标签:
What is off-by-one bug?
Copying source string into destination buffer could result in off-by-one when
When source string length is equal to destination buffer length, a single NULL byte gets copied just above the destination buffer. Here since the destination buffer is located in stack, the single NULL byte could overwrite the least significant bit (LSB) of caller’s EBP stored in the stack and this could lead to arbitrary code execution.(在栈上,NULL覆盖了ebp的LSB)
How arbitrary code execution is achieved?
Arbitrary code execution is achieved using a technique called “EBP overwrite”. If callers’s EBP is located just above the destination buffer then after strcpy, a single NULL byte would have overwritten the LSB of caller’s EBP.
对齐
gcc -fno-stack-protector -z execstack –mpreferred -stack-boundary=2 -o vuln vuln.c
Test Step 1: Is EBP overwrite and thus return address overwrite possible?
Test Step 2: What is the offset from destination buffer.
用python的subprocess的call打开程序时和直接在终端运行程序时,栈地址是不一样的
子进程会导致 栈偏移
linux(x86) exploit 开发系列3:off-by-one
标签:
原文地址:http://www.cnblogs.com/junmoxiao/p/5293811.html