Example of a buffer overflow leading to a security leak


Problem description

I read many articles about unsafe functions like strcpy, memcpy, etc. which may lead to security problems when processing external data, like the content of a file or data coming from sockets. This may sound stupid, but I wrote a vulnerable program but I did not manage to "hack" it.

I understand the problem of buffer overflow. Take this example code:

#include <stdio.h>

int main() {
   char buffer[1];          /* deliberately tiny: one byte of stack */
   int var = 0;             /* neighbouring local that the overflow clobbers */

   /* "%s" reads a whitespace-delimited token with no length limit, so any
      input longer than the buffer is written past it into adjacent memory */
   scanf("%s", buffer);
   printf("var = 0x%x\n", var);
   return 0;
}

When I execute the program and type "abcde", the program outputs 0x65646362 which is "edcb" in hexadecimal + little-endian. However I read that you could modify the eip value that was pushed on the stack in order to make the program execute some unwanted code (eg. right before a call to the system() function).

However the function's assembly starts like this:

push %ebp                  # save the caller's frame pointer
mov  %esp, %ebp            # AT&T syntax, source first: %esp is copied into %ebp
and  $0xfffffff0, %esp     # align the stack pointer down to a 16-byte boundary
sub  $0x20, %esp           # reserve space for the locals

Since the value of %esp is random at the start of the function and because of this "and", there seems to be no reliable way to write a precise value into the pushed eip value.

Moreover, I read that it was possible to execute the code you wrote in the buffer (here the buffer is only 1 byte long, but in reality it would be large enough to store some code) but what value would you give to eip in order to do so (considering the location of the buffer is random)?

So why are developers so worried about security problems (except that the program could crash)? Do you have an example of a vulnerable program and how to "hack" it to execute unwanted code? I tried this on Linux, is Windows less safe?

Recommended answer

Read the excellent article by Aleph One: Smashing the Stack for Fun and Profit.
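The following is an added illustration of the mechanism the question asks about and the Aleph One article walks through; it is not code from the question or the article. It models a 32-bit stack frame as a C struct (a hypothetical layout: local buffer at the lowest address, then the saved %ebp pushed by the prologue, then the return address pushed by call), and shows why an unbounded copy such as strcpy() or scanf("%s") lets the input decide what "ret" pops. The addresses ORIG_EIP and TARGET_EIP are made-up values. The copy is capped at the size of the struct only to keep the model well defined; a real program keeps clobbering whatever lies above the frame. The distance from the buffer to the saved %eip is fixed by the compiler in any function that does not realign the stack, which is why the payload can place the new return address at a known offset; the uncertainty in the buffer's own address (the one the question worries about) is what the article's NOP sled absorbs. A modern build with stack protector, NX and ASLR stops the exact steps in the article, which is why this is modelled rather than run against a live frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Hypothetical 32-bit frame for a function with one local buffer.
 * BUF_SIZE is a multiple of 4, so the three members are contiguous. */
struct frame {
    char     buffer[BUF_SIZE];  /* local array, lowest address           */
    uint32_t saved_ebp;         /* from "push %ebp" in the prologue      */
    uint32_t saved_eip;         /* return address, what "ret" jumps to   */
};

/* Illustrative addresses (assumptions, not taken from any real binary). */
#define ORIG_EIP   0x08048500u  /* where the function would normally return */
#define TARGET_EIP 0x0804a0c0u  /* where the attacker wants "ret" to go     */

/* Set the frame up the way the function finds it on entry. */
void frame_init(struct frame *f)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->saved_ebp = 0xbffff0a8u;   /* arbitrary caller frame pointer */
    f->saved_eip = ORIG_EIP;
}

/* Unbounded copy, modelling strcpy()/scanf("%s"): the input decides how many
 * bytes are written. Writing starts at the first member (the buffer), so a
 * long input runs straight through saved_ebp into saved_eip. The cap at
 * sizeof(struct frame) only keeps the model inside the struct. */
uint32_t vulnerable_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, in, len);
    return f->saved_eip;
}

/* Hardened copy: bounded by the destination, always NUL-terminated. */
uint32_t safe_copy(struct frame *f, const unsigned char *in, size_t len)
{
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(f->buffer, in, n);
    f->buffer[n] = '\0';
    return f->saved_eip;
}

/* Classic payload: filler up to the saved registers, a throw-away saved
 * %ebp, then the target address in little-endian order so that "ret"
 * loads it into %eip. Returns the payload length. */
size_t build_payload(unsigned char *out, uint32_t target)
{
    size_t pos = 0;
    memset(out, 'A', BUF_SIZE);       pos += BUF_SIZE;   /* fills the buffer */
    memset(out + pos, 'B', 4);        pos += 4;          /* overwrites saved %ebp */
    out[pos++] = (unsigned char)((target      ) & 0xff); /* saved %eip, LE */
    out[pos++] = (unsigned char)((target >>  8) & 0xff);
    out[pos++] = (unsigned char)((target >> 16) & 0xff);
    out[pos++] = (unsigned char)((target >> 24) & 0xff);
    return pos;
}

/* Saved %eip after the unbounded copy: the attacker's value. */
uint32_t demo_overflow(void)
{
    unsigned char payload[sizeof(struct frame)];
    struct frame f;
    size_t len = build_payload(payload, TARGET_EIP);
    frame_init(&f);
    return vulnerable_copy(&f, payload, len);
}

/* Saved %eip after the bounded copy: unchanged. */
uint32_t demo_safe(void)
{
    unsigned char payload[sizeof(struct frame)];
    struct frame f;
    size_t len = build_payload(payload, TARGET_EIP);
    frame_init(&f);
    return safe_copy(&f, payload, len);
}

int main(void)
{
    printf("original return address: 0x%08x\n", ORIG_EIP);
    printf("after unbounded copy:    0x%08x\n", demo_overflow());
    printf("after bounded copy:      0x%08x\n", demo_safe());
    return 0;
}
```

The same 24-byte input, fed to the two copy routines, ends either with the return address replaced by TARGET_EIP or with the frame intact; the only difference is whether the length written comes from the input or from the destination, which is the whole point of the "unsafe functions" warnings in the question.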

