If the stack is 'flipped' can you still execute shell code using a buffer overflow?

1
votes

In this scenario, the stack starts at address 00000000 and grows down. Array access (char[6] at 00002301 and char[7] at 00002302).

ebp-> 00001904 .... esp-> 00002100 (top of stack is here)

You can still execute a buffer overflow if you use a bad input, my question is:
- Can you use exploit that overflow to execute some shell code (from input).

In a regular stack, you can overwrite the ebp to point to your shell code, can you still do this is the stack is 'flipped'.

2
csecuritybuffer-overflow
The votes to close are inappropriate because it is perfectly clear what the question is: If the stack pushes/grows to greater addresses instead of lesser addresses, is susceptibility to buffer exploits reduced? - Eric Postpischil
Answer was solved so it's not a issue for anyway. - samwise
The goal of StackOverflow is to be a repository for questions and answers, not just to answer questions for individuals. - Eric Postpischil
I understand the concept. My question was answered so it didn't matter that the question was closed. - samwise

2 Answers

2
votes

Short answer: yes.

  1. Function A allocates buffer on the stack for variable Q.
  2. A calls B passing address of Q as a parameter.
  3. B overflows the buffer nuking the return address back to A.

You also have to watch out for buffer underflows, or other attacks that could modify arbitrary memory (such as freeing an element from a double linked list).

1
votes

You can find this question perfectly solved in the O'Hallaron 's book CSAPP.

Here is the brief introduction:

  • Firstly, you get the idea that we can overwrite the ebp by using the buffer overflow. This can work because the call and ret instructions would use the address to put the return point in and pull it back.
  • And then, Linux has a kind of protection mechanism which is called stack randomize. This means you cannot find the exact address of ebp. But we can use the instruction names nop and this is called slop(maybe I guess).
  • At last, Linux has a last wall to protect: setting canary. This is a value in the (ebp+4) address which is set before calling a function. After return, you can check this one to find if the stack has been overflow attacked.

If you want to try this, you can checkout the ICS's Lab3, and you can get well exercised about this technique.