Stack Overflow technology from entry to advanced: Stack Overflow in windows (1)

Stack Overflow in windows-principles

Let's take a look at the programs in windows. We aim to study how to exploit the stack overflow vulnerability of windows programs. Let's start from scratch.

Related Recommendations]:

Stack Overflow technology from entry to entry: How to Write shell code

Stack Overflow technology from entry to entry: Using stack overflow to obtain shell

Windows 98 Second Edition

First, let's write a problem program:

# Include <stdio. h>

Int main ()

{

Char name [32];

Gets (name );

For (int I = 0; I <32 & name [I]; I ++)

Printf ("// 0x % x", name [I]);

}

As you can see, gets (name) does not perform a boundary check on the name array. Then we can give the program a long string and certainly overwrite the return address in the stack.

C:/Program Files/DevStudio/MyProjects/bo/Debug> vunera ~ 1

Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Aaa

/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0 x

X61/0x61

/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0x61/0 x

X61/0x61

Here, the familiar dialog box "this program has performed illegal operations..." appears ...", Great. Click the details button to see that the EIP value is 0x61616161. Haha, the return address will be displayed in the dialog box. This function is very good. We can select a sequence input string to precisely determine the offset location for storing the returned address.

C:/Program Files/DevStudio/MyProjects/bo/Debug> vunera ~ 1

12345678910111213141516171819202122232425262728293031323334353637383940

/0x31/0x32/0x33/0x34/0x35/0x36/0x37/0x38/0x39/0x31/0x30/0x31/0x31/0x31/0 x

X32/0x31

/0x33/0x31/0x34/0x31/0x35/0x31/0x36/0x31/0x37/0x31/0x38/0x31/0x39/0x32/0 x

X30/0x32

Here, the familiar dialog box "modifying the program has performed illegal operations..." appears ...", Click the details button. The details are as follows:

VUNERABLE module in 00de: 32363235

<Unknown> leading to invalid page error.

Registers:

EAX = 00000005 CS = 017f EIP = 32363235 EFLGS = 00000246

EBX = 00540000 SS = 0187 ESP = 0064fe00 EBP = 32343233

ECX = 00000020 DS = 0187 ESI = 816 bffcc FS = 11df

EDX = 00411a68 ES = 0187 EDI = 00000000 GS = 0000

Bytes at CS: EIP:

Stack dump:

32383237 33303339 33323331 33343333 33363335 33383337 c0000005

0064ff68

0064fe0c 0064fc30 0064ff68 004046f4 0040f088 00000000 0064ff78

Bff8b86c

Oh, the content of the EIP is 0x32363235, that is, 2625, and the content of the EBP is 0x32343233, that is, 2423. In the stack, the offset starting from the name variable address is 36, which is the EBP address, and the offset starting from the name variable address is 40, which is the ret address. We can enter the shellcode we carefully compiled for the name array. We only need to place the start address of name in the address 40 of the overflow string. What is the start address of name? Through the stack dump above, we can see that the current ESP point to the address 0x0064fe00, the content is 0x32383237, then the calculation result is that the start address of name is: 0x0064fe00-44 = 0x64fdd4. In windows, other running processes remain unchanged. Every time we run vunera ~ The starting address of stack 1 is the same. That is to say, the name address for each run is 0x64fdd4. At this point, you must have discovered the following situation: in the win system, due to address conflict detection, register images and Stack Images when an error occurs, this allows us to precisely analyze the overflow offset address of the stack overflow vulnerability. This allows us to find the stack overflow vulnerability accurately and conveniently.

OK, everything is ready, only shellcode is needed.