Week 10 - Memory Based Attacks

Question 1

Where does the EIP point to?

Answer 1

The current instruction being executed in memory

Question 2

Where does the ESP point to?

Answer 2

The top of the stack

Question 3

Where does the EBP point to?

Answer 3

The base of the current stack frame

Question 4

What happens in the stack when a function is called?

Answer 4

The current EIP and current EBP values are pushed onto the stack. A new stack frame is created at the top of the stack.

Question 5

What is the NX-bit defence against buffer overflow attacks?

Answer 5

The NX-bit provides a hardware distinction between the text and the stack. If the EIP ever points to the stack the program crashes. This makes it so data in memory can either be executable, or be read/written from/to, but it can not be both.

Question 6

What is one way of getting around the NX-bit?

Answer 6

To find code in the text you want to execute (such as open the shell), and use a buffer overflow attack to make the EIP point to that code.

Question 7

How does a buffer overflow attack work?

Answer 7

Write data into a buffer so that the data overflows into the EIP and EBP values stored on the stack. When the current function finishes executing, the overwritten EIP and EBP values will be loaded. This makes it possible to change where the code will resume from.