Preliminary understanding of Stack Overflow Vulnerability

Preliminary understanding of Stack Overflow Vulnerability

1. What is stack?

Stack is a mechanism that computers use to pass parameters to functions. It can also be used to place local function variables. The return address of the function, it aims to give the program a convenient way to access the local data of a specific function and transmit information from the function caller. The stack acts like a buffer, saving all the information required by the function. The stack is generated at the beginning of the function and released at the end of the function. The stack is generally static, which means that once a stack is created at the beginning of the function, the stack cannot be changed. The data stored in the stack can be changed, but the stack itself cannot be changed.

2. There are two types of buffer overflow: Stack Overflow and stack overflow.

3. How to Find the stack?

EIP: Extended command pointer. When calling a function, this pointer is stored in the stack for later use. When the function returns, the stored address is used to determine the address of the next command to be executed.

ESP: Extended Stack pointer. This register points to the current position of the stack and allows you to add and remove stack content by using push and pop operations or direct pointer operations.

EBP: extended base pointer. This register remains unchanged during function execution. It is used as a static pointer and is used only for basic stack information. For example, data and variables of functions with offsets are used. This pointer usually points to the bottom of the function stack.

4. Handling through practice

First, we will demonstrate the formation of the stack: the following code;

#includeint main(){    _asm   {        push 0x12345678        pop eax   }}

We can debug in VC ++ 6.0 to observe the status changes of esp, eip, and ebp;


 
When we follow up on F11, we will find that the top pointer of the esp stack will follow the changes, because we have pressed the four bytes of data such as 12345678 to the stack, and the pointer will be reduced by four bytes.


 
When we pop, we will find that the top pointer of the stack has become the original one. This tells us that the top pointer of the stack becomes smaller when the middle-pressure data of the stack is used, and the top pointer of the stack increases when the stack pops up. That is, the stack base address is higher than the stack top address.

Next, we will demonstrate the call process of the function stack.


 
The ebp and esp are both worthwhile when they are not included in the overflow function. It indicates that the main function has stack implementation. Let's look at the implementation of the specific stack in disassembly. F11 will jump to the function overflow by taking one step.


 
At this time, we will run F11 in a single step.

00401020   push        ebp00401021   mov         ebp,esp00401023   sub         esp,44h00401026   push        ebx00401027   push        esi00401028   push        edi00401029   lea         edi,[ebp-44h]0040102C   mov         ecx,11h00401031   mov         eax,0CCCCCCCCh00401036   rep stos    dword ptr [edi]5:        int our=0;00401038   mov         dword ptr [ebp-4],06:        return;

We will see the above Code. At this time, we will further analyze it. First, it presses the ebp pointer into the stack and gives the address pointed to by the current esp to ebp. At this time, the esp is reduced by 44 h, at this time, a new stack space with a length of 44h is opened in the stack. From our analysis we can find that the dwordptr [ebp-4], the local variable 0 is stored in the new stack space. Ebp-4 is much smaller than the size of 44h space. Local variables are stored in the stack.

Through this example, we can conclude that:

What is the data stored in the stack?

If the program needs to call a function, the computer will automatically push the command address that is executed after the function is returned to the stack, and wait until the function is called and then extract it from the stack.

Cause of overflow?

Because the address that is first put into the stack is in front, and the data that is put into the stack is too long, it will overwrite the address in front, which will lead to program errors.
The following example demonstrates stack overflow;

#include#include#includevoid overflow(char *buf) {        char des[5]="";        strcpy(des,buf);        return;} void main(int argc,char *argc[]){     LoadLibrary("user32.dll");     char longbuf[100]="aaaaaaaaaaaabbbbcccccccccccc";     overflow(longbuf);     return;}

The program stops working as soon as it is run:


 
Next let's take a look at the program:


 
First, press the next address and parameter of the function into the stack:


 
At this time, but do not run strcopy here: we will find that the parameter value is placed in the register edx, see the figure below: 48 FF 18 00


 
At this time, when the program runs to ret, it is found that the program is overwritten by strcopy.


 

The return address is changed to 62626262;

This is because the returned address is incorrect, so an error message such as the memory unreadable will pop up.

The next operation is to jump the overflow address to a place and then let it execute the operation we want to perform. After the execution, jump back to the real return address to achieve our goal.

We will talk about it in two steps. The above describes the principle of stack overflow. The following section is used to exploit stack overflow.