0

Is it possible to do a buffer overflow (assuming no modern stack defenses like canaries, aslr, non-executable stack, etc. are on) by chaining stacks together? I tried to draw a diagram below to show what I mean:

(Edited; low address)

buffer A + ebp (8 bytes)

return address A

random memory (assume 40 bytes)

buffer B + ebp (40 bytes)

return address B

(high address)

Can I craft a payload like the following?
'A' * 8 + hex value for the start of buffer B + '\x90' * 50 + shellcode (assume 20 bytes)
The idea is that I return into a portion of the stack containing a nop sled and shellcode.

If I can execute the payload above, then as a follow up, what if I drop into random memory instead of buffer B? Will the nop sled carry me to my shellcode? Thank you!!!

Improve this question
3
  • The return address can't be at the start, that's not where the saved return address is on the stack. I don't understand what "chaining" you're talking about here; that sounds like just overwriting a return address normally to return into somewhere near your exploit payload, with the nop sled covering that area. If you know the approximate absolute address of the buffer, you know where to point the return address to hopefully hit inside the not sled. Commented Mar 13, 2021 at 10:30
  • Or is your diagram upside down, with lower addresses at the top? Commented Mar 13, 2021 at 10:31
  • I should have made it clear; lower addresses are at the top of the stack, and high addresses are at the bottom. Commented Mar 13, 2021 at 15:52

1 Answer 1

Reset to default
1

This is definitely possible, for the operating systems course I followed last year we even had to do this as an assignment. This is the entire reason the stack defenses you mention exist, so you usually can't do this. When you drop into random memory, then, if this portion is executable, writable etc etc. then you can indeed slide and run arbitrary shellcode in the process. However, even when the binary doesn't use these protective measures like canaries etc, the kernel has another trick up it's sleeve: address space randomization. It's usually pretty hard to figure out from the process you try to exploit where important functions are loaded and where important data is.

For the course this was our setup:


int main(int argc, char ** argv) {
    char buf[256];
    strcpy(buf, argv[1]);
    return 0;
}

void unused_function() {
    printf("exploit!");
}

Objective was of course to call unused_function. Address space randomization was turned off and stack protection as well.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

ok thank you!!! I was actually doing a binary exploit challenge with no defenses trying to use this method but it wasn't working so I just wanted to verify that the idea was possible.
Updated my answer with a little example, hope it might help you :)
Ehhh kind of? I was thinking more along the lines of something like int main(int argc, char ** argv) { char buf[4]; strcpy(buf, argv[1]); return 0; } int unused_function() { char buf[64]; return 0; }
@MathStudent: This call-unused-func type of exploit shown in this answer is more normally done with a ROP attack, where instead of returning into your own shellcode payload, you overwrite the return address with the address of unused_function (which in a non-PIE executable might be constant even if the stack is ASLRed... Defeating ROP attacks are why modern Linux distros use PIE executables and map .rodata as non-executable, to reduce the amount of possible ROP gadgets that you could usefully return to. Extending this, you can return to a sequence of a few insns that ends with a ret...)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.