search

Stack Smashing

A stack smashing attack is a specific type of security exploit that takes advantage of a buffer overflow vulnerability in a program to compromise its integrity and potentially execute arbitrary code.

What about writing the correct values to the stack?

  • Some value to RBP.

  • An address belonging to the process in RIP.

When the message ends the flow will be restored.

  • That is, stored RBP and stored RIP are loaded into the registers.

  • The stack frame will start at RBP.

  • Program jump to the address in RIP.

If the addresses aren't in a mapped area, the program will receive a SIGSEV.

hashtag
Practical Example: program_flow.c

void secret(){
    printf("Secret message\n");
    exit(0);
}
char foo(int size, char* arg){
    char buffer[8];
    memcpy(buffer, arg, size);
    return buffer[0];
}
int main(int argc, char* argv[]){
    char buffer[64];
    printf("%p\n", &secret);
    
    FILE *fp = fopen(argv[1], "r");
    int size = fread(buffer, 1, 64, fp);
    fclose(fp);
    
    foo(size, buffer);
    return 0;
}

Flow:

  • Reads data from file;

  • Calls foo function with size and buffer;

  • foo has an overflowing memcpy.

  • secret function is never called.

Attack: Overflow the buffer:

  • writing over stored $RBP.

  • writing over stored $RIP, placing &secret there.

Consider ASLR to be disabled.

Attack strategy:

  • Overwrite buffer over RBP/RIP

How to find the addresses?

  • If we have the source code: printf("%p\n", secret)

  • If we don't: gdb or bruteforce.

hashtag
Practical Example: return_to_libc.c

Instead of returning to a program function, it is possible to jump to other locations.

  • In theory, to any segment that is allocated to the program.

  • In practice, permission mechanisms limit the available segments.

Segments for libraries have several generic libraries.

  • In particular: system().

  • Is mostly executable.

The stack can be executable, but it isn't on recent systems.

Typical Flow

Return to libc

  • Build “fake” Stack frame and call system() with one argument.

    • The argument is the command to execute (e.g. a reverse shell).

  • Must take into consideration calling convention.

    • Which is architecture-dependent.

Arguments are passed in the stack.

  • Approach: store values to the stack so that the system is called with a payload.

    • Then call the system.

Last updated