Introduction to software vulnerability analysis (II)
2022-07-19 01:39:00 【Default user_ one hundred and fourteen thousand five hundred an】
Preliminary debugging of a stack buffer
This experiment covers both 64-bit and 32-bit disassembly. The main goal is to debug and observe how the stack contents and the execution flow change after a stack buffer overflow.
The tools used in this experiment are IDA Pro together with x64dbg and x32dbg (OllyDbg is not used, because analysing x64 disassembly with it is too cumbersome).
Compiling the stack overflow experiment code
Below is a classic piece of code that appears in many software security textbooks:
```c
// stack_over_ret.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PASSWORD "1234567"

int verify_password(char *password)
{
    int authenticated;
    char buffer[8];                 // only 8 bytes on the stack
    authenticated = strcmp(password, PASSWORD);
    strcpy(buffer, password);       // overflowed here! no length check
    return authenticated;           // 0 means the password matched
}

int main(void)
{
    int valid_flag = 0;
    char password[1024];
    FILE *fp;

    if (!(fp = fopen("password.txt", "r")))
    {
        exit(0);
    }
    fscanf(fp, "%s", password);     // password is read from the file
    valid_flag = verify_password(password);
    if (valid_flag)
    {
        printf("incorrect password!\n");
    }
    else
    {
        printf("Congratulation! You have passed the verification!\n");
    }
    fclose(fp);
    system("pause");
    return 0;
}
```
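For comparison, here is a bounds-checked version of the same two pieces of code: the 8-byte verify_password() and the fscanf() reader. This is an added example, not code from the original post; the PASSWORD constant and the buffer sizes match the post, while the return codes (VERIFY_OK, VERIFY_WRONG, VERIFY_TOO_LONG) and the helper names are this example's own.

```c
/* Added example, not code from the original post: a bounds-checked version of
 * the post's verify_password() and of its password.txt reader. */
#include <stdio.h>
#include <string.h>

#define PASSWORD "1234567"
#define BUFFER_SIZE 8      /* the post's 8-byte stack buffer */

enum verify_result { VERIFY_OK = 0, VERIFY_WRONG = 1, VERIFY_TOO_LONG = 2 };

/* Hardened verify_password(): the length check runs before any copy, so input
 * that cannot fit in buffer together with its terminator never reaches it.
 * memchr() reads at most BUFFER_SIZE bytes, so the check itself is bounded. */
int verify_password_safe(const char *password)
{
    int authenticated;
    char buffer[BUFFER_SIZE];

    if (memchr(password, '\0', BUFFER_SIZE) == NULL)
        return VERIFY_TOO_LONG;      /* 8+ characters: refuse, never copy */

    authenticated = strcmp(password, PASSWORD);
    memcpy(buffer, password, strlen(password) + 1);  /* now provably fits */
    return authenticated ? VERIFY_WRONG : VERIFY_OK;
}

/* Hardened reader: the post's fscanf(fp, "%s", password) has no width, so a
 * long line overflows password[1024] just like the 8-byte buffer. Building
 * "%1023s" from the buffer size keeps the limit and the buffer in step. */
int read_password(FILE *fp, char *out, size_t out_size)
{
    char fmt[16];
    snprintf(fmt, sizeof fmt, "%%%zus", out_size - 1);
    return fscanf(fp, fmt, out) == 1;
}

/* Drives the whole path from file contents to verdict through a real FILE*
 * (tmpfile() is standard C). Returns -1 when no token could be read. */
int check_password_file(const char *contents)
{
    char password[1024];             /* the post's 1024-byte input buffer */
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    fputs(contents, fp);
    rewind(fp);
    int ok = read_password(fp, password, sizeof password);
    fclose(fp);
    return ok ? verify_password_safe(password) : -1;
}
```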
IDA analysis
This program needs a password.txt file as its input.
Let's try it first: if the file contains the correct password, the console reports that the password is correct.

Compile the file and drag the binary into IDA. The control flow between the various functions is very clear.
At the point marked by the arrow there is the branch of the judgement statement (the test of verify_password's return value).

Dynamic debugging
After finding the branch, open the program in x64dbg and go straight to that location.



```asm
mov [rbp+6B0h+var_6AC], eax  ; eax holds the return value of the password check
cmp [rbp+6B0h+var_6AC], 0    ; compare that return value with 0
jz  short loc_140011AD8      ; 0 means correct, non-zero means wrong
```
Once the location of this judgement is known, the branch can be modified dynamically to bypass the check.
So we change this je to jne, and then a wrong password also passes verification.
We change the password file to the wrong value 5555555.

Locate the je instruction and patch its machine code from 74 0E to 75 0E, i.e. jne.

Successfully bypassed.
Using the stack overflow to control the execution flow
Change the content of password.txt to 7777777, which is easy to locate in memory.

Find where 7777777 sits on the stack.

Now let the password overrun the buffer, run the program and see what happens.

The program crashes.

We can see that the out-of-bounds "7" bytes were written straight past the buffer into the rest of the stack frame.

For the next part we switch to an x86 (32-bit) build for analysis, because 64-bit function calls do not push their arguments directly onto the stack the way 32-bit calls do.
First load it into IDA.

In x64dbg, find the entry point of the key function verify_password and add a comment there.

Open password.txt in 010 Editor and pad it with nop bytes (0x90) until the data reaches close to the return address.

The nop bytes now sit right next to the return address.

Then keep padding and overwrite the return address with 00D81182.


You can see that the return address has been changed to the desired value 00D81182.

Stack overflow protection mechanisms
If the reader follows the steps in these notes one by one, they will find that in the end the experiment does not succeed no matter what. This is because the system and the compiler enable some protection mechanisms against stack overflow by default when building a program, so a stack overflow vulnerability is not that easy to exploit. These protection mechanisms will be discussed in the next instalment of these notes.