Buffer Overflow Prep
Learning practical bufof
Last updated
Learning practical bufof
Last updated
A stack is a limited access data structure – elements can be added and removed from the stack only at the top. It works on LIFO(last-in-first-out) principle.
Stack supports two operations push and pop. Push: Adds an item to the top of the stack. Pop: Removes an item from the top of the stack.
Stack can be visualised as:
Text: Contains program code to be executed. Data: Contains global information for program. Stack: Contains function parameters, return addresses and the local variables of the function are stored. It’s a LIFO structure. It grows downward in memory (from higher address space to lower address space) as new function calls are made.
EIP instruction pointer
ESP stack pointer
EBP base pointer
ESI source index
EDI destination index
EAX accumulator
EBX base
ECX counter
EDX data
EBP points to higher memory address at the bottom of the stack.
ESP points to the top of the stack at lower memory location.
EIP holds the address of next instruction to be executed. Our prime focus is on EIP register since we need to hijack execution flow. EIP read only register, so we cannot assign the memory address of the instruction to be executed to it.
In programming, Prologue is what happens at the beginning of a function. Its responsibility is to set up the stack frame of the called function. "Machine" allocates multiple blocks to a thread and assigns pointer to ensure flow. Let's call it the execution model.
128 bytes get reserved for myVar variable
An EBP address is saved in the immediate next block
EIP address is saved in the immediate next block which points to the next instruction
Pointer to CLI input (irrelevant to our cause)
ESP => Always points to the top of stack
When strcpy() runs, it starts writing data downwards like this:
Now, when we input data > 128 bytes, buffer gets overflowed
VERY IMPORTANT: The prologue is what happens at the beginning of a function. Its responsibility is to set up the stack frame of the called function. The epilogue is the exact opposite: it is what happens last in a function, and its purpose is to restore the stack frame of the calling (parent) function.
Here, after the input has been taken, epilogue makes the ESP move/point to the location stored in EIP (Saved EIP block). And through our input buffer, we have the control of EIP! This is the basis of stack based buffer overflow!
Now that we have access to EIP, we can use this to manipulate ESP into running our code. We will add our shellcode to a location where ESP directly points at. Windows binaries utilise DLLs that have various instructions. "JMP ESP" is a fairly common assembly instruction that makes an ESP point to these intructions for a program to work efficiently.
What we will do? => Since we have control of the EIP, we can make EIP point to the address of JMP ESP and add our shellcode to this location in order for ESP to execute it.
NOPSled => During execution, addresses may move slightly here and there due to unprecedented errors. Therefore we add some No Operations (OPCode =>\x90) which means do nothing and move to the next bye. That will make a slide for the ESP. Wherever ESP lands on this NOPSled, it will eventually reach our shellcode and execute it.
Now, practical demonstration can be found here:
BONUS: In recent GCC compilers, there is a default protection mechanism for buffer overflows hence, to compile your vulnerable binary use this command:
Here, C program's name is overflow.c and output binary is bufferoverflow
gcc -g -fno-stack-protector -z execstack -o bufferoverflow overflow.c