  • Published 2016-03-15 in Shanxi
Principles of Buffer Overflow Vulnerability Attacks

[This was an ascii file in Phrack, Volume Seven, Issue Forty-Nine, November 08, 1996. Converted to HTML, and minor corrections made by pmateti@.]

.oO Phrack 49 Oo.

Volume Seven, Issue Forty-Nine
File 14 of 16

BugTraq, r00t, and Underground.Org
bring you

Smashing The Stack For Fun And Profit

Aleph One
aleph1@

`smash the stack` [C programming] n. On many C implementations it is possible to corrupt the execution stack by writing past the end of an array declared auto in a routine. Code that does this is said to smash the stack, and can cause return from the routine to jump to a random address. This can produce some of the most insidious data-dependent bugs known to mankind. Variants include trash the stack, scribble the stack, mangle the stack; the term mung the stack is not used, as this is never done intentionally. See spam; see also alias bug, fandango on core, memory leak, precedence lossage, overrun screw.

Introduction

Over the last few months there has been a large increase of buffer overflow vulnerabilities being both discovered and exploited. Examples of these are syslog, splitvt, sendmail 8.7.5, Linux/FreeBSD mount, Xt library, at, etc. This paper attempts to explain what buffer overflows are, and how their exploits work.

Basic knowledge of assembly is required. An understanding of virtual memory concepts, and experience with gdb are very helpful but not necessary. We also assume we are working with an Intel x86 CPU, and that the operating system is Linux.

Some basic definitions before we begin: A buffer is simply a contiguous block of computer memory that holds multiple instances of the same data type. C programmers normally associate with the word buffer arrays. Most commonly, character arrays. Arrays, like all variables in C, can be declared either static or dynamic. Static variables are allocated at load time on the data segment. Dynamic variables are allocated at run time on the stack. To overflow is to flow, or fill over the top, brims, or bounds. We will concern ourselves only with the overflow of dynamic buffers, otherwise known as stack-b
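The definitions above as an added example, not code from the original article: it checks where a static array and an auto array are placed, and sets an unchecked copy into an auto buffer beside a length-checked one. It assumes Linux with a readable /proc/self/maps; the names static_buf, on_stack, auto_buffer_on_stack, copy_unchecked and copy_checked are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static char static_buf[16]; /* static storage: data segment, allocated at load time */

/* Linux: 1 if p is in the [stack] mapping, 0 if in another, -1 if maps is unreadable. */
int on_stack(const void *p)
{
    char line[1024];
    unsigned long lo, hi;
    int found = -1;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (found < 0 && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx", &lo, &hi) == 2 && (uintptr_t)p >= lo && (uintptr_t)p < hi)
            found = strstr(line, "[stack]") != NULL;
    fclose(f);
    return found;
}

/* An auto ("dynamic") array lives in the routine's stack frame, created at run time. */
int auto_buffer_on_stack(void)
{
    char buf[16] = "";
    return on_stack(buf);
}

/* Before: no length check; 16+ input bytes run past the end of buf. Never called here. */
void copy_unchecked(const char *src)
{
    char buf[16];
    strcpy(buf, src);
}

/* After: reject input that does not fit, terminator included. Returns bytes copied or -1. */
int copy_checked(const char *src)
{
    char buf[16];
    size_t n = strlen(src);
    if (n >= sizeof buf) return -1;
    memcpy(buf, src, n + 1);
    return (int)strlen(buf);
}

int main(void)
{
    printf("static on stack: %d, auto on stack: %d\n", on_stack(static_buf), auto_buffer_on_stack());
    printf("15 bytes: %d, 16 bytes: %d\n", copy_checked("AAAAAAAAAAAAAAA"), copy_checked("AAAAAAAAAAAAAAAA"));
}
```

The 16-byte input is rejected because its terminating NUL would be the seventeenth byte written into a 16-byte array.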
