Stack-based buffer overflows, part 2





  • Stack-based buffer overflows, part 2
    Yves Younan, DistriNet, Department of Computer Science, Katholieke Universiteit Leuven, Belgium

  • Overview
    - Code injection

  • Code injection
    - Finding the inserted code is sometimes a problem
    - Often an attacker will fill a buffer with nops and place the shellcode at the end
    - If he misses the address he may end up in the nops

  • Gdb intro
    - Compile code with -g for debugging information
    - gdb program
    - break main -> tells the debugger to stop when main is reached
    - run -> run the program
    - x buffer -> prints out the contents of buffer (and its address)
    - If the shellcode is stored in the buffer, that address is what to overwrite the return address with

  • Execve
    - Execve allows execution of a program
    - int execve(const char *filename, char *const argv[], char *const envp[]);
    - Must pass an array of arguments, note that the program name is argument 0, terminated with NULL
    - Must also pass an array of environment variables, terminated with NULL

  • Execve

        #include <unistd.h>

        int main(int argc, char **argv)
        {
            /* arguments for the new program: argument 0 is the program name, list ends with NULL */
            char *execargv[3] = { "/bin/ls", "--color=always", NULL };
            /* environment for the new program, list ends with NULL */
            char *env[2] = { "TEST=1", NULL };
            execve(execargv[0], execargv, env);
            return 1; /* only reached if execve fails */
        }

  • Finding inserted code
    - Generally (on kernels < 2.6) the stack will start at a static address
    - Finding shell code means running the program with a fixed set of arguments/fixed environment
    - This will result in the same address
    - Not very precise, a small change can result in a different location of the code
    - Not mandatory to put shellcode in the buffer used to overflow
    - Pass it as an environment variable

  • Controlling the environment
    - Stack layout at program start (high addresses at the top, low addresses at the bottom):

          Stack start: 0xBFFFFFFF   (high addr)
          0,0,0,0                   (4 null bytes)
          Program name
          Env var n
          Env var n-1
          ...
          Env var 0
          Arg n
          Arg n-1
          ...
          Arg 0                     (low addr)

    - Passing shellcode as environment variable, its address is:

          Stack start - 4 null bytes - strlen(program name) - null byte (program name) - strlen(shellcode)
        = 0xBFFFFFFF - 4 - strlen(program name) - 1 - strlen(shellcode)
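To make the slide's layout model concrete, here is an added example (not code from the slides) that walks the layout from the stack top down, returns where each environment string starts, and checks the walk against the slide's one-variable formula; the stack top, program name and environment strings are constructed values. On a current kernel the real address printed at the end differs from the model and from run to run, which is precisely the predictability that ASLR and the 64-bit layout take away.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classic stack top from the slide (pre-2.6 Linux, no ASLR); a constructed
 * model value, not something read from a real system. */
#define CLASSIC_STACK_TOP 0xBFFFFFFFUL

/* Walk the slide's layout from the top down: 4 null bytes, the program
 * name, then env[n-1] .. env[0] (highest first). Each string occupies
 * strlen+1 bytes because of its terminating NUL. Returns the address of
 * the first byte of env[idx]. */
uintptr_t env_string_addr(uintptr_t stack_top, const char *progname,
                          const char *const env[], size_t n, size_t idx)
{
    uintptr_t end = stack_top + 1;            /* exclusive end of the stack */
    end -= 4;                                 /* the four null bytes */
    end -= strlen(progname) + 1;              /* program name plus its NUL */
    for (size_t i = n; i-- > idx; )           /* env[n-1] sits highest */
        end -= strlen(env[i]) + 1;
    return end;
}

/* The slide's closed form for a single environment string placed highest. */
uintptr_t slide_formula(const char *progname, const char *envstr)
{
    return CLASSIC_STACK_TOP - 4 - strlen(progname) - 1 - strlen(envstr);
}

int main(void)
{
    /* Constructed sample input: a program name and one environment string. */
    const char *prog = "/tmp/victim";
    const char *env[] = { "SC=AAAAAAAA" };
    uintptr_t model = env_string_addr(CLASSIC_STACK_TOP, prog, env, 1, 0);

    printf("model (fixed stack top): 0x%lx\n", (unsigned long)model);
    printf("slide formula:           0x%lx\n",
           (unsigned long)slide_formula(prog, env[0]));
    /* On a modern kernel the real location of an environment string is not
     * fixed; comparing it with the model shows the gap ASLR introduces. */
    const char *real = getenv("PATH");
    if (real)
        printf("real address of PATH:    %p\n", (const void *)real);
    return 0;
}
```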

  • Conclusion
    - Follow Gera's Insecure Programming by example: for the computers: cstudy/distrinet

