
Linux (x86) exploit development series 3: off-by-one

Posted: 2016-03-18 23:28:09


What is off-by-one bug?

Copying a source string into a destination buffer can result in an off-by-one when:

  1. The source string length is equal to the destination buffer length.

 

When the source string length is equal to the destination buffer length, a single NULL byte (the string terminator) gets copied just above the destination buffer. Since the destination buffer here is located on the stack, that single NULL byte can overwrite the least significant byte (LSB) of the caller's EBP stored on the stack, and this can lead to arbitrary code execution. (On the stack, the NULL byte overwrites the LSB of the saved EBP.)

 

How arbitrary code execution is achieved?

Arbitrary code execution is achieved using a technique called "EBP overwrite". If the caller's EBP is located just above the destination buffer, then after strcpy a single NULL byte will have overwritten the LSB of the caller's EBP.
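As an added example (not code from the original post), this reproduces the boundary condition in a plain C harness: the bound check it models assumes a program that rejects only inputs longer than the buffer and then calls strcpy, so an input of exactly the buffer length passes the check while strcpy writes one byte more than the buffer holds. The corrected check and a refusing copy are shown next to it; the 'A' input is constructed here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256  /* matches the 256-byte stack buffer discussed above */

/* Off-by-one bound check (assumed shape of the vulnerable program): only
 * strings LONGER than the buffer are rejected, so strlen == BUF_SIZE passes. */
int accepts_vulnerable(const char *arg) {
    return strlen(arg) > BUF_SIZE ? 0 : 1;
}

/* Corrected check: strcpy stores strlen + 1 bytes (terminator included),
 * so the input must fit together with its NUL. */
int accepts_fixed(const char *arg) {
    return strlen(arg) + 1 <= BUF_SIZE;
}

/* Number of bytes strcpy() actually writes for this input. */
size_t strcpy_bytes(const char *arg) {
    return strlen(arg) + 1;
}

/* Constructed input: 'len' copies of 'A' in a static buffer (capped). */
const char *make_input(size_t len) {
    static char sample[BUF_SIZE + 2];
    if (len > BUF_SIZE + 1) len = BUF_SIZE + 1;
    memset(sample, 'A', len);
    sample[len] = '\0';
    return sample;
}

/* Bounded copy into a BUF_SIZE stack buffer: refuses (returns -1) when the
 * string plus terminator would not fit, otherwise copies and returns 0. */
int try_bounded_copy(size_t len) {
    char buf[BUF_SIZE];
    const char *src = make_input(len);
    size_t n = strlen(src);
    if (n + 1 > sizeof buf) return -1;
    memcpy(buf, src, n + 1);
    return 0;
}

int main(void) {
    const char *edge = make_input(BUF_SIZE);
    printf("len=%zu: vulnerable check accepts=%d, fixed check accepts=%d, "
           "strcpy writes %zu bytes into a %d-byte buffer\n",
           strlen(edge), accepts_vulnerable(edge), accepts_fixed(edge),
           strcpy_bytes(edge), BUF_SIZE);
    return 0;
}
```

The one extra byte reported for the 256-character input is the NUL that lands on the saved EBP in the layout the post describes.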

 

Alignment

Compile with a 4-byte stack boundary (-mpreferred-stack-boundary=2) so the saved EBP sits directly above the buffer:

gcc -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -o vuln vuln.c

 

Test step 1: Is an EBP overwrite, and thus a return-address overwrite, possible?

Test step 2: What is the offset from the destination buffer?

 

When the program is launched through Python's subprocess.call, the stack addresses differ from those seen when the program is run directly from the terminal.

Running it as a child process shifts the stack (a stack offset).


Original article: http://www.cnblogs.com/junmoxiao/p/5293811.html
