EP015

Episode 15 – And BOOM goes the dynamic input

Memory addresses are used as references all throughout programming. Remember that the Stack Frame Pointer and the Instruction pointer, and also used to reference variables all over without having copies of the values everywhere.

Speaking of memory, one thing to keep in mind is the order of things written to memory on common architectures like AMD and Intel CPUs is called little endian , and means it’s somewhat backwards from what we’re used to. if you put ABCD, it first gets translated into hexadecimal (x41, x42, x43, x44) and then stored from last character towards first, so DCBA or more accurately x44, x43, x42, x41

Since we’re going to talk about buffers first, it’s good to keep in mind that strings of characters don’t stop getting read until there’s a character return, which gets interpreted as a null character.

 

Buffer overflow in depth – run at level of privilege of app vulnerable. Buffer is allocated and not checked to see if it’s exceeded, which overwrites whatever comes next. This can be another variable or it can be a piece of executable code, both can have bad effects.

 

References:

Little Endian:http://people.cs.umass.edu/~verts/cs32/endian.html

Stack based buffer overflow: http://insecure.org/stf/smashstack.html

Heap based buffer overflow: http://cwe.mitre.org/data/definitions/122.html

NOP sled: http://en.wikipedia.org/wiki/Buffer_overflow#NOP_sled_technique

ASLR and NX bit protection: http://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work

Return to LibC and ROP: http://stackoverflow.com/questions/5568538/do-canaries-prevent-return-into-libc-and-return-oriented-programming-attacks

Microsoft BlueHat prize: http://www.microsoft.com/security/bluehatprize/

Jump Oriented Programming: http://www.comp.nus.edu/~liangzk/papers/asiaccs11.pdf

Format Strings:https://www.owasp.org/index.php/Format_string_attack

Null pointer dereferencing:

http://stackoverflow.com/questions/12645647/what-happens-in-os-when-we-dereference-a-null-pointer-in-c

Off by one: http://www.exploit-db.com/wp-content/themes/exploit/docs/28478.pdf

 

Leave a Comment