缓冲区溢出,数据被踩的案例学习

继续在ubuntu上学习GDB,今天要学习的是缓冲区溢出。

程序的地址:

GitHub - gedulab/gebypass: bypass password by heap buffer overflow

编译的方法:

gcc -g -O2 -o gebypass gebypass.c

照例设置一下科学shangwang代理:

export https_proxy="https://xxx:8080",为的是能下载符号。

这个代码通俗易懂,就一个.c文件,主要是使用最传统的gets方法,没有判断输入的内容是否超过了缓冲区长度,造成了buffer的输入覆盖了token内存,token内存被填入了刻意准备的值,绕过了鉴权,登录了系统。程序如下:

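#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>
#include <string.h>

/*
 * gebypass.c - deliberately vulnerable demo program used on this page to
 * study a heap buffer overflow under GDB and valgrind.  The overflow itself
 * (gets() in main) is the subject of the case study and is kept; the
 * incidental defects around it (unchecked malloc, unused size parameter,
 * isdigit() on plain char, mismatched format specifier, strlen() on an
 * unread buffer) are fixed so that only the intended bug remains.
 */

#define GE_MAX_PASSWORD 20
#define GE_TOKEN_SIZE 26
#define GE_TOKEN_PREFIX "#TOKEN#"
#define GE_MINI_PASSWORD 6
/* number of decimal digits between "#TOKEN#:" and the trailing '#' */
#define GE_TOKEN_DIGITS 16

/*
 * Write a session token of the form "#TOKEN#:<pid><pid>#" into user_token.
 *
 * user_token: destination buffer.
 * size:       capacity of user_token in bytes; must be >= GE_TOKEN_SIZE.
 * Returns 0 on success, -1 if the buffer is NULL, too small, or the token
 * would not fit.
 *
 * The formatted token is 8 + 16 + 1 = 25 characters plus the terminator,
 * so GE_TOKEN_SIZE is exactly the minimum that holds it without truncation.
 */
int ge_set_token(char *user_token, int size) {
    if (user_token == NULL || size < GE_TOKEN_SIZE) {
        return -1;
    }
    int pid = (int)getpid();
    int n = snprintf(user_token, (size_t)size, "%s:%08d%08d#", GE_TOKEN_PREFIX, pid, pid);
    /* snprintf reports the length it wanted; anything >= size was truncated */
    if (n < 0 || n >= size) {
        return -1;
    }
    return 0;
}

/*
 * Validate that user_token is a well-formed token: the prefix, a ':',
 * exactly GE_TOKEN_DIGITS decimal digits and a trailing '#'.
 *
 * user_token: NUL-terminated string to check.
 * size:       capacity of user_token in bytes; must be >= GE_TOKEN_SIZE so
 *             that every byte inspected below lies inside the buffer.
 * Returns 0 if the token is well formed, -1 otherwise.
 *
 * Every byte is compared before the next one is read, so a short string
 * stops at its NUL; with the size check, a string lacking a NUL is still
 * never read past index 24.
 */
int ge_check_token(const char *user_token, int size) {
    if (user_token == NULL || size < GE_TOKEN_SIZE) {
        return -1;
    }
    size_t prefix_len = strlen(GE_TOKEN_PREFIX);
    if (strncmp(user_token, GE_TOKEN_PREFIX, prefix_len) != 0) {
        return -1;
    }
    const char *ptr = user_token + prefix_len;
    /* the separator written by ge_set_token; the original skipped it unchecked */
    if (*ptr != ':') {
        return -1;
    }
    ptr++;
    for (int i = 0; i < GE_TOKEN_DIGITS; i++) {
        /* cast: passing a negative plain char to isdigit() is undefined behaviour */
        if (!isdigit((unsigned char)ptr[i])) {
            return -1;
        }
    }
    return ptr[GE_TOKEN_DIGITS] == '#' ? 0 : -1;
}

/*
 * Compare input against the hard-coded secret and, on a match, issue a
 * token into user_token.  Prints the outcome to stdout.
 *
 * input:      NUL-terminated password entered by the user (NULL is treated
 *             as an incorrect password).
 * user_token: buffer receiving the token on success (see ge_set_token).
 * size:       capacity of user_token in bytes.
 *
 * The result of ge_set_token is not reported here; if the buffer is too
 * small the caller's later ge_check_token simply fails.
 */
void ge_auth(const char *input, char *user_token, int size) {
    // check the password via user database etc.
    if (input != NULL && strcmp(input, "$$secret$$") == 0) {
        printf("Your password is correct\n");
        ge_set_token(user_token, size);
    } else {
        printf("You have entered the incorrect password\n");
    }
}

/*
 * Entry point: read a password from stdin, authenticate, then validate the
 * token.  Returns 0 on a successful login, -1 otherwise.
 */
int main(void) {
    int ret = -1;
    char *buffer = malloc(GE_MAX_PASSWORD);  // 20 bytes: the password slot
    char *token = malloc(GE_TOKEN_SIZE);     // 26 bytes: in the walkthrough above it lands in the chunk right after buffer
    if (buffer == NULL || token == NULL) {
        fprintf(stderr, "out of memory\n");
        goto tag_exit;
    }
    /* both chunks come back uninitialised; terminate them so strlen() and
     * ge_check_token() below never read indeterminate bytes */
    buffer[0] = '\0';
    token[0] = '\0';

    puts("Please enter password:");
    /*
     * gets() is the deliberate defect this case study is about: it cannot
     * bound the read, so a line longer than GE_MAX_PASSWORD - 1 bytes runs
     * past buffer into the neighbouring heap chunk that holds token.  The
     * hardened form is fgets(buffer, GE_MAX_PASSWORD, stdin) followed by
     * stripping the newline; gets() is kept so the GDB/valgrind sessions
     * on this page still reproduce.
     */
    if (gets(buffer) == NULL || strlen(buffer) < GE_MINI_PASSWORD) {
        /* %zu matches size_t; the original's %ld relied on LP64 */
        printf("password is too short %zu\n", strlen(buffer));
        goto tag_exit;
    }

    ge_auth(buffer, token, GE_TOKEN_SIZE);

    if (ge_check_token(token, GE_TOKEN_SIZE) != 0) {
        printf("Login failed. You are denied.\n");
        goto tag_exit;
    }
    printf("Login succeeded. You are welcome.\n");
    puts("You can do privileged operations now...\n");
    getchar();
    ret = 0;

tag_exit:
    free(buffer);
    free(token);
    return ret;
}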

上GDB调试:

gdb ./gebypass

b main  -- 设置断点

r  -- run起来,会提示下载源码,前面我们设置的proxy,顺利下载。

l  --list一下源码,可以看到

(gdb) p buffer
$1 = <optimized out>
(gdb) p token
$2 = <optimized out>
(gdb) n
49          char* buffer = (char*)malloc(GE_MAX_PASSWORD);  //20
(gdb) n
50          char* token = (char*)malloc(GE_TOKEN_SIZE);     //26
(gdb) n
52          puts("Please enter password:");
(gdb) p bu
buf                     bufsize                 build_trtable           build_wcs_upper_buffer  builtin_modules
buffer                  build_charclass         build_trtable[cold]     builtin_aliases
buffer_size             build_charclass_op      build_wcs_buffer        builtin_map
(gdb) p buffer
$3 = 0x5555555592a0 ""
(gdb) p token
$4 = 0x5555555592c0 ""  --token紧挨着buffer

查看进程内存:

(gdb) !ps
    PID TTY          TIME CMD
   3138 pts/0    00:00:00 bash
   3290 pts/0    00:00:02 gdb
   3296 pts/0    00:00:00 gebypass
   5612 pts/0    00:00:00 ps
(gdb) !cat /proc/3296/maps
555555554000-555555555000 r--p 00000000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555555000-555555556000 r-xp 00001000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555556000-555555557000 r--p 00002000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555557000-555555558000 r--p 00002000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555558000-555555559000 rw-p 00003000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555559000-55555557a000 rw-p 00000000 00:00 0                          [heap]
7ffff7d90000-7ffff7d93000 rw-p 00000000 00:00 0
7ffff7d93000-7ffff7dbb000 r--p 00000000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7dbb000-7ffff7f43000 r-xp 00028000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f43000-7ffff7f92000 r--p 001b0000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f92000-7ffff7f96000 r--p 001fe000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f96000-7ffff7f98000 rw-p 00202000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f98000-7ffff7fa5000 rw-p 00000000 00:00 0
7ffff7fbd000-7ffff7fbf000 rw-p 00000000 00:00 0
7ffff7fbf000-7ffff7fc3000 r--p 00000000 00:00 0                          [vvar]
7ffff7fc3000-7ffff7fc5000 r-xp 00000000 00:00 0                          [vdso]
7ffff7fc5000-7ffff7fc6000 r--p 00000000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffff7fc6000-7ffff7ff1000 r-xp 00001000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffff7ff1000-7ffff7ffb000 r--p 0002c000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffff7ffb000-7ffff7ffd000 r--p 00036000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffff7ffd000-7ffff7fff000 rw-p 00038000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
能看到刚刚malloc建立的堆块。

在ge_auth函数设置断点

(gdb) b ge_auth
Breakpoint 2 at 0x555555555460: ge_auth. (2 locations)
(gdb) l ge_auth
file: "/usr/include/x86_64-linux-gnu/bits/stdio2.h", line number: 86, symbol: "ge_auth"
81      }
82
83      __fortify_function int
84      printf (const char *__restrict __fmt, ...)
85      {
86        return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
87      }
88      # elif !defined __cplusplus
89      #  define printf(...) \
90        __printf_chk (__USE_FORTIFY_LEVEL - 1, __VA_ARGS__)
file: "gebypass.c", line number: 37, symbol: "ge_auth"
32              return -1;
33          }
34          return 0;
35      }
36
37      void ge_auth(const char* input, char* user_token, int size) {
38          // check the password via user database etc.
39          if(strcmp(input, "$$secret$$") == 0) {
40              printf("Your password is correct\n");
41              ge_set_token(user_token, size);
(gdb) c
Continuing.
Please enter password:
$$secret$$

Breakpoint 2.1, ge_auth (input=0x5555555592a0 "$$secret$$", user_token=0x5555555592c0 "", size=26) at gebypass.c:37
37      void ge_auth(const char* input, char* user_token, int size) {
 

下面再跟踪一下异常覆盖的情况:

重新run,这次输入特殊的串:

(gdb) r
Starting program: /home/zxl/gelabs/gtk/bypass/gebypass

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main () at gebypass.c:47
47      int main() {
(gdb) info b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x00005555555551c0 in main at gebypass.c:47
        breakpoint already hit 1 time
(gdb) c
Continuing.
Please enter password:
01234567890abcdefghijklmnopqrstu#TOKEN#:0002381800023638#

第一次少输入了一个0,结果错位了,造成没有到达token的条件,验证失败。所以这个串必须精心设计。

继续单步跟踪,提示输入错误:

(gdb) b ge_auth
Breakpoint 2 at 0x555555555460: ge_auth. (2 locations)
(gdb) c
Continuing.
Please enter password:
01234567890abcdefghijklmnopqrstu#TOKEN#:0002381800023638#

Breakpoint 2.1, ge_auth (input=0x5555555592a0 "01234567890abcdefghijklmnopqrstu#TOKEN#:0002381800023638#",
    user_token=0x5555555592c0 "#TOKEN#:0002381800023638#", size=26) at gebypass.c:37
37      void ge_auth(const char* input, char* user_token, int size) {
(gdb) n
39          if(strcmp(input, "$$secret$$") == 0) {
(gdb) p input
$1 = 0x5555555592a0 "01234567890abcdefghijklmnopqrstu#TOKEN#:0002381800023638#"
(gdb) n
86        return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
(gdb) n
43              printf("You have entered the incorrect password\n");
(gdb) l
38          // check the password via user database etc.
39          if(strcmp(input, "$$secret$$") == 0) {
40              printf("Your password is correct\n");
41              ge_set_token(user_token, size);
42          } else {
43              printf("You have entered the incorrect password\n");
44          }
45      }
46
47      int main() {
(gdb)
接下来检查token

(gdb) n
main () at gebypass.c:59
59          if(ge_check_token(token, GE_TOKEN_SIZE) != 0) {
(gdb) l
54              printf("password is too short %ld\n", strlen(buffer));
55              goto tag_exit;
56          }
57          ge_auth(buffer, token, GE_TOKEN_SIZE);
58
59          if(ge_check_token(token, GE_TOKEN_SIZE) != 0) {
60              printf("Login failed. You are denied.\n");
61              goto tag_exit;
62          }
63          printf("Login succeeded. You are welcome.\n");
(gdb) n
63          printf("Login succeeded. You are welcome.\n");
(gdb) p token
$2 = 0x5555555592c0 "#TOKEN#:0002381800023638#"
token值符合要求

(gdb) p buffer  --超出了20个字节
$3 = 0x5555555592a0 "01234567890abcdefghijklmnopqrstu#TOKEN#:0002381800023638#"
(gdb) p token
$4 = 0x5555555592c0 "#TOKEN#:0002381800023638#"

重新运行,认识堆。ptmalloc的堆管理方式中有一个主场地 main_arena

Breakpoint 1, main () at gebypass.c:47
47      int main() {
(gdb) p main_arena  --开始主场地大部分是0,
$5 = {mutex = 0, flags = 0, have_fastchunks = 0, fastbinsY = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, top = 0x0,
  last_remainder = 0x0, bins = {0x0 <repeats 254 times>}, binmap = {0, 0, 0, 0}, next = 0x7ffff7f96ac0 <main_arena>,
  next_free = 0x0, attached_threads = 1, system_mem = 0, max_system_mem = 0}
(gdb) p &main_arena --它本身在glibc中
$6 = (struct malloc_state *) 0x7ffff7f96ac0 <main_arena>
(gdb) !ps
    PID TTY          TIME CMD
   3138 pts/0    00:00:00 bash
   5884 pts/0    00:00:03 gdb
   6063 pts/0    00:00:00 gebypass
   6358 pts/0    00:00:00 ps
(gdb) !cat /proc/6063/maps
555555554000-555555555000 r--p 00000000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555555000-555555556000 r-xp 00001000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555556000-555555557000 r--p 00002000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555557000-555555558000 r--p 00002000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555558000-555555559000 rw-p 00003000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
7ffff7d90000-7ffff7d93000 rw-p 00000000 00:00 0
7ffff7d93000-7ffff7dbb000 r--p 00000000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7dbb000-7ffff7f43000 r-xp 00028000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f43000-7ffff7f92000 r--p 001b0000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f92000-7ffff7f96000 r--p 001fe000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f96000-7ffff7f98000 rw-p 00202000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f98000-7ffff7fa5000 rw-p 00000000 00:00 0
7ffff7fbd000-7ffff7fbf000 rw-p 00000000 00:00 0
7ffff7fbf000-7ffff7fc3000 r--p 00000000 00:00 0                          [vvar]
7ffff7fc3000-7ffff7fc5000 r-xp 00000000 00:00 0                          [vdso]
7ffff7fc5000-7ffff7fc6000 r--p 00000000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffff7fc6000-7ffff7ff1000 r-xp 00001000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffff7ff1000-7ffff7ffb000 r--p 0002c000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffff7ffb000-7ffff7ffd000 r--p 00036000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffff7ffd000-7ffff7fff000 rw-p 00038000 08:02 4215471                    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
(gdb) s
49          char* buffer = (char*)malloc(GE_MAX_PASSWORD);  //20
(gdb) s
Download failed: 无效的参数.  Continuing without source file ./malloc/./malloc/malloc.c.
0x00007ffff7e40654 in __GI___libc_malloc (bytes=bytes@entry=20) at ./malloc/malloc.c:3301
warning: 3301   ./malloc/malloc.c: 没有那个文件或目录 --没有源码,看不了。

需要下载源码:

zxl@qwq:~$ cat /etc/apt/sources.list
# Ubuntu sources have moved to /etc/apt/sources.list.d/ubuntu.sources
zxl@qwq:~$ cat  /etc/apt/sources.list.d/ubuntu.sources
Types: deb deb-src
URIs: http://mirrors.huaweicloud.com/repository/ubuntu/
Suites: noble noble-updates noble-security noble-backports
Components: main restricted universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
说明已经设置了HW的网站作为下载网站,并且Types中已包含deb-src(源码包)。

开始下载:

zxl@qwq:~$ sudo apt source lib
[sudo] zxl 的密码:
正在读取软件包列表... 完成
E: 无法找到与 lib 对应的源代码包
zxl@qwq:~$ sudo apt source glibc
正在读取软件包列表... 完成
提示:glibc 的打包工作被维护于以下位置的 Git 版本控制系统中:
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/glibc
请使用:
git clone https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/glibc
获得该软件包的最近更新(可能尚未正式发布)。
需要下载 19.0 MB 的源代码包。
获取:1 http://mirrors.huaweicloud.com/repository/ubuntu noble-updates/main glibc 2.39-0ubuntu8.3 (dsc) [9,213 B]
获取:2 http://mirrors.huaweicloud.com/repository/ubuntu noble-updates/main glibc 2.39-0ubuntu8.3 (tar) [18.5 MB]
获取:3 http://mirrors.huaweicloud.com/repository/ubuntu noble-updates/main glibc 2.39-0ubuntu8.3 (asc) [833 B]
获取:4 http://mirrors.huaweicloud.com/repository/ubuntu noble-updates/main glibc 2.39-0ubuntu8.3 (diff) [463 kB]
已下载 19.0 MB,耗时 2秒 (9,716 kB/s)
dpkg-source: info: extracting glibc in glibc-2.39
dpkg-source: info: unpacking glibc_2.39.orig.tar.xz
dpkg-source: info: unpacking glibc_2.39-0ubuntu8.3.debian.tar.xz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying git-updates.diff
dpkg-source: info: applying locale/check-unknown-symbols.diff
dpkg-source: info: applying locale/locale-print-LANGUAGE.diff
dpkg-source: info: applying locale/LC_IDENTIFICATION-optional-fields.diff
dpkg-source: info: applying localedata/sort-UTF8-first.diff
dpkg-source: info: applying localedata/supported.diff
dpkg-source: info: applying localedata/locale-eu_FR.diff
......

dpkg-source: info: applying CVE-2024-33600_2.patch
dpkg-source: info: applying CVE-2024-33601_33602.patch
W: 由于文件'glibc_2.39-0ubuntu8.3.dsc'无法被用户'_apt'访问,已脱离沙盒并提权为根用户来进行下载。 - pkgAcquire::Run (13: 权限不够)
zxl@qwq:~$ ls
 公共的   examples.desktop                      idea                         orange
 模板     gegdb                                 IdeaProjects                 pg
 视频     gelabs                                java                         
 图片     glibc-2.39                            lmos                         rust
 文档     glibc_2.39-0ubuntu8.3.debian.tar.xz

malloc的源码在:
zxl@qwq:~/glibc-2.39/malloc$ pwd
/home/zxl/glibc-2.39/malloc

回到GDB设置源码路径

(gdb) bt
#0  0x00007ffff7e40654 in __GI___libc_malloc (bytes=bytes@entry=20) at ./malloc/malloc.c:3301
#1  0x00005555555551d2 in main () at gebypass.c:49
(gdb) dir /home/zxl/glibc-2.39/malloc
Source directories searched: /home/zxl/glibc-2.39/malloc:$cdir:$cwd
(gdb) l   --再调用list就可以看到源码了。不错
3296      void *victim;
3297
3298      _Static_assert (PTRDIFF_MAX <= SIZE_MAX / 2,
3299                      "PTRDIFF_MAX is not more than half of SIZE_MAX");
3300
3301      if (!__malloc_initialized)
3302        ptmalloc_init ();
3303    #if USE_TCACHE
3304      /* int_free also calls request2size, be careful to not pad twice.  */
3305      size_t tbytes = checked_request2size (bytes);
可以跟一下malloc的细节

分配完成后,再看堆空间,就多了

(gdb) !cat /proc/6063/maps
555555554000-555555555000 r--p 00000000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555555000-555555556000 r-xp 00001000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555556000-555555557000 r--p 00002000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555557000-555555558000 r--p 00002000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555558000-555555559000 rw-p 00003000 08:02 3969804                    /home/zxl/gelabs/gtk/bypass/gebypass
555555559000-55555557a000 rw-p 00000000 00:00 0                          [heap]
7ffff7d90000-7ffff7d93000 rw-p 00000000 00:00 0
7ffff7d93000-7ffff7dbb000 r--p 00000000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7dbb000-7ffff7f43000 r-xp 00028000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f43000-7ffff7f92000 r--p 001b0000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f92000-7ffff7f96000 r--p 001fe000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f96000-7ffff7f98000 rw-p 00202000 08:02 4219286                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f98000-7ffff7fa5000 rw-p 00000000 00:00 0
再看主场地也变化了:

(gdb) p main_arena
$8 = {mutex = 0, flags = 0, have_fastchunks = 0, fastbinsY = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  top = 0x5555555592e0, last_remainder = 0x0, bins = {0x7ffff7f96b20 <main_arena+96>, 0x7ffff7f96b20 <main_arena+96>,
    0x7ffff7f96b30 <main_arena+112>, 0x7ffff7f96b30 <main_arena+112>, 0x7ffff7f96b40 <main_arena+128>,
    0x7ffff7f96b40 <main_arena+128>, 0x7ffff7f96b50 <main_arena+144>, 0x7ffff7f96b50 <main_arena+144>,
    0x7ffff7f96b60 <main_arena+160>, 0x7ffff7f96b60 <main_arena+160>, 0x7ffff7f96b70 <main_arena+176>,
    0x7ffff7f96b70 <main_arena+176>, 0x7ffff7f96b80 <main_arena+192>, 0x7ffff7f96b80 <main_arena+192>,
    0x7ffff7f96b90 <main_arena+208>, 0x7ffff7f96b90 <main_arena+208>, 0x7ffff7f96ba0 <main_arena+224>,
    0x7ffff7f96ba0 <main_arena+224>, 0x7ffff7f96bb0 <main_arena+240>, 0x7ffff7f96bb0 <main_arena+240>,
    0x7ffff7f96bc0 <main_arena+256>, 0x7ffff7f96bc0 <main_arena+256>, 0x7ffff7f96bd0 <main_arena+272>,
    0x7ffff7f96bd0 <main_arena+272>, 0x7ffff7f96be0 <main_arena+288>, 0x7ffff7f96be0 <main_arena+288>,
    0x7ffff7f96bf0 <main_arena+304>, 0x7ffff7f96bf0 <main_arena+304>, 0x7ffff7f96c00 <main_arena+320>,
    0x7ffff7f96c00 <main_arena+320>, 0x7ffff7f96c10 <main_arena+336>, 0x7ffff7f96c10 <main_arena+336>,
    0x7ffff7f96c20 <main_arena+352>, 0x7ffff7f96c20 <main_arena+352>, 0x7ffff7f96c30 <main_arena+368>,
 

实验的原理:如何造特殊字符串:这就不讲了,自己体会一下:

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/zxl/gelabs/gtk/bypass/gebypass
Downloading separate debug info for system-supplied DSO at 0x7ffff7fc3000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main () at gebypass.c:47
47      int main() {
(gdb) info b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x00005555555551c0 in main at gebypass.c:47
        breakpoint already hit 1 time
2       breakpoint     keep y   <MULTIPLE>
2.1                         y   0x0000555555555460 in ge_auth at gebypass.c:37
2.2                         y   0x000055555555547f in ge_auth at /usr/include/x86_64-linux-gnu/bits/stdio2.h:86
(gdb) c
Continuing.
Please enter password:
1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

Breakpoint 2.1, ge_auth (input=0x5555555592a0 "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
    user_token=0x5555555592c0 "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", size=26) at gebypass.c:37
37      void ge_auth(const char* input, char* user_token, int size) {
(gdb) s
39          if(strcmp(input, "$$secret$$") == 0) {
(gdb) b ge_check_token
Breakpoint 3 at 0x5555555553f0: file gebypass.c, line 19.
(gdb) c
Continuing.
You have entered the incorrect password

Breakpoint 3, ge_check_token (user_token=user_token@entry=0x5555555592c0 "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", size=size@entry=26)
    at gebypass.c:19
19      int ge_check_token(char* user_token, int size) {
(gdb)
 

valgrind工具:

zxl@qwq:~/gelabs/gtk/bypass$ sudo apt update
[sudo] zxl 的密码:
命中:1 http://mirrors.huaweicloud.com/repository/ubuntu noble InRelease
命中:2 http://mirrors.huaweicloud.com/repository/ubuntu noble-updates InRelease
命中:3 http://mirrors.huaweicloud.com/repository/ubuntu noble-security InRelease
命中:4 http://mirrors.huaweicloud.com/repository/ubuntu noble-backports InRelease
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成
有 10 个软件包可以升级。请执行 ‘apt list --upgradable’ 来查看它们。
zxl@qwq:~/gelabs/gtk/bypass$ sudo apt install valgrind
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成

zxl@qwq:~/gelabs/gtk/bypass$ valgrind --version
valgrind-3.22.0
zxl@qwq:~/gelabs/gtk/bypass$ valgrind ./gebypass
==7220== Memcheck, a memory error detector
==7220== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==7220== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==7220== Command: ./gebypass
==7220==
Please enter password:
1111111111112222222222222222222222333333333333333333333333333333333
==7220== Invalid write of size 8
==7220==    at 0x4850643: memcpy@GLIBC_2.2.5 (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7220==    by 0x48F8FE3: memcpy (string_fortified.h:29)
==7220==    by 0x48F8FE3: _IO_getline_info (iogetline.c:96)
==7220==    by 0x48F91DD: gets (iogets.c:54)
==7220==    by 0x1091F7: main (gebypass.c:53)
==7220==  Address 0x4a87050 is 16 bytes inside a block of size 20 alloc'd
==7220==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7220==    by 0x1091D1: main (gebypass.c:49)
==7220==
==7220== Invalid write of size 8
==7220==    at 0x485064B: memcpy@GLIBC_2.2.5 (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7220==    by 0x48F8FE3: memcpy (string_fortified.h:29)
==7220==    by 0x48F8FE3: _IO_getline_info (iogetline.c:96)
==7220==    by 0x48F91DD: gets (iogets.c:54)
==7220==    by 0x1091F7: main (gebypass.c:53)
==7220==  Address 0x4a87058 is 4 bytes after a block of size 20 alloc'd
==7220==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7220==    by 0x1091D1: main (gebypass.c:49)
==7220==
==7220== Invalid write of size 8
==7220==    at 0x4850653: memcpy@GLIBC_2.2.5 (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7220==    by 0x48F8FE3: memcpy (string_fortified.h:29)
==7220==    by 0x48F8FE3: _IO_getline_info (iogetline.c:96)
==7220==    by 0x48F91DD: gets (iogets.c:54)
==7220==    by 0x1091F7: main (gebypass.c:53)
==7220==  Address 0x4a87060 is 12 bytes after a block of size 20 alloc'd
==7220==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7220==    by 0x1091D1: main (gebypass.c:49)
==7220==
==7220== Invalid write of size 8
==7220==    at 0x4850691: memcpy@GLIBC_2.2.5 (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7220==    by 0x48F8FE3: memcpy (string_fortified.h:29)
==7220==    by 0x48F8FE3: _IO_getline_info (iogetline.c:96)
==7220==    by 0x48F91DD: gets (iogets.c:54)
==7220==    by 0x1091F7: main (gebypass.c:53)
==7220==  Address 0x4a87068 is 20 bytes after a block of size 20 alloc'd
==7220==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7220==    by 0x1091D1: main (gebypass.c:49)
==7220==

valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 96, hi = 3689348814741910323.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.


host stacktrace:
==7220==    at 0x58044A9A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==7220==    by 0x58044BDF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==7220==    by 0x58044D75: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==7220==    by 0x5804EDB8: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==7220==    by 0x5803CDCA: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==7220==    by 0x5803B3E7: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==7220==    by 0x5803FFD0: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==7220==    by 0x5803A260: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==7220==    by 0x58010887: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==7220==    by 0x1002E874AC: ???
==7220==    by 0x1002DA9F0F: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 7220)
==7220==    at 0x48506E3: memcpy@GLIBC_2.2.5 (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==7220==    by 0x48F8FE3: memcpy (string_fortified.h:29)
==7220==    by 0x48F8FE3: _IO_getline_info (iogetline.c:96)
==7220==    by 0x48F91DD: gets (iogets.c:54)
==7220==    by 0x1091F7: main (gebypass.c:53)
client stack range: [0x1FFEFFE000 0x1FFF000FFF] client SP: 0x1FFEFFFF18
valgrind stack range: [0x1002CAA000 0x1002DA9FFF] top usage: 18232 of 1048576


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.
 
