Smashing the Stack for Fun and Profit - PowerPoint PPT Presentation

1
Smashing the Stack for Fun and Profit
  • -by aleph1 circa 1996
  • Presented by Dan Frohlich

2
Overview
  • Memory and Stack basics.
  • The buffer overflow vulnerability.
  • Take control.
  • Spawn a shell.
  • Issues.
  • Guesswork and Increasing your chance of success.
  • Questions?

3
Memory Basics.
  • The Code or Text section is usually read-only,
    preventing self-modifying code.

4
A Stack Frame.
  • Pushed onto the stack on a function CALL.
  • The return address is copied into the CPU
    Instruction Pointer when the function returns and
    its stack frame is popped.

5
The buffer overflow vulnerability.
  • User-injected data is written beyond the
    unchecked buffer length, overwriting the stack
    frame's return address!

6
Take control.
  • The last byte of the buffer is the return
    address.
  • To run arbitrary code of the user's choice, set it
    to the address of the buffer.

7
Spawn a shell.
  • Write code such that a shell is spawned.
  • The paper provides platform-independent code to
    spawn a shell.
  • The shell command is executed in the program's
    security context.
  • Allows user impersonation.
  • If the program is running as root, the user now
    has total control of the host!

8
Issues.
  • What to exploit?
  • grep is your friend.
  • grep the source for strcpy, strcat, etc.
  • What is the return address?
  • It cannot be known at runtime; it must be guessed.
  • Dealing with small buffers.
  • Place the shell code in an environment variable.
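As an added example (not from the slides or from aleph1's paper), here is the unchecked strcpy pattern that slide 5 describes and slide 8 says to grep for, beside a bounded replacement that refuses input which does not fit. The function names and the sample inputs are constructed for illustration; the point is that the fix is an explicit length check against the destination's real size, not a different copy routine on its own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* size of the fixed stack buffer in both functions */

/* Vulnerable form (the slide-5 pattern, and the strcpy slide 8 says to
 * grep for). strcpy copies until it sees the terminating NUL in `input`;
 * NAME_LEN is never consulted, so input of NAME_LEN or more characters
 * writes past `name` into whatever the compiler placed above it in the
 * frame. Kept only for contrast: main() calls it with a short constant. */
void unchecked_copy(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                /* no bound: this is the bug */
    printf("hello, %s\n", name);
}

/* Does `input` (plus its terminating NUL) fit in `bufsize` bytes? */
int fits_in_buffer(const char *input, size_t bufsize)
{
    return strlen(input) < bufsize;
}

/* Hardened form: reject input that does not fit rather than copying it.
 * memcpy with an explicit length replaces strcpy, and the bound comes
 * from the destination's real size via sizeof. Returns 0 on success,
 * -1 when the input is too long. */
int checked_copy(const char *input)
{
    char name[NAME_LEN];
    size_t len = strlen(input);
    if (len >= sizeof name)
        return -1;                      /* would overflow: refuse it */
    memcpy(name, input, len + 1);       /* len + 1 copies the NUL too */
    printf("hello, %s\n", name);
    return 0;
}

/* Constructed sample inputs standing in for the user-injected data of
 * slide 5; returns how many of them the unchecked version would have
 * let run past a NAME_LEN-byte buffer. */
int count_overflowing_inputs(void)
{
    static const char *const samples[] = {
        "alice",                                    /* fits */
        "bob",                                      /* fits */
        "0123456789abcdef",                         /* 16 chars + NUL = 17 bytes: one byte too many */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  /* 40 chars: the classic over-long input */
    };
    int overflowing = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (!fits_in_buffer(samples[i], NAME_LEN))
            overflowing++;
    return overflowing;
}

int main(void)
{
    unchecked_copy("dan");              /* short input: safe even for the vulnerable form */
    printf("rejected: %d\n", checked_copy("0123456789abcdef"));   /* -1 */
    printf("%d sample inputs would overflow a %d-byte buffer\n",
           count_overflowing_inputs(), NAME_LEN);
    return 0;
}
```

The off-by-one case in the samples is the one reviewers most often miss: a 16-character string into a 16-byte buffer looks like it fits until the terminating NUL is counted, which is why the check is `len >= sizeof name` and not `len > sizeof name`.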

9
Guesswork and Increasing your chance of success.
  • Stack sizes are application dependent, but 100 to
    1000 bytes are good guesses.
  • Prologue your exploit with NOPs!

10
Questions?
  • aleph1 uses a combination of JMP and CALL in his
    buffer.
  • Why is this necessary?
  • Can't you just write a buffer of NOPs followed by
    the return address of the shell command
    environment variable?