How to use a buffer overflow bug to run hacker programs

Source: Internet
Author: User

Many people in IT have heard of buffer overflows, but how do you actually use a buffer overflow bug to run your own code? Here I will only introduce how to use a stack (static) buffer overflow to run hacker programs; I will not cover heap overflows, because their dynamic nature makes them much more involved. :)

Section 1: stack layout

When a program runs, every time it calls a function it sets aside space in memory to hold that function's local variables and parameters. The following snippet demonstrates the stack layout:

    void testcaller()
    {
        testmethod(1);
        int i = 0;
    }

    void testmethod(int p)
    {
        int L1 = 0;
        char L2 = '3';
    }

The program is very simple: two functions are defined, testcaller calls testmethod, and testmethod defines two local variables. The stack in memory looks roughly like this (an approximate model for 32-bit x86, higher addresses at the top; the CALL instruction pushes the return address, then testmethod itself saves the caller's EBP below it):

    |------------------------|
    |          ....          | <------ testcaller's stack frame
    |------------------------|
    |           1            | <------ value of parameter p passed by testcaller to testmethod
    |------------------------|
    |  function return addr  | <------ where execution resumes when testmethod finishes: the
    |                        |         statement after the CALL in testcaller, here int i = 0;
    |------------------------|
    |   EBP of testcaller    | <------ saved frame pointer; testmethod's EBP points here
    |------------------------|
    |           0            | <------ value of L1, testmethod's first local variable
    |------------------------|
    |          '3'           | <------ value of L2
    |------------------------|

Section 2: a poorly written program

Let's look at a poorly written program:

    void badfunc(char *input)
    {
        if (input == NULL) return;   // hmm, at least a bad-input check
        char local[20];
        strcpy(local, input);        // copy the data input points at into local
    }

Many people know why this program is poorly written: what if input points at a string longer than 20 characters? Let's first try badfunc("12345678901234567890AAAAAAAAAAAAAAAAAAAAAAA") under the debugger and run the program. An error dialog pops up in VS (sorry, I don't have C++ Builder here; all programs were debugged in VS 2005, and VS 6.0 and VS 2003 may need slightly different input-string lengths). The dialog reads: Unhandled exception at 0x41414141 in bufferoverflow.exe: 0xC0000005: Access violation reading location 0x41414141. Note: the ASCII code of the character 'A' is 0x41. Stepping through with the debugger, you will find that the error dialog appears right after badfunc finishes executing.
The message "access violation reading location" means that after badfunc ran, the CPU tried to read from address 0x41414141. Open the memory window (VS 2005: Debug -> Windows -> Memory -> Memory 1), type EBP into the address box and press Enter, then right-click and choose 4-byte display. In the upper left of the memory window you will see a run of 0x41414141 (MSN Spaces cannot show a screenshot here, which is really annoying), and the ASCII column on the right likewise shows a long string of AAAA. Nearby you will also find badfunc's parameter 12345678901234567890AAAAAAAAAAAAAAAAAAAAAAA. As drawn in Section 1, the function's return address sits just above the saved EBP. The VS dialog tells us that this return address has been overwritten by our junk data (the run of A's). When badfunc returns, the CPU pops the return address stored above the saved EBP as usual and jumps to it to continue execution. Because that address is now 0x41414141 ("AAAA"), the CPU tries to fetch an instruction from 0x41414141, but that is not a valid memory address (heaven knows what is there), so an access violation (AV) is raised. This gives us a chance to change the program's execution path: just overwrite badfunc's return address with an address of our choosing, pointing at instructions we have prepared in advance. Now a relatively simple case:

    #include <stdio.h>
    #include <string.h>

    void foo(const char *input)
    {
        char buf[10];
        strcpy(buf, input);     // no length check: the overflow runs over the saved EBP and return address above buf
    }

    void bar(void)
    {
        printf("Augh! I've been hacked!\n");
    }

    int main(int argc, char *argv[])
    {
        printf("Address of main = %p\n", main);
        printf("Address of foo = %p\n", foo);
        printf("Address of bar = %p\n", bar);   // 0x00411131 on the author's machine

        // On the author's VS 2005 build, 16 filler bytes cover buf and the saved EBP;
        // the next 3 bytes plus the string's terminating NUL overwrite the return address.
        foo("1234567890123456\xa0\x12\x41");

        return 0;
    }

In the above example you need to change the trailing \xa0\x12\x41 to the address of the bar function on your machine, written low byte first because x86 is little-endian; the string's terminating NUL supplies the high 0x00 byte, which is also why strcpy cannot deliver an address with a zero in any lower byte. Build the program with the /GS stack-protection switch turned off (VS 2005 enables it by default), otherwise the security cookie check aborts the program before foo returns. Run it and you will see that although main never calls bar, bar is executed anyway.
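The payload construction just described, made explicit, next to a hardened form of Section 2's badfunc. This is an added example (the editor's code, not code from the original post). It assumes the 32-bit little-endian layout from Section 1; the filler length of 16 and the target address 0x004112a0 are the post's VS 2005 values and are used here as constructed inputs, so both must be re-measured on any other compiler. The vulnerable badfunc is included only for comparison and is never called, so the program runs safely on any platform.

```c
/* Added example (editor's code, not from the original post). Assumes the
 * 32-bit little-endian x86 layout from Section 1; the filler length and
 * target address are the post's VS 2005 values, constructed for illustration.
 * badfunc() is kept only for comparison and is never called. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section 2's vulnerable routine: no bound on the copy. */
void badfunc(char *input)
{
    char local[20];
    if (input == NULL)
        return;
    strcpy(local, input);   /* bytes past local[19] land on the saved EBP and return address */
}

/* Hardened replacement: refuse input that does not fit, NUL included.
 * Returns 0 on success, -1 if a pointer is bad or the input is too long. */
int goodfunc(const char *input, char *out, size_t out_size)
{
    size_t len = 0;
    if (input == NULL || out == NULL || out_size == 0)
        return -1;
    while (len < out_size && input[len] != '\0')   /* bounded scan: never reads past out_size */
        len++;
    if (len == out_size)                           /* no room for the terminator */
        return -1;
    memcpy(out, input, len + 1);
    return 0;
}

/* strcpy() stops at the first 0x00 byte, so only the most significant byte of
 * the target address (written last on a little-endian machine) may be zero:
 * the string's own terminator supplies it. Returns 1 if the address survives strcpy(). */
int address_copyable(uint32_t target)
{
    int i;
    for (i = 0; i < 3; i++)
        if (((target >> (8 * i)) & 0xffu) == 0)
            return 0;
    return 1;
}

/* Build the string Section 3 passes to foo(): `filler` bytes of the digit
 * pattern "1234567890..." that reach the saved return address, then the target
 * address low byte first. Returns the strlen() of the result, or -1 on error. */
int build_payload(char *out, size_t out_size, size_t filler, uint32_t target)
{
    size_t n, i;
    if (out == NULL || !address_copyable(target) || out_size < filler + 5)
        return -1;
    for (i = 0; i < filler; i++)
        out[i] = "1234567890"[i % 10];         /* distinct digits: easy to spot in the memory window */
    n = filler;
    for (i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((target >> (8 * i)) & 0xffu);
        if (b == 0)                            /* zero high byte: the terminator supplies it */
            break;
        out[n++] = (char)b;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char payload[32], dst[20];
    int i, len = build_payload(payload, sizeof payload, 16, 0x004112a0u);
    printf("payload (%d bytes):", len);
    for (i = 0; i < len; i++)
        printf(" %02x", (unsigned char)payload[i]);
    printf("\n");
    printf("goodfunc on Section 2's input: %d\n",
           goodfunc("12345678901234567890AAAAAAAAAAAAAAAAAAAAAAA", dst, sizeof dst));
    return 0;
}
```

Running it prints the 19 payload bytes (16 digits followed by a0 12 41) and -1 for goodfunc on the 43-character input that crashed badfunc; an address such as 0x00410000, with a zero in a low byte, is rejected by build_payload because strcpy would truncate it.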

The above example only calls a function that already exists in the program. You still have no way to run code you wrote yourself; for example, you cannot import your own DLL into the program you want to hack. So something more is needed to make badfunc execute your own code. Haha, next time.
