.oO Phrack 49 Oo.
                          Volume Seven, Issue Forty-Nine
                                   
                                  File 14 of 16
                      BugTraq, r00t, and Underground.Org
                                  bring you
                    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                    Smashing The Stack For Fun And Profit
                    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                                by Aleph One
                           
    `smash the stack` [C programming] n. On many C implementations
    it is possible to corrupt the execution stack by writing past
    the end of an array declared auto in a routine.  Code that does
    this is said to smash the stack, and can cause return from the
    routine to jump to a random address.  This can produce some of
    the most insidious data-dependent bugs known to mankind.
    Variants include trash the stack, scribble the stack, mangle
    the stack; the term mung the stack is not used, as this is
    never done intentionally. See spam; see also alias bug,
    fandango on core, memory leak, precedence lossage, overrun screw.
                                Introduction
                                ~~~~~~~~~~~~
  Over the last few months there has been a large increase of buffer
overflow vulnerabilities being both discovered and exploited.  Examples
of these are syslog, splitvt, sendmail 8.7.5, Linux/FreeBSD mount, Xt
library, at, etc.  This paper attempts to explain what buffer overflows
are, and how their exploits work.
  Basic knowledge of assembly is required.  An understanding of virtual
memory concepts, and experience with gdb are very helpful but not necessary.
We also assume we are working with an Intel x86 CPU, and that the operating
system is Linux.
  Some basic definitions before we begin: A buffer is simply a contiguous
block of computer memory that holds multiple instances of the same data
type.  C programmers normally associate the word buffer with arrays, most
commonly character arrays.  Arrays, like all variables in C, can be
declared either static or dynamic.  Static variables are allocated at load
time on the data segment.  Dynamic variables are allocated at run time on
the stack. To overflow is to flow, or fill over the top, brims, or bounds.
We will concern ourselves only with the overflow of dynamic buffers, otherwise
known as stack-based buffer overflows.
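As an added illustration (not code from the paper), the following shows the kind of auto buffer the text means and what "writing past the end" looks like in practice: an unbounded copy into a 16-byte stack array beside a bounded copy that refuses input which would not fit. The function names and the 16-byte size are this example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: strcpy() copies until the source's NUL with no regard
 * for the 16-byte bound, so a source longer than 15 characters writes past
 * the end of the auto array and corrupts whatever the compiler placed above
 * it on the stack (saved registers, the return address).  Returns the length
 * of what was copied; only ever call it with input that fits. */
size_t copy_unbounded(const char *src)
{
    char buf[16];          /* declared auto: lives on the stack */
    strcpy(buf, src);      /* no length check */
    return strlen(buf);
}

/* Hardened form: the copy is performed only when the source, including its
 * terminating NUL, fits in the destination.  Returns true when copied. */
bool copy_bounded(const char *src, char *dst, size_t dstsz)
{
    size_t n = strlen(src);
    if (n >= dstsz)        /* n == dstsz would leave no room for the NUL */
        return false;
    memcpy(dst, src, n + 1);
    return true;
}

/* The same 16-byte stack buffer, filled through the bounded copy so the
 * array can never be overrun whatever the caller supplies. */
bool stack_copy_checked(const char *src)
{
    char buf[16];
    return copy_bounded(src, buf, sizeof buf);
}

int main(void)
{
    /* Constructed inputs: 15 characters fit, 16 do not. */
    printf("15 chars: %s\n", stack_copy_checked("0123456789abcde") ? "copied" : "rejected");
    printf("16 chars: %s\n", stack_copy_checked("0123456789abcdef") ? "copied" : "rejected");
    return 0;
}
```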
                          Process Memory Organization
                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  To understand what stack buffers are we must first understand how a
process is organized in memory.  Processes are divided into three regions:
Text, Data, and Stack.  We will concentrate on the stack region, but first
a small overview of the other regions is in order.
  The text region is fixed by the program and includes code (instructions)
and read-only data.  This region corresponds to the text section of the
executable file.  This region is normally marked read-only and any attempt to
write to it will result in a segmentation violation.
  The data region contains initialized and uninitialized data.  Static
variables are stored in this region.  The data region corresponds to the
data-bss sections of the executable file.  Its size can be changed with the
brk(2) system call.  If the expansion of the bss data or the user stack
exhausts available memory, the process is blocked and is rescheduled to
run again with a larger memory space. New memory is added between the data
and stack segments.