Utilization of Stack Overflow
We proceed to the above stack overflow principle to explain the use of stack overflow, first of all we do not follow the previous article on the example to explain, I will write a C language example to explain. Let's talk about the stack overflow theory again. A more familiar stack overflow principle allows us to make better use of stack overflows.
The following example code is as follows: (the code is very simple I do not explain)
#include <stdio.h>#include<string.h>#definePASSWORD "QQQQQQQ"intVerify_password (Char*password) { intauthenticated; Charbuffer[8]; Authenticated=strcmp (Password,password); strcpy (Buffer,password); //Construction Stack Overflow returnauthenticated;}intMain () {intvalid_flag=0; Charpassword[1024x768]; while(1) {printf ("Please input password:"); scanf ("%s", password); Valid_flag=Verify_password (password); if(Valid_flag) {printf ("Incorrect password!\n\n"); } Else{printf ("congratulation! you passed the verification!\n"); Break; }} getchar (); Chari; scanf ("%s",&i);}
As can be seen from the above example is a password validation of the example, is to enter the password to verify whether the password is entered correctly, first we now run the next program.
By entering the correct password and the difference between the incorrect password;
Enter the stack state when 7 ' Q ' programs are running correctly.
If you can see the inside of the stack:
If you continue to increase the characters that you enter, characters that exceed the buffer[8] boundary will then drown authenticated, the front stack frame EBP, and the return address in turn. In other words, controlling the length of the string allows the ASCII code of the corresponding position character in the string to overwrite the stack frame state values.
According to the above analysis of the stack frame, the following conclusions can be drawn:
(1) Enter 11 ' Q ', 第9-11个 characters with a null terminator to scour authenticated to 0x00717171.
(2) Enter 15 ' Q ', the 第9-12个 character flushes authenticated to 0x71717171; the 第13-15个 character, along with the null terminator, flushes the front frame ebp to 0x00717171.
(3) Enter 19 ' Q ', 第9-12 character will authenticated scour to 0x71717171; 第13-16个 character with null terminator flushes front frame EBP to 0x71717171 The 第17-19个 character, along with a null terminator, flushes the return address to 0x00717171.
Here, use 19 characters as input to see what effect the flooded return address will have on the program. For the purpose of double-word alignment, the string we enter is organized as "4321" for a unit, and the last string entered is "4321432143214321432" (test).
< with ollydbg the loader, observing the stack state after the string copy function call ends. >
Below for analysis:
When a 7 q is entered, the contents of the stack are returned by the watcher.
Execute this code below: 4321432143214321432
The actual memory condition is consistent with the conclusion of our analysis, at which point the stack status is shown. See the following table for details:
Next we use OD to debug the program's running process:
The return address is used to redirect the program's code when the current function returns. When the "RETN" instruction returned by the function executes, the top element of the stack happens to be the return address. The "RETN" command bounces the return address into the EIP register and then jumps to the address to execute.
In this example, the return address would have been 0X040FACB, corresponding to the instruction in the code area of the main function, and now we have covered the address with the ASCII code of the character 0x00323334.
We can see what happened in the computer from the display in the debugger.
(1) The return address is loaded into the EIP register when the function returns.
(2) The processor is referred to as the address 0x00323334 of the EIP register.
(3) Memory 0x00323334 There is no legal instructions, the processor does not know how to deal with the error.
Because 0x00323334 is an invalid instruction address, the processor crashes when it takes a finger to make a mistake. But if we give a valid command address here, we can get the processor to jump to any command area to execute (such as jumping directly to the part of the program validation), that is, we can flood the return address and control the execution of the process.
At this time we will think that this code is to verify the password, if the right to display the correct information, if not pop-up error message, then we can modify the function to return the address, directly execute the correct information so that we achieve the purpose; next we need to make some improvements to the program.
The program code looks like this:
#include <stdio.h>#definePASSWORD "1234567"intVerify_password (Char*password) { intauthenticated; Charbuffer[8]; Authenticated=strcmp (Password,password); strcpy (Buffer,password);//Over flowed here! returnauthenticated;} Main () {intvalid_flag=0; Charpassword[1024x768]; FILE*FP; if(! (Fp=fopen ("Password.txt","rw+")) {exit (0); } fscanf (FP,"%s", password); Valid_flag=Verify_password (password); if(Valid_flag) {printf ("Incorrect password!\n"); } Else{printf ("congratulation! you have passed the verification!\n"); } fclose (FP);}
The main improvement of this code is that the password is read from the TXT file is not a manual input, the advantage is that you can use the UE input some 16 to modify the data; First we load the program into OD, see where we want to jump where the address, we look at the following picture, We can clearly see that the address we're going to return should be 0x401122.
At this time we are in the same directory under the program to create a password.txt first thing can be entered casually, or 4321432143214321 after this will be input 0x401122 as shown:
This time you can look at the stack frame situation, the stack frame as shown in the case:
Run the program and look at the results.
Ok we can see the effect we want, of course, this modification will be problematic, because there is no way to deal with, there are some illegal instructions in the code because we have modified the program's return address. Because the stack is overwritten with an invalid value, the stack cannot be balanced when the program exits, resulting in a crash. Nonetheless, we have successfully flooded the return address and let the processor jump directly to the branch that prompted validation to pass on when the function returns, as we envisioned.
If there is a wrong place, I hope you will correct me in time.
Utilization of Stack Overflow