performing simple buffer overflow on Mac os 10.6

Submitted by 大憨熊 on 2019-12-03 16:24:36

#include <stdio.h>

int main(int argc, char **argv) {
    char buffer[4];       /* 4-byte stack buffer */
    puts("Hello");
    gets(buffer);         /* no length limit: input longer than the buffer overwrites the stack */
    return 0;
}

and call it as:

printf "0123456789abcdefghij\260\037" | ./a.out

\260\037 is the address of main (0x1fb0 here) in octal and in little-endian order.

You should see "Hello" printed two times before a bus error. The trick is to use a debugger (even gdb will do) to find both where you want to end up and where the return address is. It won't be the same as on Linux!

Mac OS X for i386 (most OSes for i386 in fact, including Linux and Windows), and especially <= Leopard, is not the most secure OS.

EDIT: just realized I was using clang as the compiler. So you will need to adapt it to gcc but I can tell you it works with little change :p.

Paolo Moretti

@joveha's answer is correct: with GCC you have to compile with the -fno-stack-protector flag to turn off the buffer overflow protections.

However, additionally you’ll need to disable the FORTIFY_SOURCE option, otherwise you’ll get “Abort trap” if you try to do a buffer overflow that uses something like strcpy or memcpy.

To disable it, simply compile with the flag -D_FORTIFY_SOURCE=0, for example:

gcc -g -fno-stack-protector -D_FORTIFY_SOURCE=0 -o overflow overflow.c

Source: Turning off buffer overflow protections in GCC.

Stack overflow?

The term stack overflow refers to the situation when the stack size attempts to grow beyond the maximum limit allowed by the current platform and/or configuration. What you are trying to do has no relation to stack overflow at all. If you want to see stack overflow, write an infinitely recursive function, execute it and just wait till it overflows:

void foo() {
  foo();
}

(Hoping that the compiler will not optimize the tail recursion into a cycle. If it does, make it a bit more complicated, non-tail recursive.)

What you seem to be trying to do is to reproduce the infamous buffer overflow exploit. While the buffer in question is supposed to be allocated in the stack, the exploit has never been referred to as "stack overflow". In order to actually demonstrate the exploit, it is not sufficient to just overrun the bounds of some buffer. The whole point is to plant a pre-determined value in the area of the stack originally occupied by the stored return address, so that when the function finishes, it "returns" to some other (presumably malicious) code instead of the original calling code.

So, what is it you are trying to do? Stack overflow? Or buffer overflow?

Your compiler on Mac OS has compiled in a stack canary, which gives you the abort trap. Search your compiler manual for how to disable it.

With GCC this option is -fno-stack-protector.

On a separate note, overflow with 1 byte will surely not be enough to trigger anything but a compiler stack check. Use something like 12 bytes :)
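The first answer's program and the stack-canary abort described in this answer both stem from the same defect: gets() takes no length argument, so any line of four or more characters runs past buffer[4] into the saved frame. The following is an added example, not code from any of the answers above: a bounded line reader that replaces gets(), keeps the question's 4-byte buffer, and reports over-long input instead of writing past the buffer. The names read_line_bounded, LINE_OK/LINE_TRUNCATED/LINE_EOF and the string_stream() test helper are my own choices, not part of the original program.

```c
#include <stdio.h>
#include <string.h>

#define LINE_OK         0   /* a whole line fit in the buffer         */
#define LINE_TRUNCATED  1   /* the line was longer than cap-1 bytes   */
#define LINE_EOF       -1   /* nothing left to read                   */

/* Read one line from fp into dst (capacity cap bytes). At most cap-1 bytes
 * are stored and dst is always NUL-terminated; a trailing newline is removed.
 * When the line does not fit, the rest of it is drained from fp so the next
 * call starts on the next line, and LINE_TRUNCATED is returned so the caller
 * can reject the input instead of using a silently clipped value. */
int read_line_bounded(char *dst, size_t cap, FILE *fp) {
    if (cap == 0) return LINE_EOF;
    if (fgets(dst, (int)cap, fp) == NULL) { dst[0] = '\0'; return LINE_EOF; }

    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[n - 1] = '\0'; return LINE_OK; }

    /* No newline stored: the buffer filled up (or EOF came first). Any byte
     * before the next newline/EOF is input that gets() would have written
     * past the end of the buffer. */
    int c, dropped = 0;
    while ((c = fgetc(fp)) != EOF && c != '\n') dropped = 1;
    return dropped ? LINE_TRUNCATED : LINE_OK;
}

/* Test helper (constructed input): expose a string as a readable FILE*
 * using only ISO C (tmpfile + rewind), so the reader can be exercised offline. */
FILE *string_stream(const char *s) {
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    fputs(s, fp);
    rewind(fp);
    return fp;
}

/* Stand-alone demo: the question's program with the bounded read applied.
 * Feeding it the 22-byte payload from the first answer now yields a clean
 * "input too long" exit instead of a corrupted return address. */
int main(void) {
    char buffer[4];
    puts("Hello");
    int rc = read_line_bounded(buffer, sizeof buffer, stdin);
    if (rc == LINE_TRUNCATED) { fputs("input too long, rejected\n", stderr); return 1; }
    if (rc == LINE_EOF) return 1;
    printf("got \"%s\"\n", buffer);
    return 0;
}
```

Note that with this reader the canary, -fno-stack-protector and _FORTIFY_SOURCE discussed above no longer matter for this program: the write never leaves the buffer, so there is nothing for the canary to catch.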
