1

I understand that overflow exploitation requires three steps:

1.Injecting arbitrary code (shellcode) into target process memory space.

2.Taking control over eip.

3.Set eip to execute arbitrary code.

I read ben hawkens articles about heap exploitation and understood few tactics about how to ultimatly override a function pointer to point to my code.

In other words, I understand step 2.

I do not understand step 1 and 3.

  1. How do I inject my code to the process memory space ?

  2. During step 3 I override a function pointer with a Pointer to my shellcode, How can I calculate\know what address Was my injected code injected into ? (This problem is solved In stackoverflow by using "jmp esp).

Improve this question

3 Answers 3

Reset to default
3

In a heap overflow, supposing that the system does not have ASLR activated, you will know the address of the memory chunks (aka, the buffers) you use in the overflow.

One option is to place the shellcode where the buffer is, given that you can control the contents of the buffer (as the application user). Once you have placed the shellcode bytes in the buffer, you only have to jump to that buffer address.

One way to perform that jump is by, for example, overwriting a .dtors entry. Once the vulnerable program finishes, the shellcode - placed in the buffer - will be executed. The complicated part is the .dtors overwriting. For that you will have to use the published heap exploiting techniques.

The prerequisites are that ASLR is deactivated (to know the address of the buffer before executing the vulnerable program) and that the memory region where the buffer is placed must be executable.

On more thing, steps 2 and 3 are the same. If you control eip, it's logic that you will point it to the shellcode (the arbitrary code).

P.S.: Bypassing ASLR is more complex.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

Step 1 requires a vulnerability in the attacked code. Common vulnerabilites include:

  • buffer overflow (common i C code, happens if the program reads an arbitrary long string into a fixed buffer)
  • evaluation of unsanitized data (common in SQL and script languages, but can occur in other languages as well)

Step 3 requires detailed knowledge of the target architecture.

Improve this answer

3 Comments

I understand. Can you please give me an example abouthow to find the shellcode address in case of heap overflow ?
No, I'm not in the habit of creating viruses, so I've never bothered to do it.
There are plenty of ways listed online. as an example. sometimes you can't control exactly where the eip goes to, so people use "nop sleds" with overwriting large quantities of memory ( search the term) with the hope that when they randomly switch the memory, they hit the nop sled sliding down to the exploit. Sometimes heap exploits ( not just overflow) can result in a arbitrary write 4 bytes.. ( so if you know the stack address you can just overwrite the returned eip). Heap exploits are a little more involved as an exploit compared to buffer overflows.
1

  1. How do I inject my code into process space?

    This is quite a statement/question. It requires an 'exploitable' region of code in said process space. For example, Windows is currently rewriting most strcpy() to strncpy() if at all possible. I say if possible

    because not all areas of code that use strcpy can successfully be changed over to strncpy. Why? BECAUSE ~@ of this crux in difference shown below;

    strcpy($buffer, $copied);

    or

    strncpy($buffer, $copied, sizeof($copied));

    This is what makes strncpy so difficult to implement in real world scenarios. There has to be installed a 'magic number' on most strncpy operations (the sizeof() operator creates this magic number)

    As coders' we are taught using hard coded values such as a strict compliance with a char buffer[1024]; is really bad coding practise.

    BUT ~ in comparison - using buffer[]=""; or buffer[1024]=""; is the heart of the exploit. HOWEVER, if for example we change this code to the latter we get another exploit introduced into the system...

    char * buffer;
char * copied;

strcpy(buffer, copied);//overflow this right here...

    OR THIS:

    int size = 1024;

char buffer[size];
char copied[size];

strncpy(buffer,copied, size);

    This will stop overflows, but introduce a exploitable region in RAM due to size being predictable and structured into 1024 blocks of code/data.

    Therefore, original poster, looking for strcpy for example, in a program's address space, will make the program exploitable if strcpy is present.

    There are many reasons why strcpy is favoured by programmers over strncpy. Magic numbers, variable input/output data size...programming styles...etc...

  2. HOW DO I FIND MYSELF IN MY CODE (MY LOCATION)

    Check various hacker books for examples of this ~

    BUT, try;

    label:
pop eax
pop eax
call pointer

jmp label
pointer:
mov esp, eax
jmp $

    This is an example that is non-working due to the fact that I do NOT want to be held responsible for writing the next Morris Worm! But, any decent programmer will get the jist of this code and know immediately what I am talking about here.

    I hope your overflow techniques work in the future, my son!

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.