
Exploitation, Stack Protection, and Randomized Addresses

1 reply to this topic

#1 0mega24


    DDP Fan club member

  • Members
  • 50 posts
  • Location: Where it's way too goddamn cold.

Posted 20 March 2009 - 10:42 AM

Hi Guys!
Recently I've been working through "Hacking: The Art of Exploitation, 2nd Ed.", an awesome book I would recommend to anyone interested in learning the nuts and bolts of hacking. I've been working on learning stack-based buffer overflows, which, for those who are not familiar, is when you find a buffer which does not check its bounds and write to it data much larger than itself, the goal being to overwrite either a function pointer or the EIP register with an address to some shellcode stored in an environment variable. I still have a lot of work and practice to do, but when trying it in my Ubuntu installation on my eee I learned a couple of sad things.

First, gcc now by default implements stack protection in all of its compiled programs. It does this by inserting a "canary" value into the stack, and if it gets overwritten the program complains and terminates. If there was some way to figure out what this value was in advance, and its location, I could just overwrite it with its own value and everything would be hunky-dory. But even after researching it, I still have no idea how to do that.

Also, I guess the new Linux kernels randomize the address space upon executing the program, which I admit is a goddamn clever idea, but it obviously presents some difficulties if you want to overflow that particular program. I also have no idea how to circumvent this. I suspect it's much easier on 32-bit systems than 64-bit, but even then, I still have no clue what to do with that.

So guys, any suggestions on reading for these subjects?
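A toy model of the canary mechanism the post describes, added here as an example (it is not code from the book or from the poster): the "frame" is a struct rather than a real stack frame, so the demonstration stays within defined behaviour while still showing that a copy which runs past the buffer clobbers the guard and is caught, whereas a copy that stays inside the buffer is not. `BUF_LEN`, `CANARY_VALUE` and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
#define CANARY_VALUE 0xA5C3F00DU  /* constructed constant; a real stack protector picks a random one at process start */

/* Model of a stack frame: the fixed-size buffer sits directly below the guard value,
 * as the canary sits between local buffers and the saved return address in gcc's layout. */
struct frame {
    char buf[BUF_LEN];
    uint32_t canary;
};

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
}

/* The epilogue check gcc inserts: 1 if the guard survived, 0 if it was clobbered. */
int canary_intact(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* A copy with no bounds check, modelled on strcpy into a 16-byte buffer. It is clamped to
 * the struct so the demonstration never writes outside it (keeping the behaviour defined),
 * but nothing stops it from running past buf into the canary. */
int unchecked_copy_detected(const char *src, size_t n) {
    struct frame f;
    frame_init(&f);
    if (n > sizeof f) n = sizeof f;
    memcpy((unsigned char *)&f, src, n);
    return !canary_intact(&f);   /* 1 means the stack protector would abort here */
}

/* The bounds check whose absence the post describes. Returns -1 if the input does not fit
 * together with its terminator, 0 if it was copied and the canary is still intact. */
int checked_copy(const char *src, size_t n) {
    struct frame f;
    frame_init(&f);
    if (n >= BUF_LEN) return -1;
    memcpy(f.buf, src, n);
    f.buf[n] = '\0';
    return canary_intact(&f) ? 0 : 1;
}

int main(void) {
    const char *a = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed input: 24 bytes of 'A' */
    printf("12 bytes, unchecked: detected=%d\n", unchecked_copy_detected(a, 12)); /* 0 */
    printf("20 bytes, unchecked: detected=%d\n", unchecked_copy_detected(a, 20)); /* 1 */
    printf("20 bytes, checked:   result=%d\n", checked_copy(a, 20));              /* -1 */
    return 0;
}
```

Note that the canary only catches writes that reach it: the 12-byte copy is silently accepted, which is why the length check, not the canary, is the actual fix.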

#2 G-Brain


    mad 1337

  • Members
  • 127 posts
  • Gender:Male
  • Country:

Posted 20 March 2009 - 01:02 PM

For address space layout randomization:

ASLR Smack & Laugh Reference
