"0day" -2- stack overflow

Others 2019-07-06 02:07:50 views: null

Chapter 2 stack overflow

Article Directory

1. The principle of the system stack

1.1 The different uses of memory

No matter what kind of operating system, what kind of computer architecture, memory can be used by a process according to function roughly divided into the following four sections.

  1. Code area: This area stores the binary machine code to be executed is loaded, the processor to fetch and execute this area.
  2. Data area: means for storing global variables.
  3. Heap: The process can request a certain amount of memory in the dynamic heap, and returned to the heap after the run out. Dynamic allocation and deallocation of the heap area are characteristics.
  4. Stack Area: calling for dynamically stores the relation between the function to ensure that the called function returns to the master when returning function continues.

Binary level machine code snippet PE file is loaded into memory contains a code area (.text), a processor and an instruction operand removed to the area of ​​memory and fed to the arithmetic logic unit calculates ; If the code in the dynamic memory request open, will be assigned an appropriate size that is returned to the code used in the code region of the memory heap area; occurs when a function call, the function call relationship information stored in the memory dynamically stack area for the processor to execute the code when the completion of the called function, the function returns the parent.

CPU is to complete the work of the workers; the data area, the heap area, stack area, etc. are used to store raw materials; instruction code area is told what to do CPU. In addition to storing data stack, or "shop scheduling office director."

Buffer can be heap, stack area and data storage area static variables. Buffer overflow and buffer in the end using the method above belong to which memory areas are inseparable.

Stack and the system stack 1.2

This introduction to the stack data structure slightly.

The system stack may have been called the run-time stack in other literature, call stack and so on.

1.3 What happens when you call the function

Depending on the different compilers and compiler options of the operating system, code for different functions of the same file in memory distributed code area might adjacent, may far way off, may have ordered, it may disorder; but they are in a "festival" with the code of a PE file is mapped in. We can simply put them in the position of distributed memory code region understood to be scattered irrelevant.

Function call presentation slightly.

In actual operation, main function is not the first function is called, the program is loaded into memory before and some other operations.

1.4 registers and stack frame function

Memory space between the ESP and EBP for the current stack frame, EBP identifies the bottom of the current stack frame, ESP identifies the top of the current stack frame.

Function stack frame, typically comprising:

  • Local variables: local variables as a function of opening up memory space.
  • Stack frame status values: bottom before storage stack frame, the stack top of the front frame can be obtained through the stack balance calculation), for recovering the previous stack frame after the present frame is popped.
  • Function return address

Function stack frame size is not fixed, local variables are generally related to the number corresponding to the function.

Another vital registers are eip. [Section 4 of this chapter] (# 4. Code implants), we will introduce the principle of control and experimental EIP hijack the process.

1.5 function calling convention and related instructions

Function calling convention describes the technical details of the way to pass parameters and functions work together in the stack. Different operating systems, different languages, different compilers principle when implementing the function call, although basically the same, but the specific calling convention there are still differences. Including parameter passing mode, the parameter stack order is from left to right or right to left, to restore the balance of the stack operation is performed when the function returns the subfunction or functions in the parent.

C SysCall StdCall Basic Fortran Pascal
Order parameters onto the stack Right → Left Right → Left Right → Left Left → Right Left → Right Left → Right
Restore the stack balancing operation position Generating function Functions Functions Functions Functions Functions

For Visual C ++, you can support the following three kinds of function calling convention

Statement calling convention Order parameters onto the stack Stack restore equilibrium position
__cdecl Right → Left Generating function
__fastcall Right → Left Functions
__stdcall Right → Left Functions

If you want to explicitly use a certain kind of calling convention, you only need to add a statement calling convention before the function, or by default, VC will use the __stdcall calling mode.

Directions except for the parameter stack and restore the top of the stack balancing operation position, sometimes different transmission parameters. For example, a C ++ class for each member function has a thispointer, in the Windows platform, this is indicated by the indicator ECXregisters to pass, but if the GCCcompiler compiler, this pointer onto the stack as the last parameter.

The same code with different compiler options, different compiler links, the resulting executable file will be a lot different.

Function calls generally includes the following steps.

  1. Stacking arguments: the parameter sequentially from right to left pushing system stack.
  2. The return address stack: the current code region to call the next instruction address onto the stack for continued execution function returns.
  3. Jump code area: a processor to jump from the current code area at the entrance of the called function.
  4. Adjusting stack frame: comprises
    • Save the current stack frame state value,push ebp
    • Updating the bottom of the stack frame, the stack frame is switched to the new current stack frame,mov ebp,esp
    • To the new stack frame allocated space,sub esp,XXX

For __stdcallcalling convention, instruction sequence used when the function call is as follows.

         ;调用前      
push 参数 3      ;假设该函数有 3 个参数,将从右向左依次入栈 
push 参数 2 
push 参数 1 
call 函数地址;call 指令将同时完成两项工作:a)向栈中压入当前指令在内存 
                            ;中的位置,即保存返回地址。b)跳转到所调用函数的入口地址函 
                             ;数入口处 
push ebp                   ;保存旧栈帧的底部 
mov ebp,esp              ;设置新栈帧的底部(栈帧切换) 
sub esp,xxx              ;设置新栈帧的顶部(抬高栈顶,为新栈帧开辟空间)

About divided stack frame, different reference books have different conventions.

OllyDbg EBP values ​​before the stack frame belonging to either a stack frame, also belonging to the next stack frame, the stack frame is thus divided, the return address becomes the top of the data stack frame.

We as a stack frame in accordance with the section between the ESP and EBP principles divided enough.

Function returns the following steps:

  1. Return value: generally the function return value held in a register EAXin.
  2. Pop-up current stack frame to restore the stack frame. Including:
    • On the basis of the balance of the stack, add esp,XXXto reduce the stack, the recovery of space in the current stack frame;
    • pop ebp, Recovered on a stack frame;
    • Pop return address.
  3. Jump: jump back to the return address as a function of the parent function continues, restore code area before calling.
add esp XXX
pop ebp
retn ; 这条指令有两个功能:
		;a)弹出当前栈顶元素,即弹出栈帧中的返回地址。 至此;栈帧恢复工作完成。
		;b)让处理器跳转到弹出的返回地址,恢复调用前的代码区。

2. Modify the adjacent variable

2.1 modify the principle of adjacency variables

Local variables are arranged next to one another in the stack. If the local variables or the like with a buffer array, and array bounds defect exists in the program, then the bounds of the array elements, there may undermine the value of the stack adjacent to the variable, or even destruction of the stack frame stored EBPvalue, returns address and other important data.

In most cases, the distribution of local variables on the stack is adjacent to, but it is also possible for the compiler optimization need to vary the exception.

#include <stdio.h>
#include <string.h>
#define PASSWORD "1234567" 
int verify_password (char *password) 
{ 
           int authenticated; 
           char buffer[8];// add local buffto be overflowed 
           authenticated=strcmp(password,PASSWORD); 
           strcpy(buffer,password);//over flowed here! 
           return authenticated; 
}

The examples in the book, the local variables defined in the first stack frame authenticatedaddress than bufferhigh, by bufferthe verification is successful to cover this variable.

In addition, when the analysis to adapt to the small end storage.

3. Modify the function return address

More versatile, more powerful attacks by buffer overflow rewriting the goal is often not a single variable, but rather aimed at the bottom of the stack frame EBPand the function returns the address of the stack frame status value.

When the configuration address, can be used UltraEdithex edit mode, according to the small end of the reverse input memory 4 bytes.

4. code into

4.1 code into the principle of

By stack overflow allows implantation process execution input data code.

In the buffer contains the code ourselves want, and then let the program jump to the return address in the execution stack system, you can let the process go through the code had not.

We shellcodegenerally performed once MessageBox().

In fact, the system does not exist in the real MessagBoxfunction, to MessageBoxcall this kind of API calls in accordance with the system will eventually choose the type of category "A" function (ASCII) or "W" class functions (UNICODE) parameter string. Therefore, we call a function in assembly language should be MessageBoxA. In fact, after a direct call to achieve MessageBoxA only in the unusual setting of several parameters MessageBoxExA.

Assembly language to call MessageboxAthree steps. :

  1. Loading user32.dll. MessageBoxAIt is user32.dllexported functions. Most have a graphical user interface of the program have been loaded library.
  2. Calling this function in assembly language required to obtain entry address of the function.
  3. From right to left to the stack pushed in the order MessageBoxAof four parameters.

MessageBoxAInlet parameters can be user32.dllloaded in the system and a base address MessageBoxAobtained by adding the offset in the library. VC6.0 can use built-in gadgets Dependency Walker, the PE file can be dragged into it.

The method of assembly instructions extracted from the binary machine code will focus in Chapter 5.

Guess you like

Origin blog.csdn.net/Ga4ra/article/details/93721425
Recommended
NetBSD bans submission of code generated by AI
Ranking
Talk dubbo of LRUCache
Chapter 1 Learning Summary
Introduction to Virtualization
pytorch 调用lstm
Six modules
[8086] The natural number of 1 to 36 into a 6x6 two-dimensional array of line-sequentially, and then print out the lower left half of the triangular array
mybatis mapper mapping file $ # {} {} understanding and
C language input and output buffer
c language floating-point input and output
andorid P version compatible, refer to Huawei
Daily
More
2024-05-18(31)
2024-05-17(6)
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)

Code World

© 2018 codetd.com