Return address overwrite. The idea: first copy main's return address (the address inside __libc_start_main that main would normally return to) into the stack slot that holds main's first parameter (argc); then overwrite main's return address slot with the address of foo. When main executes its final ret, control jumps to foo instead of back into __libc_start_main (this is the "overflow"). Because foo's own pushes and pops balance, foo's ret pops the word that used to hold argc, which now contains the saved __libc_start_main address, so the program still terminates cleanly after the shell exits.
Execution process:

1. __libc_start_main sets up the stack frame for main (pushing argc and the return address) and calls main.
2. main prints "now in main". When main finishes and executes ret, it jumps to foo.
3. foo prints "jump here" and runs the shell. When the shell exits and foo returns, control goes back to the instruction in __libc_start_main that follows the call to main.
4. __libc_start_main continues and ends the program.
LEN can be set to 1 or 2. For those values the compiler reserves exactly 4 or 8 bytes for buf directly below the saved EBP, so buf + LEN + 1 is the return address slot. For other values of LEN the compiler inserts alignment padding between the top of the stack and the data, so the fixed offsets used in the source no longer land on the return address and the slot is harder to locate.
Assembly code:

  main: Dump of assembler code for function main, starting at 0x8048568
  foo:  Dump of assembler code for function foo__Fv, starting at 0x8048540
Stack layout while main is executing (LEN == 2, one 4-byte word per offset):

  ESP ->  offset 0  [buf[0]]
          offset 1  [buf[1]]
  EBP ->  offset 2  [old EBP (__libc_start_main's frame)]
          offset 3  [main's return address]
          offset 4  [argc = 1, main's first argument]

Stack layout while foo is executing:

          offset 0  [local variable space]
  ESP ->  offset 1  [local variable space]
          offset 2  [local variable space]
  EBP ->  offset 3  [old EBP (main)]
          offset 4  [main's return address, copied here by main's first store]

Source code (test.c):

  #include <stdio.h>
  #include <stdlib.h>

  void foo()
  {
      puts("jump here");
      system("/bin/sh");
  }

  #define LEN 2

  int main()
  {
      int buf[LEN];
      /* save main's return address (into __libc_start_main) in the argc slot,
         so that foo's ret has somewhere sane to go */
      *(int *)(buf + LEN + 2) = *(buf + LEN + 1);
      /* overwrite main's return address with the address of foo */
      *(int *)(buf + LEN + 1) = (int)((void (*)())foo);
      puts("now in main");
      return 0;
  }

Under the shell:

  # g++ -g test.c
  # ls
  a.out  test.c
  # ./a.out
  now in main
  jump here
  sh-2.05a# ls
  a.out  test.c
  sh-2.05a# exit
  exit
  #
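To make the control-flow chain explicit, here is an added model of the technique above; it is not code from the original post. It simulates the five-word 32-bit stack from the "main is executing" diagram, applies main's two stores, and then steps through main's leave/ret and foo's prologue, leave and ret. The foo address is the page's 0x8048540; ADDR_LIBC_START_RET and ADDR_OLD_EBP are assumed placeholder values. Running the chain a second time without the first store shows why the argc fix-up is needed: foo's ret then pops argc (the value 1) as its return address.

```c
#include <stdint.h>
#include <stdio.h>

#define LEN    2            /* same LEN as the page's test.c */
#define NWORDS (LEN + 3)    /* buf[0..LEN-1], old EBP, return address, argc */

/* ADDR_FOO is the page's foo__Fv address. The other two are assumed
 * placeholders: the saved EBP, and the instruction in __libc_start_main
 * that follows the call to main. */
#define ADDR_FOO            0x08048540u
#define ADDR_LIBC_START_RET 0x40001234u
#define ADDR_OLD_EBP        0xbffffff8u

struct cpu {
    uint32_t stack[NWORDS]; /* one 4-byte word per slot, index 0 = lowest address */
    int      esp;           /* index of the word ESP points at */
    uint32_t eip;
};

static uint32_t pop(struct cpu *c)             { return c->stack[c->esp++]; }
static void     push(struct cpu *c, uint32_t v) { c->stack[--c->esp] = v; }

/* Stack exactly as in the page's "main is executing" diagram, before main's stores. */
static void frame_of_main(struct cpu *c)
{
    for (int i = 0; i < LEN; i++)
        c->stack[i] = 0;                    /* buf[i] */
    c->stack[LEN]     = ADDR_OLD_EBP;       /* saved EBP of __libc_start_main */
    c->stack[LEN + 1] = ADDR_LIBC_START_RET;/* main's return address */
    c->stack[LEN + 2] = 1;                  /* argc */
    c->esp = 0;
    c->eip = 0;
}

/* The two stores in test.c's main. fix_argc == 0 skips the first one. */
static void main_writes(struct cpu *c, int fix_argc)
{
    uint32_t *buf = c->stack;               /* buf sits at the top of the stack */
    if (fix_argc)
        buf[LEN + 2] = buf[LEN + 1];        /* argc slot := main's return address */
    buf[LEN + 1] = ADDR_FOO;                /* return address slot := foo */
}

/* main's epilogue: leave (mov esp,ebp ; pop ebp) then ret. EBP indexes buf[LEN]. */
static void main_returns(struct cpu *c)
{
    c->esp = LEN;                           /* mov esp, ebp */
    (void)pop(c);                           /* pop ebp  -> esp = LEN + 1 */
    c->eip = pop(c);                        /* ret      -> esp = LEN + 2, the old argc slot */
}

/* foo: push ebp ; mov ebp,esp ; locals ; (puts/system not modelled) ; leave ; ret.
 * Its pushes and pops balance, so ret pops whatever now sits in the old argc slot. */
static void foo_returns(struct cpu *c)
{
    push(c, ADDR_OLD_EBP);                  /* push ebp */
    int ebp = c->esp;                       /* mov ebp, esp */
    c->esp -= LEN + 1;                      /* room for locals, as in the foo diagram */
    c->esp = ebp;                           /* leave: mov esp, ebp */
    (void)pop(c);                           /*        pop ebp */
    c->eip = pop(c);                        /* ret */
}

/* Run the whole chain. Returns where foo's ret lands; *after_main_ret receives
 * where main's ret landed. */
static uint32_t run_chain(int fix_argc, uint32_t *after_main_ret)
{
    struct cpu c;
    frame_of_main(&c);
    main_writes(&c, fix_argc);
    main_returns(&c);
    if (after_main_ret)
        *after_main_ret = c.eip;
    foo_returns(&c);
    return c.eip;
}

int main(void)
{
    uint32_t mid, end;
    end = run_chain(1, &mid);
    printf("with argc fix-up:    main ret -> %#x, foo ret -> %#x\n", mid, end);
    end = run_chain(0, &mid);
    printf("without argc fix-up: main ret -> %#x, foo ret -> %#x (argc, not code)\n", mid, end);
    return 0;
}
```

The model only tracks ESP and EIP; it does not emulate the library calls or the real process, so it runs safely on any host and shows the word-level bookkeeping that the real binary relies on.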