.. | ||
README.md | ||
ret2shellcode.md | ||
ret2win.md | ||
rop-return-oriented-programing.md |
Stack Overflow
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
What is a Stack Overflow
A stack overflow is a vulnerability that occurs when a program writes more data to the stack than it is allocated to hold. This excess data will overwrite adjacent memory space, leading to the corruption of valid data, control flow disruption, and potentially the execution of malicious code. This issue often arises due to the use of unsafe functions that do not perform bounds checking on input.
The main problem of this overwrite is that the EIP and EBP pointers to return to the previos function are stored in the stack. Therefore, an attacker will be able to overwrite those and control the execution flow of the program.
The vulnerability usually arises because a function copies inside the stack more bytes than the amount allocated for it, therefore being able to overwrite other parts of the stack.
Some common functions vulnerable to this are: strcpy
, strcat
, sprintf
, gets
, fgets
...
For example, the following functions could be vulnerable:
void vulnerable() {
char buffer[128];
printf("Enter some text: ");
gets(buffer); // This is where the vulnerability lies
printf("You entered: %s\n", buffer);
}
Finding Stack Overflows
The most common way to find stack overflows is to give a very big input of A
s (e.g. python3 -c 'print("A"*1000)'
) and expected a Segmentation Fault
indicating that the address 0x41414141
was tried to be accessed.
Moreover, once you found that there is Stack Overflow vulnerability you will need to find the offset until it's possible to overwrite the EIP pointer, for this it's usually used a De Bruijn sequence. Which for a given alphabet of size k and subsequences of length n is a cyclic sequence in which every possible subsequence of length n appears exactly once as a contiguous subsequence.
This way, instead of needing to figure out which offset is overwriting the EIP by hand, it's possible to use as padding one of these sequences and then find the offset of the bytes that ended overwriting it.
It's possible to use pwntools for this:
from pwn import *
# Generate a De Bruijn sequence of length 1000 with an alphabet size of 256 (byte values)
pattern = cyclic(1000)
# This is an example value that you'd have found in the EIP/IP register upon crash
eip_value = p32(0x6161616c)
offset = cyclic_find(eip_value) # Finds the offset of the sequence in the De Bruijn pattern
print(f"The offset is: {offset}")
or GEF:
#Patterns
pattern create 200 #Generate length 200 pattern
pattern search "avaaawaa" #Search for the offset of that substring
pattern search $rsp #Search the offset given the content of $rsp
Exploiting Stack Overflows
During an overflow (supposing the overflow size if big enough) you will be able to overwrite values of other variables inside the stack until reaching the EBP and EIP (or even more).
The most common way to abuse this type of vulnerability is by modifying the EIP pointer so when the function ends the control flow will be redirected wherever the user specified in this pointer.
However, in other scenarios maybe just overwriting some variables values in the stack might be enough for the exploitation (like in easy CTF challenges).
Ret2win
In this type of CTF challenges, there is a function inside the binary that is never called and that you need to call in order to win. For these challenges you just need to find the offset to overwrite the EIP and find the address of the function to call (usually ASLR would be disabled) so when the vulnerable function returns, the hidden function will be called:
{% content-ref url="ret2win.md" %} ret2win.md {% endcontent-ref %}
Ret2Shellcode
Types of protections
{% content-ref url="../common-binary-protections/" %} common-binary-protections {% endcontent-ref %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.