Vulnerability discovery basics: format string vulnerability warning - the Black Bar Safety Net

ID MYHACK58:62201567893
Type myhack58
Reporter 珈蓝夜宇
Modified 2015-10-15T00:00:00


The format string vulnerability is a very old class of bug, and today it is rare to see one in the wild, but for a beginner in vulnerability analysis it is still worth studying, because it is foundational. Hence this article. My articles are written in a plain style; come with me and get into binary!

0x01 Basics: the stack

Before actually attacking a format string we need some background knowledge that will make this class of vulnerability easier to understand. In my view some stack-related basics are also needed in order to understand and use format string vulnerabilities properly, so let us first look at the stack.

Talking about the stack means talking about function calls and parameter passing, because the stack dynamically records the relationships between function calls; that is what ensures that a called function can return to its parent (calling) function and continue executing. The stack is a data structure with First In, Last Out semantics. It has two common operations, PUSH (push onto the stack) and POP (pop off the stack), and two attributes that identify it, the top of the stack (TOP) and the bottom of the stack (BASE):

PUSH: adds one element to the stack.
POP: removes one element from the stack.
TOP: identifies the current top position of the stack. It is dynamic: every push moves it up by one, and every pop moves it down by one.
BASE: identifies the bottom of the stack. Its position does not change.

What happens during a function call? We will use the following code to get a first impression.
Sample code (saved as 1.c; the original listing omitted the parameter types and the pointer levels of argv/envp, which are restored here so it compiles):

    int func_B(int arg_B1, int arg_B2)
    {
        int var_B;
        var_B = arg_B1 + arg_B2;
        return var_B;
    }

    int func_A(int arg_A1, int arg_A2)
    {
        int var_A;
        var_A = func_B(arg_A1, arg_A2);
        return var_A;
    }

    int main(int argc, char **argv, char **envp)
    {
        int var_main;
        var_main = func_A(1, 2);
        return var_main;
    }

The execution flow of the program is shown in the figure below:

[Figure: program execution flow, main -> func_A -> func_B -> func_A -> main; image not recoverable]

From the figure we can see the execution order: main -> func_A -> func_B -> func_A -> main. How does the CPU keep track of the relationships between all these function calls while executing? This brings us to a new term: the stack frame. When a function is called, the system stack opens a new stack frame for it. The memory occupied by that frame belongs exclusively to the function, and when the function returns the system stack pops the frame again. On 32-bit systems two special registers, ESP and EBP, identify the stack frame:

ESP: the stack pointer register, holding a pointer to the top of the stack.
EBP: the base pointer register, holding a pointer to the base of the current stack frame.

The CPU uses EBP (not ESP) as the reference point for accessing local variables, parameters and the return address on the stack. While the program runs, the value of ESP changes constantly, so using ESP as the reference for locating local variables, parameters and the return address would clearly be impractical. Therefore, on function entry the current ESP value is first saved into EBP as the reference; afterwards, however ESP changes, the local variables, parameters and return address can all be accessed relative to EBP.

Next we compile and debug the above code to get a clearer picture of function calls and parameter passing. First compile with gcc:

    gcc -fno-stack-protector -o 1 1.c

Then disassemble with objdump:

    objdump -d 1

    0804841d:
     804841d:  55                push   %ebp         ; function start: save the caller's frame base
     804841e:  89 e5             mov    %esp,%ebp    ; set the new frame base (switch stack frames)
     8048420:  83 ec 10          sub    $0x10,%esp   ; raise the top of the stack to open space for the new frame
     8048423:  6a 02             push   $0x2         ; push the parameters from right to left
     8048425:  6a 01             push   $0x1
     8048427:  e8 d5 ff ff ff    call   8048401      ; push the address of the next instruction as the saved return address,
                                                     ; then jump to the callee's entry point and execute there
     804842c:  83 c4 08          add    $0x8,%esp    ; caller removes the two arguments again
     804842f:  89 45 fc          mov    %eax,-0x4(%ebp)
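To make the frame layout described above concrete, here is an added example (not code from the article) that replays the listing's instruction sequence on a simulated 32-bit stack and then reads the arguments, saved EBP, return address and local back through EBP-relative offsets, the same way the callee does. The return address 0x0804842c is the instruction after the call in the listing; STACK_TOP and the 64-dword size of the model are constructed assumptions, and the model follows the 32-bit cdecl convention, so it is a simulation rather than a trace of the real binary.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
/* Simulated 32-bit stack of 64 dwords growing toward lower addresses.
 * STACK_TOP is a constructed address, not one taken from the article. */
#define STACK_WORDS 64
#define STACK_TOP   0xbffff000u
typedef struct { uint32_t mem[STACK_WORDS]; uint32_t esp, ebp; } cpu_t;

static uint32_t *slot(cpu_t *c, uint32_t addr) {
    uint32_t idx = (addr - (STACK_TOP - 4u * STACK_WORDS)) / 4u;
    assert(idx < STACK_WORDS);                  /* bounds check on the model stack */
    return &c->mem[idx];
}
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; *slot(c, c->esp) = v; }
static uint32_t pop(cpu_t *c)  { uint32_t v = *slot(c, c->esp); c->esp += 4; return v; }
static uint32_t rd(cpu_t *c, uint32_t a) { return *slot(c, a); }
static void     cpu_init(cpu_t *c) { c->esp = STACK_TOP; c->ebp = STACK_TOP; }
/* Caller side from the listing: push $0x2; push $0x1; call func_A. The call
 * pushes 0x0804842c, the address of the add $0x8,%esp that follows it. */
static void do_call(cpu_t *c) { push(c, 2); push(c, 1); push(c, 0x0804842cu); }
/* Callee prologue: push %ebp; mov %esp,%ebp; sub $0x10,%esp. The body then
 * reads the arguments at 8(%ebp) / 12(%ebp) and stores var_A at -0x4(%ebp). */
static void prologue_and_body(cpu_t *c) {
    push(c, c->ebp);
    c->ebp = c->esp;
    c->esp -= 0x10;
    *slot(c, c->ebp - 4) = rd(c, c->ebp + 8) + rd(c, c->ebp + 12);
}
/* Epilogue: leave; ret; then the caller's add $0x8,%esp. Returns the popped EIP. */
static uint32_t epilogue_and_cleanup(cpu_t *c) {
    c->esp = c->ebp; c->ebp = pop(c);           /* leave: restore the caller's frame base */
    uint32_t eip = pop(c);                      /* ret: pop the saved return address */
    c->esp += 8;                                /* caller discards the two arguments */
    return eip;
}
static void setup(cpu_t *c) { cpu_init(c); do_call(c); prologue_and_body(c); }
/* Value at ebp+off inside func_A's live frame (off may be negative). */
static uint32_t frame_word(int32_t off) { cpu_t c; setup(&c); return rd(&c, c.ebp + (uint32_t)off); }
/* 1 if ret pops 0x0804842c and ESP is back at its pre-call value afterwards. */
static int round_trip_ok(void) {
    cpu_t c; setup(&c);
    return epilogue_and_cleanup(&c) == 0x0804842cu && c.esp == STACK_TOP;
}
int main(void) {
    printf("12(%%ebp)=%u 8(%%ebp)=%u 4(%%ebp)=%#x -4(%%ebp)=%u round_trip=%d\n",
           frame_word(12), frame_word(8), frame_word(4), frame_word(-4), round_trip_ok());
    return 0;
}
```

The offsets it reports (+12 and +8 for the arguments, +4 for the return address, 0 for the saved EBP, -4 for var_A) are exactly the EBP-relative positions the disassembly relies on.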
