Transparently speaking, overflow attacks

Technical Basis of Buffer Overflow
To improve your technical skills, to better understand the technology we are discussing, and to build this forum into a better forum, I will introduce a series of complete overflow problems for you, overflow Attack Article . Let everyone better understand the things that are said every day but not quite clear about what is going on. I think, after reading this, you will not ask again. Why is it useless if I use this tool?
I would like to emphasize that to fully understand this article, at least a certain degree of assembly language, C language, and Linux are required.
Buffer overflow can be interpreted as buffer overflow, buffer overrun, smash
Stack, trash the stack, scribble the stack, mangle the stack, memory
Leak, overrun screw;
What we usually call "overflow" refers to Buffer Overflow (nonsense, otherwise it will overflow from there !) First, let's explain what a buffer is. The buffer is the place where data is stored in the memory. Program A continuous block in the memory of the computer during runtime, which stores the specified type of data. The problem arises with the dynamic allocation of variables. To avoid too much memory, a program with dynamic Variable Allocation decides the amount of memory allocated to them only when the program is running. A buffer overflow occurs when the program tries to place data somewhere in the computer's memory but does not have enough space. In other words, what happens when the program puts too much data in the dynamically allocated buffer zone? It overflows and leaks to other places.
A buffer overflow application uses this overflow data to convert the Assembly LanguageCode Put it in the computer's memory, usually where the root permission is generated. Buffer overflow alone does not cause security issues. Only the overflow will be sent to the region where the command can be run with the root permission. In this way, a buffer Utilization Program places commands that can be run in the memory with root permissions. Once these commands are run, the computer is controlled with root permissions.
Therefore, buffer overflow is a means of system attacks. By writing content beyond its length to the buffer zone of the program, the buffer overflow occurs, in this way, the program stack is destroyed, and other commands are executed by the program in order to attack the program. According to statistics, buffer overflow attacks account for more than 80% of all system attacks.
The world's first buffer overflow attack, the famous Morris worm, occurred 10 years ago and caused paralysis of more than 6000 network servers around the world. I am the earliest known buffer overflow attack program.
Remember, the cause of buffer overflow is that the program did not carefully check user input parameters !!!
The following is the most common and simplest overflow.
Void function (char * Str ){
Char buffer [16];
Strcpy (buffer, STR );
}
In this example, the buffer length is limited to 16, and strcpy () directly copies the content in STR to the buffer. In this way, as long as the STR length is greater than 16, it will cause buffer overflow and cause program running errors. So, we say this program overflows.
In C, static variables are allocated to data segments and dynamic variables are allocated to stack segments. Buffer overflow uses the overflow of stack segments. A normal program is usually divided into program segments, data terminals, and stacks in the memory. The program segment contains the program's machine code and read-only data. This segment is usually read-only and Its write operations are illegal. The data segment contains static data in the program. Dynamic data is stored through stacks. In memory, their locations are as follows:
/---\ Low-end memory
Program Section
―――――――――
Data Segment
―――――――――
Stack
\--/High-end memory
A stack is a continuous block in the memory. A register called a stack pointer (SP) points to the top of the stack. The bottom of the stack is a fixed address. A feature of a stack is that the stack goes first, first, and foremost. That is to say, the first data to be put is retrieved. It supports two operations: Push and pop. Push puts data at the top of the stack, and pop pulls the data at the top of the stack.
In advanced languages, temporary variables in program function calls and functions are used in stacks. Why? Because when calling a function, we need to protect the current operation, and after the function is executed, the program can find the correct place to continue the execution, therefore, the stack is also used for parameter passing and return values. Generally, local variables are referenced by giving their offset to the SP. There is also a base address pointer (FP, Which is BP in Intel chips), which many compilers actually use to reference local variables and parameters. Generally, the offset of the parameter relative FP is positive, and the local variable is negative.
When a function call occurs in the program, the computer first presses the parameter into the stack, and then saves the content in the instruction register (IP) as the return address (RET ); the third place in the stack is the base address register (FP). Then, the current stack pointer (SP) is copied to the FP as the new base address. Finally, some space is reserved for the local variable, subtract the appropriate value from the SP.
For example, the following program:
Void function (int A, int B, int c ){
Char buffer1 [10];
Char buffer2 [15];
}
Void main (){
Function (1, 2, 3 );
}
In Linux, we use GCC to compile the source code and generate the assembly code output:
$ Gcc-S-O example1.s example1.c
Look at the part in the output file that calls the function:
Pushl $3
Pushl $2
Pushl $1
Call Function

This pushes the three parameters into the stack and calls function (). The instruction call will push the instruction pointer IP address into the stack. The stored IP address is used by RET when the returned result is returned. In functions, the first thing to do is to perform some necessary processing. Every function must have these processes (to protect them, otherwise they will not be found .) :
Pushl % EBP
Movl % ESP, % EBP
Subl $20, % ESP
These commands put the EBP and base address pointer into the stack. Then copy the current SP to EBP. Then, allocate space for local variables and reduce their size from the SP. Since memory allocation is in the unit of words, here buffer1 uses 8 bytes (2 words, 4 bytes for one word ). Buffer2 uses 12 bytes (3 characters ). Therefore, ESP is reduced by 20. Now, the stack looks like this.
Low-end memory, high-end memory
Buffer2 buffer1 SFP RET A B C
<------ [] [] [] [] [] [] [] []
Top stack bottom
What causes overflow? Buffer overflow refers to writing too much data in a buffer zone. How can we use it? Take a look at the following program:
Void function (char * Str ){
Char buffer [16];
Strcpy (buffer, STR );
}
Void main (){
Char large_string [256];
Int I;
For (I = 0; I <255; I ++)
Large_string [I] = 'a ';
Function (large_string );
}
| This program is a classic Buffer Overflow Encoding Error. The function copies a string to another memory area without passing the boundary check. When a function () is called, the stack is as follows:
Low memory end high memory end
Buffer sfp ret * Str
<------ [] [] [] []
Top stack bottom
Obviously, the program execution result is "segmentation fault (Core
Dumped) "or similar error information. Because the first 256 bytes starting from buffer will be overwritten by the * STR content 'A', including SFP,
RET, or even * Str. The hexadecimal value of 'A' is 0x41, so the return address of the function is 0x41414141,
This exceeds the address space of the program, so a segment error occurs. It can be seen that buffer overflow allows us to change the return address of a function. In this example, we can change the entry address after the program returns by modifying 0x41414141. In this way, you can change the execution sequence of the program.
Standard Functions with problems such as strcpy include strcat (), sprintf (), vsprintf (), gets (), scanf (), and GETC () in the loop (), fgetc (), getchar (), etc.
Technical Basis of Buffer Overflow
To improve your technical skills, to better understand the technology we are discussing, and to build this forum into a better forum, I will introduce a series of complete overflow problems for you, overflow Attack article. Let everyone better understand the things that are said every day but not quite clear about what is going on. I think, after reading this, you will not ask again. Why is it useless if I use this tool?
I would like to emphasize that to fully understand this article, at least a certain degree of assembly language, C language, and Linux are required.
Buffer overflow can be interpreted as buffer overflow, buffer overrun, smash
Stack, trash the stack, scribble the stack, mangle the stack, memory
Leak, overrun screw;
What we usually call "overflow" refers to Buffer Overflow (nonsense, otherwise it will overflow from there !) First, let's explain what a buffer is. The buffer is the place where data is stored in the memory. It is a continuous block in the computer memory when the program is running. It stores the given type of data. The problem arises with the dynamic allocation of variables. To avoid too much memory, a program with dynamic Variable Allocation decides the amount of memory allocated to them only when the program is running. A buffer overflow occurs when the program tries to place data somewhere in the computer's memory but does not have enough space. In other words, what happens when the program puts too much data in the dynamically allocated buffer zone? It overflows and leaks to other places.
A buffer overflow application uses this overflow data to store assembly language code in the computer's memory, usually where root permissions are generated. Buffer overflow alone does not cause security issues. Only the overflow will be sent to the region where the command can be run with the root permission. In this way, a buffer Utilization Program places commands that can be run in the memory with root permissions. Once these commands are run, the computer is controlled with root permissions.
Therefore, buffer overflow is a means of system attacks. By writing content beyond its length to the buffer zone of the program, the buffer overflow occurs, in this way, the program stack is destroyed, and other commands are executed by the program in order to attack the program. According to statistics, buffer overflow attacks account for more than 80% of all system attacks.
The world's first buffer overflow attack, the famous Morris worm, occurred 10 years ago and caused paralysis of more than 6000 network servers around the world. I am the earliest known buffer overflow attack program.
Remember, the cause of buffer overflow is that the program did not carefully check user input parameters !!!
The following is the most common and simplest overflow.
Void function (char * Str ){
Char buffer [16];
Strcpy (buffer, STR );
}
In this example, the buffer length is limited to 16, and strcpy () directly copies the content in STR to the buffer. In this way, as long as the STR length is greater than 16, it will cause buffer overflow and cause program running errors. So, we say this program overflows.
In C, static variables are allocated to data segments and dynamic variables are allocated to stack segments. Buffer overflow uses the overflow of stack segments. A normal program is usually divided into program segments, data terminals, and stacks in the memory. The program segment contains the program's machine code and read-only data. This segment is usually read-only and Its write operations are illegal. The data segment contains static data in the program. Dynamic data is stored through stacks. In memory, their locations are as follows:
/---\ Low-end memory
Program Section
―――――――――
Data Segment
―――――――――
Stack
\--/High-end memory
A stack is a continuous block in the memory. A register called a stack pointer (SP) points to the top of the stack. The bottom of the stack is a fixed address. A feature of a stack is that the stack goes first, first, and foremost. That is to say, the first data to be put is retrieved. It supports two operations: Push and pop. Push puts data at the top of the stack, and pop pulls the data at the top of the stack.
In advanced languages, temporary variables in program function calls and functions are used in stacks. Why? Because when calling a function, we need to protect the current operation, and after the function is executed, the program can find the correct place to continue the execution, therefore, the stack is also used for parameter passing and return values. Generally, local variables are referenced by giving their offset to the SP. There is also a base address pointer (FP, Which is BP in Intel chips), which many compilers actually use to reference local variables and parameters. Generally, the offset of the parameter relative FP is positive, and the local variable is negative.
When a function call occurs in the program, the computer first presses the parameter into the stack, and then saves the content in the instruction register (IP) as the return address (RET ); the third place in the stack is the base address register (FP). Then, the current stack pointer (SP) is copied to the FP as the new base address. Finally, some space is reserved for the local variable, subtract the appropriate value from the SP.
For example, the following program:
Void function (int A, int B, int c ){
Char buffer1 [10];
Char buffer2 [15];
}
Void main (){
Function (1, 2, 3 );
}
In Linux, we use GCC to compile the source code and generate the assembly code output:
$ Gcc-S-O example1.s example1.c
Look at the part in the output file that calls the function:
Pushl $3
Pushl $2
Pushl $1
Call Function
This pushes the three parameters into the stack and calls function (). The instruction call will push the instruction pointer IP address into the stack. The stored IP address is used by RET when the returned result is returned. In functions, the first thing to do is to perform some necessary processing. Every function must have these processes (to protect them, otherwise they will not be found .) :
Pushl % EBP
Movl % ESP, % EBP
Subl $20, % ESP
These commands put the EBP and base address pointer into the stack. Then copy the current SP to EBP. Then, allocate space for local variables and reduce their size from the SP. Since memory allocation is in the unit of words, here buffer1 uses 8 bytes (2 words, 4 bytes for one word ). Buffer2 uses 12 bytes (3 characters ). Therefore, ESP is reduced by 20. Now, the stack looks like this.
Low-end memory, high-end memory
Buffer2 buffer1 SFP RET A B C
<------ [] [] [] [] [] [] [] []
Top stack bottom
What causes overflow? Buffer overflow refers to writing too much data in a buffer zone. How can we use it? Take a look at the following program:
Void function (char * Str ){
Char buffer [16];
Strcpy (buffer, STR );
}
Void main (){
Char large_string [256];
Int I;
For (I = 0; I <255; I ++)
Large_string [I] = 'a ';
Function (large_string );
}
This program is a classic Buffer Overflow Encoding Error. The function copies a string to another memory area without passing the boundary check. When a function () is called, the stack is as follows:
Low memory end high memory end
Buffer sfp ret * Str
<------ [] [] [] []
Top stack bottom
Obviously, the program execution result is "segmentation fault (Core
Dumped) "or similar error information. Because the first 256 bytes starting from the buffer will be overwritten by the * STR content 'A', including SFP,
RET, or even * Str. The hexadecimal value of 'A' is 0x41, so the return address of the function is 0x41414141,
This exceeds the address space of the program, so a segment error occurs. It can be seen that buffer overflow allows us to change the return address of a function. In this example, we can change the entry address after the program returns by modifying 0x41414141. In this way, you can change the execution sequence of the program.
Standard Functions with problems such as strcpy include strcat (), sprintf (), vsprintf (), gets (), scanf (), and GETC () in the loop (), fgetc (), getchar (), etc.