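```c
#include <string.h>

void overflow(char* pShellcode, int iLen)
{
    /* Y1 */ char buffer[8];
    /* Y2 */ memcpy(buffer, pShellcode, iLen);  /* no bounds check: iLen may exceed sizeof(buffer) */
    /* Y3 */ /* ... */
}

/* Y4 */ int main()
{
    /* Y5 */ /* ... */
    /* Y6 */ overflow("123456789123456789", 18);
    /* Y7 */ /* ... */
}
```

After the main program calls and executes the overflow function, the instruction pointer points to ( )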
Y3
Y7
0x34353637
0x37363534
| Address | Stack operation | Size | Contents after the copy | Note |
| --- | --- | --- | --- | --- |
| High address | push main's ebp | 4 bytes | | |
| | push local variables (none) | 0 | | |
| | push para2: 18 | 4 bytes | | |
| | push para1: "123456789123456789" | 18 bytes | | |
| | push return address (next instruction) Y7 | 4 bytes | 7 6 5 4 | current Y7 = 7654 |
| | call overflow | | | |
| | push overflow's ebp | 4 bytes | 3 2 1 9 | |
| | push overflow's local variable buf[8] | 8 bytes | 8 7 6 5 4 3 2 1 | |
| | push memcpy's argument para3 iLen | 4 bytes | | |
| | push memcpy's para2 *pShellcode | 4 bytes | | |
| | push memcpy's para1 buf | 4 bytes | | |
| | push return address Y3 | 4 bytes | | |
| | call memcpy | | | |
| | push memcpy's ebp | 4 bytes | | |
| Low address | push memcpy's local variables | | | |
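
The frame in the table, modelled as a byte array so the overwrite can be observed without corrupting a real stack. This is an added example, not part of the original page; it assumes 32-bit little-endian x86 with no padding or stack canary between the buffer and the saved ebp, and 0x00401000 is a constructed stand-in for the address of Y7.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside overflow()'s frame, lowest address first, as in the table. */
enum { OFF_BUF = 0, BUF_SIZE = 8, OFF_EBP = 8, OFF_RET = 12, FRAME_SIZE = 24 };

/* Constructed stand-in for the address of Y7; the page gives no real address. */
#define Y7_ADDR 0x00401000u

static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copies len bytes into the buffer slot of a modelled frame and returns the
   32-bit value found at offset off afterwards. limit is the largest copy
   allowed: FRAME_SIZE reproduces the unchecked memcpy at Y2 (the model array
   is 24 bytes, so the write stays inside memory we own); BUF_SIZE is the
   bounded copy, which truncates here where real code might reject instead. */
uint32_t slot_after_copy(const char *src, size_t len, size_t limit, size_t off)
{
    uint8_t frame[FRAME_SIZE] = {0};
    put_le32(frame + OFF_RET, Y7_ADDR);   /* return address pushed by the call at Y6 */
    if (len > limit)
        len = limit;
    memcpy(frame + OFF_BUF, src, len);
    return get_le32(frame + off);
}

int main(void)
{
    const char *in = "123456789123456789";   /* the argument passed at Y6 */
    printf("unchecked: ebp=0x%08x ret=0x%08x\n",
           (unsigned)slot_after_copy(in, 18, FRAME_SIZE, OFF_EBP),
           (unsigned)slot_after_copy(in, 18, FRAME_SIZE, OFF_RET));
    printf("bounded:   ret=0x%08x\n",
           (unsigned)slot_after_copy(in, 18, BUF_SIZE, OFF_RET));
    return 0;
}
```

Bytes 12 to 15 of the input ('4', '5', '6', '7') land in the return-address slot lowest address first, so the little-endian value read back has '7' as its most significant byte.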