Buffer Overflow - Theory

Question 1

How does a process creation works on Linux?

Answer 1

First, the kernel creates the virtual address space in which the program runs. Information is loaded from execution file to the newly allocated address space. And finally the kernel sets up the stack and heap and jumps at the entry point of the program.

Question 2

What are the characteristics of the stack and the data allocated in it?

Answer 2

The data allocated in it corresponds to statically allocated local variables (including environments).

An important characteristic is that it grows towards the lower addresses (gross down).

Question 3

What are the characteristics of the heap and the data allocated in it?

Answer 3

A contains the executable code, the uninitialized data, the initialized data (global variables) and the dynamically allocated data

An Important characteristic is that gross toward higher addresses (grows up)

Question 4

What does the EIP register does

Answer 4

Contains the address of the next machining instruction to be executed

Question 5

How does the call instruction works?

Answer 5

Based on the fact that the call instruction leads the stack pointer to another address, it needs to save the current EIP in order to be able to come back once the other function is over. It also needs to push the parameters to the stock.

Question 6

What is the function prologue?

Answer 6

Since the CPU needs to remember where the caller frame is located on the stack (so that it can be restored once the call it function is over) function prologue pushes the current stock base address to the stack, moves the current top address to the base address (the new base of the stack is the old top of the stock), and moves the stack top pointer down giving room for the next instructions

Question 7

What is the function epilogue?

Answer 7

They are the commands that resets the configurations from before the call function.

It includes leave and ret instructions, which corresponds to moving back the top stack pointer to the base pointer of the current called function frame, restore the saved base pointer (the pointer of the caller), pop the saved EIP and jump there.

Question 8

What is the main idea of the stack smashing?

Answer 8

To use the memory writing characteristics and a buffer without size checking to override the instruction pointer of a called function

Question 9

While using a stack smashing strategy what is the content to put in the instruction pointer of the called function, in other words, where do we jump?

Answer 9

We need to jump to a valid memory location that contains, or can be filled with, valid executable machine code

Some of the solutions are: environment variable, built-in existing functions, memory that we can control (the buffer itself, some other variable)

Question 10

How do we guess the buffer location when using the buffer itself as the valid executable memory location in the stack smashing

Answer 10

We can use a debugger or read from a process in order to output the ESP value, but the results of the solutions differ from the real values, leading to a problem of precision

Question 11

How do we deal with the problem of precision when using a debugger or a read from a process to output the ESP value in order to access the buffer itself content on a stack smashing strategy usage?

Answer 11

We can use the NOP sled. Which is a sequence of no operations at the beginning of the buffer which eventually leads us to the area of the executable code

Question 12

What can we place as executable cold while using these stack smashing approach?

Answer 12

The main goal is to spawn a privileged shell. In order to do that we need to execute a system call, which is achieved by executing a software interrupt through the int instruction passing the 0x80 value.

Question 13

How can we call the interrupt function successfully?

Answer 13

First, we need to write anywhere in the memory the “/bin/sh\0” content, then discover its address and create a buffer with it (address) as the first position and with a NULL value as the second position

Then we need to move the address of the string previously created, and placed in the first member of our buffer, in the register EBX, and using offsets pass the NULL value to the EDX register

Question 14

How do we get the exact address of “/bin/sh\0”?

Answer 14

We execute a jump to a call instruction to which the next instruction is the creation of this content. This way the exact address is saved into the stack and we just pop it into our ESI register.

Question 15

Why there is a problem leaving the 0x00 values in the assembly code?

Answer 15

Because they represent a “\0” which is a string term. String related operation will stop at the first “\0” found

Question 16

What are the substitutions in order to be taking an assembly code without “\0”?

Answer 16

In the place of jump, we use a jump short ()

Add some X-Or operations

Question 17

What are the pros and cons of using the buffer itself as the valid executable memory?

Answer 17

Pros: can be done remotely

Cons: buffer could not be large enough, memory must be marked as executable, need to guess the address reliably

Question 18

What are the pros and cons of using the environment variables as the valid memory, executable location?

Answer 18

Pros: easy to implement, easy to target (we can know precisely address)

Cons: works for local exploiting only, the program may wipe the environment, memory must be marked as executable

Question 19

How can we use environment variables as the valid executable memory location while using the stack smashing strategy

Answer 19

We are located an area of memory that contains the exploit. Put the contents of that memory in the environment variable. Finally, we have to overwrite the EIP with the address of the environment variable by filling the buffer.

Question 20

Point out the main difference in the content of the buffer when using the environment variables as the valid executable memory location

Answer 20

We can repetitively feel the buffer with the approximate environment, variable location until the EIP and the NOP sled is implemented there

Question 21

What are the pros and cons of using built in existing functions as the valid executable memory address?

Answer 21

Pros: works remotely and reliably, no need for executable stack

Cons: needs to prepare the stack frame carefully

Question 22

How is it done the stack smashing strategy when using the built in existing functions as the valid executable memory location

Answer 22

We overwrite EIP with the address of the library system call, the register over it corresponds to the return address for the system call (parameter of the function) which for us is not important, and a address over it is the argument for the system call in which we need to place the address of the “/bin/sh\0” content (that can also be placed at the library)

Question 23

What are some of the defenses that can be implemented in order to avoid stack smashing

Answer 23

The source called level we can find and remove vulnerabilities

At the compiler level, we can make the vulnerabilities non-exploitable

And the operating system level, we can difficult the attack

Question 24

Describe the defenses at source code level

Answer 24

First we may aim at not causing buffer overflows, which can be achieved by education, testing, and use of source code analyzers

We can also use safer libraries

Or even use the languages with dynamic memory management that makes them more resilient to these issues

Question 25

Describe the compiler level defenses

Answer 25

Warnings at compile time

Randomized re-ordering of stack variables

Embedding stack protection mechanisms at compile time, such as the canary mechanism, which is a variable inserted randomly between the local variables and a value, when the function returns the canary is checked, and if it was modified, the program is killed

Question 26

Define the OS level defenses

Answer 26

No executable stack

Address space layout randomization (ASLR). Which reposition the stack, among other things, at each execution at random, which makes impossible to guess return addresses correctly