Difference between revisions of "LU-LSP-b13:L09"
Line 33: | Line 33: | ||
gets(s); |
gets(s); |
||
printf("%s\n", s); |
printf("%s\n", s); |
||
} |
|||
int main(void) { |
|||
f(); |
|||
return 0; |
|||
} |
|||
</pre> |
|||
Modificēts kods: |
|||
<pre> |
|||
#include <stdio.h> |
|||
#include <stdint.h> |
|||
#include <sys/types.h> |
|||
#include <sys/stat.h> |
|||
#include <fcntl.h> |
|||
#define GET_EBP_VALUE(result) \ |
|||
asm volatile("movl %%ebp, %0\n" : "=m" (result)) |
|||
#define GET_ESP_VALUE(result) \ |
|||
asm volatile("movl %%esp, %0\n" : "=m" (result)) |
|||
uint32_t esp, ebp; |
|||
void f(void) { |
|||
GET_EBP_VALUE(ebp); |
|||
printf("%p\n", (void *) ebp); |
|||
char s[16]; |
|||
gets(s); |
|||
printf("%s\n", s); |
|||
asm("leave"); |
|||
GET_ESP_VALUE(esp); |
|||
*(uint32_t *) esp = f; |
|||
asm("pop %eax"); |
|||
asm("push %eax"); |
|||
asm("jmp %eax"); |
|||
} |
} |
||
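Review bot: `*(uint32_t *) esp = f;` in the modified f() stores a function pointer into a uint32_t object with no cast, a constraint violation that GCC diagnoses and newer releases reject outright, so the listing does not compile as written; `*(uint32_t *) esp = (uint32_t) (uintptr_t) f;` keeps the intent and compiles. The same listing is tied to a 32-bit x86 build (`movl %%ebp`/`%%esp` into uint32_t objects, `(void *) ebp`) and depends on an %ebp-based frame for `asm("leave")` to leave %esp at the return-address slot, which the page never states; a comment above the macros such as `/* 32-bit x86 only; build with -m32 and frame pointers kept (-fno-omit-frame-pointer) */` would save readers a confusing build failure. Both the original and the modified listing call `gets()`, which C11 removed and glibc no longer declares under -std=c11, so the page should say which language standard the exercise expects.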
Revision as of 17:32, 19 November 2013
Praktiskais darbs #9 - steka satura analīze un piekļuve stekam.
- Funkciju izsaukumu analīze. printf() lietošana steka satura izdrukai.
- Koda disasamblēšana ar objdump vai gdb programmām.
- Piekļuve reģistru saturam caur inline asamblera kodu.
#define GET_EBP_VALUE(result) \ asm volatile("movl %%ebp, %0\n" : "=m" (result))
Iesūtīšana
Šis PD ir opcionāls.
Uzdevumi:
1) Panākt, ka f() izsauc sevi izmantojot steka pārpildi (bez ASM koda).
2) Panākt, ka f() veiksmīgi izsauc funkciju system() ar argumentu "touch file.txt", izmantojot steka pārpildi
Programmas kods
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/* Reads one line from stdin into a 16-byte stack buffer and echoes it.
 * gets() enforces no length limit, so a longer line overruns `s` and the
 * frame data above it — this is the deliberate defect the exercise studies.
 * gets() was removed from the language in C11; real code uses fgets(). */
void f(void) {
    char s[16];
    gets(s);
    printf("%s\n", s);
}

int main(void) {
    f();
    return 0;
}
Modificēts kods:
#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/* Copy the current frame pointer / stack pointer into `result`.
 * 32-bit x86 only: the 32-bit %ebp / %esp is stored to a memory operand,
 * so `result` must be a 32-bit object (uint32_t below). */
#define GET_EBP_VALUE(result) \
    asm volatile("movl %%ebp, %0\n" : "=m" (result))
#define GET_ESP_VALUE(result) \
    asm volatile("movl %%esp, %0\n" : "=m" (result))

/* Register snapshots taken inside f(); file-scope so the "=m" operands
 * have a fixed memory location to write to. */
uint32_t esp, ebp;

/* Demonstration for the stack-layout exercise: after echoing one input line,
 * f() tears down its own frame and overwrites the return-address slot with
 * its own address, so control re-enters f() instead of returning to main().
 * NOTE(review): relies on an %ebp-based frame and a 32-bit build — confirm
 * the compile flags before reading the comments below as fact. */
void f(void) {
    GET_EBP_VALUE(ebp);
    /* uint32_t -> pointer cast only for printing; shows the frame pointer value. */
    printf("%p\n", (void *) ebp);
    char s[16];
    /* Unbounded read into a 16-byte buffer (gets() was removed in C11). */
    gets(s);
    printf("%s\n", s);
    /* leave = mov %ebp,%esp; pop %ebp — with a standard frame, %esp now
     * points at f's return-address slot. */
    asm("leave");
    GET_ESP_VALUE(esp);
    /* Overwrite the return-address slot with f's address. A function pointer
     * is stored into an integer object without a cast here: a constraint
     * violation that compilers diagnose (use (uint32_t)(uintptr_t) f). */
    *(uint32_t *) esp = f;
    /* Load the slot into %eax, put it back, and jump to it (f itself). */
    asm("pop %eax");
    asm("push %eax");
    asm("jmp %eax");
}

int main(void) {
    f();
    return 0;
}