Security Checks in Everett
Function prolog:
sub esp, 24h
mov eax, dword ptr [security_cookie (408040h)]
mov dword ptr [esp+20h], eax
Attacks Everett couldn't prevent:
  Attacks using parameters
  Attacks against failure detection
#include <string.h>

typedef void (*func_ptr)(char*);

/* Deliberately vulnerable: strcpy has no bound, so a long cp overruns buf and
   the frame above it, and fp is called before the epilog cookie check runs. */
void vulnerable(char* cp, func_ptr fp)
{
    char buf[10];
    strcpy( buf, cp );   /* unbounded copy into a 10-byte buffer */
    fp( buf );           /* call through a parameter that sits above the buffer */
}
The stack should be something like this (the Everett layout is listed at the end of this post):
Security Checks in Whidbey
Function prolog:
sub esp, 24h
mov eax, dword ptr [security_cookie (408040h)]
xor eax, esp
mov dword ptr [esp+20h], eax
Function epilog:
mov ecx, dword ptr [esp+20h]
xor ecx, esp
add esp, 24h
jmp _security_check_cookie
The stack should look like this (higher addresses at the top):
  Previous function's stack frame
  Function arguments
  Return address
  Frame pointer
  Cookie
  EH frame
  Locally declared buffers
  Local variables and copies of vulnerable parameters
  Callee-saved registers
  Garbage
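As an added example (not code from the original post), a small C model of the prolog/epilog arithmetic shown above: it fills the cookie slot the Everett way (raw cookie) and the Whidbey way (cookie xor esp), runs the unbounded strcpy from the vulnerable function over the frame, and reports whether the epilog check would fire. The frame layout, the cookie value and the esp values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the frame in the post, low to high address; not compiler output. */
typedef struct {
    char     buf[12];        /* locally declared buffer */
    uint32_t cookie_slot;    /* [esp+20h] in the prolog above */
    uint32_t saved_ebp;
    uint32_t return_addr;
} gs_frame;

/* Placeholder for the per-process random cookie the CRT sets at startup. */
static const uint32_t security_cookie = 0xBB40E64Eu;

/* Everett: the prolog stores the raw cookie and the epilog compares it. */
void everett_prolog(gs_frame *f)      { f->cookie_slot = security_cookie; }
bool everett_check(const gs_frame *f) { return f->cookie_slot == security_cookie; }

/* Whidbey: 'xor eax, esp' before the store and 'xor ecx, esp' before the
   compare, so the stored value only checks out in the frame it was written in. */
void whidbey_prolog(gs_frame *f, uint32_t esp)      { f->cookie_slot = security_cookie ^ esp; }
bool whidbey_check(const gs_frame *f, uint32_t esp) { return (f->cookie_slot ^ esp) == security_cookie; }

/* Model of the unbounded strcpy(buf, cp): the copy starts at buf (offset 0) and
   runs over the fields above it, clipped to the frame so the model stays defined. */
static void unchecked_copy(gs_frame *f, const char *cp) {
    size_t n = strlen(cp) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, cp, n);
}

/* True when the epilog check would jump to the failure handler after the copy. */
bool gs_detects_overflow(const char *cp, uint32_t esp, bool whidbey) {
    gs_frame f = {0};
    if (whidbey) whidbey_prolog(&f, esp); else everett_prolog(&f);
    unchecked_copy(&f, cp);
    return whidbey ? !whidbey_check(&f, esp) : !everett_check(&f);
}

/* Does a slot written in a frame at esp_written pass the check at esp_checked?
   Only when the two match: the Whidbey value is bound to the frame's esp. */
bool whidbey_slot_valid_at(uint32_t esp_written, uint32_t esp_checked) {
    gs_frame f = {0};
    whidbey_prolog(&f, esp_written);
    return whidbey_check(&f, esp_checked);
}
```

Note that in both models the check only runs in the epilog; a call through an overwritten parameter inside the function body, as in the Everett "attacks using parameters" case, happens before it.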
Do you notice "Frame pointer"? I'll discuss "frame pointer omission optimization" in another thread.
You can also refer to http://www.codeproject.com/tips/seccheck.asp
Stack layout in Everett, referred to above (higher addresses at the top; note the missing copies of vulnerable parameters):
  Previous function's stack frame
  Function arguments
  Return address
  Frame pointer
  Cookie
  EH frame
  Locally declared buffers
  Local variables
  Callee-saved registers
  Garbage