![]() ![]() Another example of a machine-specific detail that can affect the choice of exploitation techniques is the fact that most RISC-style machine architectures will not allow unaligned access to memory. This means that any overwritten return address will not be used until a later unwinding of the call stack. Some machine architectures store the top-level return address of the call stack in a register. #include #include void foo ( char * bar ) Platform-related differences Ī number of platforms have subtle differences in their implementation of the call stack that can affect the way a stack buffer overflow exploit will work. This is illustrated with strcpy() in the following example: ![]() The canonical method for exploiting a stack-based buffer overflow is to overwrite the function return address with a pointer to attacker-controlled data (usually on the stack itself). This is one of the oldest and more reliable methods for attackers to gain unauthorized access to a computer. If the stack buffer is filled with data supplied from an untrusted user then that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process. ![]() a webserver) then the bug is a potential security vulnerability. ![]() If the affected program is running with special privileges, or accepts data from untrusted network hosts (e.g. Overfilling a buffer on the stack is more likely to derail program execution than overfilling a buffer on the heap because the stack contains the return addresses for all active function calls.Ī stack buffer overflow can be caused deliberately as part of an attack known as stack smashing. Stack buffer overflow is a type of the more general programming malfunction known as buffer overflow (or buffer overrun). This almost always results in corruption of adjacent data on the stack, and in cases where the overflow was triggered by mistake, will often cause the program to crash or operate incorrectly. Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. In software, a stack buffer overflow or stack buffer overrun occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer. Modifying those values can often be leveraged into a "write-what-where" condition.For other uses, see Stack overflow (disambiguation). Other important data commonly on the stack include the stack pointer and frame pointer, two values that indicate offsets for computing memory addresses. This is often called a return into libc exploit, since the attacker generally forces the program to jump at return time into an interesting routine in the C standard library (libc). Alternately, the attacker can supply the address of an important call, for instance the POSIX system() call, leaving arguments to the call on the stack. The attacker can overwrite this value with some memory address to which the attacker also has write access, into which they place arbitrary code to be run with the full privileges of the vulnerable program. The most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing. There are generally several security-critical data on an execution stack that can lead to arbitrary code execution. ![]()
0 Comments
Leave a Reply. |