Buffer Overflow & Return Address Attack

Post on 07-Aug-2015



#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately writes outside buf: 8 bytes past its start and 4 bytes
   before it, to show which neighbouring stack slots get overwritten. */
void f2(char* buf, char* input) {
    strcpy(&buf[8], &input[0]);
    strcpy(&buf[-4], &input[0]);
}

void f1(char* input) {
    int i;
    char buf[8];
    int j;
    /* The printf arguments were lost in the transcript; printing the
       addresses of the locals and then their values is assumed. */
    printf("&i = %p, &buf = %p, &j = %p\n", (void*)&i, (void*)buf, (void*)&j);
    i = 0xaaaaaaaa;
    j = 0xaaaaaaaa;
    f2(buf, input);
    printf("i = 0x%x, j = 0x%x\n", i, j);
}

int main(int argc, char *argv[]) {
    if (argc < 2) return 1;   /* argv[1] is required */
    f1(argv[1]);
    return 0;
}

[Stack layout figure: positions of i, j and buf in f1()'s frame]

#include <stdio.h>

void function(int a, int b, int c) {
    char buffer[5];
    int *ret;
    ret = (int *)(buffer + 24);   /* distance from buffer to the saved return address in this build */
    (*ret) += 7;                  /* advance the return address past the instruction after the call */
}

int main() {
    int x = 0;
    function(1, 2, 3);
    x = 1;
    printf("\n\nx = %i \n\n", x);
    return 0;
}

Return address before: <main+35>. After adding 7: <main+42>, so the store x = 1 that follows the call is skipped. The offsets 24 and 7 are specific to the lecturer's compiler, flags and build; another toolchain lays the frame out differently.

char buffer[5];
int *ret;
ret = (int *)(buffer + 24);
(*ret) += 7;

#include <string.h>
#include <stdio.h>

void foo() {
    char s[4];
    int *ret;
    ret = (int *)(s + 24);   /* distance from s to the saved return address in this build */
    (*ret) += 21;
}

int main() {
    foo();
    printf("\n\n\nreturned!\n\n\n");
    return 0;
}

void bar() {
    printf("\n\n\nhacked!\n\n\n");
}

Return address before: <main+14>. After adding 21: <main+35>, so foo() no longer returns to the printf("returned!") in main. As in the previous example, the offsets 24 and 21 only hold for the lecturer's build.

char s[4];
int *ret;
ret = (int *)(s + 24);
(*ret) += 21;
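The two examples above depend on an unchecked write reaching the return address slot some fixed distance past a local buffer. The following constructed C model (added here, not part of the slides) lays out the 32-bit frame that f1() builds, shows a strcpy-style copy of 20 bytes walking over the saved EBP and return address, the guard-word check that -fstack-protector would perform before the ret, and the bounded copy that prevents the overwrite. The frame layout, the guard value and the addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the 32-bit frame f1() builds: buf lies below the saved
 * EBP and return address, with the guard word -fstack-protector would add. */
struct frame32 {
    char     buf[8];
    uint32_t canary;
    uint32_t saved_ebp;
    uint32_t ret_addr;
};
#define CANARY_VALUE 0xA5C3E1F7u   /* assumed guard value */

static void frame_init(struct frame32 *f, uint32_t ebp, uint32_t ret) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ebp = ebp;
    f->ret_addr = ret;
}

/* Unchecked copy starting at buf, like strcpy() in f2(): it keeps writing past
 * buf's 8 bytes. Capped at the frame size only to keep the model defined C. */
static void unchecked_copy(struct frame32 *f, const unsigned char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* The check the protector runs before ret; a real build aborts via __stack_chk_fail() on 0. */
static int canary_ok(const struct frame32 *f) {
    return f->canary == CANARY_VALUE;
}

/* The fix: reject input that does not fit and write only inside buf. */
static int bounded_copy(struct frame32 *f, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof f->buf) return -1;
    memcpy(f->buf, src, n + 1);
    return 0;
}

int main(void) {
    struct frame32 f;
    unsigned char input[20];                   /* constructed: 20 x 'A' */
    memset(input, 'A', sizeof input);
    frame_init(&f, 0xbffff000u, 0x08048400u);  /* constructed addresses */
    unchecked_copy(&f, input, sizeof input);
    printf("ret_addr = 0x%08x, canary_ok = %d\n", f.ret_addr, canary_ok(&f));
    return 0;
}
```

With the 20-byte input the return address slot ends up holding 0x41414141 and the guard check fails, which is exactly the overwrite a real stack protector turns into an abort instead of a hijacked return.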

Shellcode

Shellcode is defined as a set of instructions injected and then executed by an exploited program. Shellcode is used to directly manipulate registers and the function of a program, so it is generally written in assembler and translated into hexadecimal opcodes.

The term shellcode is derived from its original purpose—it was the specific portion of an exploit used to spawn a root shell.

Registers in the stack (32-bit)

EIP: holds the address of the next instruction the CPU will execute (instruction pointer).
EBP: holds the bottom-of-stack pointer (the base of the current frame).
ESP: holds the top-of-stack pointer.