Document introduction: Secure Programming and Buffer Overflows
Contents
Buffer overflow basics (the standard stack overflow)
Summary & questions
A deeper look at buffer overflows
Summary & questions
Secure programming to prevent buffer overflows (some examples)
Extension: buffer overflows on non-x86 platforms
Summary & questions
History
1988 : Robert Morris worm
BSD fingerd buffer overflow vulnerability
1996 : Smashing The Stack for Fun and Profit
Aleph One
1999 : w00w00 on heap/bss overflow
2001 : free()
2002 : Integer overflow
Kernel buffer overflows, miscellaneous shellcode, worms, ……
pushl $68732f 'sh\0'
pushl $6e69622f '/bin'
movl sp, r10
pushl $0
pushl $0
pushl r10
pushl $3
movl sp, ap
chmk $3b
Why do we learn it?
Black hat & white hat
Inform the vendor before exposing the vulnerability.
No exploit in the advisory
Proof-of-concept code only
Write the exploit yourself in your own hacking
Fundamental security knowledge
Go deep into your own field
Secure programming
A simple sample
#include <stdio.h>
#include <string.h>

/* Copies the caller's input into a 10-byte stack buffer with no length
   check: anything longer than 9 characters plus the NUL runs past the
   buffer into the saved frame pointer and return address above it. */
void foo(const char* input){
    char stack[10];
    strcpy(stack,input);
}

/* Never called by main; it is the target an overflow could redirect to. */
void bar(){
    printf("\nAh,I've been hacked!\n");
}

int main(int argc,char *argv[]){
    if (argc < 2) return 1;   /* no argument: nothing to copy */
    foo(argv[1]);
    return 0;
}
main:
pushl %ebp
movl %esp,%ebp
subl $8,%esp
addl $-12,%esp
movl 12(%ebp),%eax
addl $4,%eax
movl (%eax),%edx
pushl %edx
call foo
addl $16,%esp
.L4:
leave
ret
foo:
pushl %ebp
movl %esp,%ebp
subl $24,%esp
addl $-8,%esp
movl 8(%ebp),%eax
pushl %eax
leal -12(%ebp),%eax
pushl %eax
call strcpy
addl $16,%esp
.L2:
leave
ret
How the program works
call
Pushes the instruction pointer (and the code segment for far calls) onto the stack and loads the instruction pointer with the address of the called procedure. Execution continues at CS:IP.
ret
Transfers control from a procedure back to the instruction address saved on the stack. "n bytes" is an optional number of bytes to release. Far returns pop IP followed by CS; near returns pop only IP.
strcpy
Copies a string with no bounds check: it stops only at the terminating NUL, however far past the destination that is.
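Two hardened counterparts to the slide's foo(), added here as an example (not code from the deck): foo_safe and copy_truncating are assumed names, and BUF_SIZE matches the 10-byte buffer above. The first refuses input that does not fit; the second truncates but reports that it did.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10   /* same size as 'stack' in the slide's foo() */

/* Hardened foo(): locate the terminating NUL within the first BUF_SIZE
 * bytes before copying anything. memchr() never reads past BUF_SIZE, so an
 * over-long or unterminated input can never reach the saved frame pointer
 * or return address that sit above the buffer.
 * Returns 0 on success, -1 when the input does not fit (input rejected). */
int foo_safe(const char *input) {
    char stack[BUF_SIZE];
    const char *nul = memchr(input, '\0', BUF_SIZE);
    if (nul == NULL)
        return -1;                        /* needs >= BUF_SIZE bytes: refuse */
    memcpy(stack, input, (size_t)(nul - input) + 1);  /* +1 copies the NUL */
    return 0;
}

/* Alternative when truncation is acceptable: snprintf() writes at most
 * cap-1 characters plus a NUL and returns the length it wanted, so the
 * caller can detect lost data instead of silently corrupting the stack.
 * Returns 1 if src was truncated (or formatting failed), 0 if copied whole. */
int copy_truncating(char *dst, size_t cap, const char *src) {
    int needed = snprintf(dst, cap, "%s", src);
    return needed < 0 || (size_t)needed >= cap;
}

int main(int argc, char *argv[]) {
    char buf[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (foo_safe(argv[1]) != 0)
        printf("rejected: input needs %d bytes or more\n", BUF_SIZE);
    else
        printf("copied whole\n");
    if (copy_truncating(buf, sizeof buf, argv[1]))
        printf("truncated to \"%s\"\n", buf);
    return 0;
}
```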
Activation record (stack based)
Frame pointer
Stack pointer
Return address
The stack grows downwards (toward lower addresses).
A write into the buffer grows upwards (toward the saved return address).
How to exploit it
Overwrite the return address with the address of your shellcode.
When foo returns, it executes your shellc