Buffer overflow on the Stack.
Before we jump right into the subject there are some pre-requirements you should know. The ram (memory) is separated into two areas: The kernel Space is where the kernel (i.e., the core of the operating system) executes (i.e., runs) and provides its services, The user space has different areas itself . The stack has registers dealing with our function such as the EIP (Extended instruction pointer), pointing into the return address of the function, in other words it points to the instruction it should be executed after the function ends.ESP (Extended stack pointer) points at the beginning of the stack. We find also in the stack call functions that calls the function’s parameters, and most importantly we find the static memory allocation, that means if a programmer knows how much data he needs before compiling the program he might make a static allocation(char buf[12]). Variables allocated on the stack are stored directly to the memory and access to this memory is very fast. The stack has a LIFO (last in first out) structure, the most recently reserved block is always the next block to be freed. This makes it really simple to keep track of the stack, freeing a block from the stack is nothing more than adjusting one pointer. the stack grows from memory with high addresses to low addresses. The heap made for dynamic memory allocation and limited by the size of virtual memory (malloc in C programmig) . The heap grows from low addresses to higher addresses on the ram. The data are where our initialized and uninitialized variables are (int a=5, int b ). The text segment contains executable instructions.
In this article I’ll be focusing on the buffer overflow that happens on the stack area.
The stack buffer overflow happens when the program allocates a static memory, and paste the user’s input into that static allocation without sanitization. So, if the user exceeds the space allocated, he’ll get access to some dangerous registers which in particular in the stack is the EIP which executes instructions. So if the attacker knows exactly the allocation of the EIP, he could point it into some malicious code that will get executed.
You will need kali linux, and brainpan from vulnhub. I’ll post a video on how to set up the lab environment afterwards on my Twitter (link bellow) .
The headlines of this lab are: Fuzzing and finding the offset, which basically consists of sending the program a large amount of bytes untill it crushes, and we know exactly where it crashes. Controlling the EIP, that means we know the allocation of the EIP so we could use it to point into some malicious code. Finding bad characters, those are characters that breaks our payload. Then, we ll search for some function that will jump back to the begining of our stack, we will generate our payload. Last but not least we will own the program.
Make sure to follow me on twitter, where I’ll be posting videoes of the lab. And, feel free to ask me questions there.
https://twitter.com/YoussefIchioui
