Buffer overflow Attack-introductory example principle analysis

Source: Internet
Author: User

Having run the basic test program in the previous section, we now analyze the principle behind it.

The material in this post is again based mainly on http://blog.csdn.net/linyt/article/details/43315429


First, some background reading:

Assembly quick start (32-bit): http://www.cnblogs.com/YukiJohnson/archive/2012/10/27/2741836.html

Program memory layout: http://blog.csdn.net/ljianhui/article/details/21666327

Function frame structure

In high-level languages such as C and C++, every function call corresponds to a stack frame. Before a function is called, the caller pushes data (the arguments and the return address) onto the stack; when control jumps to the callee, the callee first sets up its own frame, and when its computation is complete it tears that frame down and restores the caller's frame.

The most important part (described in more detail in the assembly quick start linked above) is how the program's stack changes when a function is called, as shown in the figure.

For the following code:

#include <stdio.h>

/* callee: its frame holds the saved EBP and any locals */
void f(int a, int b)
{
    printf("%d\n", a + b);
}

/* caller: pushes b, then a, then the return address */
int main(void)
{
    int a = 1;
    int b = 1;
    f(a, b);
    return 0;
}

Its stack layout is shown in the figure. Note that this describes a 32-bit program (4-byte slots, EBP/ESP/EIP registers).

1) Before calling f, main pushes f's arguments onto the stack (with the cdecl convention used here, right to left, so b is pushed before a);

2) The call instruction then pushes the return address, i.e. the address of the instruction in main that follows the call. This is the value EIP will be loaded with when f returns;

3) On entry, f first pushes the current EBP (main's frame pointer) onto the stack, then executes mov ebp, esp (Intel syntax; movl %esp, %ebp in AT&T syntax) so that EBP points at the current stack top, and then builds its own frame relative to EBP, typically by subtracting from ESP to reserve space for its local variables.

The frame holds the current function's local variables (in the sample attack program of the previous section, the buffer that gets overflowed). Because the stack grows toward lower addresses, the local buffer sits below the saved EBP, and the saved EBP sits directly below the saved return address at [ebp + 4].

4) When f finishes, its epilogue restores ESP from EBP (mov esp, ebp), pops the saved EBP back into the EBP register, and then ret pops the saved return address into EIP. Execution continues in main at whatever address EIP now holds; the CPU has no way of knowing whether that value is still the one the call instruction pushed.

Stack structure of the sample program

The stack layout at the moment main in the stack1 program of the previous section calls f is shown in the figure:

After the input data is copied into buf, the stack looks as follows:

When the copied data runs past the end of buf, it overwrites the saved EBP and then the slot that held the original return address (the saved EIP). Once 0xffffd710 sits in that slot, f's ret instruction pops 0xffffd710 into EIP on return, and the CPU fetches and executes whatever bytes lie at that address as the next instruction.
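The four steps above and the stack1 overflow just described, as an added worked example (this is not code from the original page or from the referenced linyt blog). It models the 32-bit frame byte for byte in an ordinary array: main's frame, the pushed arguments, the return address pushed by call, f's push ebp / mov ebp, esp / sub esp prologue, an unchecked copy into a 16-byte local buffer, and the leave / ret epilogue. Every address in it (the top of the modeled stack, the addresses of f and of main's return point) and the 16-byte buffer size are assumptions chosen for illustration; only the target value 0xffffd710 is taken from the text. Because the stack is simulated, the "overflow" never corrupts the real process, and the value ret loads into EIP can be inspected directly.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a byte-accurate model of the 32-bit stack frame described in
 * the text. All addresses and the buffer size are assumptions for illustration. */
#define STACK_BYTES 256u
#define STACK_TOP   0xffffd800u             /* first address above the modeled stack (assumed) */
#define STACK_LOW   (STACK_TOP - STACK_BYTES)
#define BUF_SIZE    16u                     /* f's local buffer: char buf[16] (assumed) */
#define F_ENTRY     0x08048440u             /* assumed address of f */
#define MAIN_RET    0x080484d2u             /* assumed address of the instruction after "call f" */

typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint32_t esp, ebp, eip;
} cpu_t;

typedef struct {
    uint32_t eip_after_ret;   /* value ret popped into EIP */
    uint32_t ebp_after_ret;   /* value pop ebp restored */
    uint32_t buf_addr;        /* address of buf[0] in f's frame */
    uint32_t ret_slot_addr;   /* address of the saved return address */
} frame_result_t;

/* Translate a modeled address to a byte of the array; abort on anything outside it. */
static uint8_t *at(cpu_t *c, uint32_t addr) {
    if (addr < STACK_LOW || addr >= STACK_TOP) {
        fprintf(stderr, "access outside modeled stack: %#" PRIx32 "\n", addr);
        abort();
    }
    return &c->mem[addr - STACK_LOW];
}
/* x86 stores dwords little-endian; assemble and split the bytes explicitly. */
static uint32_t rd32(cpu_t *c, uint32_t addr) {
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | *at(c, addr + (uint32_t)i);
    return v;
}
static void wr32(cpu_t *c, uint32_t addr, uint32_t v) {
    for (int i = 0; i < 4; i++) *at(c, addr + (uint32_t)i) = (uint8_t)(v >> (8 * i));
}
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* main calls f(a, b); f copies `payload` into buf[BUF_SIZE] with no length
 * check (the strcpy pattern) and returns. Reports what ret actually loaded. */
frame_result_t run_f(const uint8_t *payload, size_t len) {
    cpu_t c = {{0}, 0, 0, 0};
    frame_result_t r;

    /* main's frame: its saved EBP at the top, locals a and b just below */
    c.ebp = STACK_TOP - 4;
    c.esp = c.ebp - 8;
    wr32(&c, c.ebp - 4, 1);                 /* int a = 1 */
    wr32(&c, c.ebp - 8, 1);                 /* int b = 1 */

    push(&c, rd32(&c, c.ebp - 8));          /* 1) push b        (cdecl: right to left) */
    push(&c, rd32(&c, c.ebp - 4));          /*    push a */
    push(&c, MAIN_RET);                     /* 2) call f pushes the return address */
    c.eip = F_ENTRY;
    push(&c, c.ebp);                        /* 3) push ebp */
    c.ebp = c.esp;                          /*    mov ebp, esp */
    c.esp -= BUF_SIZE;                      /*    sub esp, 16: room for buf */
    r.buf_addr = c.esp;                     /*    buf is at [ebp - BUF_SIZE] */
    r.ret_slot_addr = c.ebp + 4;            /*    saved return address is at [ebp + 4] */

    /* the bug: every payload byte is copied, walking up past buf when len > BUF_SIZE */
    for (size_t i = 0; i < len; i++)
        *at(&c, r.buf_addr + (uint32_t)i) = payload[i];

    c.esp = c.ebp;                          /* 4) leave: mov esp, ebp */
    c.ebp = pop(&c);                        /*    pop ebp */
    c.eip = pop(&c);                        /*    ret: pop eip */
    r.ebp_after_ret = c.ebp;
    r.eip_after_ret = c.eip;
    return r;
}

/* Payload in the shape the text describes: fill buf, clobber the saved EBP,
 * then lay new_ret (little-endian) over the saved return address. */
size_t build_payload(uint8_t *out, size_t cap, uint32_t new_ret) {
    size_t n = BUF_SIZE + 4 + 4;
    if (cap < n) return 0;
    memset(out, 'A', BUF_SIZE);
    memset(out + BUF_SIZE, 'B', 4);
    for (int i = 0; i < 4; i++) out[BUF_SIZE + 4 + i] = (uint8_t)(new_ret >> (8 * i));
    return n;
}

/* Run f with an overflow aimed at new_ret and report where ret went. */
frame_result_t run_overflow(uint32_t new_ret) {
    uint8_t p[64];
    size_t n = build_payload(p, sizeof p, new_ret);
    return run_f(p, n);
}

int main(void) {
    frame_result_t ok = run_f((const uint8_t *)"hello", 5);
    printf("buf at %#" PRIx32 ", saved EIP at %#" PRIx32 " (%" PRIu32 " bytes apart)\n",
           ok.buf_addr, ok.ret_slot_addr, ok.ret_slot_addr - ok.buf_addr);
    printf("benign copy: ret -> EIP = %#" PRIx32 "\n", ok.eip_after_ret);
    printf("overflow   : ret -> EIP = %#" PRIx32 "\n", run_overflow(0xffffd710u).eip_after_ret);
    return 0;
}
```

With a 5-byte input f returns to MAIN_RET as the call instruction intended; with the 24-byte payload the 16 bytes of buf, the 4-byte saved EBP and the 4-byte saved return address are overwritten in turn, and ret loads 0xffffd710. The distance from buf[0] to the saved return address (20 bytes here) is exactly what an attacker has to measure on the real binary, which is what the gdb session in the previous section was doing.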

Summary

This section has described the principle of a buffer overflow attack: overwriting the saved return address (EIP) on the stack so that, when the vulnerable function returns, execution continues at an address of the attacker's choosing.

Reference:

http://blog.csdn.net/linyt/article/details/43315429
