"0Day" stack Overflow vulnerability base-simple input vulnerability & Modify return function

Source: Internet
Author: User

Recently, again using fragments of spare time, I finished studying the second chapter. After the experiment succeeded, I was very happy! Hey.

The theory in the book can be read quickly, but some problems come up in actual practice. A short summary is shared below.

If you build the vulnerable code yourself and compile it with Visual Studio, the Debug build reports the overflow as a runtime error, while the Release build optimizes the code in a way that removes the overflow altogether.



It seems that the techniques of several years ago are now thoroughly protected against. So it is a dead end to learn only the technique; one has to learn the ideas behind it.

0x00 Stack Fundamentals

After a call instruction has executed, the stack looks like this.


After the call, the previous stack frame's EBP is saved on the stack. At this point:

For example, take the function int f(int a, int b) { int abc = 5; return abc; }

In the assembly, a function's local variables and incoming parameters are accessed through addresses relative to EBP.

[b] corresponds to param1 in the figure; its address is ebp+c.

[a] corresponds to param2; its address is ebp+8.

The address of the instruction to resume at after f returns is [return addr], located at ebp+4.

Declared local variables are placed at decreasing addresses below EBP:

the local variable [abc] corresponds to local pa1 in the figure, at address ebp-4, and so on.

ESP is the stack-top pointer; it is mainly used when parameters are pushed during a function call.


The purpose of constructing this vulnerability is to use the overflow behaviour of a copy function inside a function to change local pa1 and return addr to the values we want.

0x01 Simple Input Vulnerability

The code constructed with the vulnerability is as follows:

```c
/* Notes:
   1. Find where aut and buffer are stored. In this example: aut = [esp-c], buffer = [esp-14].
   2. View the stack and follow it in the data window.
   3. Construct the corresponding overflow input according to the specific situation. */
#include <string.h>
#include <stdio.h>

#define PASSWORD "123456"

int authen(char *password)
{
    int aut;
    char buffer[8];             /* added so that it can be overflowed!! */
    aut = strcmp(password, PASSWORD);
    strcpy(buffer, password);   /* overflow! */
    return aut;
}

int main(void)
{
    char password[1024];
    while (1) {
        printf("Please input the password:           ");
        scanf("%s", password);
        /* input less than 123456: aut is 00000001 and is overwritten to 00000000;
           conversely aut is ffffffff and is overwritten to ffffff00 */
        if (authen(password)) {
            printf("No! You should try again!\n");
        } else {
            printf("Yes! You did it!\n");
            break;
        }
    }
    getchar();
    getchar();
    return 0;
}
```

Exploiting this code comes down to two questions: Is there a buffer that can overflow? Is there a path that lets input data fill that buffer?

In this code those two are the buffer array and the strcpy call. Our goal is to fill buffer with data so that the adjacent variable aut becomes 0; 0 means the password check succeeds.

Stack prior to overflow:


After the overflow, the low byte of aut has been overwritten to 0, which means the strings compare as equal and the check succeeds:



In this case the password entered has to be less than the true password, so the comparison yields a positive 1. Conversely, if it is greater than the true password, the result is -1, whose two's complement representation is FFFFFFFF. Ordinary keyboard input cannot produce the overflow correctly; file input has to be used.
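The root cause in the listing above is that the untrusted input is copied into an 8-byte buffer with no length check, after the comparison result has already been stored next to it. The following is an added example, not code from the page or the book it follows, showing the hardened counterpart of authen(): the input length is validated against the buffer size before any copy, and over-long input is rejected rather than silently truncated. The names authen_safe and the AUTH_* return codes are my own; the password constant and the 8-byte buffer are the page's.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD "123456"

/* Return codes: 0 means the password matched, the same convention as the page's authen(). */
#define AUTH_OK       0
#define AUTH_MISMATCH 1
#define AUTH_TOO_LONG 2

/* Hardened counterpart of the page's authen() (hypothetical name). The length of the
   untrusted input is checked against the buffer size *before* anything is copied, so the
   copy can never spill into the adjacent aut variable or the saved EBP / return address. */
int authen_safe(const char *password)
{
    int aut;
    char buffer[8];
    size_t len = strlen(password);

    /* Reject instead of truncating: a silently truncated copy would hide the fact that
       someone supplied more bytes than any legitimate password could have. */
    if (len >= sizeof buffer)
        return AUTH_TOO_LONG;

    memcpy(buffer, password, len + 1);   /* bounded: at most sizeof buffer bytes */
    aut = (strcmp(buffer, PASSWORD) == 0) ? AUTH_OK : AUTH_MISMATCH;
    return aut;
}

int main(void)
{
    char line[1024];
    printf("Please input the password: ");
    if (!fgets(line, sizeof line, stdin))   /* bounded read, unlike scanf("%s") */
        return 1;
    line[strcspn(line, "\r\n")] = '\0';     /* drop the newline fgets keeps */
    int r = authen_safe(line);
    if (r == AUTH_OK)
        printf("Yes! You did it!\n");
    else if (r == AUTH_TOO_LONG)
        printf("No! Input longer than the password buffer was rejected.\n");
    else
        printf("No! You should try again!\n");
    return r;
}
```

Two details matter here. First, the result of the comparison is normalized to 0 or 1, so even if some other memory corruption clobbered aut, a stray nonzero byte pattern would not be mistaken for anything meaningful. Second, the fgets bound in main closes the other hole: the page's scanf("%s") into a 1024-byte array is itself an unbounded copy. Compiler stack protection (GCC/Clang -fstack-protector, MSVC /GS, which is the kind of runtime check the author saw in the Debug build) is worth enabling as well, but it only detects the overwrite after the fact; the length check prevents it.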


0x02 Modifying the Function Return Address

Construct the vulnerable code:

```c
/* Note: */
#include <string.h>
#include <stdio.h>

#define PASSWORD "123456"

int authen(char *password)
{
    int aut;
    char buffer[8];             /* added so that it can be overflowed!! */
    aut = strcmp(password, PASSWORD);
    strcpy(buffer, password);   /* overflow! */
    return aut;
}

int main(void)
{
    char password[1024];
    FILE *fp;
    /* get the password by reading the file ("r" replaces the invalid fopen mode "rw+") */
    if (!(fp = fopen("Password.txt", "r")))
        return 0;
    fscanf(fp, "%s", password);
    if (authen(password)) {
        printf("No! You should try again!\n");
    } else {
        printf("Yes! You did it!\n");
    }
    fclose(fp);
    getchar();
    getchar();
    return 0;
}
```

Because an address such as 0x00401467 consists of special bytes that are hard to type by hand, the input is taken from a file. This construction is purely to understand the principle of the vulnerability.

You also need to find the location of the buffer, together with the location of the return address.

First determine the address to jump to. Here we jump directly to the point after the function returns where the success message is printed: [0x00401467]


Then, knowing the stack layout, we pin down the exact location in which to place our address.


Each line in the memory window is four characters. The six lines before the return address, 24 characters in total, are filled with padding, and the four characters after them hold the return address. That is where we write our address.

The exploit file is constructed like this:


Then run it again. The return address has been replaced with ours.

The execution succeeds!
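The second listing reads the password from Password.txt with fscanf("%s") and hands it straight to the overflowing copy; the only reason file input was needed at all is that the raw address bytes cannot be typed. The defender's corollary is that a file is just another untrusted input channel and needs the same validation as the keyboard. The following is an added example, not code from the page, of a reader that enforces a hard size cap, rejects rather than truncates over-long lines, and refuses non-printable bytes before the value reaches any fixed-size buffer. The limit MAX_PASSWORD_LEN, the LOAD_* codes and the function names are my own assumptions; the file name is the page's.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Longest password this program accepts (a constructed limit for the example; it must be
   smaller than every buffer the value is later copied into, such as the page's char[8]). */
#define MAX_PASSWORD_LEN 7

/* Result codes for the loader (hypothetical names). */
#define LOAD_OK        0
#define LOAD_TOO_LONG -1
#define LOAD_BAD_BYTE -2
#define LOAD_EMPTY    -3
#define LOAD_NO_FILE  -4

/* Validate one line of untrusted file content and copy it into out (capacity outcap).
   Works on raw bytes so that a NUL or other non-printable byte inside the line, which
   fscanf("%s") would silently stop at or pass through, is caught explicitly. */
int load_password_bytes(const unsigned char *raw, size_t rawlen, char *out, size_t outcap)
{
    size_t n = 0;

    /* The candidate ends at the first CR or LF; everything before it is examined. */
    while (n < rawlen && raw[n] != '\n' && raw[n] != '\r')
        n++;

    if (n == 0)
        return LOAD_EMPTY;
    /* Reject, never truncate: oversize input is exactly what an overflow attempt looks like. */
    if (n > MAX_PASSWORD_LEN || n + 1 > outcap)
        return LOAD_TOO_LONG;
    /* A password is printable text; raw machine-address bytes such as 0x00 are not. */
    for (size_t i = 0; i < n; i++)
        if (!isprint(raw[i]))
            return LOAD_BAD_BYTE;

    memcpy(out, raw, n);
    out[n] = '\0';
    return LOAD_OK;
}

/* Read the beginning of the named file with a hard cap, then validate the first line. */
int load_password_file(const char *path, char *out, size_t outcap)
{
    unsigned char raw[256];
    FILE *fp = fopen(path, "rb");
    if (!fp)
        return LOAD_NO_FILE;
    size_t got = fread(raw, 1, sizeof raw, fp);   /* bounded: never more than 256 bytes */
    fclose(fp);
    return load_password_bytes(raw, got, out, outcap);
}

int main(void)
{
    char password[MAX_PASSWORD_LEN + 1];
    int r = load_password_file("Password.txt", password, sizeof password);
    if (r != LOAD_OK) {
        printf("Rejected password file (code %d)\n", r);
        return 1;
    }
    printf("Loaded a well-formed password of %zu characters\n", strlen(password));
    return 0;
}
```

The 24-byte padding plus 4-byte address layout described above fails both checks here: it is longer than MAX_PASSWORD_LEN and it contains a 0x00 byte. The loader's own rejection codes also give the program something to log, which is the first detection signal a defender gets from an attempt like this.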


After finishing, I still feel a sense of accomplishment.

A preliminary study of vulnerability theory.


What follows are exploits that inject their own code, but those methods are not generic: they depend on the operating system version, the compiler, and so on.


"0Day" stack Overflow vulnerability base-simple input vulnerability & Modify return function
