问题
I have the following code to simulate buffer overflow.
Edit: I missed an important step in the code below. As the discussion progressed that the variable c is getting modified.
void function (int fd, int e)
{
int i = 0;
int n;
char c;
char s[44];
.
.
c = getchar(fd);
.
//Some check on c
s[i++] = c;
.
//Some more local variables and some operations on them.
}
I am trying to overflow the buffer by sending more input > 4 bytes in order to see how the local variables and EBP and RET and arguments get modified.
However when I debug in GDB to see the stack frame, this buffer gets overflowed and the overflowed data doesn't seem to be allocated contiguous memory locations.
Buffer base address: 0xbfff fdb3 Address of C : 0xbfff fddf Address of i: 0xbfff fde0
As you can see, my input string contains plenty of NOP's (\x90) then plenty of A's (\x41). In the GDB stack frame you can see that the 1st 4 byte of the buffer gets filled contiguously as expected then some part of the excess data also gets filled contiguously.
from (address: 0xbffffddc onwards till 0xbffffdfc)
But this is not the complete data. Then there is some other data in between and again my input string can be seen from address 0xbffffe1c to 0xbffffe2c.
SO the buffer although gets overflowed, the overflowed data is not stored in contiguous locations. How can I make the overflow data get stored at continuous locations ?
PS: On my Ubuntu machine, 32 bit system,
回答1:
When you declared your variables
int i = 0;
int n;
char c;
char s[4];
assuming the stack overflows "up" past c, you are relying upon an assumption which may not be true, i.e., that the variables are immediately adjacent on the stack. This may not be true because there may be a "stack guard" or "stack canary" between variables.
To read more about this, look for "stack guard" and "stack canaries":
- COEN 152 Computer Forensics: Buffer Overflow Attack
- StackGuard: Simple Stack Smash Protection for GCC
- Four different tricks to bypass StackShield and StackGuard protection
- Stack Overflows - Defeating Canaries, ASLR, DEP, NX
- Epilogues, Canaries, and Buffer Overflows
来源:https://stackoverflow.com/questions/33708568/overflowed-buffer-data-does-not-get-stored-contiguously