Re^4: Finding stack addresses

I could go into a lot of detail here, but I guess it would be mostly off-topic.

However generally a successful buffer overflow attack requires two things:

A static buffer (keeping things simple) being overwritten such that a function return address on the stack can be modified.
A piece of shellcode somewhere in the processes address-space.

Once you've written past the end of the buffer to be overflowed, and modified the saved "return address" value you want to write the address of your shellcode there. The net result is that once the buffer is overflown your own code gets executed, and you win!

Traditionally this is done by saving the code to execute in an environmental variable - which will exist in all processes spawned by a parent shell, and which won't move around.

So the process becomes:

run /bin/sh
setup the $EGG variable via "export EGG=shellcode..." (remember that environmental variables can contain binary data)
Construct an overly long argument/parameter/fileinputand feed it to your vulnerable program - attempting to cause the overritten return address/EIP to be set to getenv( "EGG")
Profit!

Or you could cheat and use a pre-made tool to do all the work ..

Steve
--

Comment on Re^4: Finding stack addresses

Replies are listed 'Best First'.
Re^5: Finding stack addresses by Joost (Canon) on Sep 18, 2006 at 21:24 UTC
Oh, interesting. I always assumed that environment variables were copied instead of passed on directly. In any case, Devel::Peek should be up to the job, I think. "What should it profit a man, if he should win a flame war, yet lose his cool?"	[reply]