0

我正在做这个练习: http ://exploit-exercises.com/protostar/stack5

 1#include <stdlib.h>
 2#include <unistd.h>
 3#include <stdio.h>
 4#include <string.h>
 5
 6int main(int argc, char **argv)
 7{
 8  char buffer[64];
 9
10  gets(buffer);
11}

我使用 gdb 来调试它:

(gdb) disassemble main
Dump of assembler code for function main:
0x080483c4 <main+0>:    push   %ebp
0x080483c5 <main+1>:    mov    %esp,%ebp
0x080483c7 <main+3>:    and    $0xfffffff0,%esp
0x080483ca <main+6>:    sub    $0x50,%esp
0x080483cd <main+9>:    lea    0x10(%esp),%eax
0x080483d1 <main+13>:   mov    %eax,(%esp)
0x080483d4 <main+16>:   call   0x80482e8 <gets@plt>
0x080483d9 <main+21>:   leave  
0x080483da <main+22>:   ret    

汇编程序转储结束。

(gdb) b main
Breakpoint 1 at 0x80483cd: file stack5/stack5.c, line 10.
(gdb) r
Starting program: /opt/protostar/bin/stack5 

Breakpoint 1, main (argc=1, argv=0xbffff874) at stack5/stack5.c:10
10  stack5/stack5.c: No such file or directory.
    in stack5/stack5.c
(gdb) i r
eax            0xbffff874   -1073743756
ecx            0x37ca089a   935987354
edx            0x1  1
ebx            0xb7fd7ff4   -1208123404
esp            0xbffff770   0xbffff770
ebp            0xbffff7c8   0xbffff7c8
esi            0x0  0
edi            0x0  0
eip            0x80483cd    0x80483cd <main+9>
eflags         0x200282 [ SF IF ID ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
(gdb) 

(gdb) x/x buffer
0xbffff7d8: 0xbffff87c

我发现缓冲区地址比$ebp大,它是一个局部变量,我看不懂。我认为它应该在$esp和$ebp之间。

(gdb) b *main+21
Breakpoint 2 at 0x80483d9: file stack5/stack5.c, line 11.

(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 2, main (argc=1, argv=0xbffff874) at stack5/stack5.c:11
11  in stack5/stack5.c
(gdb) x/40x $esp
0xbffff770: 0xbffff780  0xb7ec6165  0xbffff788  0xb7eada75
0xbffff780: 0x41414141  0x41414141  0x41414141  0x41414141
0xbffff790: 0x41414141  0x41414141  0x41414141  0x41414141
0xbffff7a0: 0x41414141  0x41414141  0x41414141  0x41414141
0xbffff7b0: 0x41414141  0x41414141  0x00414141  0xb7fd7ff4
0xbffff7c0: 0x080483f0  0x00000000  0xbffff848  0xb7eadc76
0xbffff7d0: 0x00000001  0xbffff874  0xbffff87c  0xb7fe1848
0xbffff7e0: 0xbffff830  0xffffffff  0xb7ffeff4  0x08048232
0xbffff7f0: 0x00000001  0xbffff830  0xb7ff0626  0xb7fffab0
0xbffff800: 0xb7fe1b28  0xb7fd7ff4  0x00000000  0x00000000
(gdb) 

从上面,我认为缓冲区地址是0xbffff780,不像gdb printf:

(gdb) x/x buffer
0xbffff7d8: 0xbffff87c

所以,我无法理解。怎么了?

4

1 回答 1

0

当程序在 main 处中断时,变量缓冲区中的值可能还没有被 avvalorated。尝试在 main+16 突破

于 2013-07-07T07:40:00.577 回答