Understanding and doing Code Injection in C

孤城傲影 2021-01-04 22:19

I am a bit confused about the idea of code injection in C. If somebody could explain it and show how it's done, I would appreciate it.

So let's say in C you have some Cha

3 Answers
  • 2021-01-04 23:05

    If you allocate a buffer on the stack, and it overflows, it writes onto the stack. The stack contains the return pointer for the function that allocated the buffer. So, if you overflow a buffer on the stack, you can set the return pointer to something arbitrary; thereby giving you control of the thread of execution.

    As to actually injecting the code, that depends. The stack - or rather, the page containing it - is often set not to allow code execution; but historically it would have been possible to store small malicious programs in the buffer itself on the stack. Return oriented programming is a fairly new variant of the return-to-libc attack, both of which work around NX bits.

  • 2021-01-04 23:13

    A typical stack for each subroutine might look like this:

    • parameters (values which were passed as parameters to this subroutine)
    • return address (address of code from which this routine was called)
    • saved register values
    • local variables

    If a subroutine has a local variable, and somehow writes past the end of the local variable, then it is overwriting values (on the stack) like the return address, i.e. the address of the code which will be executed at the end of the subroutine when the subroutine does a "return".

  • 2021-01-04 23:19

    The general trick has to do with how the program's code and variables are laid out in memory. For example, when a function is called the program (code inserted by the compiler) must store the address of the instruction to return to. So if this is the 32 bit word just before the beginning of the stack, one could do:

     #include <stdio.h>

     void foo()
     {
        int array[5];
        int var = 0;
        int var2 = 0;

        // read in user input (scanf needs the address of each variable)
        printf("Enter index and value to write:");
        scanf("%i", &var);
        scanf("%i", &var2);

        // malicious user might set var to -1 and var2 to an address to execute
        // if say the 32-bit value before the stack variables is the instruction to
        // return to
        // (var is never bounds-checked: this is the flaw being illustrated)
        array[var] = var2;

        // return now goes to malicious code
     }
    

    (So your job is to construct code so that such a thing is not possible. :) )

    The rules for how a function call is implemented, stack variables allocated, values passed, and return values returned back are called the calling convention. I recommend reading the attached article for good in-depth coverage of C calling conventions.

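A hardened counterpart to the `foo()` in the last answer, as an added example that is not part of the original thread: `store_checked`, `parse_int` and `SLOTS` are hypothetical names, and the inputs in `main` are constructed. The index is parsed strictly and bounds-checked before the write, so a value such as -1 never reaches memory outside the array.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define SLOTS 5   /* same size as array[5] in the answer's foo() */

/* Parse a whole string as a decimal int; 0 on success, -1 on junk or overflow. */
static int parse_int(const char *text, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || *end != '\0')      /* empty input or trailing garbage */
        return -1;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* The write happens only when 0 <= index < SLOTS.
 * Returns 0 on success, -1 if a field does not parse, -2 if index is out of range. */
int store_checked(int array[SLOTS], const char *index_text, const char *value_text)
{
    int index, value;

    if (parse_int(index_text, &index) != 0 || parse_int(value_text, &value) != 0)
        return -1;
    if (index < 0 || index >= SLOTS)      /* rejects -1 and 5 alike */
        return -2;
    array[index] = value;
    return 0;
}

int main(void)
{
    int array[SLOTS] = {0};

    /* Constructed inputs: a valid pair, then the index -1 case from the answer. */
    printf("valid pair: %d\n", store_checked(array, "2", "42"));
    printf("index -1:   %d\n", store_checked(array, "-1", "134513724"));
    printf("array[2] = %d\n", array[2]);
    return 0;
}
```
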