buffer overflow & return address attack
Buffer Overflow & Return Address Attack
/*
 * Slide transcript of a stack-overflow demo. The listing was flattened by the
 * transcription: the ';' after `int j` is missing and two printf() calls lost
 * their arguments ("printfi = ..." and "printfint main" below), so it does not
 * compile as shown. Kept verbatim; only comments were added.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Copies `input` twice, both times outside the bounds of `buf`: &buf[8] is one
 * past the end of the 8-byte buffer and &buf[-4] is before its start. Both
 * strcpy() calls are out-of-bounds writes (undefined behaviour); the demo
 * relies on them landing on f1's neighbouring locals, which depends on the
 * compiler, optimisation level and stack-protector settings. Neither copy is
 * bounded by the size of `buf`, so any argument longer than 8 bytes keeps
 * writing past it.
 */
void f2(char* buf,char* input){
    strcpy(&buf[8],&input[0]);
    strcpy(&buf[-4],&input[0]);
}

/*
 * Fills the two ints declared on either side of `buf` with the byte pattern
 * 0xaa so the overwrite is visible in a memory dump, then hands `buf` to f2().
 * 0xaaaaaaaa does not fit in a signed int, so the conversion is
 * implementation-defined. Where the locals actually sit relative to `buf`
 * is up to the compiler — the source order i, buf, j does not fix the layout.
 */
void f1(char* input){
    int i;
    char buf[8];
    int j
    printfi = 0xaaaaaaaa;   /* transcript residue: presumably `printf(...);` then `i = 0xaaaaaaaa;` — printf arguments lost */
    j = 0xaaaaaaaa;
    f2(buf,input);
    printfint main(int argc, char *argv[]){   /* transcript residue: presumably `printf(...); }` closing f1, then main's signature */
    /* argv[1] is used without checking argc; running with no argument passes
     * NULL to f1()/strcpy(), a crash unrelated to the overflow being shown. */
    f1(argv[1]);
    return 0;
}
i小
大
j buf
#include <stdio.h>

/*
 * Demo: rewrite function()'s own saved return address from inside its frame.
 * `buffer + 24` is the author's measured distance from the 5-byte local to the
 * saved return address on their 32-bit build (the page's register section is
 * 32-bit); nothing in the code derives it, so on another compiler,
 * optimisation level or ABI the write lands somewhere else. On a 64-bit frame
 * an `int *` store would only touch 4 of the 8 return-address bytes — TODO
 * confirm the target build. The write through `ret` is outside `buffer` and is
 * undefined behaviour. A stack-protector build (gcc `-fstack-protector`)
 * typically places a canary between the locals and the return address, so
 * the same write would corrupt the canary and abort on return instead.
 * a, b, c are not used in the body.
 */
void function(int a, int b, int c) {
    char buffer[5];
    int *ret;
    ret = (int *)(buffer + 24);
    /* +7 moves the return address from <main+35> to <main+42> (per the
     * slide), i.e. just past the `x = 1;` assignment in main. */
    (*ret) += 7;
}

int main(){
    int x = 0;
    function(1, 2, 3);
    x = 1;   /* skipped if the return-address rewrite lands; x then prints as 0 */
    printf("\n\nx = %i \n\n", x);
    return 0;
}
return address = <main+35>; return address + 7 = <main+42>
char buffer[5]; int *ret; ret = (int *)(buffer + 24); (*ret) += 7;
#include <string.h>
#include <stdio.h>

/*
 * Variant of the return-address rewrite with a 4-byte local. `s + 24` is again
 * a layout-specific guess at where foo()'s saved return address sits relative
 * to `s` (the page lists 32-bit registers; on another compiler, optimisation
 * level or ABI the offset differs). Writing through `ret` is outside `s` and
 * undefined behaviour. Per the slide the return address starts at <main+14>
 * and becomes <main+35> after +21; whether <main+35> is past main's printf or
 * the start of bar() is not shown on the page — TODO confirm against a
 * disassembly of the author's build.
 */
void foo() {
    char s[4];
    int *ret;
    ret = (int *)(s + 24);
    (*ret) += 21;   /* <main+14> -> <main+35> per the slide */
}

int main(){
    foo();
    printf("\n\n\nreturned!\n\n\n");   /* the "expected" path if foo() returns normally */
    return 0;
}

/* Never called from main; reachable only if the rewritten return address
 * happens to point at it. */
void bar() {
    printf("\n\n\nhacked!\n\n\n");
}
return address + 21 = <main+35>
return address = <main+14>
char s[4];int *ret;ret = (int *)(s + 24);(*ret) += 21;
Shellcode
Shellcode is defined as a set of instructions injected and then executed by an exploited program. Shellcode is used to directly manipulate registers and the function of a program, so it is generally written in assembler and translated into hexadecimal opcodes.
The term shellcode is derived from its original purpose—it was the specific portion of an exploit used to spawn a root shell.
Registers in stack(32bit)
EIP: 儲存 CPU 下次要執行的 instruction pointer
EBP: 儲存的是 bottom of the stack pointer
ESP: 儲存的是 top of the stack pointer