Smashing the Stack for Fun and Profit, by aleph1, circa 1996. Presented by Dan Frohlich.
Overview
• Memory and stack basics.
• The buffer overflow vulnerability.
• Take control.
• Spawn a shell.
• Issues.
• Guesswork and increasing your chance of success.
• Questions?
Memory Basics
• The Code (or Text) section is usually read-only, preventing self-modifying code.
A Stack Frame
• Pushed onto the stack on a function CALL.
• The saved return address is copied into the CPU instruction pointer when the function returns and its stack frame is popped.
The Buffer Overflow Vulnerability
• User-supplied data is written beyond the end of a buffer whose length is never checked, overwriting the return address saved in the stack frame!
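As an added illustration (not code from the talk or from aleph1's paper), the following C program places the unchecked copy the slide describes next to a bounds-checked replacement. The buffer size, function names and the sample inputs are constructed for this example; the point is that a copy which never consults the destination size is the defect, and the fix is to reject input that does not fit (terminator included) rather than truncating silently.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* small fixed-size stack buffer, as in the slides' scenario */

/* "Before": the unchecked copy the slides describe. strcpy stops only at the
 * NUL terminator, so input longer than NAME_MAX-1 runs past the buffer into
 * the saved frame pointer and return address. Shown for contrast only and
 * called below solely with input known to fit. */
static int greet_unchecked(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);                 /* no bounds check: the defect */
    return (int)strlen(name);
}

/* "After": verify the input fits (including its terminator) before copying.
 * Returns the copied length on success, -1 when the input would overflow,
 * so callers can drop and log the request instead of truncating silently. */
int copy_name_checked(const char *input, char *dst, size_t dst_len)
{
    size_t n = strlen(input);
    if (dst_len == 0 || n >= dst_len)
        return -1;                       /* no room for n bytes plus the NUL */
    memcpy(dst, input, n + 1);
    return (int)n;
}

/* Same shape as greet_unchecked, but built on the checked copy. */
int greet_checked(const char *input)
{
    char name[NAME_MAX];
    return copy_name_checked(input, name, sizeof name);
}

/* Constructed sample inputs (not from the original page): one that fits,
 * one exactly at the limit, one one byte over, one far past it. */
static const char *const SAMPLE_INPUTS[] = {
    "alice",
    "123456789012345",                   /* 15 chars + NUL = 16 bytes: fits */
    "1234567890123456",                  /* 16 chars + NUL = 17 bytes: rejected */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
};
#define N_SAMPLES (sizeof SAMPLE_INPUTS / sizeof SAMPLE_INPUTS[0])

/* Count how many of the sample inputs the checked copy rejects. */
int count_rejected(void)
{
    int rejected = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (greet_checked(SAMPLE_INPUTS[i]) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++) {
        int r = greet_checked(SAMPLE_INPUTS[i]);
        printf("%-50s -> %s\n", SAMPLE_INPUTS[i],
               r < 0 ? "rejected (would overflow)" : "accepted");
    }
    printf("unchecked copy of \"alice\", length %d\n", greet_unchecked("alice"));
    return 0;
}
```

The same pattern applies to the other functions the "Issues" slide tells you to grep for (strcat, gets, sprintf): every one of them takes its stopping condition from the source data rather than from the destination size, which is exactly what a reviewer should flag.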
Take Control
• The last bytes of the overflowing buffer land on the saved return address.
• To run arbitrary code of the user's choice, set that return address to the address of the buffer.
Spawn a Shell
• Write code such that a shell is spawned.
• Platform-independent code to spawn a shell is provided.
• The shell command executes in the program's security context.
• This allows user impersonation.
• If the program is running as root, the user now has total control of the host!
Issues
• What to exploit?
  • grep is your friend: grep the source for strcpy, strcat, etc.
• What is the return address?
  • It cannot be known at runtime; it must be guessed.
• Dealing with small buffers.
  • Place the shell code in an environment variable.
Guesswork and Increasing Your Chance of Success
• Stack sizes are application dependent, but 100 to 1000 bytes are good guesses.
• Prologue your exploit with NOOPs!
Questions?
• aleph1 uses a combination of JMP and CALL in his buffer.
• Why is this necessary?
• Can't you just write a buffer of NOOPs followed by the return address of the shell command environment variable?