How to replace the return address on the stack using a buffer overflow attack


Problem description

For a homework assignment, I am performing a series of buffer overflow attacks. I was given a program to disassemble, the source code in C for a function that improperly calls gets(), and the source code for several other functions that I am supposed to force the program to call. For one of the tasks, I have to:


  • Inject some code that changes a value, then

  • Return to one of the aforementioned methods

The main thing that I don't understand is where the program looks in the stack when determining where to return. Where is the return address for a method stored on the stack?

The program is compiled for x86.

Recommended answer

What you need to know:


  • EIP is a register that points at the next instruction to execute.

  • When calling a function, the arguments and then EIP (so the called function knows where to return to) are saved on the stack.

When the compiler has been told (explicitly or implicitly) to use frame pointers, it then saves the frame pointer (in the EBP register) on the stack (so it can later restore the frame pointer to the value it had in the calling function), and then sets the frame pointer to point to the current top of the stack. This allows easy access to arguments and local variables from a known point of reference (the frame pointer), and greatly simplifies debugging.

A function call on x86 looks something like:

                                        ...
int main()                              add  $-0x8,%esp ; alignment
{                                       push $0x2       ; arg 2
        ...                             push $0x1       ; arg 1
        func(1, 2);                     call func       ; function call
        ...                             add  $0x10,%esp ; pop args from stack
}                                       ...

And the called function looks something like:

void func(int arg1, int arg2)           push %ebp       ;\
{                                       mov  %esp,%ebp  ;/ create stack frame
        int local1;                     sub  $0x18,%esp ; reserves space
        ...                             ...
}                                       mov  %ebp,%esp  ;\
                                        pop  %ebp       ;/ destroys frame
                                        ret             ; returns

So, the stack will look similar to:

          :           :
          +-----------+
          : alignment :
          +-----------+
12(%ebp)  |   arg2    |
          +-----------+
 8(%ebp)  |   arg1    |
          +-----------+
 4(%ebp)  |    ret    | -----> return address
          +-----------+
  (%ebp)  |    ebp    | -----> previous ebp
          +-----------+
-4(%ebp)  |  local1   | -----> local vars
          +-----------+
          : alignment :
          +-----------+
          :           :

(Lower addresses are lower in the ASCII art)
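The frame layout in the answer above, modelled as an added example (this is not code from the original question or answer, and it does not model the assignment's binary). It builds a simulated 32-bit frame as a byte array in the order the diagram shows (local buffer, saved ebp, return address), feeds it an over-long line through a gets()-like copy with no length check, and reads back the slot at 4(%ebp) to show that the bytes past the buffer landed on the return address. BUF_SIZE, the sample addresses, and the names simulated_gets, build_payload and overwritten_ret are assumptions chosen for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit stack frame for func(), laid out as in the diagram above
 * (index 0 = lowest address):  [ local buffer | saved ebp | return address ]
 * BUF_SIZE is an ASSUMED distance from the start of the buffer to %ebp; on a
 * real binary read it from the disassembly (the sub $N,%esp in the prologue
 * and the -N(%ebp) offset passed to gets()), because the compiler may put
 * alignment padding between the buffer and the saved ebp. */
#define BUF_SIZE   16u
#define WORD       4u
#define FRAME_SIZE (BUF_SIZE + WORD + WORD)

#define OFF_BUF 0u                  /* -BUF_SIZE(%ebp): start of the local buffer */
#define OFF_EBP BUF_SIZE            /*   (%ebp): caller's saved frame pointer */
#define OFF_RET (BUF_SIZE + WORD)   /*  4(%ebp): return address consumed by ret */

struct frame {
    uint8_t mem[FRAME_SIZE];
};

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Set the frame up the way the prologue (push %ebp; mov %esp,%ebp; sub) leaves it. */
void frame_init(struct frame *f, uint32_t saved_ebp, uint32_t ret_addr)
{
    memset(f->mem, 0, sizeof f->mem);
    store_le32(f->mem + OFF_EBP, saved_ebp);
    store_le32(f->mem + OFF_RET, ret_addr);
}

uint32_t frame_ret(const struct frame *f) { return load_le32(f->mem + OFF_RET); }
uint32_t frame_ebp(const struct frame *f) { return load_le32(f->mem + OFF_EBP); }

/* Model of gets(): copy up to a newline with no length check, so bytes past
 * BUF_SIZE land on the saved ebp and then on the return address. The copy is
 * clipped at the end of the simulated frame only so this example never
 * touches real memory; the real gets() has no such stop. Returns bytes copied. */
size_t simulated_gets(struct frame *f, const uint8_t *input, size_t len)
{
    size_t n = 0;
    while (n < len && input[n] != '\n' && OFF_BUF + n < FRAME_SIZE) {
        f->mem[OFF_BUF + n] = input[n];
        n++;
    }
    if (OFF_BUF + n < FRAME_SIZE)
        f->mem[OFF_BUF + n] = '\0';     /* gets() terminates the string */
    return n;
}

/* Classic payload: BUF_SIZE filler bytes, a fake saved ebp, then the address
 * ret should jump to, each little-endian because the target is x86. */
size_t build_payload(uint8_t *out, size_t cap, uint32_t fake_ebp, uint32_t target)
{
    if (cap < FRAME_SIZE)
        return 0;
    memset(out, 'A', BUF_SIZE);
    store_le32(out + OFF_EBP, fake_ebp);
    store_le32(out + OFF_RET, target);
    return FRAME_SIZE;
}

/* Run one overflow against a fresh frame and report where ret would now go. */
uint32_t overwritten_ret(uint32_t fake_ebp, uint32_t target)
{
    struct frame f;
    uint8_t payload[FRAME_SIZE];
    frame_init(&f, 0xbffff7e8u, 0x080484a1u);   /* constructed sample values */
    size_t len = build_payload(payload, sizeof payload, fake_ebp, target);
    simulated_gets(&f, payload, len);
    return frame_ret(&f);
}

int main(void)
{
    /* 0x08048540 stands in for the address of the function to force. */
    printf("ret slot is %u bytes past the buffer start; after overflow ret = 0x%08x\n",
           (unsigned)OFF_RET, overwritten_ret(0xdeadbeefu, 0x08048540u));
    return 0;
}
```

The number that matters on the real binary is OFF_RET: the distance from the start of the buffer to %ebp, plus 4. Whatever byte of the input lands there is what ret pops into EIP, so the address of the function you want to force goes at exactly that offset, least significant byte first. Note that any 0x0a byte in the addresses will stop gets() early, since it reads up to a newline.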
