Avoiding exploitation
Recall the steps of a stack smashing attack:
[Slide diagram: a stack frame whose buffer at 0xbdf is overflowed with injected code (bytes 02 8d e2 ...) past &arg1, the saved %ebp and the saved %eip; a canary word is placed between the buffer and the saved registers, so a linear overflow has to pass through it before it can reach %eip]
Canary values
From StackGuard [Wagle & Cowan]
1. Terminator canaries (CR, LF, NULL, -1)
2. Random canaries
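An added example, not from the slides, modelling the two StackGuard canary types on a constructed frame layout (buffer, canary, saved %ebp, saved %eip; the offsets, addresses and the "random" canary value are made up for illustration). It shows why a terminator canary stops a strcpy-style overflow even when the attacker knows its value, and why a random canary holds only as long as its value is not leaked:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout (a model, not a compiler's real layout): the
 * canary word sits between the local buffer and the saved registers, where
 * StackGuard puts it, so any linear overflow reaching %ebp/%eip crosses it. */
#define BUF_LEN    16
#define OFF_CANARY 16
#define OFF_EBP    20
#define OFF_EIP    24
#define FRAME_LEN  28

/* StackGuard's terminator canary: NUL, CR, LF, 0xFF (-1). Stored
 * little-endian, so the 0x00 byte is the last byte before the saved %ebp. */
#define TERMINATOR_CANARY 0x000aff0du
#define SAVED_EBP 0xbffff3a0u   /* constructed */
#define SAVED_EIP 0x08048abcu   /* constructed: the legitimate return address */

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void frame_init(uint8_t *f, uint32_t canary) {
    memset(f, 0, FRAME_LEN);
    put_le32(f + OFF_CANARY, canary);
    put_le32(f + OFF_EBP, SAVED_EBP);
    put_le32(f + OFF_EIP, SAVED_EIP);
}

/* The bug: a strcpy-style copy into buf with no length check. The only stop
 * condition is the NUL terminator of the source. (The FRAME_LEN cap keeps
 * this model inside its own array; real strcpy has no such cap.) */
static void vulnerable_copy(uint8_t *f, const char *src) {
    size_t i;
    for (i = 0; i < FRAME_LEN; i++) {
        f[i] = (uint8_t)src[i];
        if (src[i] == '\0') break;
    }
}

/* Attacker payload: fill buf, then the bytes the attacker believes the canary
 * holds, then a new %ebp and %eip. A C string cannot carry 0x00, so a guess
 * containing a NUL byte truncates the payload at that byte. */
const char *attacker_payload(uint32_t canary_guess, uint32_t new_ebp, uint32_t new_eip) {
    static uint8_t p[BUF_LEN + 12 + 1];
    memset(p, 'A', BUF_LEN);
    put_le32(p + BUF_LEN, canary_guess);
    put_le32(p + BUF_LEN + 4, new_ebp);
    put_le32(p + BUF_LEN + 8, new_eip);
    p[BUF_LEN + 12] = '\0';
    return (const char *)p;
}

/* The epilogue check StackGuard compiles in, reduced to a return code:
 *   0 = canary intact and %eip untouched (attack did not reach %eip)
 *   1 = canary clobbered: abort before returning (attack detected)
 *   2 = canary intact but %eip changed: the check was bypassed */
int smash_and_check(uint32_t canary, const char *payload) {
    uint8_t f[FRAME_LEN];
    frame_init(f, canary);
    vulnerable_copy(f, payload);
    if (get_le32(f + OFF_CANARY) != canary) return 1;
    return get_le32(f + OFF_EIP) != SAVED_EIP ? 2 : 0;
}

int main(void) {
    uint32_t random_canary = 0x2f8c91e4u;  /* constructed "random" value */
    uint32_t target = 0xbffff0d0u;         /* constructed: into a nop sled */
    printf("benign input:               %d\n", smash_and_check(TERMINATOR_CANARY, "hello"));
    printf("blind overflow, terminator: %d\n", smash_and_check(TERMINATOR_CANARY,
           attacker_payload(0x41414141u, 0x41414141u, target)));
    printf("known terminator canary:    %d\n", smash_and_check(TERMINATOR_CANARY,
           attacker_payload(TERMINATOR_CANARY, SAVED_EBP, target)));
    printf("random canary, wrong guess: %d\n", smash_and_check(random_canary,
           attacker_payload(0x11111111u, SAVED_EBP, target)));
    printf("random canary, leaked:      %d\n", smash_and_check(random_canary,
           attacker_payload(random_canary, SAVED_EBP, target)));
    return 0;
}
```

The third case is the terminator canary's whole point: to leave it intact the attacker's string must contain the 0x00 byte, and the copy stops there, so %eip is never reached. The random canary resists a blind overwrite but falls the moment its value leaks (a format-string bug or an uninitialised-memory read is enough), which is why the two designs are usually discussed together.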
Return-to-libc
[Slide diagram: the overflowed frame holds padding and a nop sled in the buffer (addresses 0xbdf, 0x17f, 0x20d label the buffer), then &arg1, the saved %ebp and the saved %eip; the saved %eip is overwritten with a known good location in libc's text segment, e.g. exec(), with /bin/sh supplied as the argument. No need to know the return address: the attacker jumps to a fixed libc address instead of guessing where the injected code landed in the buffer]
Return-to-libc, thwarted
[Slide diagram: the same frame, but libc's functions (exec(), printf()) and the /bin/sh string are now at unknown locations (???), so the overwritten %eip and &arg1 cannot be aimed at them]
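An added example, not part of the slides, modelling both the return-to-libc frame and why randomizing libc's load address thwarts it. The frame offsets, libc symbol offsets and load bases are constructed values, not taken from any real binary; "exec()" stands in for the slide's target function and "/bin/sh" for the string libc carries:

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the slide's frame after the overflow. */
#define BUF_LEN   16
#define OFF_EBP   16   /* saved %ebp (any value) */
#define OFF_EIP   20   /* saved %eip: overwritten with &exec() */
#define OFF_RET   24   /* where exec() would "return" (the slide shows printf()) */
#define OFF_ARG1  28   /* exec()'s first argument: &"/bin/sh" */
#define FRAME_LEN 32

/* libc symbols as offsets from the library's load base (constructed). */
#define EXEC_OFF   0x0003a1c0u
#define PRINTF_OFF 0x00049b70u
#define BINSH_OFF  0x0015d1c8u   /* the "/bin/sh" string inside libc itself */

#define LIBC_BASE_FIXED 0xb7e00000u   /* what a pre-ASLR attacker hard-codes */
#define LIBC_BASE_ASLR  0xb7c85000u   /* one randomized placement (constructed) */

typedef struct { uint32_t eip; uint32_t arg1; } ret_state_t;

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The attacker's frame: padding, any %ebp, then a chain of addresses computed
 * against the base the attacker believes libc is loaded at. */
size_t build_ret2libc(uint8_t *out, uint32_t assumed_base) {
    memset(out, 'A', BUF_LEN);
    put_le32(out + OFF_EBP,  0x42424242u);
    put_le32(out + OFF_EIP,  assumed_base + EXEC_OFF);
    put_le32(out + OFF_RET,  assumed_base + PRINTF_OFF);
    put_le32(out + OFF_ARG1, assumed_base + BINSH_OFF);
    return FRAME_LEN;
}

/* What actually lives at an address, given where libc was really loaded. */
const char *resolve(uint32_t addr, uint32_t actual_base) {
    if (addr == actual_base + EXEC_OFF)   return "exec()";
    if (addr == actual_base + PRINTF_OFF) return "printf()";
    if (addr == actual_base + BINSH_OFF)  return "\"/bin/sh\"";
    return "???";
}

/* The victim's epilogue: `ret` pops the overwritten %eip, and the function it
 * lands in reads its first argument two words above that slot. */
static ret_state_t epilogue(const uint8_t *frame) {
    ret_state_t s;
    s.eip  = get_le32(frame + OFF_EIP);
    s.arg1 = get_le32(frame + OFF_ARG1);
    return s;
}

/* Returns 1 if control lands in exec() with "/bin/sh" as its argument. */
int ret2libc_succeeds(uint32_t assumed_base, uint32_t actual_base) {
    uint8_t frame[FRAME_LEN];
    build_ret2libc(frame, assumed_base);   /* the overflow writes this frame */
    ret_state_t s = epilogue(frame);
    const char *fn  = resolve(s.eip,  actual_base);
    const char *arg = resolve(s.arg1, actual_base);
    printf("ret -> %08" PRIx32 " (%s), arg1 = %08" PRIx32 " (%s)\n",
           s.eip, fn, s.arg1, arg);
    return strcmp(fn, "exec()") == 0 && strcmp(arg, "\"/bin/sh\"") == 0;
}

int main(void) {
    ret2libc_succeeds(LIBC_BASE_FIXED, LIBC_BASE_FIXED);  /* no ASLR: known good location */
    ret2libc_succeeds(LIBC_BASE_FIXED, LIBC_BASE_ASLR);   /* ASLR: both pointers hit ??? */
    ret2libc_succeeds(LIBC_BASE_ASLR,  LIBC_BASE_ASLR);   /* base leaked: works again */
    return 0;
}
```

The third call is the caveat worth keeping in mind: ASLR only randomizes the base, not the offsets within libc, so a single leaked libc pointer (from a format-string bug, an uninitialised read, or a non-PIE helper binary) gives the attacker the whole library back.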
ASLR today
Available on modern operating systems!
Caveats: