安全编程之缓冲区溢出.ppt

安全编程之缓冲区溢出 内容 缓冲区溢出初步(标准栈溢出) 总结 提问 深入了解缓冲区溢出 总结 提问 安全编程防止缓冲区溢出(一些实例) 拓展:非x86平台上的缓冲区溢出 总结 提问 History 1988 : Robert Morris Internet Worms BSD fingerd buffer overflow Vulnerability /bid/2/ 1996 : Smashing The Stack for Fun and Profit Aleph One 1999 : w00w00 on heap/bss overflow 2001 : free() 2002 : Integer overflow Kernel Buffer overflow, Misc shellcode, worm,…… Why we learn it? Black Hat White Hat Inform the vendor before expose the vul. No exploit in the advisory Concept code always Write the exploit yourself in your hacking Security base knowledge Deep into your world Secure programming A simple sample How the program works call Pushes Instruction Pointer (and Code Segment for far calls) onto stack and loads Instruction Pointer with the address of proc-name. Code continues with execution at CS:IP. ret Transfers control from a procedure back to the instruction address saved on the stack. n bytes is an optional number of bytes to release. Far returns pop the IP followed by the CS, while near returns pop only the IP register. strcpy copy a string without boundary check Activation record (stack based) Frame pointer Stack pointer Return address Grow downwards buffer Grow upwards How to exploit it Cover the return address with your shellcode address. When the foo return, it will execute your shellcode. Shellcode ?? It may be the var function which print “Ive been hacked” on the screen. En, let’s continue Shellcode Binary code (Machine code) The CPU can execute it directly. Generally, it return a shell like bash$, or bind a shell with a special TCP/UDP port … Please refer to Smashing the stack for fun and profit for details Summary Buffer grows upwards while the stack grows downwards. (buffer may overwrite the activation record) Protect the activation record. String functions in lib do not check the array boundary. Safe string functions like strncpy The shellcode executes on stack. Non-executable stack Question Answers Next : Inside the buffer overflow Inside the