Shulou(Shulou.com)06/01 Report--

Principle and practice of stack overflow

This article has been posted to the "Defense Line".

In our lives, there are many loopholes, as you introduce below is the usual practice of stack overflow loopholes.

Next, we use a very simple example to give you an intuitive understanding of stack overflow vulnerabilities.

This is a simple password verification program, but the code is not tight, resulting in stack overflow vulnerabilities.

# include

# include

# define PASSWORD "1234567"

Int verify_password (char * password)

{

Intauthenticated

Charbuffer [8]; / / defines an array of 8 bytes to control the length of strings that do not overflow; (overflow occurs if this length is exceeded)

Authenticated=strcmp (password,PASSWORD)

Strcpy (buffer,password); / / this statement directly leads to overflow.

Returnauthenticated

}

Main ()

{

Intvalid_flag=0

Charpassword [1024]

While (1)

{

Printf ("Please enter password:")

Scanf ("% s", password)

Valid_flag=verify_password (password)

If (valid_flag)

{

Printf ("wrong password!\ n\ n")

}

Else

{

Printf ("Congratulations, you passed the verification!\ n")

Break

}

}

}

The specific operation is as follows:

Figure 1

However, if we enter such a password, it can also pass

Figure 2

So what is the reason for this?

Figure 3

This is what happens when the program runs on the stack.

Anyone who has studied the C language should know that the end of a string is marked with the string truncation null. In this program, we began to define the length of the char buffer array is 8, if you enter the password length is not equal to 8, then the function of this password verifier is perfect, but if your password length is 8, the harm of the stack overflow vulnerability will be revealed. The 'end flag of the 8 buffer string array with a password length of 8 overflows into the memory space of int authenticated and overwrites the original data.

Looking at the source code, it is not difficult to find that the value of the authenticated variable comes from the return value of the strcmp function, and then it will be returned to the main function as a variable indicating whether the password verification is successful or not: when authenticated is 0, the verification is successful, otherwise, the verification is not successful.

Just talking doesn't work, let's use ollydbg to verify whether this is the case or not.

Figure 4

Here, we enter eight Qs.

Figure 5

Figure 6

In ASCII, 71 stands for Q.

In figure 6, we can clearly see that the eight Qs fill up the buffer array, and the string truncator overflows to 0018FB4C (that is, the location of the original authenticated).

The specific changes to the stack are as follows:

Through the above explanation, I think you have a preliminary understanding of stack overflow. The stack overflow vulnerability described here looks simple, but in fact, stack overflow is one of the most common memory errors, and it is also the most powerful and classic exploit method used in the system.

Note:

1. When observing memory, we should pay attention to the difference between memory data and numerical data. Computers do not store data in the way we usually remember. In the debug environment, memory has a low-to-high distribution, but it is interpreted from high-order bytes to low-order bytes in numerical applications.

2. When entering a password, if the string you enter is smaller than the original defined password, you cannot break through the verification program.

3. This experiment is done in win7 64-bit environment. In other environments, the principle of stack overflow is the same, but the memory address is different.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.