A stack overflow (stack-based buffer overflow) is a type of buffer overflow vulnerability. When we pour more water into a glass than its capacity, the water spills or overflows; similarly, when we enter more data into a buffer than its capacity, the data overflows into adjacent memory locations, causing the program to crash. This is known as a buffer overflow [1].
The stack has a Last-in, First-out (LIFO) design, which means that we can only pop the last argument we pushed on the stack.
Example:
Imagine someone wants to put 20 bytes of data into a buffer that has only been allocated 8 bytes of space. That type of action is allowed, even though it will most likely cause the program to crash. We can see that the 20 bytes we sent overwrote the other existing values. The program will crash because the function will try to return to the address saved in eip, which is 0x1234565, but this value no longer exists. This is known as a buffer overrun or buffer overflow, since the extra 12 bytes of data overflow and spill out of the allocated memory, overwriting whatever happens to come next. If a critical piece of data is overwritten, the program will crash.
If we determine exactly the number of bytes we have to send before reaching eip/rip, we will be able to place a shellcode after this string for the program to execute. Or, if we calculate our input precisely, we can place a valid address in the location of eip, so that after the buffer is overwritten the function will return to the address we have put there.
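As an added illustration in C (not code from the writeup or the HTB module), the 20-bytes-into-8 scenario from a defender's side: the first function copies whatever length the caller passes into an 8-byte stack buffer, the second carries the destination size with the buffer and rejects input that does not fit. The function names and the 'A'/'B' payloads are my own constructed choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the writeup or the HTB module. It contrasts an
 * unbounded copy into an 8-byte stack buffer (the scenario in the text) with
 * a length-checked copy that rejects oversized input. */

/* Vulnerable pattern: trusts the caller's length. When len > 8 the memcpy
 * keeps writing past buf into the saved frame pointer and the saved return
 * address (eip/rip), which is exactly the overwrite described above. */
int vulnerable_copy(const char *input, size_t len) {
    char buf[8];
    memcpy(buf, input, len);      /* no check against sizeof(buf) */
    return buf[0];                /* first byte, so the copy is observable */
}

/* Hardened pattern: the destination size travels with the buffer and the copy
 * is refused when the input does not fit. Returns 0 on success, -1 on reject. */
int safe_copy(char *dst, size_t dst_len, const char *input, size_t len) {
    if (len > dst_len) {
        return -1;                /* would overflow: reject, never truncate silently */
    }
    memcpy(dst, input, len);
    return 0;
}

/* Replays the 20-bytes-into-8 scenario with the hardened copy. */
int store_20_bytes_safely(void) {
    char buf[8];
    char payload[20];
    memset(payload, 'A', sizeof(payload));   /* constructed 20-byte input */
    return safe_copy(buf, sizeof(buf), payload, sizeof(payload));  /* -1 */
}

/* In-bounds input (8 bytes into 8) is accepted by both routines. */
int store_8_bytes(void) {
    char buf[8];
    char payload[8];
    memset(payload, 'B', sizeof(payload));   /* constructed 8-byte input */
    if (vulnerable_copy(payload, sizeof(payload)) != 'B') return -2;
    return safe_copy(buf, sizeof(buf), payload, sizeof(payload));  /* 0 */
}

int main(void) {
    printf("20 bytes into 8 (hardened): %d\n", store_20_bytes_safely());
    printf("8 bytes into 8: %d\n", store_8_bytes());
    return 0;
}
```

The vulnerable routine is only ever called with in-bounds input here; with stack canaries enabled an oversized call would abort with a stack-smashing message instead of silently returning to an attacker-chosen address.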
The buffer overflow attack is defined by 6 steps:
- Crash the binary
- Take control of eip/rip
- Determine the length of our shellcode
- Identify the bad characters
- Generate the shellcode
- Identify the return address
All these steps are explained here.
This vulnerability can be more or less difficult to exploit depending on the protections applied to the binary. The protections can be:
- Canaries
- Address Space Layout Randomization (ASLR)
- Data Execution Prevention (DEP)
- No eXecute (NX), the Linux equivalent of DEP
- Relocation Read-Only (RELRO)
- Position Independent Executable (PIE)
This is a writeup of the Stack-Based Buffer Overflows on Linux x86 module of HackTheBox Academy. The module was made by Cry0l1t3. In this writeup you will learn how I exploit a binary with a simple stack-based buffer overflow, without any mitigation bypass required, and maybe learn new things about stack-based buffer overflows.
- Skill Assessment
- Stack Based Buffer Overflow
- Take Control of EIP
- Determine the length of shellcode
- Identification of bad characters
- Generating shellcode
- Reverse shell
Assembly:
- https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#x86_64-64_bit
- https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture
- https://cs.lmu.edu/~ray/notes/nasmtutorial/
- https://www.nasm.us/xdoc/2.15.05/html/nasmdoc0.html
- https://guyinatuxedo.github.io/01-intro_assembly/assembly/index.html
- https://www.youtube.com/watch?v=VQAKkuLL31g&list=PLetF-YjXm-sCH6FrTz4AQhfH6INDQvQSn
- https://www.tutorialspoint.com/assembly_programming/assembly_introduction.htm
- https://riptutorial.com/assembly
- https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf
C (GNU linux system):
ROP techniques to bypass mitigations:
- ret2mprotect: call sys_mprotect (NX)
- ret2libc (NX)
- call sys_execve with /bin/sh argument (NX and ASLR)
A couple of the images you have seen in the writeup are provided by the HTB Academy website, and the buffer images were modified by me to illustrate what I was doing.
Academy, H. T. B. (n.d.). HTB Academy : Cyber security training. Cyber Security Training : HTB Academy. Retrieved December 14, 2021, from https://academy.hackthebox.com/module/details/318
Copyright © Birby 2022. The Stack-Based-Buffer-Overflows by B1rby is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Footnotes
[1] Thakur, A. S. (2019, December 4). Stack overflow vulnerability. Hacker Noon. Retrieved December 14, 2021, from https://hackernoon.com/stack-overflow-vulnerability-xou2bbm