references:
"Hacker attack and defense technology Collection - combat system"
"Assembly language"
On the one we already have a clear understanding of a stack, this section to explain the following points from stack overflow:
1) Stack Buffer Overflow
2) control EIP
3) using the vulnerability to gain privileges
4) victory over non-executable stack
I. stack buffer overflow
After this section we look too much into the data buffer, the buffer is what happens, in the understanding of these changes, we can use a buffer overflow to do some of the operations show
First look at a chestnut:
#include <stdio.h> #include <stdlib.h> void return_input(void) { char array[30]; gets(array); printf("%s \n", array); } void main() { return_input(); return; }
编译:
gcc -mpreferred-stack-boundary=2 -g -o overflow overflow.c
Will appear warning:
overflow.c: In function ‘return_input’:
overflow.c:14:5: warning: ‘gets’ is deprecated (declared at /usr/include/stdio.h:638) [-Wdeprecated-declarations]
gets(array);
Tip function is obsolete, there are some problems, here we are not concerned about this first, to compile the normal success
Here we run the program:
ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss *** stack smashing detected ***: ./overflow terminated 已放弃 (核心已转储)
And we expect the results of the investigation small, normal for this period there will be an error core, then why prompt overflow, the core dump it? ? ? ?
After the check information to know that the message is provided by gcc stack overflow protection mechanism detects the presence of the printed message when a buffer overflow program. We can think, I ran a bit of code in linux system, will be able to build up and collapse, and that the system would not be obvious too fragile, and that gcc provides stack overflow protection mechanism what is it?
View gcc manual, we can know the mechanism for gcc newspaper -fstack-protector of the range of options offered by buffer overflow detection mechanism. Here are the principle mechanism for this:
When -fstack-protector is enabled when it detects buffer overflows (eg, buffer overflow attacks) will immediately terminate the program being executed when a problem is detected and prompts its existing buffer overflow. This mechanism is under attack by a goal in the function of protection easily add context variables to complete. These functions include the use of functions and function allcoa 8bytes buffer size is exceeded (herein is not very clear, the above examples of the same buffer size is 5 to trigger the mechanism). These variables protection when entering the initialization function, to detect when the function exits, if certain variables test fails, it will print an error message and terminate the current process.
It also provides a -fstack-protector-all option, which is interpreted as: its function is similar -fstack-protector, but it was all functions to perform stack overflow detection, so we have compiled the best time to be able to add this option, avoid system problems
Closer to home, we look at why the prompt information overflow?
We look at the gdb disassembly
1 (gdb) disassemble return_input 2 Dump of assembler code for function return_input: 3 0x00000000004005ed <+0>: push %rbp 4 0x00000000004005ee <+1>: mov %rsp,%rbp 5 0x00000000004005f1 <+4>: sub $0x30,%rsp 6 0x00000000004005f5 <+8>: mov %fs:0x28,%rax 7 0x00000000004005fe <+17>: mov %rax,-0x8(%rbp) 8 0x0000000000400602 <+21>: xor %eax,%eax 9 0x0000000000400604 <+23>: lea -0x30(%rbp),%rax 10 0x0000000000400608 <+27>: mov %rax,%rdi 11 0x000000000040060b <+30>: callq 0x4004f0 <gets@plt> 12 0x0000000000400610 <+35>: lea -0x30(%rbp),%rax 13 0x0000000000400614 <+39>: mov %rax,%rsi 14 0x0000000000400617 <+42>: mov $0x4006d4,%edi 15 0x000000000040061c <+47>: mov $0x0,%eax 16 0x0000000000400621 <+52>: callq 0x4004c0 <printf@plt> 17 0x0000000000400626 <+57>: mov -0x8(%rbp),%rax 18 0x000000000040062a <+61>: xor %fs:0x28,%rax 19 0x0000000000400633 <+70>: je 0x40063a <return_input+77> 20 0x0000000000400635 <+72>: callq 0x4004b0 <__stack_chk_fail@plt> 21 0x000000000040063a <+77>: leaveq 22 0x000000000040063b <+78>: retq 23 End of assembler dump.
We can see that there are three instruction calls in <+30> <+52> <+72>, the first two are the printf and gets
We set a breakpoint look at what gets () and retq?
to be continued. .