Buffer Overflow • Chapter 8 295

Building the Exploit

Since we examined the stack of a compiled program, we know that to take control of the EIP register we must overwrite the 8 bytes of the buffer, then the 4 bytes of the saved EBP register, and then the 4 bytes of the saved EIP. This means that we have 12 bytes of filler that must be filled with something. In this case we've chosen to use 0x90, which is the hex value for the Intel NOP instruction. This is an implementation of a NOP sled, but we won't need to slide in this case because we know exactly where we need to go; here the NOP string is just filler that we can use to overwrite the buffer and EBP on the stack. We set this up using the memset C library call to set the first 12 bytes of the buffer to 0x90:

    memset(writeme, 0x90, 12);  /* set my local string to NOPs */

Finding a Jump Point

Next we need to write out where we want the EIP to go. As mentioned before, there are numerous ways to get the EIP to point to our code. Typically I put a debugging breakpoint at the end of the function that returns, so I can see what the state of the registers is right before the vulnerable function's ret instruction. In examining the registers in this case:

    EAX 00000001
    EBX 7FFDF000
    ECX 00423AF8
    EDX 00000000
    ESI 00000000
    EDI 0012FF80
    ESP 0012FF30
    EBP 90909090

We notice that the ESP points right into the stack, right after where the saved EIP should be. After this ret, the ESP will move up 4 bytes, and what is there should be moved into the EIP; control should then continue from there. This means that if we can get the contents of the ESP register into the EIP, we can execute code at that point. Also notice how in the function epilogue the saved EBP was restored, but this time with our 0x90 string instead of its original contents.

So now we examine the memory space of the attacked program for useful pieces of code that would allow us to get the EIP register to point to the ESP. Since we have already written findjmp, we'll use that to find an effective place to get .