Vulnerability Development mailing list archives

Re: regarding phrack49's stack smashing tutorial


From: 11a () GMX NET (Bluefish)
Date: Sun, 14 May 2000 04:30:44 +0200


Why does it and, more specifically, *where*? I wrote some test programs and
saw that it is always 0xbffff6c6 +- 0xff. But it changes sometimes.
What is so special about this 0xbffffffff address and by the way
this address never fits into my 64M memory.... !

Virtual addresses and physical addresses are two entirely different topics.
You have some funky stuff like TLBs and stuff to decode between them.
(TLBs decode between virtual addresses and physical addresses)

If anybody knows other documents which explain buffer overflows I would
appreciate any information.

uhmm.... If I may use my theoretical knowledge (credits to my computer
security course taught at my uni, no practical experience ;)

Lets say you have a function f() which is something like:

  #include <stdio.h>

  void f() {
    char s[512];
    gets(s);    /* no bound: reads past s[511] on long input */
  }

once executed the stack will be filled with:

====================================================
|  s[0]..s[511], uninitialized  ||  return address  |
====================================================

Now the attacker sends a 'carefully crafted' malicious string, containing
512 bytes of code plus a 32 bit return address which should be pointing to
s[0]. (in other words, &s) We then have:

===========================================================
|  s[0]..s[511], malicious code  ||  return address, &s   |
===========================================================

And now, the function exits by doing a RET. Ka-ching! EIP is &s and the
processor is executing the malicious code.

Now, there's of course more to it, like how to get past situations like
a no-exec stack and such. But as long as you are able to overwrite the
return addresses, you can modify the execution in ways the programmer
did not think of. In some programs, jumping into code which actually
isn't malicious could be very bad indeed. Like skipping the entire
authentication process in a daemon. (I have never heard of this being done
though, anyone who has?)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
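The overwrite Bluefish describes above, together with the "skip the authentication" variant at the end of the post, as an added example (this is not code from the original message or from the Phrack article). It models the frame drawn in the post, the local buffer followed directly by the saved return address, as a plain struct, so the redirect can be shown deterministically without an executable stack or a real RET; the ret slot holds a function pointer standing in for the return address. Everything here is an assumption of the example: the names (fake_frame, auth_deny, auth_grant, run_unbounded, run_bounded, craft_payload, demo_*), the 16-byte buffer in place of the post's 512, and the "authentication" outcome being just an int.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. The post's frame
 * ( s[0]..s[511] || return address ) is modelled as a struct so the
 * overwrite is deterministic and no executable stack is needed. All
 * names below are invented for the illustration. */

#define BUF_SIZE 16   /* scaled down from the post's 512 bytes */

int auth_deny(void)  { return 0; }   /* where control legitimately goes */
int auth_grant(void) { return 1; }   /* existing code an attacker wants to reach */

/* Modelled frame: the local buffer followed by the saved "return address". */
struct fake_frame {
    char buf[BUF_SIZE];
    int (*ret)(void);
};

/* Vulnerable: copies the whole input with no bound, like gets(). Input longer
 * than BUF_SIZE runs into the ret slot. Input longer than the whole frame
 * would corrupt memory beyond it, so the demo keeps len <= sizeof(frame). */
int run_unbounded(const unsigned char *input, size_t len)
{
    struct fake_frame f;
    f.ret = auth_deny;
    memcpy(&f, input, len);
    return f.ret();               /* the "RET": jump wherever the slot says */
}

/* Hardened: the copy is bounded to the buffer, as fgets(s, sizeof s, stdin)
 * would be in place of gets(s); the ret slot is never written. */
int run_bounded(const unsigned char *input, size_t len)
{
    struct fake_frame f;
    f.ret = auth_deny;
    if (len > BUF_SIZE)
        len = BUF_SIZE;
    memcpy(f.buf, input, len);
    return f.ret();
}

/* Builds the "carefully crafted" input: filler up to the ret slot, then the
 * address to jump to, in the byte order the frame stores it. Returns the
 * payload length (here equal to sizeof(struct fake_frame)), or 0 if the
 * output buffer is too small. */
size_t craft_payload(unsigned char *out, size_t cap, int (*target)(void))
{
    size_t off = offsetof(struct fake_frame, ret);
    if (cap < off + sizeof target)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Convenience wrappers: craft a payload aimed at auth_grant and feed it to
 * each copy routine. -1 signals a payload-building failure. */
int demo_vulnerable(void)
{
    unsigned char p[64];
    size_t n = craft_payload(p, sizeof p, auth_grant);
    return n ? run_unbounded(p, n) : -1;
}

int demo_hardened(void)
{
    unsigned char p[64];
    size_t n = craft_payload(p, sizeof p, auth_grant);
    return n ? run_bounded(p, n) : -1;
}

int main(void)
{
    const unsigned char benign[] = "user";   /* constructed, well-behaved input */

    printf("benign input, unbounded copy : %d (denied)\n",
           run_unbounded(benign, sizeof benign - 1));
    printf("crafted input, unbounded copy: %d (ret slot now points at auth_grant)\n",
           demo_vulnerable());
    printf("crafted input, bounded copy  : %d (denied, ret slot untouched)\n",
           demo_hardened());
    return 0;
}
```

The crafted input never carries any shellcode: it only replaces the saved "return address" with the address of code that is already in the program, which is exactly the "jump into code which actually isn't malicious" case the post raises. On a real stack the same overwrite is what canaries, a non-executable stack and address randomisation exist to stop, which is why the post says there is "more to it".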

