segmentation violation. Lets see what its stack looks [like] when we call function:
bottom of top of
memory memory
buffer sfp ret *str
<------ [ ][ ][ ][ ]
top of bottom of
stack stack
What is going on here? Why do we get a segmentation violation? Simple. strcpy() is copying the contents of
*str (larger_string[]) into buffer[] until a null character is found on the string. As we can see buffer[] is much
smaller than *str. buffer[] is 16 bytes long, and we are trying to stuff it with 256 bytes. This means that all 250
[240] bytes after buffer in the stack are being overwritten. This includes the SFP, RET, and even *str! We had
filled large_string with the character 'A'. It's hex character value is 0x41. That means that the return
address is now 0x41414141. This is outside of the process address space. That is why when the function returns
and tries to read the next instruction from that address you get a segmentation violation. So a buffer overflow
allows us to change the return address of a function. In this way we can change the flow of execution of the
program. Lets go back to our first example and recall what the stack looked like:
bottom of top of
memory memory
buffer2 buffer1 sfp ret a b c
<------ [ ][ ][ ][ ][ ][ ][ ]
top of bottom of
stack stack
Lets try to modify our first example so that it overwrites the return address, and demonstrate how we can make
it execute arbitrary code. Just before buffer1[] on the stack is SFP, and before it, the return address. That is 4
bytes pass the end of buffer1[]. But remember that buffer1[] is really 2 word so its 8 bytes long. So the return
address is 12 bytes from the start of buffer1[]. We'll modify the return value in such a way that the assignment
statement 'x = 1;' after the function call will be jumped. To do so we add 8 bytes to the return address.
Our code is now: example3.c:
void function(int a, int b, int c) {
char buffer1[5];
char buffer2[10];
int *ret;
ret = buffer1 + 12;
(*ret) += 8;
}
void main() {
int x;
x = 0;
function(1,2,3);
x = 1;
printf("%d\n",x);
}
剩余24页未读,继续阅读
maimang09
- 粉丝: 363
- 资源: 60
我的内容管理
展开
最新资源
- Hadoop生态系统与MapReduce详解
- MDS系列三相整流桥模块技术规格与特性
- MFC编程:指针与句柄获取全面解析
- LM06:多模4G高速数据模块,支持GSM至TD-LTE
- 使用Gradle与Nexus构建私有仓库
- JAVA编程规范指南:命名规则与文件样式
- EMC VNX5500 存储系统日常维护指南
- 大数据驱动的互联网用户体验深度管理策略
- 改进型Booth算法:32位浮点阵列乘法器的高速设计与算法比较
- H3CNE网络认证重点知识整理
- Linux环境下MongoDB的详细安装教程
- 压缩文法的等价变换与多余规则删除
- BRMS入门指南:JBOSS安装与基础操作详解
- Win7环境下Android开发环境配置全攻略
- SHT10 C语言程序与LCD1602显示实例及精度校准
- 反垃圾邮件技术:现状与前景
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
