Linux security--construct data for buffer overflow

Source: Internet
Author: User

Source code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *file[2] = {"Superman.txt", "Batman.txt"};
char email[128];

/* Reads the first whitespace-free token of a file into a 40-byte heap buffer.
   Note that "%40s" can store 40 characters plus the terminator (41 bytes);
   the lab binary was built from the code as shown, so that is left as is. */
char *Cat_file(char *filename)
{
    FILE *fp;
    char *content = (char *) malloc(40);
    memset(content, 0, 40);
    fp = fopen(filename, "rb");
    fscanf(fp, "%40s", content);
    fclose(fp);
    printf("The content is:%s\n", content);
    return content;
}

int main()
{
    int i = 0;
    char *temp = NULL;
    char *file_content = NULL;
    char buf[140];
    while (i < 2)
    {
        temp = file[i];
        file_content = Cat_file(temp);
        printf("What's this?\nguess:");
        scanf("%s", buf);       /* unbounded read into buf[140]: the overflow this lab exploits */
        if (strcmp(buf, file_content))
        {
            puts("Bad luck!");
            continue;
        }
        i++;
        puts("Hey you is so smart!");
    }
    puts("Congratulations! You guessed everything! ");
    printf("Input your email");
    scanf("%s", email);         /* also unbounded, into the 128-byte global */
    puts("Thank you so much! I'll send you a gift, bye! ");
    return 0;
}
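The two unbounded scanf("%s") reads above are what make the overflow possible: nothing tells scanf how large buf or email is. The following is an added example, not the lab's code, showing how the same program reads input without ever writing past its buffers; the helper names (read_token_bounded, cat_file_safe, check_overlong_guess) are ours, and check_overlong_guess uses a constructed over-long guess written to a temporary file to show that a 140-byte buffer stays intact.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for scanf("%s", dst): reads one whitespace-free token,
   never writes more than cap bytes (terminator included), discards the rest
   of an over-long token and reports that in *truncated.
   Returns the number of characters stored, or -1 on end of input. */
int read_token_bounded(char *dst, size_t cap, FILE *in, int *truncated)
{
    size_t n = 0;
    int c;
    *truncated = 0;
    if (cap == 0)
        return -1;
    while ((c = fgetc(in)) != EOF && isspace(c))   /* skip leading whitespace like %s does */
        ;
    if (c == EOF) {
        dst[0] = '\0';
        return -1;
    }
    while (c != EOF && !isspace(c)) {
        if (n + 1 < cap)
            dst[n++] = (char) c;
        else
            *truncated = 1;     /* drop the byte instead of writing past dst */
        c = fgetc(in);
    }
    dst[n] = '\0';
    return (int) n;
}

/* Same job as Cat_file, with the defects removed: fopen is checked, the buffer
   really has room for 40 characters plus the terminator, and the read is bounded.
   Returns NULL when the file cannot be opened or is empty. */
char *cat_file_safe(const char *filename)
{
    char *content = calloc(41, 1);
    FILE *fp;
    int truncated;
    if (content == NULL)
        return NULL;
    fp = fopen(filename, "rb");
    if (fp == NULL) {
        free(content);
        return NULL;
    }
    if (read_token_bounded(content, 41, fp, &truncated) < 0) {
        fclose(fp);
        free(content);
        return NULL;
    }
    fclose(fp);
    return content;
}

/* Feed a constructed guess of guess_len 'A's through the bounded reader into a
   140-byte buffer followed by a sentinel. Returns 1 when the stored length is
   right, truncation is flagged exactly when the guess did not fit, and the
   sentinel after the buffer is untouched. */
int check_overlong_guess(size_t guess_len)
{
    char frame[140 + 8];
    int truncated, len;
    size_t expected = guess_len < 140 ? guess_len : 139;
    FILE *f = tmpfile();
    if (f == NULL)
        return 0;
    memset(frame, 0, sizeof frame);
    memcpy(frame + 140, "CANARY!", 8);
    for (size_t i = 0; i < guess_len; i++)
        fputc('A', f);
    fputc('\n', f);
    rewind(f);
    len = read_token_bounded(frame, 140, f, &truncated);
    fclose(f);
    return len == (int) expected
        && truncated == (guess_len > 139)
        && memcmp(frame + 140, "CANARY!", 8) == 0;
}

int main(void)
{
    /* 0x8c + 32 bytes is longer than the lab payload's padding; buf survives it. */
    printf("short guess ok: %d\n", check_overlong_guess(5));
    printf("over-long guess ok: %d\n", check_overlong_guess(0x8c + 32));
    return 0;
}
```

With read_token_bounded in place of scanf("%s"), an over-long guess no longer reaches i, the saved return address or anything else above buf; the program can then decide what to do with a truncated guess (here it is simply treated as a wrong answer).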


Lab Catalogue:


The requirements of the experiment:

Construct overflow data that makes the program read out the contents of Flag.txt.


Experimental process:

The idea of the experiment is to feed an over-long string into buf so that it overflows, overwrite the return address of the main function with the address of Cat_file, and so redirect execution into Cat_file to print flag.txt.

Experimental steps

1. Analyzing the stack of functions

Debug the Exc.exc file with GDB:


View the assembly code of the main function and set breakpoints:


We set breakpoints at 0x08048661 and 0x0804866c to inspect the overall structure of the stack, which should look like this:

Since the program compares buf with file_content on every input and loops until they match, a wrong guess keeps it in an endless loop. So the overflow has to do three things: overwrite the value of i (to leave the loop), overwrite the return address of the main function, and supply the parameter of Cat_file.

To overwrite i, we first derive the address of the variable i from the analysis: 0xbffff36c

The return address of the main function is: 0xbffff378

The address of the Cat_file is: 0X080485DD


Because Cat_file takes a parameter, we also have to supply that parameter; how it is passed can be seen from the code


To implement this, look at the assembly code and you can see:


The address is 0x0804a080

With the relevant parameters determined, we next construct the payload (the original calls it shellcode, though it contains only padding and addresses):

Payload: 'A'*0x8c + l32(0x08048800) + 'A'*4 + l32(2) + 'A'*12 + l32(0X080485DD) + l32(0) + l32(0x0804a080)

Write the Python file as follows:


To run the viewing effect:


The lesson of this experiment is that the return and call instructions behave differently from the buffer overflows done before, and the parameters are passed in a different way.
A call instruction is essentially push + jmp.

The return instruction is different,


