Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to analyze and utilize the principle of stack overflow loopholes. The content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

0x01 preface

Like me, there are some computer majors who may code code all the time, but pay little attention to how the program is executed, and do not consider whether the code they write will have stack overflow loopholes. Let's take this opportunity to walk into the stack overflow.

How does the 0x02 program run

Before we understand the stack overflow, let's take a look at the program execution process.

The execution of a program can be regarded as a continuous function call. When a function is finished, the program goes back to the next instruction of the call instruction to continue execution, and the function call process is usually implemented using a stack

# include

# include

Int main (int argc, char * * argv) {

Test1 (1)

Test2 (2)

Test3 (3)

Return 0

}

Int test1 (int test1) {

Int a = 6

Printf ("1")

Return 1

}

Int test2 (int test2) {

Printf ("2")

Return 2

}

Int test3 (int test3) {

Printf ("3")

Return 3

}

Compile it into a 32-bit executable file and debug it in ollydbg. Let's take a closer look at the execution process.

Because the execution of the program can be seen as the execution of a function (as is the main function), we can pick one of them and set a breakpoint in the test1 () function

F7 single-step debugging the first step mov dword ptr ss: [esp], 0 × 1, pass parameters, concise and clear.

The second step, call mian.00401559, goes into test (). Here we pay attention to the esp and the top value of the stack, and press the address of the next instruction of this instruction into the stack. Since there is stack pressing, then there will be out of stack, which echoes with the retn instruction in the function.

The third step, push ebp, is to stack the value of ebp, so what is this ebp? What's the use?

EBP, called the extended base pointer register (extended base pointer), contains a pointer that points to the bottom of the top stack frame of the system stack and is used by the C runtime to access local variables and parameters in the stack. So the meaning of this step is to save the frame base pointer in the old stack frame so that the old stack frame can be restored when the function returns.

The fourth step, mov ebp,esp, puts the value of esp in ebp, and let's take a look at what is esp?

ESP (Extended Stack Pointer) is an extended stack pointer register, a kind of pointer register, which is used to store the top pointer of the function stack, pointing to the top of the stack (the top of the next activity record pushed into the stack), that is, it is constantly changing. The ebp just mentioned points to the bottom of the stack and remains unchanged during the internal execution of the function.

So let's take another look at the effect of this step:

From the third step, we can know that the value stored by esp is the frame base pointer in the old stack frame, while the ESP value stack top pointer changes all the time, so in order to recover after the end of the function, the ESP value (the address at the bottom of the outer function stack) is saved in the ebp at the bottom of this function stack. In short, take the value of the inner function ebp as the address, which stores the value of the ebp of the outer function. There is also a reverse instruction leave at the end of this step.

The fifth step is sub esp, 0 × 28, which opens up the local variable space of the function.

Then the sixth step mov dword ptr ss: [ebp-0xC], 0 × 6, gives the variable a space whose size is 0xC, and assigns a value.

Then the ascii code of the parameter character 1 is passed, and the printf function is called to put the return value into eax.

When we focus on the leave instruction, we can see that the value of ebp has been restored, and the value of esp has changed, which is equivalent to mov esp,ebp;pop ebp.

Finally, the retn instruction is executed, and when a function is executed, the values of esp and eip are changed, which is equivalent to pop eip, and the program continues to execute. EIP is an instruction register that holds the address of the next instruction of the current instruction. Which instruction should be executed by CPU is indicated by EIP.

0x03 stack overflow

After analyzing this process, I believe that everyone should be clear about how the function is executed, so let's get back to business and continue to talk about stack overflow. First of all, let's take a look at what a stack is.

The stack can be regarded as a funnel, the address at the bottom of the stack is large, the address at the top of the stack is small, and then it is stored from small to large in a storage unit. Its purpose is to give the program a convenient way to access the local data of a specific function. And transfer information from the function caller.

Stack overflow belongs to buffer overflow, which means that the number of bytes written by the program to a variable in the stack exceeds the number of bytes requested by the variable itself, resulting in a change in the value of the variable in the adjacent stack.

In addition, it is not difficult to find that the basic premise of stack overflow is that the program must write data to the stack, and the size of the data written is not well controlled. Cite an example to understand the stack overflow

# include

# include

Void success () {puts ("You Hava already controlled it.");}

Void vulnerable () {

Char s [12]

Gets (s)

Puts (s)

Return

}

Int main (int argc, char * * argv) {

Vulnerable ()

Return 0

}

Obviously, in accordance with the above two conditions, gets () becomes a breakthrough, and we break the point at the main function, run and debug.

Lea eax,dword ptr ss: [ebp-0x14] then open up a space for the variable, that is, s, as shown in the figure

What should we do if we want to execute the sucess () function?

After executing the vulnerable () function, the ebp is restored, the value of esp is changed (leave), then retn, that is, pop eip, and CPU continues to run according to the instructions pointed to by the eip pointer.

All we can catch is to control eip. How to control it? By controlling the value at the top of the stack, what is the value at the top of the stack? The value at the top of the stack is the address of the next instruction stored when entering the function. To mention here, to enter the function, you need to save two values: the address of the next command and the frame base pointer of the old EBP stack frame. Only in this way can you fully recover.

At this point, we can construct a payload to control where we want to control, the previous storage unit of the storage unit that stores the address value in the stack, that is, the storage unit of the EBP in the diagram.

Let's first try to see what happens when we enter 0 × 14 * 'A'+BBBB+0000.

Good, according to our expectation (python-c 'print "A" * 0 × 18 + p32 (0 × 00401520)'), we can achieve the effect of stack overflow.

On how to carry out stack overflow loophole principle analysis and utilization is shared here, I hope the above content can be of some help to everyone, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.