Buffer Overflow
● Memory layout

low address
  int num1 | int num2
  char buf[0x10]
  int num3
  int num4
  saved rbp
  return address
high address

Slide 29
Buffer Overflow
● Memory layout
● gets(buf)
● gets does not check the input length

low address
  int num1 | int num2
  char buf[0x10]
  int num3
  int num4
  saved rbp
  return address
high address

Slide 30
Buffer Overflow
● Memory layout
● gets(buf)
● gets does not check the input length
● Input within the normal range (16 bytes fill buf exactly)

low address
  int num1 | int num2
  'A' * 0x10        (char buf[0x10])
  int num3
  int num4
  saved rbp
  return address
high address

Slide 31
Buffer Overflow
● Memory layout
● gets(buf)
● gets does not check the input length
● Overflow!!!! (input longer than 16 bytes spills past buf)

low address
  int num1 | int num2
  AAAAAAAAAAAAAAAA  (char buf[0x10])
  AAAA              (int num3, overwritten)
  AAAA              (int num4, overwritten)
  saved rbp
  return address
high address

Slide 32
Overwrite Variable
● Controlling variables through a buffer overflow
● int num3 = 0x12345678
● int num4 = 0x90abcdef

low address
  int num1 | int num2
  AAAAAAAAAAAA      (char buf[0x10], filler)
  0x12345678        (int num3, overwritten)
  0x90abcdef        (int num4, overwritten)
  saved rbp
  return address
high address

Slide 33
Other vulnerable functions
● gets
● scanf
● strcpy
● sprintf
● memcpy
● strcat
● read with a length argument that is not properly controlled
● Any function that touches memory or I/O can have the same problem
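The slides on overwriting variables and on the list of unchecked copy functions share one mechanism: the copy writes as many bytes as the input has, and the bytes past the end of buf land on num3 and num4. The following added example (not code from the slides) models that frame as a constructed 0x18-byte array with buf at offset 0, num3 at 0x10 and num4 at 0x14, feeds it the input from slide 33 through an unchecked copy that behaves like gets, and then through a bounded copy that behaves like fgets(buf, sizeof buf, stdin). The frame layout, the offsets and the functions named here are assumptions chosen to match the diagram, not real program state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the stack frame drawn on the slides: buf[0x10]
 * sits directly below num3 and num4, so the 17th byte written into buf
 * lands on num3. Added illustration, not the slides' own code. */
#define BUF_SIZE   0x10u
#define OFF_NUM3   0x10u
#define OFF_NUM4   0x14u
#define FRAME_SIZE 0x18u

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

/* Put the original values of num3 and num4 into the modelled frame. */
void frame_init(frame_t *f, int32_t num3, int32_t num4)
{
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + OFF_NUM3, &num3, sizeof num3);
    memcpy(f->bytes + OFF_NUM4, &num4, sizeof num4);
}

/* Read the int stored at a given offset (OFF_NUM3 or OFF_NUM4). */
int32_t frame_field(const frame_t *f, size_t off)
{
    int32_t v;
    memcpy(&v, f->bytes + off, sizeof v);
    return v;
}

/* Vulnerable pattern: like gets(buf), it copies whatever length it is
 * handed. The clamp to FRAME_SIZE only keeps this model well-defined;
 * anything beyond BUF_SIZE still overwrites num3 and then num4. */
size_t unchecked_copy(frame_t *f, const unsigned char *in, size_t n)
{
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, in, n);
    return n;
}

/* Hardened pattern: what fgets(buf, sizeof buf, stdin) does. At most
 * BUF_SIZE - 1 bytes are stored and a NUL terminator is always written,
 * so the copy can never reach num3. */
size_t bounded_copy(frame_t *f, const unsigned char *in, size_t n)
{
    const size_t cap = BUF_SIZE - 1;
    if (n > cap) n = cap;
    memcpy(f->bytes, in, n);
    f->bytes[n] = '\0';
    return n;
}

/* Constructed input shaped like slide 33: 0x10 filler bytes, then the
 * two 4-byte values intended to land on num3 and num4. */
size_t build_input(unsigned char *out, int32_t v3, int32_t v4)
{
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &v3, sizeof v3);
    memcpy(out + BUF_SIZE + sizeof v3, &v4, sizeof v4);
    return BUF_SIZE + sizeof v3 + sizeof v4;
}

/* Oversized input through the unchecked copy; returns num3 afterwards
 * (0x12345678 if the overwrite happened). */
int32_t num3_after_unchecked_copy(void)
{
    frame_t f;
    unsigned char in[FRAME_SIZE];
    frame_init(&f, 1, 2);
    size_t n = build_input(in, 0x12345678, (int32_t)0x90abcdefu);
    unchecked_copy(&f, in, n);
    return frame_field(&f, OFF_NUM3);
}

/* Same input through the bounded copy; returns 1 if num3 and num4 survived. */
int vars_intact_after_bounded_copy(void)
{
    frame_t f;
    unsigned char in[FRAME_SIZE];
    frame_init(&f, 1, 2);
    size_t n = build_input(in, 0x12345678, (int32_t)0x90abcdefu);
    bounded_copy(&f, in, n);
    return frame_field(&f, OFF_NUM3) == 1 && frame_field(&f, OFF_NUM4) == 2;
}

int main(void)
{
    printf("num3 after unchecked copy: 0x%08x\n",
           (unsigned)num3_after_unchecked_copy());
    printf("variables intact after bounded copy: %d\n",
           vars_intact_after_bounded_copy());
    return 0;
}
```

The values are moved with memcpy in both directions, so the result does not depend on byte order; only the distance from buf to num3 matters. The same cap-to-capacity rule is the fix for every function on the last slide: strcpy and strcat become a length-checked copy, sprintf becomes snprintf with sizeof buf, and a read or memcpy length must be validated against the destination before the call, never after.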