Bugtraq mailing list archives
"Function pointer" attacks.
From: vendicator () USA NET (vendicator () USA NET)
Date: Mon, 1 Nov 1999 21:14:07 -0000
I don't know if this technique is already known, but since I added a protection for it in Stack Shield I decided to post it.

This is a "stack smashing" technique that allows one to beat StackGuard and Stack Shield (before version 0.6). It is simple: if a function with an overflowable buffer contains a call through a function pointer declared before the buffer, the attacker may overwrite the pointer with the address of the shellcode (or of the NOP block) without altering the RET address in the stack. Even if the RET is altered, the shellcode is executed before the function epilog, so StackGuard and the old Stack Shield do not detect it.

Here is an example:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strcpy */

void dummy(void)
{
    printf("Hello world!\n");
}

int main(int argc, char **argv)
{
    void (*dummyptr)();     /* declared before the buffer: lies above it in the frame */
    char buffer[200];

    if (argc < 2)
        exit(EXIT_FAILURE);

    dummyptr = dummy;
    strcpy(buffer, argv[1]);    /* Vulnerability: unbounded copy runs past buffer into dummyptr */
    (*dummyptr)();              /* called before the epilog, through the overwritten pointer */
    exit(EXIT_SUCCESS);
}

If we put in the command line a parameter of at least 210 bytes we can force the program to execute the shellcode without changing the RET address. StackGuard and the old Stack Shield cannot detect this.

The new Stack Shield 0.6 beta has a new protection mechanism that checks, on non-constant calls, whether the call target is in the TEXT segment. This could cause problems for programs that execute code from the DATA or STACK segment; however, it stops this kind of attack.

Vendicator
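A worked model of the attack described above and of the 0.6-style "target must be in TEXT" check, added here as an example; it is not Vendicator's code and not Stack Shield's implementation. The frame of the posted main() is modelled as a struct (an assumed layout, chosen so the overflow is deterministic and cannot smash the demo's real return address), the hijacked pointer is sent to an ordinary function standing in for shellcode so the demo runs without an executable stack, and the text-segment bounds are approximated by the addresses of the file's own functions rather than the linker's segment symbols. The names build_payload, run_frame, is_text_address and attacker_target are chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Frame of the posted main(): the buffer sits below the function pointer,
 * so a copy that runs past the buffer reaches the pointer before it reaches
 * the saved frame pointer, a canary or the return address.  Modelled as a
 * struct (assumption: the real layout is up to the compiler).
 */
struct frame {
    char buffer[200];
    void (*dummyptr)(void);
};

enum { CALL_DUMMY = 1, CALL_HIJACKED = 2, CALL_BLOCKED = 3 };

static int last_called;                         /* records which target ran */

static void dummy(void)           { last_called = CALL_DUMMY; }
/* Stand-in for the attacker's code.  The post puts shellcode in the buffer
 * itself; here the pointer is redirected to a real function so that the
 * demo does not need an executable stack. */
static void attacker_target(void) { last_called = CALL_HIJACKED; }

/* Payload = filler up to dummyptr, then the new pointer value byte for byte.
 * The original used strcpy, which stops at the first NUL; memcpy is used
 * here so that a 64-bit address (which contains NUL bytes) can be planted.
 * Returns the payload length, or 0 if the output buffer is too small. */
size_t build_payload(unsigned char *out, size_t cap, uintptr_t target)
{
    size_t off  = offsetof(struct frame, dummyptr);
    size_t need = off + sizeof target;
    if (cap < need)
        return 0;
    memset(out, 'A', off);                      /* the NOP block / shellcode area */
    memcpy(out + off, &target, sizeof target);  /* lands exactly on dummyptr */
    return need;
}

/* Approximation of the Stack Shield 0.6 check: an indirect call may only go
 * to an address inside the text segment.  Instead of the linker's segment
 * bounds, the range spanned by this file's own functions is used
 * (assumption); a stack or heap address lies far outside that range. */
int is_text_address(uintptr_t target)
{
    uintptr_t fns[] = {
        (uintptr_t)dummy, (uintptr_t)attacker_target,
        (uintptr_t)build_payload, (uintptr_t)is_text_address,
    };
    uintptr_t lo = fns[0], hi = fns[0];
    for (size_t i = 1; i < sizeof fns / sizeof fns[0]; i++) {
        if (fns[i] < lo) lo = fns[i];
        if (fns[i] > hi) hi = fns[i];
    }
    return target >= lo && target <= hi;
}

/* The vulnerable function from the post: unbounded copy, then a call
 * through dummyptr before the epilog.  protect != 0 inserts the
 * text-segment check in front of the indirect call. */
int run_frame(const unsigned char *input, size_t len, int protect)
{
    struct frame f;
    f.dummyptr = dummy;
    if (len > sizeof f)                 /* clamp: corrupt only the modelled frame */
        len = sizeof f;
    memcpy(&f, input, len);             /* &f == f.buffer; len is not bounded by
                                           sizeof f.buffer: this is the overflow */
    last_called = 0;
    if (protect && !is_text_address((uintptr_t)f.dummyptr))
        return CALL_BLOCKED;            /* Stack Shield 0.6 would abort here */
    f.dummyptr();                       /* runs before the function returns, so a
                                           RET-address check never gets a chance */
    return last_called;
}

int main(void)
{
    unsigned char payload[sizeof(struct frame)];
    size_t n;

    printf("benign input:             %d\n", run_frame((const unsigned char *)"hello", 6, 0));
    n = build_payload(payload, sizeof payload, (uintptr_t)attacker_target);
    printf("%zu-byte payload, no check: %d\n", n, run_frame(payload, n, 0));
    printf("same payload, TEXT check: %d\n", run_frame(payload, n, 1));
    n = build_payload(payload, sizeof payload, (uintptr_t)payload);   /* a stack address */
    printf("stack target, TEXT check: %d\n", run_frame(payload, n, 1));
    return 0;
}
```

Compile with any C compiler and run; the last case must only be run with the check enabled, since without it the hijacked call would jump into the stack buffer (a crash on a non-executable stack, the shellcode on a 1999 system). The check has the limit the code makes visible: a pointer overwritten with the address of code that already lives in the text segment (the attacker_target case) passes it.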
Current thread:
- Stack Shield 0.6 beta relased vendicator () USA NET (Nov 01)
- "Function pointer" attacks. vendicator () USA NET (Nov 01)
- Re: "Function pointer" attacks. Crispin Cowan (Nov 02)
- Re: "Function pointer" attacks. Mariusz Woloszyn (Nov 03)
- Re: Stack Shield 0.6 beta relased Crispin Cowan (Nov 01)