How to turn off gcc compiler optimization to enable buffer overflow
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same license, cite the original address, and attribute it to the original authors on StackOverflow (not the translator).
Original: http://stackoverflow.com/questions/2340259/
Asked by sa125
I'm working on a homework problem that requires disabling compiler optimization protection for it to work. I'm using gcc 4.4.1 on ubuntu linux, but can't figure out which flags are the right ones. I realize it's architecture dependent - my machine runs w/ 32-bit Intel processor.
Thanks.
Answered by rook
That's a good problem. In order to solve that problem you will also have to disable ASLR, otherwise the address of g() will be unpredictable.
Disable ASLR:
sudo bash -c 'echo 0 > /proc/sys/kernel/randomize_va_space'
Disable canaries:
gcc overflow.c -o overflow -fno-stack-protector
After canaries and ASLR are disabled it should be a straightforward attack like the ones described in Smashing the Stack for Fun and Profit.
Here is a list of security features used in ubuntu: https://wiki.ubuntu.com/Security/Features
You don't have to worry about NX bits; the address of g() will always be in an executable region of memory because it is within the TEXT memory segment. NX bits only come into play if you are trying to execute shellcode on the stack or heap, which is not required for this assignment.
Now go and clobber that EIP!
Answered by sa125
Urm, all of the answers so far have been wrong, with Rook's answer being correct.
Entering:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Followed by:
gcc -fno-stack-protector -z execstack -o bug bug.c
Disables ASLR, SSP/Propolice and Ubuntu's NoneXec (which was placed in 9.10, and fairly simple to work around; see the mprotect(2) technique to map pages as executable and jmp). This should help a little, however these "security features" are by no means infallible. Without the -z execstack flag, pages have non-executable stack markings.
Answered by Aydin K.
On newer distros (as of 2016), it seems that PIE is enabled by default, so you will need to disable it explicitly when compiling.
Here's a little summary of commands which can be helpful when playing locally with buffer overflow exercises in general:
Disable canary:
gcc vuln.c -o vuln_disable_canary -fno-stack-protector
Disable DEP:
gcc vuln.c -o vuln_disable_dep -z execstack
Disable PIE:
gcc vuln.c -o vuln_disable_pie -no-pie
Disable all of the protection mechanisms listed above (warning: for local testing only):
gcc vuln.c -o vuln_disable_all -fno-stack-protector -z execstack -no-pie
For 32-bit machines, you'll need to add the -m32 parameter as well.
Answered by Kyle Lutz
Try the -fno-stack-protector flag.
Answered by AhlyM
You don't need to disable ASLR in order to do a buffer overflow! Although ASLR is enabled (kernel_randomize_va_space = 2), it will not take effect unless the compiled executable is PIE. So unless you compiled your file with the -fPIC -pie flag, ASLR will not take effect.
I think only disabling the canaries with -fno-stack-protector is enough.
If you want to check if ASLR is working or not (Position independent code must be set), use:
hardening-check executable_name
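The flags in Aydin K.'s answer (-no-pie, -z execstack, -fno-stack-protector) each leave a visible trace in the ELF file, which is what tools like hardening-check read. The following is an added example, not code from the original answers, that parses those traces directly from an ELF64 image: the file type (ET_DYN means PIE, so ASLR applies), the PT_GNU_STACK program header flags (PF_X set means executable stack), and, as a heuristic, the presence of the __stack_chk_fail symbol name that the stack protector references. The build_elf helper is a constructed minimal image used only to exercise the checker, not real compiler output.

```python
import struct

PT_GNU_STACK = 0x6474E551          # program header carrying the stack permission bits
PF_X = 0x1                         # executable flag in p_flags
ET_EXEC, ET_DYN = 2, 3             # fixed-address executable vs. position-independent
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header (56 bytes)


def check_hardening(data: bytes) -> dict:
    """Report PIE, non-executable-stack and (heuristic) canary status of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    # -no-pie produces ET_EXEC; a PIE (the post-2016 default) is ET_DYN and gets ASLR applied
    pie = e_type == ET_DYN
    # -z execstack sets PF_X on PT_GNU_STACK; with no PT_GNU_STACK at all Linux also
    # treats the stack as executable, so the default here is False
    nx_stack = False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
            break
    # -fstack-protector emits calls to __stack_chk_fail; -fno-stack-protector leaves
    # no such reference. A substring scan is a heuristic, not a symbol-table walk.
    canary = b"__stack_chk_fail" in data
    return {"pie": pie, "nx_stack": nx_stack, "canary": canary}


def build_elf(pie: bool, execstack: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK phdr) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # 64-bit, little-endian, v1
    hdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, 1, 0, 0, 0)
    flags = 0x6 | (PF_X if execstack else 0)                 # RW, plus X for -z execstack
    phdr = PHDR.pack(PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    tail = b"__stack_chk_fail\0" if canary else b""
    return hdr + phdr + tail


if __name__ == "__main__":
    # Hardened defaults vs. the "disable all" build from the answer above
    print("default build:    ", check_hardening(build_elf(True, False, True)))
    print("disable-all build:", check_hardening(build_elf(False, True, False)))
```

Run it against a real binary with `check_hardening(open("vuln_disable_all", "rb").read())`; a result of pie=False, nx_stack=False, canary=False is what the -fno-stack-protector -z execstack -no-pie build should produce.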
Answered by AhlyM
I won't quote the entire page, but the whole manual on optimisation is available here: http://gcc.gnu.org/onlinedocs/gcc-4.4.3/gcc/Optimize-Options.html#Optimize-Options
From the sounds of it you want at least -O0, the default, and:
-fmudflap -fmudflapth -fmudflapir
For front-ends that support it (C and C++), instrument all risky pointer/array dereferencing operations, some standard library string/heap functions, and some other associated constructs with range/validity tests. Modules so instrumented should be immune to buffer overflows, invalid heap use, and some other classes of C/C++ programming errors. The instrumentation relies on a separate runtime library (libmudflap), which will be linked into a program if -fmudflap is given at link time. Run-time behavior of the instrumented program is controlled by the MUDFLAP_OPTIONS environment variable. See env MUDFLAP_OPTIONS=-help a.out for its options.