Linux security--construct data for buffer overflow

Source:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
Char *file[2] = {"Superman.txt", "Batman.txt"};
Char email[128];

char* Cat_file (char *filename) {
FILE *FP;
Char *content = (char *) malloc (40);
memset (content,0,40);
fp = fopen (FileName, "RB");
FSCANF (FP, "%40s", content);
Fclose (FP);
printf ("The content is:%s\n", content);
return content;
}

int main ()
{
int i = 0;
char *temp = NULL;
char *file_content = NULL;
Char buf[140];
while (I&LT;2)
{
temp = File[i];
File_content = Cat_file (temp);
printf ("What ' s this?\nguess:");
scanf ("%s", buf);
if (strcmp (buf,file_content))
{
Puts ("Bad luck!");
Continue
}
i++;
Puts ("Hey you is so smart!");
}
Puts ("congratulatinons! You guessed everything! ");
printf ("Input you Email");
scanf ("%s", email);
Puts ("Thank you so much! I'll send you a gift,bye! ");
return 0;
}

Lab Catalogue:

The requirements of the experiment:

Overflow by constructing data to read the contents of Flag.txt

Experimental process:

The main idea of the experiment is to add a string inside the BUF, generate a buffer overflow, and then cover the return address of the main function as Cat_file, and then implement the function jump to achieve the output flag.txt

Experimental steps

1. Analyzing the stack of functions

Debugging the Exc.exc file with GDB

View the assembly code for the main function, and set breakpoints where

We set breakpoints at 0x08048661 and 0x0804866c to debug the overall structure of the stack, so the structure of the stack should be like this

、

Since the program is always compared with the content_file at the time of input buf, if it is not the same, it will always fall into the dead loop, so our main work in buffer overflow is to override the value of I, then overwrite the return address of the main function and the input of the Cat_file parameter.

For overriding the value of I first we can derive the address of the variable i through Analysis: 0xbffff36c

The return address of the main function is: 0xbffff378

The address of the Cat_file is: 0X080485DD

Because the cat_file is parametric, the way we push the parameters is mainly through the code

To implement, look at the assembly code and you can see

Address is 0x0804a080

Basically the relevant parameters have been determined next we construct shellcode

Shellcode as follows: ' A ' *0x8c+l32 (0x08048800) + ' A ' *4+l32 (2) + ' A ' *12+l32 (0X080485DD) +l32 (0) +l32 (0x0804a080)

Write the Python file as follows:

To run the viewing effect:

The result of this experiment is that the return and call instructions are not the same as the buffer overflows that were previously done, and the parameters are pressed in different ways.
Call command as long as it's push+jmp.

And the return command is not the same,

Linux security--construct data for buffer overflow