【IERG4130学习笔记】Smashing the stack for fun and profit中souce code加上一点儿注释
来源:互联网 发布:淘宝小卖家怎么定位 编辑:程序博客网 时间:2024/05/22 16:56
vulnerable.c
Any program using strcpy() or other poorly written function that does not check for the stack overflow program are vulnerable to this stack overflow attack. Here is an example program.
void main(int argc, char *argv[]) { char buffer[512]; if (argc > 1) strcpy(buffer,argv[1]);}
Above is the content of a simple vulnerable program, the stack of the above program at run time would be like
Description
Memory
BUFFER[0]
BUFFER[1]
BUFFER[2]
BUFFER[3]
.
.
.
.
BUFFER[509]
BUFFER[510]
BUFFER[511]
Stack pointer
Return address
TEXT SEGMENT
TEXT SEGMENT
|argv[1][0]|
|argv[1][1]|
|argv[1][2]|
|argv[1][3]|
|argv[1][4]|
|argv[1][5]|
|. |
|ORIGINAL|
|ORIGINAL|
|ORIGINAL|
|ORIGINAL|
|ORIGINAL|
|ORIGINAL|
|ORIGINAL|
|ORIGINAL|
If the argument is maliciously designed to contain some bad code, and will cause buffer overflow problem, then the stack will be like
Description
Memory
BUFFER[0]
BUFFER[1]
BUFFER[2]
BUFFER[3]
.
.
.
.
BUFFER[509]
BUFFER[510]
BUFFER[511]
Stack pointer
Return address
TEXT SEGMENT
TEXT SEGMENT
|argv[1][0]|
|argv[1][1]|
|argv[1][2]|
|argv[1][3]|
|argv[1][4]|
|argv[1][5]|
|.|
|.|
|argv[1][509]|
|argv[1][510]|
|argv[1][511]|
|argv[1][512 - 515]|
|argv[1][516 - 520]|
|ORIGINAL|
|ORIGINAL|
And thus the program will not just return 0 when the main function reach the 'return 0;' statement, but goto where argv[1][516 - 520] is pointing to and begin to execute the code there.
expliot3.c
Here is the expliot3.c program with some comment added by me in smashing the stack for fun and profit.
Generally expliot3.c will try to find at what address the program’s stack will start (thanks to virtual memory, different programs' stacks may start at the same address), and organize a well-designed content (say $EGG) that will be used as the input of some other program (say, vulnerable.c ).
If the vulnerable.c stupidly used strcpy() (or other dangerous function) without checking whether $EGG is longer than the variable that will stored the $EGG, then the carefully designed malicious content in $EGG will be overwriting the content in process vulnerable's stack, and letting vulnerable to start execute the machine code contained in $EGG.
- 【IERG4130学习笔记】Smashing the stack for fun and profit中souce code加上一点儿注释
- Smashing The Stack For Fun And Profit
- Smashing The Stack For Fun And Profit
- 笔记学习Smashing The Stack for Fun and Profit example 3--怎样修改返回地址。
- [转载]Smashing The Stack For Fun And Profit
- [译文]Smashing The Stack For Fun And Profit
- 堆栈溢出:Smashing The Stack For Fun And Profit
- 堆栈溢出:smashing the stack for fun and profit[译文]
- Smashing the Stack for Fun and Profit by Aleph One
- 《Smashing The Stack For Fun And Profit》解读
- smashing the stack for fun and profit 译文
- 溢出的经典文章:Smashing The Stack For Fun And Profit [En]
- 溢出的经典文章:Smashing The Stack For Fun And Profit[译文]
- 为了娱乐和利益粉碎栈(Smashing The Stack For Fun And Profit)
- 缓存溢出——Smashing The Stack For Fun And Profit
- Abuse of the Linux Kernel for Fun and Profit
- Distributed system for fun and profit笔记1
- Method Replacement for Fun and Profit
- 使用python测测你的系统最多能创建多少个线程
- Yii内部的文件上传
- Java连接Mysql数据库
- 交换链表结点
- AOP思考
- 【IERG4130学习笔记】Smashing the stack for fun and profit中souce code加上一点儿注释
- 调度子系统3_周期调度器
- ArcGIS Explorer SDK简介
- mysql数据库表结构导出
- svn文件图标不能正常显示,在Lable Decorations 勾选其中的 SVN 项后一会儿又不显示了
- 如何在图像上用鼠标绘画矩形并且能够显示出来
- 利用BeanUtils在对象间复制属性
- git 如何让单个文件回退到指定的版本
- Android自定义主题