Buffer Overflow Attack Format

Usually we see the main buffer overflow format, which is:

NOPs + shellcode + return_address

Why don't we use NOPs + return_address + shellcode, where we make the return address point to the beginning of the shellcode?

I assume this is due to the fact that we can try to write data outside the stack segment if the vulnerability is in main(). Am I right? If I am, is that the only reason?

Oh, and yes, I do not mean other types of attacks that use return-to-libc, ptrace, etc.; I just want to know why the most basic buffer overflow attack is shown in the first form and not the second.

+7

1 answer

The return address may appear before the shellcode + NOP sled or after it. For example, if you are overwriting a variable close to the top of the stack, you may need to write the NOP sled + shellcode past the return address (EIP), because there may not be enough space.

However, the NOP sled will always be next to the shellcode. The reason is that you use the NOP sled to make the target of your shellcode as large as possible. If your EIP points ±100 bytes from your shellcode, you need to use a NOP sled of over 100 bytes to ensure that you hit the target. Thus, NOPs + return_address + shellcode is invalid. A typical exploit string would look like this:

JUNK + return_address + NOPs + shellcode

And of course, a "return-to-libc" style attack does not require shellcode or a NOP sled.

This simplified stack-based buffer overflow exploit will not work on a modern system. Aleph One's Smashing The Stack For Fun and Profit no longer works due to NX regions, stack canaries and ASLR, all of which are enabled by default on Windows and Linux.

You should get a copy of:

+10
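As an added illustration (not code from the question or the answer), the unbounded stack copy the question has in mind beside a bounds-checked replacement, in C; the buffer size, function names and sample inputs are assumptions:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 64   /* size of the fixed stack buffer (assumption) */

/* Vulnerable pattern the question describes: strcpy() into a fixed
 * stack buffer with no length check. Input longer than BUF_SIZE - 1
 * bytes continues past the buffer into the saved frame pointer and
 * return address above it, which is what a NOPs + shellcode +
 * return_address string overwrites. Illustration only. */
static void vulnerable_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);                 /* unbounded copy */
    printf("vulnerable_copy stored %zu bytes\n", strlen(buf));
}

/* Hardened form: verify the input fits (including the NUL) and
 * refuse it otherwise, rather than truncating silently.
 * Returns 0 on success and -1 when the input does not fit. */
static int safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Constructed sample input: `len` bytes of 'A' (not attacker data).
 * Reports whether safe_copy() accepts it into a BUF_SIZE buffer. */
static int accepts_input_of_length(size_t len) {
    char src[256];
    char dst[BUF_SIZE];
    if (len >= sizeof src)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return safe_copy(dst, sizeof dst, src);
}

int main(void) {
    vulnerable_copy("short input");     /* fine until input > 63 bytes */
    printf("63 bytes accepted: %d\n", accepts_input_of_length(63) == 0);
    printf("64 bytes rejected: %d\n", accepts_input_of_length(64) == -1);
    /* Build with -fstack-protector-strong (and leave NX/ASLR on) so a
     * leftover overflow is detected instead of hijacking the return. */
    return 0;
}
```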