Buffer Overflow Lab Report

Uploaded by: 鲁**   Document ID: 564951584   Uploaded: 2024-01-19   Format: DOCX   Pages: 5   Size: 98.79KB

Network Security Lab Report

I. Lab topic
Buffer overflow

II. Platform and tools
Windows XP SP3; the OllyDbg disassembler/debugger; the lab program stackoverflow.exe and its source stackoverflow.c

III. Procedure
Open OllyDbg and load the lab program stackoverflow_debug.exe.

As shown in Figure 1, locate the program's password-verification code. Analysis shows that whether the value at EBP-4 is zero is what decides whether the password passes verification (address 004010F1), and the value at EBP-4 comes from EAX (address 004010EE), so the next step is to find where the value of EAX comes from.

Figure 1: the password-verification code in OllyDbg

    004010BE  68 88504200     PUSH stackove.00425088          ; ASCII "please input password: "
    004010C3  E8 B8020000     CALL stackove.00401380
    004010C8  83C4 04         ADD ESP,4
    004010CB  8D8D FCFBFFFF   LEA ECX,DWORD PTR SS:[EBP-404]
    004010D1  51              PUSH ECX
    004010D2  68 84504200     PUSH stackove.00425084          ; ASCII "%s"
    004010D7  E8 44020000     CALL stackove.00401320
    004010DC  83C4 08         ADD ESP,8
    004010DF  8D95 FCFBFFFF   LEA EDX,DWORD PTR SS:[EBP-404]
    004010E5  52              PUSH EDX
    004010E6  E8 1AFFFFFF     CALL stackove.00401005
    004010EB  83C4 04         ADD ESP,4
    004010EE  8945 FC         MOV DWORD PTR SS:[EBP-4],EAX
    004010F1  837D FC 00      CMP DWORD PTR SS:[EBP-4],0
    004010F5  74 0F           JE SHORT stackove.00401106
    004010F7  68 68504200     PUSH stackove.00425068          ; ASCII "incorrect password!"
    004010FC  E8 7F020000     CALL stackove.00401380
    00401101  83C4 04         ADD ESP,4
    00401104  EB 0F           JMP SHORT stackove.00401115
    00401106  68 28504200     PUSH stackove.00425028          ; ASCII "Congratulation! You have passed the verification!"

As shown in Figure 2, tracing the code backwards, this section contains several function calls, and the value of EAX most likely comes from the last function called. Following the jump, we locate that function (address 00401020).

Figure 2: the call at 004010E6 lands on a jump thunk that leads to the function

    00401005  E9 16000000     JMP stackove.00401020

As shown in Figure 3, this function (address 00401020) likewise contains several function calls; continue by locating the last function it calls (address 004012E0):

Figure 3: the function at 00401020

    00401020  55              PUSH EBP
    00401021  8BEC            MOV EBP,ESP
    00401023  83EC 4C         SUB ESP,4C
    00401026  53              PUSH EBX
    00401027  56              PUSH ESI
    00401028  57              PUSH EDI
    00401029  8D7D B4         LEA EDI,DWORD PTR SS:[EBP-4C]
    0040102C  B9 13000000     MOV ECX,13
    00401031  B8 CCCCCCCC     MOV EAX,CCCCCCCC
    00401036  F3:AB           REP STOS DWORD PTR ES:[EDI]
    00401038  68 1C504200     PUSH stackove.0042501C
    0040103D  8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
    00401040  50              PUSH EAX
    00401041  E8 0A020000     CALL stackove.00401250
    00401046  83C4 08         ADD ESP,8
    00401049  8945 FC         MOV DWORD PTR SS:[EBP-4],EAX
    0040104C  8B4D 08         MOV ECX,DWORD PTR SS:[EBP+8]
    0040104F  51              PUSH ECX
    00401050  8D55 F4         LEA EDX,DWORD PTR SS:[EBP-C]
    00401053  52              PUSH EDX
    00401054  E8 07010000     CALL stackove.00401160
    00401059  83C4 08         ADD ESP,8
    0040105C  8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
    0040105F  5F              POP EDI
    00401060  5E              POP ESI
    00401061  5B              POP EBX
    00401062  83C4 4C         ADD ESP,4C
    00401065  3BEC            CMP EBP,ESP
    00401067  E8 74020000     CALL stackove.004012E0
    0040106C  8BE5            MOV ESP,EBP
    0040106E  5D              POP EBP
    0040106F  C3              RET

As shown in Figure 4, analysis finds that this called function (address 004012E0) pushes EAX onto the stack to save it before it runs, and does not change the original value of EAX.

Figure 4: the function at 004012E0

    004012E0  75 01           JNZ SHORT stackove.004012E3
    004012E2  C3              RET
    004012E3  55              PUSH EBP
    004012E4  8BEC            MOV EBP,ESP
    004012E6  83EC 00         SUB ESP,0
    004012E9  50              PUSH EAX
    004012EA  52              PUSH EDX
    004012EB  53              PUSH EBX
    004012EC  56              PUSH ESI
    004012ED  57              PUSH EDI

As shown in Figure 5, returning to the function from the previous step and tracing upward from the last called function, the code that changes the value of EAX is found (address 0040105C).

Figure 5: the function at 00401020 again (as in Figure 3), with MOV EAX,DWORD PTR SS:[EBP-4] at 0040105C
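As an added example (not the lab's stackoverflow.c, whose source the report does not reproduce), here is a C reconstruction of the password-check shape visible in the listing, with the width-less scanf("%s") read at 004010D7 replaced by a bounded read that refuses over-long input instead of writing past the buffer; PASSWORD_BUF, SECRET and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD_BUF 0x400     /* the local buffer sits at [EBP-404] in the listing */
#define SECRET "lab-password"  /* placeholder: the compare inside 00401020 is not shown */
/* Bounded replacement for the width-less scanf("%s", buf) called at 004010D7. It keeps
   scanf's first-token semantics but refuses a token that would not fit, which is exactly
   the input the original writes past the buffer, over the saved EBP and return address. */
int copy_token_bounded(const char *line, char *buf, size_t size)
{
    size_t len;
    if (size == 0) return 0;
    line += strspn(line, " \t\r\n");       /* skip leading whitespace like scanf does */
    len = strcspn(line, " \t\r\n");        /* token ends at whitespace or end of string */
    if (len == 0 || len >= size) { buf[0] = '\0'; return 0; }
    memcpy(buf, line, len);
    buf[len] = '\0';
    return 1;
}
/* Stand-in for the routine reached via 004010E6 -> 00401005 -> 00401020 (assumed). */
int verify(const char *buf) { return strcmp(buf, SECRET) == 0; }
/* Mirrors 004010EE..004010F5: the verify result lands in a local ([EBP-4]) and is
   compared with 0. Returns 1 = passed, 0 = incorrect, -1 = input refused as over-long. */
int check_password(const char *line)
{
    char buf[PASSWORD_BUF];
    int result;                            /* plays the role of [EBP-4] */
    if (!copy_token_bounded(line, buf, sizeof buf)) return -1;
    result = verify(buf);
    return result != 0;
}
/* Test helper: a line of n copies of c, so the over-long case needs no long literal. */
int check_repeated(char c, size_t n)
{
    static char line[4096];
    if (n >= sizeof line) return -1;
    memset(line, c, n);
    line[n] = '\0';
    return check_password(line);
}
int main(void)
{
    char line[PASSWORD_BUF + 2];           /* a full-size token plus newline and NUL */
    printf("please input password: ");
    if (fgets(line, sizeof line, stdin) == NULL) return 1;
    puts(check_password(line) == 1 ? "Congratulation! You have passed the verification!" : "incorrect password!");
    return 0;
}
```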
