Buffer overflow
===Stack-based exploitation===
{{Main|Stack buffer overflow}}
There are several ways in which one can manipulate a program by exploiting stack-based buffer overflows:
* Changing program behavior by overwriting a local variable located near the vulnerable buffer on the stack;
* Overwriting the return address in a [[stack frame]] to point to code selected by the attacker, usually called the [[shellcode]]. Once the function returns, execution will resume at the attacker's shellcode;
* Overwriting a [[function pointer]]<ref>{{cite web |url=http://www.securityfocus.com/archive/1/462728/30/150/threaded |title=CORE-2007-0219: OpenBSD's IPv6 mbufs remote kernel buffer overflow |access-date=2007-05-15}}</ref> or [[exception handler]] to point to the shellcode, which is subsequently executed;
* Overwriting a local variable (or pointer) of a different stack frame, which will later be used by the function that owns that frame.<ref>{{cite web |url=http://packetstormsecurity.com/files/download/121751/ModernOverflowTargets.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://packetstormsecurity.com/files/download/121751/ModernOverflowTargets.pdf |archive-date=2022-10-09 |url-status=live |title=Modern Overflow Targets |access-date=2013-07-05}}</ref>

The attacker designs data to cause one of these exploits, then places this data in a buffer that the vulnerable code exposes to user input. If the address of the user-supplied data that triggers the stack buffer overflow is unpredictable, exploiting a stack buffer overflow to cause remote code execution becomes much more difficult.

One technique that can be used to exploit such a buffer overflow is called "[[trampolining (computing)|trampolining]]". Here, an attacker will find a pointer to the vulnerable stack buffer and compute the location of their [[shellcode]] relative to that pointer. The attacker will then use the overwrite to jump to an [[Opcode|instruction]] already in memory which will make a second jump, this time relative to the pointer. That second jump will branch execution into the shellcode. Suitable instructions are often present in large code. The [[Metasploit Project]], for example, maintains a database of suitable opcodes, though it lists only those found in the [[Windows]] operating system.<ref>{{cite web|url=http://metasploit.com/users/opcode/msfopcode.cgi |title=The Metasploit Opcode Database |access-date=2007-05-15 |url-status=dead |archive-url=https://web.archive.org/web/20070512195939/http://www.metasploit.com/users/opcode/msfopcode.cgi |archive-date=12 May 2007 }}</ref>
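The frame layout behind the first two bullets (a buffer, the local variable next to it, and the saved return address) can be made concrete with a model rather than a real overflow. The following is an added example, not part of the article: it lays a constructed frame out as a struct, contrasts an unchecked copy with a length-checked one, and includes a constructed canary slot so the reader can see which slots an overlong write clobbers and how a stack-protector check notices it. All names, offsets and values here are assumptions of the model, not a compiler's actual layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of one stack frame: buffer, neighbouring local, canary,
 * then the saved return address. Real compilers may order frames differently. */
typedef struct {
    char     buf[16];
    uint32_t is_admin;     /* local variable next to the buffer */
    uint32_t canary;       /* guard value checked before the function returns */
    uint64_t return_addr;  /* saved return address of the caller */
} frame_model;
#define CANARY_VALUE 0x2b1cd4e9u    /* constructed; a real canary is random */
#define CALLER_ADDR  0x00400a10ULL  /* constructed placeholder address */
static void frame_init(frame_model *f) {
    memset(f, 0, sizeof *f);
    f->canary = CANARY_VALUE;
    f->return_addr = CALLER_ADDR;
}

/* Unchecked copy, like strcpy with an attacker-chosen length: bytes past buf
 * spill into is_admin, the canary, then return_addr. The clamp only keeps
 * the model inside its own object. */
static void unchecked_copy(frame_model *f, const uint8_t *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((uint8_t *)f, src, n);
}

/* Bounds-checked copy: refuse input that does not fit, leave the frame alone. */
static int checked_copy(frame_model *f, const uint8_t *src, size_t n) {
    if (n > sizeof f->buf) return -1;
    memcpy(f->buf, src, n);
    return 0;
}

/* The check a compiler-inserted epilogue performs: 1 = intact, 0 = smashed. */
static int frame_intact(const frame_model *f) {
    return f->canary == CANARY_VALUE;
}

/* Copy n bytes of 0x41 ('A') into a fresh frame with either copier and
 * return the frame so each slot can be inspected. */
static frame_model run_copy(size_t n, int checked) {
    uint8_t input[64];
    frame_model f;
    memset(input, 0x41, sizeof input);
    if (n > sizeof input) n = sizeof input;
    frame_init(&f);
    if (checked) checked_copy(&f, input, n); else unchecked_copy(&f, input, n);
    return f;
}
```

With 20 bytes the unchecked copy silently flips `is_admin` while the canary is still intact, which is why an adjacent-variable overwrite can go undetected; only once the write reaches the canary does the epilogue check fail.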