Stack Buffer Overflow - Exploiting Stack Buffer Overflows

Exploiting Stack Buffer Overflows

The canonical method for exploiting a stack based buffer overflow is to overwrite the function return address with a pointer to attacker-controlled data (usually on the stack itself). This is illustrated in the example below:

An example with strcpy
#include void foo (char *bar) { char c; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) { foo(argv); }

This code takes an argument from the command line and copies it to a local stack variable c. This works fine for command line arguments smaller than 12 characters (as you can see in figure B below). Any arguments larger than 11 characters long will result in corruption of the stack. (The maximum number of characters that is safe is one less than the size of the buffer here because in the C programming language strings are terminated by a zero byte character. A twelve-character input thus requires thirteen bytes to store, the input followed by the sentinel zero byte. The zero byte then ends up overwriting a memory location that's one byte beyond the end of the buffer.)

The program stack in foo with various inputs

Notice in figure C above, when an argument larger than 11 bytes is supplied on the command line foo overwrites local stack data, the saved frame pointer, and most importantly, the return address. When foo returns it pops the return address off the stack and jumps to that address (i.e. starts executing instructions from that address). Thus, the attacker has overwritten the return address with a pointer to the stack buffer char c, which now contains attacker-supplied data. In an actual stack buffer overflow exploit the string of "A"'s would instead be shellcode suitable to the platform and desired function. If this program had special privileges (e.g. the SUID bit set to run as the superuser), then the attacker could use this vulnerability to gain superuser privileges on the affected machine.

The attacker can also modify internal variable values to exploit some bugs. With this example :

#include #include void foo (char *bar) { float My_Float = 10.5; // Addr = 0x0023FF4C char c; // Addr = 0x0023FF30 // Will print 10.500000 printf("My Float value = %f\n", My_Float); /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Memory map: @ : c allocated memory # : My_Float allocated memory *c *My_Float 0x0023FF30 0x0023FF4C | | @@@@@@@@@@@@@@@@@@@@@@@@@@@@##### foo("my string is too long !!!!! XXXXX"); memcpy will put 0x1010C042 (little endian) in My_Float value. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ memcpy(c, bar, strlen(bar)); // no bounds checking... // Will print 96.031372 printf("My Float value = %f\n", My_Float); } int main (int argc, char **argv) { foo("my string is too long !!!!! \x10\x10\xc0\x42"); return 0; }

Read more about this topic:  Stack Buffer Overflow

Famous quotes containing the words stack and/or overflows:

    “Farewell to barn and stack and tree,
    Farewell to Severn shore.
    Terence, look your last at me,
    For I come home no more.
    —A.E. (Alfred Edward)

    Surely among a rich man’s flowering lawns,
    Amid the rustle of his planted hills,
    Life overflows without ambitious pains;
    And rains down life until the basin spills,
    And mounts more dizzy high the more it rains
    As though to choose whatever shape it wills....
    William Butler Yeats (1865–1939)