Buffer overflow
Summary
Premise
- user can input more data into a fixed-size buffer than it can hold
- vulnerable functions with no bounds checks, eg. strcpy, gets
Attack
- send oversized input to overwrite adjacent memory: local variables, saved frame pointer, return address on stack, function pointers on heap
- overwrite return address to execute another function
Attacker’s goals
- arbitrary code execution / remote shell -> execution integrity
- leak data from memory -> confidentiality
- crash service -> execution integrity
Defense
- functions with bounds checks, eg. strncpy, snprintf
- compiler protections, eg. stack canaries, ASLR, NX/DEP
- use high-level languages or memory-safe techniques
- detecting implementation bugs: code audits, fuzz testing, and runtime sanitizers
Concept
Buffer overflow
- exploits implementation bugs
- unsafe functions
- usually involves strings: pay attention to the null terminating character, which string functions use to decide where a copy stops
Canary
- detects stack smashing
- a secret value inserted at selected memory locations (typically between the local buffers and the saved return address) at runtime
- a check before the function returns ensures that the value has not been modified; if it has, the program aborts instead of returning
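As an added illustration, not part of these notes, the C program below simulates a stack frame in a plain byte array (buffer, then canary, then saved return address) so the overwrite stays well-defined C rather than real stack corruption. The canary value and the 'A'-filled inputs are constructed; the check mirrors what the compiler's stack protector does in the function epilogue. It also contrasts an unbounded copy (what gets()/strcpy() do) with a bounded one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame layout, mimicking a compiler's: local buffer, then the
 * canary, then the saved return address. All constructed for the example. */
enum { BUF_SIZE = 32, CANARY_SIZE = 8, RET_SIZE = 8,
       FRAME_SIZE = BUF_SIZE + CANARY_SIZE + RET_SIZE };

struct frame {
    unsigned char bytes[FRAME_SIZE]; /* buf | canary | saved return address */
    uint64_t expected;               /* canary value chosen at function entry */
};

/* Install the canary. The constant here is constructed; glibc draws the real
 * one from the kernel at process start and zeroes its lowest byte so that a
 * string copy, which stops at NUL, cannot rewrite the canary and keep it intact. */
static void frame_init(struct frame *f, uint64_t canary) {
    memset(f->bytes, 0, FRAME_SIZE);
    f->expected = canary & ~0xffULL;
    memcpy(f->bytes + BUF_SIZE, &f->expected, CANARY_SIZE);
}

/* Mimics gets()/strcpy(): copies as much input as there is. Clamped to the
 * frame only so the simulation itself stays inside the array. */
static void unbounded_copy(struct frame *f, const unsigned char *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes, in, len);
}

/* The bounded alternative: never writes past the buffer. */
static void bounded_copy(struct frame *f, const unsigned char *in, size_t len) {
    if (len > BUF_SIZE) len = BUF_SIZE;
    memcpy(f->bytes, in, len);
}

/* The epilogue check inserted by -fstack-protector: 1 if the canary still
 * matches, 0 if the frame was smashed (where __stack_chk_fail would abort). */
static int canary_intact(const struct frame *f) {
    return memcmp(f->bytes + BUF_SIZE, &f->expected, CANARY_SIZE) == 0;
}

/* Run one input through a fresh frame; returns whether the function could
 * "return" safely. */
int run_input(const unsigned char *in, size_t len, int bounded) {
    struct frame f;
    frame_init(&f, 0x1122334455667700ULL); /* constructed canary */
    if (bounded) bounded_copy(&f, in, len);
    else         unbounded_copy(&f, in, len);
    return canary_intact(&f);
}

/* Convenience: feed `len` bytes of 'A' (constructed input, at most 64). */
int run_fill(size_t len, int bounded) {
    unsigned char in[64];
    if (len > sizeof in) len = sizeof in;
    memset(in, 'A', len);
    return run_input(in, len, bounded);
}

int main(void) {
    printf("32 bytes, unbounded: %s\n", run_fill(32, 0) ? "intact" : "smashed");
    printf("33 bytes, unbounded: %s\n", run_fill(33, 0) ? "intact" : "smashed");
    printf("48 bytes, unbounded: %s\n", run_fill(48, 0) ? "intact" : "smashed");
    printf("48 bytes, bounded:   %s\n", run_fill(48, 1) ? "intact" : "smashed");
    return 0;
}
```

Note that a single extra byte (33 of 'A') already trips the check: the first byte past the buffer is the canary's zero byte, which is exactly the terminator trick described in the comments.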
ASLR
- address space layout randomization
- ensures that data and instructions are not always stored at the same memory addresses across runs
- eg. PIE -> position independent executables, so the program's own code can be loaded at a random base as well
- the base address changes, but the offsets between instructions within a program usually remain unchanged
Application
Overflow local variables
```c
#define _GNU_SOURCE /* keeps gets() declared under modern glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void win(void) {
    char* argv[3] = {"/bin/cat", "flag.txt", NULL};
    printf("Good job!\n");
    execve("/bin/cat", argv, NULL);
}

void vuln(void) {
    char secret[0x10] = "[REDACTED]"; // 16 bytes, sits next to buf on the stack
    char buf[0x20] = "";              // 32 bytes
    printf("Welcome to the bad stack, what would you like to input today?\n");
    printf("Input whatever:\n");
    gets(buf); // vulnerable to buffer overflow: no bound on the input length
    if (!strncmp(buf, secret, 0x10)) {
        printf("You found the secret activation!\n");
        printf("Fine, here's the flag...\n");
        win();
        exit(0);
    }
    printf("Echo: %s", buf);
}

int main(void) {
    vuln();
    return 0;
}
```
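For the defensive side, here is an added example (not the notes' code) of what the gets(buf) call in vuln() above should have been: a bounded line reader built on fgets that strips the newline, detects when a line did not fit, and discards the remainder so it cannot spill into the next read. vuln_safe is a hardened counterpart of vuln() that only reports whether the secret matched; the SECRET string is the notes' placeholder, and the read_line_status / vuln_safe_on helpers exist only to drive constructed inputs through the code via fmemopen.

```c
#define _POSIX_C_SOURCE 200809L /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define SECRET "[REDACTED]" /* placeholder taken from the notes */

/* Read one line into buf (size bytes including the terminator).
 * Returns the number of bytes stored, -1 on EOF with nothing read,
 * or -2 if the line did not fit (the rest of that line is drained). */
int read_line(char *buf, size_t size, FILE *in) {
    if (size == 0) return -2;
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return -1; }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[--n] = '\0'; return (int)n; }
    if (n == size - 1) {
        /* Buffer filled without a newline: either the line fit exactly or it
         * was truncated. Peek one more character to tell the two apart. */
        int c = fgetc(in);
        if (c == EOF || c == '\n') return (int)n;
        while ((c = fgetc(in)) != EOF && c != '\n') { } /* drain the overflow */
        return -2;
    }
    return (int)n; /* last line of input with no trailing newline */
}

/* Hardened counterpart of vuln(): same 32-byte buffer, but the read is
 * bounded and an over-long line is rejected. Returns 1 if the secret matched. */
int vuln_safe(FILE *in) {
    char buf[0x20];
    int n = read_line(buf, sizeof buf, in);
    if (n < 0) return 0;                 /* EOF or over-long input: refuse */
    return strcmp(buf, SECRET) == 0;     /* compare the whole string */
}

/* Helper: run read_line over a constructed string with a `size`-byte buffer
 * (at most 64) and return its status code. */
int read_line_status(const char *text, size_t size) {
    char out[64];
    if (size > sizeof out) size = sizeof out;
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (!in) return -3;
    int rc = read_line(out, size, in);
    fclose(in);
    return rc;
}

/* Helper: run vuln_safe over a constructed string. */
int vuln_safe_on(const char *text) {
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (!in) return 0;
    int rc = vuln_safe(in);
    fclose(in);
    return rc;
}

int main(void) {
    printf("Input whatever:\n");
    printf(vuln_safe(stdin) ? "Secret matched.\n" : "No match.\n");
    return 0;
}
```

Pair this with the compiler protections from the Defense list when building: -fstack-protector-strong (canaries), -D_FORTIFY_SOURCE=2 with -O2 (checked variants of the string functions), and -fPIE -pie so ASLR also applies to the executable's own code.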
Overflow with canary and ASLR
Extra
Python pwntools basic template
python