Memory Layout + Vulnerabilities Flashcards
What is the stack?
A region of memory used to hold items with a fixed origin (base) and a variable size
Initially, the stack is empty and the stack pointer (%esp) points to the top of the stack
Items are added in last-in, first-out order; the stack grows from higher to lower memory addresses
What happens when a function is called?
A stack frame is pushed onto the stack, containing:
- the function's actual parameters (arguments)
- the return address to jump to at the end of the function
- a pointer to the previous frame (the saved %ebp)
- the function's local variables
What does the function prologue consist of?
push %ebp
mov %esp, %ebp
sub $n, %esp
What does the function epilogue include?
leave (equivalent to the two instructions below)
mov %ebp, %esp
pop %ebp
ret
ret pops the value at the top of the stack (pointed to by %esp) into the instruction pointer %eip
What are the typical components of an injection vector in the context of remote buffer overflow exploitation?
A NOP sled, the shellcode, and a sequence of (repeated) addresses long enough to overflow the buffer and overwrite a code pointer on the stack. These components may appear in any order, but the NOP sled must precede the shellcode
What happens to excess data copied into a buffer?
If the buffer is allocated on the stack, the overflow may corrupt code pointers stored on the stack
Why might local memory corruption exploitation be easier for an attacker?
Attackers don't need to guess the shellcode address: they can place the shellcode in the process environment (knowing how the kernel sets up the stack when the process starts helps compute the precise address at which the shellcode will be located)
Shellcode is machine code that…
Ultimately invokes one or more system calls that attackers rely on to perform arbitrary actions
Why is it important to make sure there are no NULL bytes in the shellcode?
Many such vulnerabilities are caused by strcpy-like functions, which terminate the copy upon encountering a NULL byte in the source operand, so a NULL byte inside the shellcode would truncate it
What code pointers can be overwritten by an overflow?
The return address, function pointers, GOT entries, and destructors