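#include "stdafx.h"
#include <string.h>   /* strcpy is declared here, not in <string> */

/* Deliberately vulnerable: copies str into a 16-byte buffer with no length check. */
void func(char *str)
{
    char buffer[16];
    strcpy(buffer, str);
}

int main(int argc, char* argv[])
{
    char large[256];
    int i;
    for (i = 0; i < 255; i++)
    {
        large[i] = 'A';
    }
    large[255] = '\0';   /* terminate the source so strcpy stops at a defined point */
    func(large);
    return 0;
}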
Stack layout (push order)
    buffer
    EBP
    return address
    large
The return address is pushed as soon as the function is entered, and popped when the function exits.
Finding the overflow point:
for (i=0;i<256;i++)
{
    large[i] = 100 + i%10; // here the ones digit of i is 6-9
}
An error window pops up, reporting:
106 - 109
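for (i=0;i<256;i++)
{
    large[i] = 100 + i/10; // here i is in the 10s (10 plus a digit)
}
An error window pops up, reporting:
101
From this, characters 16-19 are the overflow point.
Next, these bytes can be set to some other value. This should be the return address, I suppose.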
large[16] = 0x11;
large[17] = 0x11;
large[18] = 0x11;
large[19] = 0x11;
We can see that the return address is the overflow point.
jmp esp
is equivalent to the following:
push esp
ret
`````````````````
call esp
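Windows 2003
VS.NET 2003 /GS implements a security cookie to protect against stack overflows
···
EBP
Security cookie  // if it is overwritten, an overflow is considered to have occurred
RET
···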
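
The cookie check described above, modelled in portable C as an added example (not code from the original notes). The frame is a plain byte array laid out as in the diagram; the 4-byte slot sizes, the cookie value and the return address are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One simulated 32-bit frame, ordered as in the diagram above:
   buffer, EBP, security cookie, RET. Offsets are assumptions. */
enum { BUF_OFF = 0, EBP_OFF = 16, COOKIE_OFF = 20, RET_OFF = 24, FRAME_LEN = 28 };

/* Constructed value; a real cookie is chosen when the process starts. */
static const uint32_t PROCESS_COOKIE = 0x5A17C0DEu;

/* Simulates func(): the prologue stores the cookie, the body copies with no
   bounds check (like strcpy), the epilogue compares the cookie.
   Returns 1 if the function would return normally, 0 if the check fails,
   which is where a /GS build stops the program instead of using RET.
   *ret_seen receives whatever now sits in the RET slot. */
int guarded_call(const char *input, size_t len, uint32_t *ret_seen)
{
    unsigned char frame[FRAME_LEN];
    uint32_t ret = 0x00401000u;   /* constructed legitimate return address */
    uint32_t cookie;

    memset(frame, 0, sizeof frame);
    memcpy(frame + COOKIE_OFF, &PROCESS_COOKIE, sizeof PROCESS_COOKIE);
    memcpy(frame + RET_OFF, &ret, sizeof ret);

    /* Unchecked copy into buffer; clamped to the model so the demo
       itself never writes outside its own array. */
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(frame + BUF_OFF, input, len);

    memcpy(&cookie, frame + COOKIE_OFF, sizeof cookie);
    memcpy(ret_seen, frame + RET_OFF, sizeof *ret_seen);
    return cookie == PROCESS_COOKIE;
}

int main(void)
{
    char large[256];
    uint32_t ret = 0;
    int ok;

    memset(large, 'A', sizeof large);
    ok = guarded_call(large, 15, &ret);
    printf("15 bytes:  ok=%d ret=0x%08x\n", ok, (unsigned)ret);
    ok = guarded_call(large, sizeof large, &ret);
    printf("256 bytes: ok=%d ret=0x%08x\n", ok, (unsigned)ret);
    return 0;
}
```

With the 256-byte input the RET slot holds 0x41414141, but the cookie mismatch is detected before that value would be used.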