Stack Attacks

Question 1

In 64 bit where are the arguments for a function past?

Answer 1

The first 6 go into registers, after that they go into the stack.

Question 1

In 32 bit, where are the arguments for a function past?

Answer 1

The stack

Question 2

Name the 6 registers in order that function arguments are passed into in x64

Answer 2

RDI
RSI
RDX
RCX
R8
R9

Question 3

Which registers are function results returned in?

Answer 3

RAX and RDX

Question 4

What is the RAX register?

Answer 4

The accumulator

Question 5

What is the RIP register?

Answer 5

The instruction point

Question 6

What does the RSP register point to?

Answer 6

The top of the stack

Question 7

What does the RBP register point to?

Answer 7

The bottom of the stack

Question 8

Which registers are floating point function arguments pass into?

Answer 8

XMM0 to XMM7

Question 9

Describe what happens in memory when a function is called?

Answer 9

Arguments are put into registers
The function updates the RSP and RBP values to make new stack space
The old instruction pointer is pushed onto the stack
The old RBP is pushed onto the stack

Question 10

What is a buffer overflow attack?

Answer 10

When you write data that is large than the size of a buffer into a buffer, causing it to overflow and overwrite the old instruction pointer. Allowing you to change where the program resumes from after the function finishes.

Question 11

How does the NX-bit defend against buffer overflow attacks?

Answer 11

The NX-bit provides a hardware distinction between the text and the stack. Code should only be in the text, and never the stack. If the instruction pointer ever points to the stack it will crash.

Question 12

How does address space layout randomisation (ASLR) protect against buffer overflow attacks?

Answer 12

ASLR adds a random offset to the stack and code bases each time a program runs. This makes it harder for an attacker to know the address of particular pieces of code.

Question 13

How does do stack canaries protect against buffer overflow attacks?

Answer 13

A stack canary is a random value from the heap that is written to the base of the stack. When the function finishes the value on stack is compared to the value on the heap, if they are different the program crashes.

Question 14

What is use after free?

Answer 14

This is when a memory address is freed by a program and then the program accesses the address later. This allows another program to gain control of the memory address and change the value stored there.

Question 15

What is double free?

Answer 15

When the same memory address is freed twice, which means it will be reallocated twice. Which means 2 variables later in the program may point to the same address.

Question 16

Where do canaries go on the stack?

Answer 16

Before the old stack base pointer and instruction pointer

Question 17

What is a format string vulnerability?

Answer 17

There is no check in the number of % signs in a string inputted by the user. You can then input a string with many %p to get register values and values from the stack.

Question 18

What is a return to libc attack?

Answer 18

The standard c library is almost always loaded. It contains many useful functions that can be pointed to, such as system, that allows you to run any command.

Question 19

In x64 calls to libc what must you remember?

Answer 19

The RSP must end with 0

Question 20

What is a ROP attack?

Answer 20

When you chain together instruction pointer values in the stack that point to single instructions in the text to allow arbitrary code execution.