: 0xbffff378
The address of cat_file: 0x080485DD
Because cat_file takes a parameter, the argument has to be laid out in the payload the same way the code would push it. Looking at the assembly code, the address to pass is 0x0804a080.
With the relevant parameters determined, we construct the shellcode (payload).
The shellcode is as follows: 'A'*0x8c + l32(0x08048800) + 'A'*4 + l32(2) + 'A'*12 + l32(0x080485DD) + l32(0) + l32(0x0804a080)
Write the Python file as follows:
Run it to see the result:
The lesson of this experiment is that the ret and call instructions are not the same as in the buffer overflows done previously, and the parameters are pushed in a different way.
A call instruction is simply push + jmp.
And the ret instruction is not the same,
Linux security--construct data for buffer overflow