2. Tech
  3. Buffer overflow vulnerability entry introduction

Buffer overflow vulnerability entry introduction

zhaozj2021-02-16  46

Buffer overflow vulnerability entry introduction

Wen / Hokersome

First, in the introduction, whether you believe it, in decades, the buffer overflow has always caused many serious security issues. Even disassessive says that there is at least 50% of the problem of at least 50% of the new buffer overflow. It is far from saying that an impact wave virus has already talked out. As a hacker, it is a must-have course for the buffer overflow vulnerability. There are a lot of articles on overflowing vulnerabilities, but most of them are too deep or concentrated in one topic, not suitable for beginners to do general understanding. To this end, I wrote this article, mainly for beginners, general introduction to the buffer overflow vulnerability. The buffer overflow vulnerability is so much, it is that it is so simple. As long as the C / C programmer relaxs a little, his code may have a buffer overflow vulnerability, even if the code carefully checked, there will be buffer overflow vulnerabilities.

Second, overflow listening to me said these nonsense, you must know how to overflow vulnerabilities in the buffer, how to overflow happened. Ok, now let's take a clear what is overflow. The following, I will assume that you have a little understanding of C language programming, a little bit is enough, of course, the better. Although buffer overflows also occurs on non-C / C languages, considering the extent of various languages, we can some extent, buffer overflow is a patent of C / C . Believe me, if you find overflow vulnerabilities in a program written in VB, you will be famous. Back to C / C , in these two use very wide language, there is no boundary to check the quotation of arrays and pointers, the purpose of doing efficiency, and unfortunately, this also left serious Security Question. First look at the following simple code: #include void main () {char buf [8]; gets (buf);} When you run, if you enter "Hello", or "Kitty", then Everything is normal, but if you enter "Today Is A Good Day", then I have to inform you that the program has overflow. Obviously, the buf is only applied to 8 bytes of memory space, while the characters entered exceeds this, so excess characters will occupy their own memory. Because the C / C language does not check the boundary, the program will seem to continue to run. If the memory being occupied by the overflow is not important, or a memory that is not used, then the program will continue to seem to have a normal run until the end. However, if the overflow part occupies the memory of the program's important data, then everything will be unimaginable. In fact, the buffer overflows usually have two, the stack overflow and stack overflow. Although the two are essentially the same, I will introduce below because of the way. But before introducing, or to do some necessary knowledge preparations.

Third, knowledge preparation should understand the essence of most buffers overflow, first of all, it is first to understand how memory in the machine is allocated. On many systems, each process has its own virtual address space, which is mapped to the actual memory in some way. We don't have to care about describing the exact mechanism used to map virtual address spaces into basic architectures, while only care theory to address the process of addressing large-scale continuous memory. When the program is running, the memory generally contains these parts: 1) Program parameters and program environment; 2) Program stack, it usually grows during execution, in general, it grows downwards. 3) Heap, it also increases when the program is executed, in contrast, it will grow up towards the stack growth; 4) BSS segment, which contains uninitialized globally available data (eg, global variables); 5) Data segments, it contains initialization The overall data (usually global variable); 6) text segment, which contains read-only program code. BSS, data, and text segments constitute static memory: The size of these segments has been fixed before the program is running. Although individual variables can be changed while running, data cannot be assigned to these segments. Here, take a simple example to illustrate something that looks dizziness: #include char buf [3] = "abc"; int i; void main () {i = 1 return;} I belongs to the BBS segment, and the BUF belongs to the data segment. Both are static memory because they can change the value in the program, but their assigned memory size is fixed, such as the data of the BUF greater than three characters, will overwrite other data. In contrast to static memory, the stacks and stacks are dynamic, and the size can be changed when the program is running. The programs of the stack varies from the language. In the C language, the heap is accessed via malloc () and other related functions, while the New operator in C is the programmer interface of the heap. The stack is special, mainly to save the scene when calling the function, so that the function will continue to run after the function returns. Fourth, the thoughts of the overflows are very simple, covering important variables to achieve their own purpose. This is more difficult to actually operate, especially when the source code is invisible. First, you must determine which variable is an important variable; second, you must find a memory address with a low overflow point of the target variable; third, in the specific purpose, you must also let the target variables in the middle After overwriting other variables, the program can still run. The procedure as seen by a source code is given a demonstration of how to happen a simple pile of overflow: #include "malloc.h" #include "string.h" #include "stdio.h" void main () {char * large_str = (Char *) malloc (sizeof (char) * 1024); char * important = (char *) malloc (sizeof (char) * 6); char * str = (char *) Malloc (sizeof (char) * 4) Strcpy (Important, "Abcdef"); // Give IMPORTANT assignment // The following two lines of code are to see the STR and Important's address Printf ("% D / N", STR); Printf ("% D / N) ", important);

Gets (Large_Str); // Enter a string strcpy (Str, Large_STR); // The code is intended to copy the input string to strprintf ("% s / n", important);} In practical applications, such The code is of course not existed, this is just a simplest experimental program. Now our goal is that Important This string becomes "HACKER". The address of the STR and Important is not necessarily in different environments. I am 7868032 and 7868080. Very good, the address of the Important is larger than the STR, which is possible for overflow. Calculate you can know that the two are divided by 48 bytes, so you can enter 48 arbitrary characters when entering overflow string, then enter the HAKCER Enter, haha, out, IMPORTANT is "Hacker". 5. A key issue that stack overflows is difficult to find a so-called important variable, and the stack overflow does not have this problem because it will overwrite a very important thing --- function return address. When the function is called, the breakpoint or the return address will be saved to the stack so that the function will continue to run after the function. The idea of ​​stack overflow is to find an overflow point in the function, overwritten the return address inside the stack, replace it into a place you specified, and in that place, we will put some carefully attacked code. Some assembly knowledge is required because of the writing of the attack code, here I will not intend to involve. The goal here is to write a stack overflow show that allows the program to perform another function by overlaying the stack. Because the stack is increasing down, then the address of the stack will be entered, which is possible to find the overflow point in the function. Imagine, and the stack is increasing, we will never find an overflow point to override the address in the function. Start starting with a simplest example: Void Test (INT i) {Char BUF [12];} void main () {test (1);} Test function has a local parameter and a static allocated buffer. To view the memory addresses in which these two variables (with each other), we will be slightly modified to the code: Void test (int i) {char buf [12]; printf ("& i =% d / n", & i PRINTF ("& BUF [0] =% D / N", BUF);} void main () {test (1);} What to explain is that due to personal habits, I output the address result into 10 Form, I hope this does not affect the narrative of the article. In my here, the following output is produced: & i = 6684072 & buf [0] = 6684052. Here I added it. When a function is called, the first is the parameter into the stack, then the address is returned. Also, these data are in pair, because the return address is 4 bytes, so it is known that the return address should be saved from 6684068 to 6684071. Because the data is poured, it is actually returned to the address is: BUF [19] * 256 * 256 * 256 BUF [18] * 256 * 256 buf [17] * 256 buf [16]. Our goals have not been reached, let's continue. On the basis of the above program, modify: #include void main () {Void Test (INT i); test (1);}

Void test (int i) {void com (); char buf [12]; // Used to occur an array int Addr [4]; int K = (int) & I- (int) buf; // calculating parameters to The distance INT GO = (int) & com) between the overflow array; // Since the EIP address is in pair, first separate the address of the COME () function into byte ADDR [0] = (GO << 24)> > 24; addr [1] = (GO << 16) >> 24; addr [2] = (GO << 8) >> 24; addr [3] = GO >> 24; // with a come () function Address coverage EIP for (int J = 0; j <4; j ) {buf [kJ-1] = addr [3-j];}} void com () {printf ("Success!");} Everything ! After running, "Success!" Successfully printed! However, since this program destroys the stack, the system will prompt the program to be closed. But this is not tight, because at least we have taken the first step in the Long March. 2003.10.6 Night - 10.7 morning

转载请注明原文地址:https://www.9cbs.com/read-25969.html

9cbs

New Post(0)