我试图在我的Mac上模拟缓冲区溢出,但即使使用-fno-stack-protector,它仍然会出现分段错误。
下面是我得到的输出。
Vulnerable function executed!
data:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
zsh: segmentation fault
我使用以下命令编译并运行。
gcc -o sql_slammer slammer.c -fno-stack-protector -D_FORTIFY_SOURCE=0 -Wl && ./sql_slammer #include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 27
void malicious_function()
{
printf("Malicious code executed!\n");
// Insert your malicious code here
}
void vulnerable_function(char *data)
{
char buffer[BUFFER_SIZE];
printf("Vulnerable function executed!\n");
printf("data:%s\n", data);
sprintf(buffer, "%s", data); // Vulnerable sprintf() call
// Create a function pointer and set it to the address of the malicious function
void (*function_ptr)() = &malicious_function;
// Overwrite the return address with the address of the malicious function
// This assumes little-endian architecture where addresses are stored in reverse order
memcpy(buffer + BUFFER_SIZE - sizeof(void *), &function_ptr, sizeof(void *));
}
int main()
{
char packet[] = "\x04"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41"
"\x41";
vulnerable_function(packet);
return 0;
}
我阅读了与此相关的其他 stackoverflow 帖子并尝试了解决方案,但它对我不起作用。我包含了编译器标志,例如 -O0 和 -fno-stack-protector。我也尝试在 Windows 上运行它。
您将
malicious_function()memcpy(buffer + BUFFER_SIZE - sizeof(void *), ..., sizeof(void *));相反,您的
sprintf()vulnerable_function()要利用
vulnerable_function()