Original address: https://ctf-wiki.github.io/ctf-wiki/pwn/linux/stackoverflow/stackoverflow-basic-zh/
My own understanding:
Stack overflow refers to the number of bytes that the program writes to a variable in the stack exceeds the number of bytes applied for by the variable itself, thus causing the value of the variable in the adjacent stack to be changed.
Two parallel conditions: the program must write data to the operated stack & write data is not well controlled by the program!
The most typical use of stack overflow is to overwrite the return address of the program to an address controlled by the attacker. Of course , it is necessary to ensure that the segment where this address is located has executable permissions.
PIE (Position Independent Executable): is a protection technology for fixed addresses such as code segment .text, data segment .*data, .bss, etc. Like ASLR, the program that uses PIE will change the load base address every time it loads
Little-endian storage: Little-endian mode means that the high byte of data is stored in the high address of the memory, and the low byte of data is stored in the low address of the memory.
Pwntools: Reference link: https://xz.aliyun.com/t/3944
Payload : "payload, payload, payload " ---------In layman's terms, in the world of programs, payload (payload) is data that is useful to the receiver !
Small summary:
By looking for dangerous functions, we can quickly determine whether the program is likely to overflow.
Common dangerous functions:
enter:
gets, read one line directly, ignore'\x00'
scanf,
vscanf
Output:
sprintf
String:
strcpy, string copy, stop when encountering'\x00'
strcat, string splicing, stop when encountering'\x00'
bcopy
Determine the padding length: The common method of operation is to open IDA and calculate the offset according to its given address.
Three ways to get the address:
1. The index relative to the stack base address can be obtained directly by viewing the relative offset of EBP
2. The index corresponding to the pointer on the top of the stack generally needs to be debugged, and then it will be converted to the first type .
3. Direct address index is equivalent to directly given address.
Generally speaking, we will have the following coverage requirements
- Override the return address of the function , at this time just look at EBP directly. (Ebp is used for addressing in the stack)
- To overwrite the contents of a variable on the stack, more detailed calculations are required at this time.
- Overwrite the content of a variable in the bss segment . (The bss segment belongs to static memory allocation, and usually refers to a memory area used to store uninitialized global variables in the program.)
- According to the actual implementation, overwrite the content of a specific variable or address.
The reason why we want to overwrite an address is because we want to directly or indirectly control the program execution flow by overwriting the address .