A preliminary understanding of the stack overflow vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201560967
Type myhack58
Reporter 佚名
Modified 2015-04-09T00:00:00


1. What is the stack for? The stack is a mechanism that computers use to pass arguments to the function, can also be used to put into local function variables, function return address, it's purpose is to give a program a convenient way to access specific function of the partial data and from the function caller there to transmit information. The stack acts as a buffer, preserving function all the required information. In the function of the start time to produce the stack, and the function of the end time to release it. The stack is generally static, it means that once the function starts to create a stack, then the stack is not changed. Stack all the saved data can be changed, but the stack itself is generally not changed. 2. The buffer overflow is divided into two kinds, one is stack overflow, a heap overflow. 3. How to find stack for? EIP: extended instruction pointer. When calling the function, this pointer is stored in the stack, for later use. When the function returns, this stored address is used to determine the next to be executed instruction address. ESP: extended stack pointer. This register points to the stack of the current position, and allows the use of push and pop to manipulate or direct pointer operations to the stack content is added and removed. EBP: extended base pointer. This register is in the function execution process is usually kept constant. It as a static pointer to use for just want a basic stack information, for example, the use of the offset function of the amount of data and variables. This pointer usually points to the function using the stack bottom. 4. Through practice to deal with First, show the stack of the form:below is the following code;


int main() { _asm { push 0x12345678 pop eax } } We can in VC++6.0 debugging to look at the esp and eip and ebp of the state change; !

Our F11 for follow-up under, you will find that esp is the stack pointer will follow the changes, because we have to stack pressure people 1 2 3 4 5 6 7 8 so that the four bytes of data, the pointer will be reduced to 4 bytes. !

And we pop when you will find that the top of the stack pointer becomes large became the original look. This tells us a truth of the stack in the pressure data when the stack pointer is smaller, and popped off the stack when the stack pointer is larger. That is the bottom of the stack address higher than the top of the stack address. The next presentation within the function stack of the calling process. !

The first does not enter into the overflow function inside of when the ebp and esp are worth, the description of the outside of the main function there is also a stack implementation. We disassemble look at the specific stack implementation. F11 to single-step it will find a jump jmp jump to function of the overflow is. !

This time after we single-step run F11.

0 0 4 0 1 0 2 0 push ebp 0 0 4 0 1 0 2 1 mov ebp,esp 0 0 4 0 1 0 2 3 sub esp,44h 0 0 4 0 1 0 2 6 push ebx 0 0 4 0 1 0 2 7 push esi 0 0 4 0 1 0 2 8 push edi 0 0 4 0 1 0 2 9 lea edi,[ebp-44h] 0040102C mov ecx,11h 0 0 4 0 1 0 3 1 mov eax,0CCCCCCCCh 0 0 4 0 1 0 3 6 rep stos dword ptr [edi] 5: int our=0; 0 0 4 0 1 0 3 8 mov dword ptr [ebp-4],0 6: return; You will see such as codes, this time we have to further analyze it. First, it will be ebp pointer pressure people stack, the current esp points to the address to ebp, this time the esp is reduced 44h, this time in the stack and opens up a length of 44h a new stack space. From our analysis can be drawn dwordptr[ebp-4], 0 is this local variable is stored in the new stack space inside. ebp-4 is far less than the 44h space size. Local variables are stored in stack. Through this example we can draw a conclusion is: Stack stored in the data? If the program you want to call a function, then the computer will automatically function returns after the execution of the instruction address is first pressed into the stack, such as function calls after completion and then removed from, jump to the branch. The overflow of the reason? Officially because of the first into the stack the address of the former, and then placed into the stack once the data is too long, it will cover to the front of the address which will cause the program error occurs. Let's look at the following example to demonstrate the stack overflow phenomenon;




void overflow(char *buf) { char des[5]=""; strcpy(des,buf); return; }

void main(int argc,char *argc[]) { LoadLibrary("user32.dll"); char longbuf[1 0 0]="aaaaaaaaaaaabbbbcccccccccccc"; overflow(longbuf); return;

[1] [2] next