Stack Smashing

A stack smashing attack is a specific type of security exploit that takes advantage of a buffer overflow vulnerability in a program to compromise its integrity and potentially execute arbitrary code.

What about writing the correct values to the stack?

Some value to RBP.
An address belonging to the process in RIP.

When the message ends the flow will be restored.

That is, stored RBP and stored RIP are loaded into the registers.
The stack frame will start at RBP.
Program jump to the address in RIP.

If the addresses aren't in a mapped area, the program will receive a SIGSEV.

Practical Example: program_flow.c

void secret(){
    printf("Secret message\n");
    exit(0);
}
char foo(int size, char* arg){
    char buffer[8];
    memcpy(buffer, arg, size);
    return buffer[0];
}
int main(int argc, char* argv[]){
    char buffer[64];
    printf("%p\n", &secret);
    
    FILE *fp = fopen(argv[1], "r");
    int size = fread(buffer, 1, 64, fp);
    fclose(fp);
    
    foo(size, buffer);
    return 0;
}

Flow:

Reads data from file;
Calls foo function with size and buffer;
foo has an overflowing memcpy.
secret function is never called.

Attack: Overflow the buffer:

writing over stored $RBP.
writing over stored $RIP, placing &secret there.

Consider ASLR to be disabled.

Attack strategy:

Overwrite buffer over RBP/RIP

How to find the addresses?

If we have the source code: printf("%p\n", secret)
If we don't: gdb or bruteforce.

Practical Example: return_to_libc.c

Instead of returning to a program function, it is possible to jump to other locations.

In theory, to any segment that is allocated to the program.
In practice, permission mechanisms limit the available segments.

Segments for libraries have several generic libraries.

In particular: system().
Is mostly executable.

The stack can be executable, but it isn't on recent systems.

Return to libc

Build “fake” Stack frame and call system() with one argument.
- The argument is the command to execute (e.g. a reverse shell).
Must take into consideration calling convention.
- Which is architecture-dependent.

Arguments are passed in the stack.

Approach: store values to the stack so that the system is called with a payload.
- Then call the system.

Last updated 1 year ago

Stack Smashing

A stack smashing attack is a specific type of security exploit that takes advantage of a buffer overflow vulnerability in a program to compromise its integrity and potentially execute arbitrary code.

What about writing the correct values to the stack?

Some value to RBP.
An address belonging to the process in RIP.

When the message ends the flow will be restored.

That is, stored RBP and stored RIP are loaded into the registers.
The stack frame will start at RBP.
Program jump to the address in RIP.

If the addresses aren't in a mapped area, the program will receive a SIGSEV.

Practical Example: program_flow.c

void secret(){
    printf("Secret message\n");
    exit(0);
}
char foo(int size, char* arg){
    char buffer[8];
    memcpy(buffer, arg, size);
    return buffer[0];
}
int main(int argc, char* argv[]){
    char buffer[64];
    printf("%p\n", &secret);
    
    FILE *fp = fopen(argv[1], "r");
    int size = fread(buffer, 1, 64, fp);
    fclose(fp);
    
    foo(size, buffer);
    return 0;
}

Flow:

Reads data from file;
Calls foo function with size and buffer;
foo has an overflowing memcpy.
secret function is never called.

Attack: Overflow the buffer:

writing over stored $RBP.
writing over stored $RIP, placing &secret there.

Consider ASLR to be disabled.

Attack strategy:

Overwrite buffer over RBP/RIP

How to find the addresses?

If we have the source code: printf("%p\n", secret)
If we don't: gdb or bruteforce.

Practical Example: return_to_libc.c

Instead of returning to a program function, it is possible to jump to other locations.

In theory, to any segment that is allocated to the program.
In practice, permission mechanisms limit the available segments.

Segments for libraries have several generic libraries.

In particular: system().
Is mostly executable.

The stack can be executable, but it isn't on recent systems.

Return to libc

Build “fake” Stack frame and call system() with one argument.
- The argument is the command to execute (e.g. a reverse shell).
Must take into consideration calling convention.
- Which is architecture-dependent.

Arguments are passed in the stack.

Approach: store values to the stack so that the system is called with a payload.
- Then call the system.

Last updated 1 year ago