Stack Buffer Overflow
Thread Owner: Houga, Category: Everything Coding, 3 Comments, 101 Reads
08-10-2014, 11:19 PM
#1
Stack Buffer Overflows are an incredibly common attack and have only gained popularity as programmers, for some reason, refuse to sanitize user input. Though it is not considered to be a buffer overflow attack, the recent Heartbleed vulnerability used unsanitized user input as code thus allowing the user to provide core data used by the program.
Stack Buffer Overflows occur when more data is written to an object than originally allocated. The data then leaks into other parts of adjacent data. This will eventually reach the return address portion. Once the return address is controlled by the user, he can use it to jump to any point in memory accessible by the program. There are many forms of mitigation of buffer overflow attacks such as ASLR (Address Space Layout Randomization), NX (Non-executable Stack), and DEP (Data Execution Prevention). Though they may hinder an attacker's success, they each have their problems and are far from being impenetrable. The following is an example of a stack buffer overflow:

Code:
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: demonstrates the overflow described in this post. */
int main(void){
     printf("Enter a string: ");
     char str[25]; //allocates 25 bytes on stack
     scanf("%s", str); //allows for undetermined length of input
     printf("You said '%s'\n", str);
     return 0;
}
As you can see, 25 bytes were allocated on the stack for the variable 'str'. Upon asking for user input, the user is able to provide much more than 25 bytes (essentially unlimited). The data is written to str and continues by overwriting the return address. Oftentimes the return address provided by a string is invalid (For example, if the string “ABCD” is in the return address, it will attempt to return to 0x41424344 which is an invalid address). This may, however, be tailored to meet the attacker's needs. A common place to store code is in the variable itself in the ESP space.

-H
Houga@entropy.cat
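
Added example, not part of the original post: a bounded replacement for the scanf("%s", str) call shown above, which never writes past the 25-byte buffer and reports when input was cut short. The names read_line_bounded, read_from_text and read_status are made up for this illustration, and the input strings are constructed samples.

```c
#include <stdio.h>
#include <string.h>

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = -1 };

/* Read one line into dst, writing at most cap bytes including the NUL.
 * Excess input on an over-long line is discarded so that it is not
 * picked up by the next read. */
enum read_status read_line_bounded(FILE *in, char *dst, size_t cap)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return READ_EOF;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';          /* whole line fit */
        return READ_OK;
    }
    /* No newline stored: the input ended, or the line did not fit. */
    int c, dropped = 0;
    while ((c = getc(in)) != '\n' && c != EOF)
        dropped = 1;
    return dropped ? READ_TRUNCATED : READ_OK;
}

/* Demo helper (hypothetical): feeds a constructed string through a temp
 * file in place of text typed on stdin. */
enum read_status read_from_text(const char *text, char *dst, size_t cap)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return READ_EOF;
    fputs(text, f);
    rewind(f);
    enum read_status st = read_line_bounded(f, dst, cap);
    fclose(f);
    return st;
}

int main(void)
{
    char str[25];                     /* same 25-byte buffer as the post */
    /* Constructed input: 40 bytes, more than str can hold. */
    enum read_status st = read_from_text(
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA\n",
        str, sizeof str);
    printf("status=%d, kept %zu of 40 bytes\n", (int)st, strlen(str));
    return 0;
}
```

In the original program the call would be read_line_bounded(stdin, str, sizeof str); a width-limited scanf("%24s", str) also bounds the write but gives no truncation signal.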
08-11-2014, 11:28 AM
#2
Also didn't know about this, thanks for posting.
08-26-2014, 04:57 PM
#3
Why didn't you show us how to execute a buffer overflow attack?
09-01-2014, 05:10 AM
#4
How to hack is blackhat, which isn't something the forum allows unless provided permission, or I think there is an upgraded section for it.

