Episode 15 – And BOOM goes the dynamic input
Memory addresses are used as references all throughout programming. Remember that the Stack Frame Pointer and the Instruction Pointer are both just addresses, and addresses are also used to reference variables all over the place without keeping copies of the values everywhere.
Speaking of memory, one thing to keep in mind is the order in which the bytes of a value are written to memory on common architectures like AMD and Intel CPUs. It's called little endian, and it means things are somewhat backwards from what we're used to: if you put ABCD into a multi-byte value, it first gets translated into hexadecimal (x41, x42, x43, x44) and then stored from the last byte towards the first, so DCBA, or more accurately x44, x43, x42, x41.
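As an added example (not part of the episode notes), the C below writes the 32-bit value 0x41424344 (ABCD in ASCII) to memory and reads the bytes back in memory order, so you can see the x44, x43, x42, x41 layout for yourself. It assumes a little-endian host such as x86 or x86-64; `memory_order`, `is_little_endian` and `read_le32` are names chosen here for illustration. `read_le32` also shows the habit that matters for parsers: decode multi-byte fields explicitly instead of casting a pointer and hoping the host's byte order matches the data's.

```c
/* Added example: how a 4-byte value is laid out on a little-endian CPU. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy the raw bytes of a 32-bit value, in memory order, into out[4]. */
void memory_order(uint32_t value, unsigned char out[4]) {
    memcpy(out, &value, sizeof value);
}

/* Returns 1 if this machine stores the least-significant byte first. */
int is_little_endian(void) {
    uint32_t probe = 0x01020304u;
    unsigned char b[4];
    memory_order(probe, b);
    return b[0] == 0x04;
}

/* Read 4 bytes as a little-endian integer regardless of host byte order.
 * This is the portable way to decode a wire or file format field. */
uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

int main(void) {
    uint32_t abcd = 0x41424344u;   /* 'A' 'B' 'C' 'D' packed into one integer */
    unsigned char b[4];
    memory_order(abcd, b);
    printf("host is %s-endian\n", is_little_endian() ? "little" : "big");
    printf("0x%08X in memory: ", abcd);
    for (int i = 0; i < 4; i++) printf("%02X ", b[i]);   /* 44 43 42 41 on x86 */
    printf("\nread back as LE: 0x%08X\n", read_le32(b));
    return 0;
}
```

Note that this only concerns multi-byte values: a character array holding the string "ABCD" is stored as x41, x42, x43, x44 in that order on every architecture, because each character is a single byte.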
Since we're going to talk about buffers first, it's good to keep in mind that a string of characters doesn't stop getting read until there's a carriage return, which gets interpreted as the null character that marks the end of the string.
Buffer overflow in depth: it runs at the level of privilege of the vulnerable app. A buffer is allocated and never checked to see whether it's been exceeded, so the excess overwrites whatever comes next in memory. That can be another variable or it can be a piece of executable code; both can have bad effects.
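As an added example (not from the episode notes), the C below puts a fixed-size buffer directly in front of another variable and fills it twice: once with an unchecked copy, so you can watch the neighbouring field get clobbered, and once with a bounds-checked copy that rejects input too long to fit with its null terminator. The "memory" is the raw bytes of a `struct`, so the overwrite is visible without relying on undefined behaviour; the 12-byte input is constructed for the demo, and `struct record`, `copy_unchecked`, `copy_checked` and `visible_length` are names chosen here, not from any real project.

```c
/* Added example: an unchecked copy beside its bounds-checked replacement. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct record {
    char name[8];    /* the buffer the input is meant to land in */
    int  is_admin;   /* whatever happens to sit right after it in memory */
};

/* Unchecked copy: writes every input byte starting at the buffer, spilling
 * past name[] into is_admin when the input is longer than the buffer. */
void copy_unchecked(struct record *r, const char *input, size_t len) {
    unsigned char *mem = (unsigned char *)r;
    if (len > sizeof *r) len = sizeof *r;   /* keep the demo inside the struct */
    memcpy(mem, input, len);
}

/* Checked copy: refuses anything that does not fit together with its null
 * terminator, so the neighbouring field is never touched.
 * Returns 0 on success, -1 if the input was rejected. */
int copy_checked(struct record *r, const char *input, size_t len) {
    if (len >= sizeof r->name) return -1;   /* need room for len bytes + '\0' */
    memcpy(r->name, input, len);
    r->name[len] = '\0';                    /* terminator marks the end of the string */
    return 0;
}

/* Length as a C string routine sees it: count up to the null byte, but never
 * run past the end of the buffer if the terminator is missing. */
size_t visible_length(const struct record *r) {
    size_t n = 0;
    while (n < sizeof r->name && r->name[n] != '\0') n++;
    return n;
}

int main(void) {
    /* constructed input: 12 bytes, longer than the 8-byte buffer */
    const char input[] = "AAAAAAAAAAAA";
    struct record a = { "guest", 0 };
    struct record b = { "guest", 0 };

    copy_unchecked(&a, input, strlen(input));
    printf("unchecked: is_admin = 0x%08X (clobbered), name has no terminator\n",
           (unsigned)a.is_admin);

    int rc = copy_checked(&b, input, strlen(input));
    printf("checked:   rc = %d, is_admin = %d, name = \"%.8s\"\n",
           rc, b.is_admin, b.name);
    return 0;
}
```

The checked version is also a reminder of the null-terminator rule: a buffer of 8 bytes holds at most 7 characters of input, and the `>=` in the size check is what reserves the last byte for the `'\0'`.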
References:
Little Endian: https://people.cs.umass.edu/~verts/cs32/endian.html
Stack based buffer overflow: https://insecure.org/stf/smashstack.html
Heap based buffer overflow: https://cwe.mitre.org/data/definitions/122.html
NOP sled: https://en.wikipedia.org/wiki/Buffer_overflow#NOP_sled_technique
ASLR and NX bit protection: https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work
Return to LibC and ROP: https://stackoverflow.com/questions/5568538/do-canaries-prevent-return-into-libc-and-return-oriented-programming-attacks
Microsoft BlueHat prize: https://www.microsoft.com/security/bluehatprize/
Jump Oriented Programming: https://www.comp.nus.edu/~liangzk/papers/asiaccs11.pdf
Format Strings: https://www.owasp.org/index.php/Format_string_attack
Null pointer dereferencing:
Off by one: https://www.exploit-db.com/wp-content/themes/exploit/docs/28478.pdf