I am trying to simulate a buffer overflow on my Mac, but even with -fno-stack-protector it still segfaults.
Below is the output I get.
Vulnerable function executed!
data:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
zsh: segmentation fault
I compile and run it with the following command.
gcc -o sql_slammer slammer.c -fno-stack-protector -D_FORTIFY_SOURCE=0 -Wl && ./sql_slammer
Here is my code for reference.
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 27

void malicious_function()
{
    printf("Malicious code executed!\n");
    // Insert your malicious code here
}

void vulnerable_function(char *data)
{
    char buffer[BUFFER_SIZE];
    printf("Vulnerable function executed!\n");
    printf("data:%s\n", data);
    sprintf(buffer, "%s", data); // Vulnerable sprintf() call

    // Create a function pointer and set it to the address of the malicious function
    void (*function_ptr)() = &malicious_function;

    // Overwrite the return address with the address of the malicious function
    // This assumes little-endian architecture where addresses are stored in reverse order
    memcpy(buffer + BUFFER_SIZE - sizeof(void *), &function_ptr, sizeof(void *));
}

int main()
{
    // 0x04 followed by 42 bytes of 0x41 ('A')
    char packet[] = "\x04"
        "\x41\x41\x41\x41\x41\x41\x41"
        "\x41\x41\x41\x41\x41\x41\x41"
        "\x41\x41\x41\x41\x41\x41\x41"
        "\x41\x41\x41\x41\x41\x41\x41"
        "\x41\x41\x41\x41\x41\x41\x41"
        "\x41\x41\x41\x41\x41\x41\x41";
    vulnerable_function(packet);
    return 0;
}
I read the other stackoverflow posts related to this and tried their solutions, but it did not work for me. I included compiler flags such as -O0 and -fno-stack-protector. I also tried running it on Windows.
You are storing the address of malicious_function() inside the legitimately allocated memory of buffer[]: memcpy(buffer + BUFFER_SIZE - sizeof(void *), ..., sizeof(void *));
That only causes a problem if later code expects a NUL-terminated string.
Instead, it is your sprintf() call that causes the destructive overwrite on the stack. When vulnerable_function() returns, it will probably try to return to address 0x41414141. I think that is what triggers your segmentation fault.
To exploit vulnerable_function(), you would have to feed it a very specially crafted evil string