被溢出程序源码如下:
root@linux:~/pentest# cat vulnerable.c
#include <stdio.h>
#include <string.h>
void evilfunction(char *input) {
char buffer[1000];
strcpy(buffer, input);
}
int main(int argc, char **argv) {
evilfunction(argv[1]);
return 0;
}
编译,并用gdb反汇编代码如下:
root@linux:~/pentest# gcc -fno-stack-protector -z execstack -g -o vulnerable vulnerable.c
root@linux:~/pentest# gdb vulnerable
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/pentest/vulnerable...done.
(gdb) disass main
Dump of assembler code for function main:
0x080483e4 <+0>: push %ebp
0x080483e5 <+1>: mov %esp,%ebp
0x080483e7 <+3>: and {1}xfffffff0,%esp
0x080483ea <+6>: sub {1}x10,%esp
0x080483ed <+9>: mov 0xc(%ebp),%eax
0x080483f0 <+12>: add {1}x4,%eax
0x080483f3 <+15>: mov (%eax),%eax
0x080483f5 <+17>: mov %eax,(%esp)
0x080483f8 <+20>: call 0x80483c4 <evilfunction>
0x080483fd <+25>: mov {1}x0,%eax
0x08048402 <+30>: leave
0x08048403 <+31>: ret
End of assembler dump.
(gdb) disass evilfunction
Dump of assembler code for function evilfunction:
0x080483c4 <+0>: push %ebp
0x080483c5 <+1>: mov %esp,%ebp
0x080483c7 <+3>: sub {1}x408,%esp
0x080483cd <+9>: mov 0x8(%ebp),%eax
0x080483d0 <+12>: mov %eax,0x4(%esp)
0x080483d4 <+16>: lea -0x3f0(%ebp),%eax
0x080483da <+22>: mov %eax,(%esp)
0x080483dd <+25>: call 0x80482f4 <strcpy@plt>
0x080483e2 <+30>: leave
0x080483e3 <+31>: ret
End of assembler dump.
(gdb)