| 1 | [Bobo] $ cat gotover. c |
| 2 | # Include <stdio. h> |
| 3 | # Include <string. h> |
| 4 | |
| 5 | IntEvil_code (Char* S) |
| 6 | { |
| 7 | Printf ("Hi, I am here! /N "); |
| 8 | Return 0; |
| 9 | } |
| 10 | |
| 11 | IntMain (IntArgc,Char* Argv []) |
| 12 | { |
| 13 | LongADDR = *(Long*)((Long) Strlen +2); |
| 14 | |
| 15 | *(Long*) ADDR = (Long) Evil_code; |
| 16 | |
| 17 | IntLen = strlen (argv [0]); |
| 18 | |
| 19 | Printf ("Len = [% d]/n", Len ); |
| 20 | |
| 21 | Return 0; |
| 22 | } |
| 23 | |
| 24 | [Bobo] $ GCC gotover. C-o gotover |
| 25 | [Bobo] $./gotover |
| 26 | Hi, I am here! |
| 27 | Len = [0] |
After reading this post, I understood the above program and directly modified the stack content.
For details, refer to the dynamic library symbol parsing process written by alert7.
This is probably the case:
For 32-bit x86 systems, calling functions in the dynamic library, such as printf (), is actually a small piece of code in PLT. this small piece of code is as follows:
Address + 0: JMP * 0 XXXXXXXXX
Address + 6: Push a constant
JMP 0 xyyyyyyyy
When printf is called for the first time, the value in address 0xxxxxxxxx is address + 6, that is, JMP jumps to address + 6 for the first time, and then the next JMP performs ID parsing, then, write the address of the real printf function in 0xxxxxxxxx, and then directly jump to the printf function when you call printf.
The code above is the address of the evil_code () function put in 0xxxxxxxxx. Address + 0: JMP * 0 XXXXXXXXX occupies 6 bytes. The first two are operation codes, followed by addresses, so there is "+ 2" in the code"
The following is an example of a better understanding of the stack structure after running the post:
[S @ fedora-1 test] $ cat test1.c
# Include
Int gi = 1;
F (char * FMT, int * P, int V)
{
Int I;
For (I = 0; I <8; I ++ ){
Printf ("% d % P/N", I, & I + I, * (& I + I ));
}
Printf ("P = % p v = % d/N", P, V );
Return;
For (I = 0; I <256; I ++ ){
Printf ("ADDR = % P value = % d/N", & GI, Gi );
}
}
Main ()
{
F ("FMT", & GI, Gi );
}
[S @ fedora-1 test] $./A. Out
0 0xbf8daf24 (nil)
1 0xbf8daf28 0xbf8daf48
2 0xbf8daf2c 0x8048469
3 0xbf8daf30 0x804855d
4 0xbf8daf34 0x80496d4
5 0xbf8daf38 0x1
6 0xbf8daf3c 0x80484a9
7 0xbf8daf40 0xa7add0
P = 0x80496d4 v = 1
If the partial array in the program overflows, the stack can be changed with unpredictable results. Print out the absurd information.
From: http://bbs.chinaunix.net/viewthread.php? Tid = 1652842 & extra = Page % 3d1% 26amp; filter % 3 ddigest & page = 6
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
