Figure 20-11 A simple illustration of normal stack operations

Notice that the first command-line parameter passed to the application is ultimately copied into a 10-character array named buf. While the program runs, it stores information temporarily on the stack, including the return address (where processing should continue after the subroutine has completed) and the variable that is passed to the subroutine. The application works fine when fewer than 10 characters are passed to it. However, passing more than 10 characters will result in a buffer overflow.

Figure 20-12 shows that same application being deliberately attacked by providing input longer than 10 characters. When the line strcpy(buf, input); is run, the application attempts to store the string "hello-aaaaaaaa0066ACB1" into the 10-character array named buf. Because the input is too long, it overwrites other information on the stack, including the stored address that the program will use to return control to main(). After the subroutine finishes running, the processor returns to the address stored on the stack. Because that address has been modified, execution begins at memory address 0x0066ACB1, where the attacker has presumably stored malicious code. This code will run with the same privilege as the original application; after all, the operating system thinks the application called the code.

Figure 20-12 The same application attacked with input longer than 10 characters (labels recovered from the figure: command line C:\test hello-aaaaaaaa0066ACB1; subroutine void sub(const char* input); stack step "Populate return address")
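The following is an added example, not the book's figure code: the shape of the sub() routine described above, with its unchecked strcpy(), beside a bounded version that checks the length before copying. The function names sub_vulnerable, would_overflow and sub_safe and the sample inputs are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10   /* same 10-character array as the figure's buf */

/* "Before": the shape of sub() in Figure 20-12. strcpy() copies until it
 * finds a NUL, so any input of 10 or more characters writes past buf into
 * the saved data and return address above it on the stack. */
void sub_vulnerable(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);          /* no length check: the overflow point */
    printf("sub_vulnerable got: %s\n", buf);
}

/* Returns 1 if input would overflow a BUF_LEN array (it holds BUF_LEN-1
 * characters plus the terminating NUL), 0 if it fits. This is the check
 * that strcpy() never performs. */
int would_overflow(const char *input)
{
    return strlen(input) >= BUF_LEN;
}

/* "After": same interface, but the length is checked before the copy and
 * the copy is bounded. Returns 1 if the input was accepted, 0 if rejected.
 * Rejected input never touches buf, so nothing above it on the stack,
 * including the return address, can be altered. */
int sub_safe(const char *input)
{
    char buf[BUF_LEN];
    if (would_overflow(input)) {
        return 0;                /* refuse rather than truncate silently */
    }
    memcpy(buf, input, strlen(input) + 1);   /* at most BUF_LEN bytes */
    printf("sub_safe got: %s\n", buf);
    return 1;
}

int main(void)
{
    /* Constructed inputs: the short one fits in both versions; the long one
     * is the attack string from the text and is given only to sub_safe(). */
    const char *ok = "hello";
    const char *too_long = "hello-aaaaaaaa0066ACB1";   /* 22 characters */
    sub_vulnerable(ok);
    printf("sub_safe(\"%s\") -> %d\n", ok, sub_safe(ok));
    printf("sub_safe(\"%s\") -> %d\n", too_long, sub_safe(too_long));
    return 0;
}
```

Building with a stack protector (/GS in Visual C++, -fstack-protector in GCC and Clang) adds a runtime check that aborts the process when the saved return address area has been overwritten, but the length check in sub_safe() is what prevents the overwrite in the first place.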
