Professional Documents
Culture Documents
Buffer Overflow Attacks
Buffer Overflow Attacks
Buffer Overflows -
Attacks and Mitigations
Abhishek Bichhawat 13/01/2023
Crashing the Stack
UVWX
void function (char *str){
char buffer[16]; QRST
strcpy (buffer, str); MNOP
} IJKL
EFGH
int main (int argc, char* argv[]){ ABCD
function (argv[1]);
}
3
Corrupt the Stack
c (4 bytes)
● Instead of crashing, can an adversary take advantage of it?
b (4 bytes)
void doSomething(int a, int b, int c){
char buffer1[5]; a (4 bytes)
char buffer2[10];
int *r; ret (4 bytes)
r = buffer1 + 12;
sfp (4 bytes)
(*r) += 8; …
}
buffer1 (8 bytes)
int main(){
int x = 0;
doSomething(1,2,3); buffer2 (12 bytes)
x = 1;
printf(“%d\n”, x);
}
4
Corrupt the Stack
c (4 bytes)
● Some systems will skip the assignment of 1 to x
b (4 bytes)
void function(int a, int b, int c){
char buffer1[5]; a (4 bytes)
char buffer2[10];
int *r; ret +8
r = buffer1 + 12;
sfp (4 bytes)
(*r) += 8;
}
buffer1 (8 bytes)
int main(){
int x = 0;
function(1,2,3); buffer2 (12 bytes)
x = 1;
printf(“%d\n”, x);
r (4 bytes)
}
5
Real Exploits
6
Real Exploits jmp 0x1F
popl %esi
movl %esi, 0x8(%esi)
c (0x03) #include stdio.h xorl %eax, %eax
movb %eax, 0x7(%esi)
8
Stack Smashing
10
Stack Smashing
./a.out xyz.............leaf
12
Format String Vulnerabilities
./a.out ./a.out
test %x.%x.%x.%x.
test 120a8.0.17a846ac.559d5578. 14
Integer Memory Safety Vulnerabilities
● Function pointers
○ void (*foo)()
● longjmp buffers
○ Used with setjmp as checkpoint/rollback
○ Corrupted buffer jumps to arbitrary location
● Manipulating environment variables
○ getenv
● Use-after-free
○ Dangling pointers
● Off-by-one
16