Penetration Testing Basics by Ric Messier

Author: Ric Messier
Language: eng
Format: epub
Publisher: Apress, Berkeley, CA


In theory, this sounds easy. There can be a lot of work involved, however, in trying to locate the address in the stack where the new code is located in order to force the operating system to jump to that location. The location of the attacker’s code is necessary for the exploit to work. Ideally, the address will be the same each time you run the program, and in some cases this is true. Some programs are actually compiled with their preferred locations in memory already established. Since the operating system is using virtual memory, meaning the address the program knows about is different from the physical address, the program can believe anything it wants about where it is located. The operating system is going to do a translation anyway to get the real address before it goes to retrieve data from memory. Why not just let the program specify up front what address it wants? It simplifies compiling the program from source code to executable code and also simplifies the job of the operating system to provide a set of addresses. The problem with this approach is that it allows attackers to make use of known information to attack the program. One way to protect against a buffer overflow is to use a technique called address space layout randomization (ASLR). This technique provides a different set of addresses to the program each time it runs so an attacker can’t guarantee what address they need to jump to ahead of time. Trying to determine it on the fly is much harder, if it can even be done at all. ASLR ends up being a reasonably effective way to protect against buffer overflow attacks.

Using ASLR doesn’t mean that attackers are out of luck, though. There are other techniques they can use. One of them is to take advantage of the fact that most programs use shared libraries. A shared library is a collection of functions that are available for multiple programs to make use of. These shared libraries are typically located at known addresses in memory, or at least at addresses that can be determined. Instead of trying to overwrite a buffer, the attacker will take advantage of the fact that the addresses of these shared libraries are known and jump to those locations in memory rather than to the location of the buffer overflow. This still requires that the attacker send in too much data to overflow the buffer in order to get to the return address and overwrite it. Instead of overwriting the return address with the address of attacker-supplied code on the stack, the attacker will just send the execution of the program into one of the shared libraries, getting the library function to do the appropriate work. Typically, the attacker would probably make use of the system() function, which passes commands into the operating system. This would allow the attacker to execute commands in the operating system itself, bypassing the program altogether. This doesn’t mean that we are without protection against these attacks.
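The two paragraphs above make a testable claim: under ASLR the address of a shared-library function such as system() moves from one run of a program to the next, which is what takes the "known address" away from an attacker. The following check, added here as an example and not taken from the book, verifies that on the machine it runs on. It starts a fresh Python interpreter several times, has each one ask the dynamic loader (via ctypes, i.e. dlsym) where libc's system() landed, and compares the answers. It assumes Python 3 on a Linux or other Unix-like system where the interpreter links libc dynamically; the names _PROBE, system_address_in_fresh_process, sample_addresses and aslr_report are this example's own. Because the loader maps libraries at page-aligned addresses, only the base moves: the low 12 bits (the offset within the page) of system() stay constant across runs even when ASLR is on, and the report checks that too.

```python
import subprocess
import sys

# Snippet executed in a brand-new interpreter process. Each process has its own
# address-space layout, so running it repeatedly samples ASLR across runs.
# find_library("c") may return None on some distributions; CDLL(None) then asks
# dlsym() to search the already-loaded global namespace, which contains libc.
_PROBE = r"""
import ctypes, ctypes.util
lib = ctypes.CDLL(ctypes.util.find_library("c"))
print(ctypes.cast(lib.system, ctypes.c_void_p).value)
"""


def system_address_in_fresh_process():
    """Spawn a fresh interpreter and return the address of libc's system() in it."""
    result = subprocess.run(
        [sys.executable, "-c", _PROBE],
        capture_output=True, text=True, check=True,
    )
    return int(result.stdout.strip())


def sample_addresses(runs=4):
    """Collect the system() address from `runs` independent processes."""
    return [system_address_in_fresh_process() for _ in range(runs)]


def aslr_report(runs=4):
    """Summarise whether library load addresses are randomised between runs.

    randomized            -> more than one distinct address was observed
    page_offset_constant  -> the in-page offset (low 12 bits) never changed,
                             as expected for page-granular randomisation
    """
    addrs = sample_addresses(runs)
    return {
        "addresses": addrs,
        "distinct": len(set(addrs)),
        "randomized": len(set(addrs)) > 1,
        "page_offset_constant": len({a & 0xFFF for a in addrs}) == 1,
    }


if __name__ == "__main__":
    report = aslr_report()
    for a in report["addresses"]:
        print(f"system() at {a:#018x}")
    print("ASLR randomised libc base:", report["randomized"])
    print("in-page offset constant  :", report["page_offset_constant"])
```

If `randomized` comes back False on a Linux host, check `/proc/sys/kernel/randomize_va_space` (0 disables ASLR, 2 is the normal full setting); a binary can also opt out of randomisation for itself if it is not built as position-independent code, which is why hardening guides insist on PIE builds as well as a kernel with ASLR enabled.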
