Network Information Security of Nanjing University of Posts and Telecommunications-Software Vulnerability Analysis and Prevention (Experiment One-Stack Overflow and gs Protection Mechanism)

Preface

The code for example 2 of this experiment was not given, so it has not been done for now. If I do it later, it will be added, including the GS protection part.

Lab environment

Since the experiment requires Windows and Ubuntu environments, I prepared two environments here.

  • Windows: Visual Studio + Win10 + IDA + OllyDbg + gcc
  • Ubuntu: Ubuntu 18.04 + VMware + IDA

Experiment code

Example 1 (for Windows environment testing)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Never called by the program itself: the goal of the lab is to redirect execution here. */
void function2() {
	printf("Get Flags!");
}

/* Vulnerable on purpose: strcpy copies all of str into a 5-byte buffer with no
   length check, so a long argument overwrites the saved EBP and then the return
   address of function1. */
void function1(char* str) {
	char buffer[5];
	strcpy(buffer, str);
}

int main(int argc, char* argv[]) {
	function1(argv[1]);
	printf("Wrong!");
	return 0;
}

Example 2

Experiment procedure

Example 1

Compile

My suggestion here is to compile directly with the GCC compiler. I tried compiling with Visual Studio, but the result was not very good, for the following reasons:

  • Visual Studio optimizes away unused code, so the code of function2 is removed from the binary
  • GS protection is enabled by default

I tried turning off the GS protection and optimization options, but it didn't work. For convenience, let's compile with GCC directly. The GCC compile command is as follows:

gcc -m32 -fno-stack-protector 源.cpp

Where the parameters are:

  • -m32: force gcc to produce a 32-bit executable
  • -fno-stack-protector: turn off the stack protection mechanism (the GCC counterpart of the GS canary)

Analysis procedure

Open the static analysis tool IDA and find the address of function1.
Here I try to determine the padding size without dynamic debugging.
Information obtained from the disassembly:

  • The stack frame size is 0x28
  • GCC places the buffer local variable at EBP-0x0D
  • The 4 bytes following the saved EBP hold the return address (stored little-endian)

Based on the above information, the stack layout can be drawn (figure omitted).
With the stack protector disabled, the padding size is 0xD + 4 = 0x11 bytes.
So the structure of the entire payload is: 0x11 bytes of padding followed by the address of function2 (figure omitted). According to this structure, the program flow can be hijacked. There are two things to pay attention to:

  • Bytes such as 0x15 cannot be typed on the keyboard. The workaround is to have a program print the payload and then copy it.
  • The address of function2 is the one from my local build; yours may differ.
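The defensive counterpart of the analysis above, as an added example that is not part of the original lab code: a bounded replacement for function1 that refuses any input which would spill past the 5-byte buffer, together with the padding calculation (buffer offset below EBP plus the 4-byte saved EBP) used in the write-up. The function names function1_safe, check_input and bytes_to_return_address are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 5   /* same buffer size as the lab's function1 */

/* Bounded replacement for the lab's function1: copies str only if it fits
   together with its terminator; returns 0 on success, -1 when the copy
   would have overflowed (and therefore overwritten saved EBP / return address). */
int function1_safe(const char *str, char *out, size_t out_size) {
    size_t len = strlen(str);
    if (len >= out_size) {
        return -1;   /* refuse instead of corrupting the stack */
    }
    memcpy(out, str, len + 1);
    return 0;
}

/* Wrapper with the same 5-byte stack buffer as the lab code. */
int check_input(const char *str) {
    char buffer[BUF_SIZE];
    return function1_safe(str, buffer, sizeof buffer);
}

/* Bytes needed to reach the return address from the start of the buffer:
   the buffer's offset below EBP plus the 4-byte saved EBP.
   For this lab: 0x0D + 4 = 0x11 (17 bytes). */
size_t bytes_to_return_address(size_t buffer_offset_from_ebp) {
    return buffer_offset_from_ebp + 4;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    if (check_input(argv[1]) != 0) {
        printf("Input rejected: %zu bytes, at most %d allowed\n",
               strlen(argv[1]), BUF_SIZE - 1);
        return 1;
    }
    printf("Wrong!\n");
    return 0;
}
```

With the bounded copy, the 17-byte padding from the write-up is rejected before any stack data is touched, which is the behaviour the original strcpy lacks.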

Trying the payload

Here is my own payload (the 0x21 character is not supported by CSDN's character set); different people will have different answers, all roads lead to Rome.

11111111111112222`0x21@

The result confirms that the analysis was correct (screenshot omitted).

Origin blog.csdn.net/weixin_42559271/article/details/108498185