<< Stack Overflow >> Win32 platform Stack Overflow attack principle and practice (beginner)

Date: 2015/11/16 (Monday)

< Buffer overflow attack (Overflow) >

Buffer overflow is one of the attack techniques hackers use most often, and anyone who follows network security will not find the word "overflow" unfamiliar. When it comes to where this vulnerability originates and why it is so common, one person must be mentioned: the father of the digital computer, von Neumann, and his theoretical achievement, the famous "von Neumann architecture". From ENIAC to today's supercomputers, every machine without exception derives from this structure. In it, "instructions" and "data" are not stored separately, which gives rise to "instructions are data, and data can also be executed as instructions!".

In technical terms, EIP points to the memory location the CPU will execute next as an instruction; if what is there is not a valid instruction, execution goes wrong, as in Figure 1:

[Illegal instruction! EIP has been overwritten with 0x30303030]

Use a short C-program to illustrate the problem:

Figure 2

You can think of a buffer simply as an "array". The program uses two character arrays but performs no bounds check, and it crashes as soon as it runs: big[] is "copied" into small[], and the result is easy to imagine. The overlong data floods the memory beyond the array, and unpredictable results follow. The art of the buffer overflow attack lies in "turning the unpredictable consequences into the result we want!".

For more detailed information about "buffer overflow", please refer to online resources.

Next, we use a debugger to walk through what happens inside the program when it overflows.

To demonstrate more clearly that the overflow data is under our control, we rewrite a program with an overflow vulnerability (adapted from the password program in the previous blog post), as follows:

Buff_2.cpp

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PASSWORD "1234567"

int ypp(char *);

int main()
{
    char password[1024];
    int n = 0;
    FILE *fp;

    /* "r" is enough: the program only reads the file */
    if (!(fp = fopen("password.txt", "r")))
    {
        printf("Cannot open this file!\n");
        exit(0);
    }
    fscanf(fp, "%s", password);   /* unbounded read, as in the original */
    n = ypp(password);
    if (n)
        printf("error!\n");
    else
        printf("congratulation!\n");
    fclose(fp);
    return 0;
}

int ypp(char *password)
{
    int num;
    char buff[8];                 /* deliberately small: the artificially constructed stack overflow */

    num = strcmp(password, PASSWORD);
    strcpy(buff, password);       /* no bounds check: overlong input runs past buff into num, the saved EBP and the return address */
    return num;
}
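Before following the debugger walk-through, it is worth seeing what the same check looks like with the two unbounded copies removed. The block below is an added example, not the blog's code: ypp_safe() keeps the blog's 8-byte buffer and its 0 = match / nonzero = reject convention, but refuses any input that would not fit together with its terminator, and read_password() replaces the fscanf("%s") read, which would itself overflow password[1024] on a long line. check_file_body() and the file bodies it is fed are constructed test inputs, not the blog's password.txt.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD "1234567"
#define BUFF_SIZE 8          /* same 8-byte buffer as the blog's ypp() */
#define PW_CAP 1024          /* same capacity as the blog's password[1024] */

/* Hardened counterpart of the blog's ypp(): same buffer size and same
 * return convention (0 = match, nonzero = reject), but the length is
 * checked before anything is copied. Input that does not fit together
 * with its terminating '\0' is rejected with the distinct code 2, so it
 * can never reach num, the saved EBP or the return address above buff. */
int ypp_safe(const char *password)
{
    char buff[BUFF_SIZE];
    size_t len = strlen(password);

    if (len >= BUFF_SIZE)               /* 8 chars + '\0' needs 9 bytes: refuse */
        return 2;

    memcpy(buff, password, len + 1);    /* provably fits, terminator included */
    return strcmp(buff, PASSWORD) != 0; /* 0 on match, 1 on mismatch */
}

/* Bounded replacement for fscanf(fp, "%s", password): reads one line with
 * fgets, strips the newline, and returns 0 on success or -1 if the file was
 * empty or the line did not fit in cap bytes (a full buffer without a
 * newline is treated as "too long" rather than trusted). */
int read_password(FILE *fp, char *out, size_t cap)
{
    size_t n;

    if (!fgets(out, (int)cap, fp))
        return -1;
    n = strlen(out);
    if (n > 0 && out[n - 1] == '\n')
        out[n - 1] = '\0';
    else if (n == cap - 1)
        return -1;
    return 0;
}

/* Test helper: run a constructed file body through the same path the
 * blog's main() uses (open, read one token, check). Constructed input. */
int check_file_body(const char *body)
{
    char password[PW_CAP];
    FILE *fp = tmpfile();
    int rc;

    if (!fp)
        return -1;
    fputs(body, fp);
    rewind(fp);
    rc = read_password(fp, password, sizeof password);
    fclose(fp);
    if (rc != 0)
        return rc;
    return ypp_safe(password);
}

int main(void)
{
    printf("1234567  -> %d\n", check_file_body("1234567\n"));   /* accepted */
    printf("43214321 -> %d\n", check_file_body("43214321\n"));  /* rejected as overlong */
    return 0;
}
```

The length check is deliberately placed before strcmp(): in the blog's ypp() the comparison result num is computed first and then destroyed by the copy, so the order of the two operations is part of the bug, not just the missing bound.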

Note that the "password" is no longer typed in by hand but is read from a file.

That is, we need to create a new password.txt to hold the password.

Put the text file in the current directory and compile with VC6.0 (Debug build).

Figure 3

Ctrl+F5 to run

Figure 4

In the source, the "1234567" given by #define is the real password, so how can "43214321" pass the check???

It is time to talk about the concept of the "stack frame".

The stack is a "first in, last out" data structure. EBP points to the bottom of the stack (high address) and ESP to the top of the stack (low address); pushes and pops happen at the top. Calling a function requires a new piece of "stack space" for that function, and the function's return address and the passing of its arguments also go through the stack (which acts as a kind of broker).

The stack frame appears in OllyDbg in the following form:

Figure 5

Everything that needs saying is in the picture.

The current EBP = 0012FB20, so you can see exactly which entry in the stack frame is EBP (highlighted).

4 bytes above EBP (at the higher address), at 0012FB24, there is a very conspicuous hint: "RETURN to ...".

You may have guessed already: yes, this is the "return address", at 00401005.

Figure 6

Figure 7 (ypp() is what it jumps to)

Summarising Figure 5 gives the following diagram:

Figure 8

The 8-character password "43214321" saved in password.txt earlier fills buff exactly, and don't forget the terminating null ('\0').

As for the program's decision logic, strcmp() compares the real and the supplied password: if they are the same, num is set to 0; if they differ, it is 1.

In Figure 5 you can see that num at 0012FB1C is 00000000, so main naturally outputs "congratulation!".

*****************************************************************************

Now that you know the above, the overflow attack officially begins!

We already know that the overflow data changes the value of the local variable num adjacent to it;

The buffer is 8 bytes long;

The local variable num occupies 4 bytes;

The saved EBP of the previous stack frame occupies 4 bytes;

The return address is also 4 bytes.

This time we are going to flood more than num: num, the saved EBP, and the return address.

So we place 20 bytes of data in the password (8+4+4+4).
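The 8+4+4+4 count above, and the layout in Figure 8, can be checked without touching a real stack. The block below is an added example, not the blog's code: it models the ypp() frame as a 20-byte array in the order the blog gives (buff, num, saved EBP, return address), replays strcpy()'s copy into it, and reports which fields were reached. The starting values for num, the saved EBP and the return address are constructed placeholders, not the values from the blog's screenshots. frame_intact() is an added check in the spirit of a /GS stack cookie: it flags the frame when anything at or above the saved EBP was written.

```c
#include <stdint.h>
#include <inttypes.h>
#include <string.h>
#include <stdio.h>

/* Model of the ypp() stack frame from Figure 8, lowest address first:
 *   offset  0.. 7  buff[8]
 *   offset  8..11  num            (int, 4 bytes)
 *   offset 12..15  saved EBP      (4 bytes)
 *   offset 16..19  return address (4 bytes)
 * 8 + 4 + 4 + 4 = 20 bytes, the count the blog uses for password.txt. */
#define OFF_NUM    8
#define OFF_EBP   12
#define OFF_RET   16
#define FRAME_LEN 20

/* Constructed starting values: num = 1 (strcmp reported a mismatch);
 * the saved EBP and return address are placeholders, not the blog's. */
#define INIT_NUM 0x00000001u
#define INIT_EBP 0xAAAAAAAAu
#define INIT_RET 0xCCCCCCCCu

struct frame_result {
    uint32_t num, saved_ebp, ret;   /* field values after the copy */
    int num_hit, ebp_hit, ret_hit;  /* 1 if the copy wrote into that field */
};

static uint32_t le32_load(const uint8_t *p)   /* x86 is little-endian */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void le32_store(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Replay strcpy(buff, password) inside the modelled frame: the copy writes
 * strlen(password) + 1 bytes (the '\0' included) starting at buff and keeps
 * going upward into whatever follows. Bytes past the 20-byte model are
 * dropped. Nothing here touches the real stack. */
struct frame_result simulate_copy(const char *password)
{
    uint8_t frame[FRAME_LEN];
    size_t n = strlen(password) + 1;
    struct frame_result r;

    memset(frame, 0, sizeof frame);
    le32_store(frame + OFF_NUM, INIT_NUM);
    le32_store(frame + OFF_EBP, INIT_EBP);
    le32_store(frame + OFF_RET, INIT_RET);

    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame, password, n);   /* the unchecked copy, in the model */

    r.num       = le32_load(frame + OFF_NUM);
    r.saved_ebp = le32_load(frame + OFF_EBP);
    r.ret       = le32_load(frame + OFF_RET);
    r.num_hit   = n > OFF_NUM;
    r.ebp_hit   = n > OFF_EBP;
    r.ret_hit   = n > OFF_RET;
    return r;
}

/* /GS-style check: a cookie sits just below the saved EBP, so a copy that
 * reaches the saved EBP or the return address is caught before ret.
 * Returns 1 when the return path is intact. */
int frame_intact(const struct frame_result *r)
{
    return !r->ebp_hit && !r->ret_hit;
}

int main(void)
{
    const char *inputs[] = { "1234567", "43214321", "43214321432143214321" };
    size_t i;
    for (i = 0; i < 3; i++) {
        struct frame_result r = simulate_copy(inputs[i]);
        printf("%-22s num=%08" PRIX32 " ebp=%08" PRIX32 " ret=%08" PRIX32 " intact=%d\n",
               inputs[i], r.num, r.saved_ebp, r.ret, frame_intact(&r));
    }
    return 0;
}
```

Two things the model makes visible. With "43214321" only the '\0' crosses into num, which is exactly why Figure 5 shows num as 00000000 and why a cookie below the saved EBP would not notice it: the one-byte overflow never reaches the cookie. With five groups of "4321" the return slot holds the bytes 34 33 32 31, read little-endian as 0x31323334, the EIP value in Figure 12.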

Step one: recreate password.txt, enter 5 groups of "4321", and save.

Figure 9

Step two: load the PE into OD for debugging.

Ctrl+G goes straight to main; place a breakpoint there.

Figure 10

Step three: step to <0040109f call buff_2.00401005>, then F7 to step into ypp().

You can keep single-stepping inside ypp() while watching the changes in the stack panel.

Or just press F9 to run: you will see the situation from the first picture.

Figure 11

Don't close OD; some data needs to be recorded.

In the stack panel, check the address now in EIP.

Figure 12

EIP has been rewritten to 0x31323334, and the program cannot continue!

Remember what we said earlier: "turn the unpredictable consequences into what we want"?

< This step is the key! >

We want EIP to point to a "correct address" again! This is entirely possible!

This "correct address" could be 0x004010c5, as shown in the figure below.

Make EIP point to this instruction, the call to printf that directly outputs "congratulation!".

We need to rewrite password.txt. Note: the memory address is a hexadecimal number and cannot be typed in from the keyboard!

Below we use the hex editor UltraEdit to edit the text file in hexadecimal.

Modify only the last 4 bytes.

Figure 14

Figure 15

Change the last four bytes of data to 004010c5, entered in reverse order!!! (i.e. C5 comes first)

Ctrl+S to save

Figure 16

Re-open password.txt

Figure 17

This is nearly the end.

Strictly speaking, the "password" file we edited is not shellcode.

The next part, however, will explain how to lay out "executable code" in the buffer.

、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、

Double-click the EXE file and you will see the successful "congratulation!"

Because the stack is unbalanced, the program crashes after printing the string!

Figure 18

The beginner part ends here!

The intermediate and advanced parts, to be continued.....

END.

Ypp - 2015/11/16, 23:42
