Re: Patch 4/6 randomize the stack pointer

Thu, 27 Jan 2005 12:21:14 -0800 

In other words, no :)

Here's self-exploiting code to discover its own return address offset
and exploit itself.  It'll lend some insight into how this stuff works.

Just a toy.

Arjan van de Ven wrote:
> On Thu, 2005-01-27 at 14:19 -0500, linux-os wrote:
> 
>>Gentlemen,
>>
>>Isn't the return address on the stack an offset in the
>>code (.text) segment?
>>
>>How would a random stack-pointer value help? I think you would
>>need to start a program at a random offset, not the stack!
>>No stack-smasher that worked would care about the value of
>>the stack-pointer.
> 
> 
> the simple stack exploit works by overflowing a buffer ON THE STACK with
> a "dirty payload and then also overwriting the return address to point
> back into that buffer.
> 
> (all the security guys on this list will now cringe about this over
> simplification; yes reality is more complex but lets keep the
> explenation simple for Richard) 
> 
> pointing back into that buffer needs the address of that buffer. That
> buffer is on the stack, which is now randomized.
> 
> 
> 

-- 
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.


#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int payload();
int exploit(char *d);


int main() {
        int distance;
        char a[512] = {0};
        distance = exploit(NULL);
        memset(a, 0xFF, distance);
        /*Get our payload address*/
        *(void**)(a + distance) = &payload;
        *(void**)(a + distance + sizeof(void*)) = 0; /*cap*/
        /*exploit the payload*/
        exploit(a);
        /*we never reach this*/
        return 255;
}

/*
 * exploit()
 * This overflows its own buffers and causes the return to jump to payload()
 */
int exploit(char *d) {
        char a[400] = {0};
        void *i;
        int distance = 0;
        char payld[sizeof(void*) + 1];
        void *myret;
        void *z;

        if (!d) {
                myret = __builtin_return_address(0);
                /*find the distance between a and myret*/
                for (i = (void*)a; *(void**)i != myret; i++) {
                        distance++;
                }
                return distance;
        }
        /*We're passed a d buffer, so strcpy it unsafely*/
        strcpy(a,d);
        /*Return to payload()*/
        return 1;

}

int payload() {
        printf("Payload executed successfully!\n");
        /*0:  Unsafe; successful exploit*/
        _exit(0);
}

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to