
Stack smashing/buffer overflow research

Posted by Erik Wikström on May 15, 2007, 2:23 am
Hi, let me start by apologising if these are the wrong groups to post
these kinds of messages to (I've cross-posted), but after searching the
web and not finding any good material I thought there might be someone
here who knows.

I'm a student and I'm currently working on a small project dealing
with stack smashing/buffer overflows and protection mechanisms in
modern OSes; the idea is to make a survey of the different techniques
that can be used to protect an application against these kinds of
attacks. On the Windows side I have identified three mechanisms that
I'm focusing on: the /GS flag in Visual Studio 2005, ASLR (Address
Space Layout Randomization) and DEP (Data Execution Prevention).

Since I'm not a security expert I can't see any way that I might be
able to circumvent any of those (even less so all of them together),
but I know there are people working with these kinds of things
(whatever their intentions are), so what I'm asking is whether there are
any known and published stack smashing/buffer overflow attacks that
can successfully circumvent the techniques mentioned above (either
just one of them or a combination).

Any information will be greatly appreciated.

PS: Mind the cross-posting when replying

--
Erik Wikström


Posted by Michal Bucko on May 15, 2007, 3:10 am
>I'm focusing on, the /GS flag in Visual Studio 2005, ASLR (Address
>Space Layout Randomization) and DEP (Data Execution Prevention).

>Since I'm not a security expert I can't see any way that I might be
>able to circumvent any of those (even less so all of them together)
>but I know there are people working with these kinds of things
>(whatever their intentions are) so what I'm asking is, if there are
>any known and published stack smashing/buffer overflow attacks that
>can successfully circumvent the techniques mentioned above (either
>just one of them or a combination).



1. /GS stackguard protection places a canary before the frame pointer/stack
pointer. A change of the canary value results in a security error.
The issue: /GS protects arrays ONLY; you can also exploit BO's that are not
on the stack.

2. ASLR - changes the mapping of DLLs, stack, heap (randomness).
A technique for preventing hardcoded address-based attacks. How do we pass ASLR?
We take advantage of so-called heap spraying (suggested reading!).

3. ASLR and DEP bypassing - usage of heap spraying; the exploit jumps to
existing DEP disable code, and the payload is executed.

If You have any doubts, please, feel free to contact me at:
sapheal<at>hack<dot>pl.


Hope I helped,


Michal Bucko

sapheal.hack.pl
HACKPL Security Labs
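
The canary mechanism described in point 1 above, as an added example that is not part of the thread and not code from Visual Studio's /GS implementation. It models a /GS-style frame in an ordinary byte array laid out as buffer, then cookie, then saved return address, so an unchecked copy into the buffer overwrites the cookie before it reaches the return slot and the epilogue check (the role `__security_check_cookie` plays in real /GS builds) notices. The cookie value, the return address and the frame layout are constructed for the illustration; a real /GS cookie is randomised per module, and as the post notes the check only covers stack buffers, which the model reflects by guarding nothing but this one frame.

```c
/* Software model of a /GS-style stack canary (added example, not from the
   thread or from Microsoft's implementation). Everything lives in a plain
   byte array, so no real stack is overflowed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Frame layout, lowest address first: [buffer][cookie][saved return]. */
enum {
    OFF_BUF    = 0,
    OFF_COOKIE = BUF_SIZE,
    OFF_RET    = BUF_SIZE + (int)sizeof(uint64_t),
    FRAME_SIZE = OFF_RET + (int)sizeof(uint64_t)
};

struct frame { uint8_t bytes[FRAME_SIZE]; };

/* Constructed values: a real /GS cookie is random and per module. */
static const uint64_t SECURITY_COOKIE = 0x00ff0a0d5afec0deull;
static const uint64_t RET_ADDR        = 0x0000000140001234ull; /* placeholder */

/* Prologue: write the cookie below the saved return address. */
static void frame_init(struct frame *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + OFF_COOKIE, &SECURITY_COOKIE, sizeof SECURITY_COOKIE);
    memcpy(f->bytes + OFF_RET, &RET_ADDR, sizeof RET_ADDR);
}

/* The defect being modelled: the copy into the 16-byte buffer is not bounded
   by BUF_SIZE. It is clamped to the frame only so the model stays in bounds. */
static void unchecked_copy(struct frame *f, const uint8_t *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes + OFF_BUF, in, len);
}

/* Epilogue check: is the cookie still what the prologue stored? */
static int cookie_intact(const struct frame *f) {
    return memcmp(f->bytes + OFF_COOKIE, &SECURITY_COOKIE,
                  sizeof SECURITY_COOKIE) == 0;
}

static uint64_t saved_return(const struct frame *f) {
    uint64_t r;
    memcpy(&r, f->bytes + OFF_RET, sizeof r);
    return r;
}

/* Returns 1 if the epilogue check would raise the security error for this
   input (overflow detected), 0 if the frame returns normally. */
static int gs_detects(const uint8_t *in, size_t len) {
    struct frame f;
    frame_init(&f);
    unchecked_copy(&f, in, len);
    return cookie_intact(&f) ? 0 : 1;
}

/* Value sitting in the return slot after the copy, showing that the cookie
   check detects the corruption but does not prevent the write itself. */
static uint64_t gs_return_slot(const uint8_t *in, size_t len) {
    struct frame f;
    frame_init(&f);
    unchecked_copy(&f, in, len);
    return saved_return(&f);
}

int main(void) {
    uint8_t big[40];
    memset(big, 'A', sizeof big);            /* constructed over-long input */
    const uint8_t *ok = (const uint8_t *)"hello";

    printf("short input : detected=%d ret=%#llx\n",
           gs_detects(ok, 5), (unsigned long long)gs_return_slot(ok, 5));
    printf("40-byte input: detected=%d ret=%#llx\n",
           gs_detects(big, sizeof big),
           (unsigned long long)gs_return_slot(big, sizeof big));
    return 0;
}
```

The two printed lines make the post's point concrete: the 5-byte input leaves the cookie and return slot untouched, while the 40-byte input trips the check, and the return slot is already `0x4141414141414141` by the time the check runs, which is why the detection has to abort rather than continue.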


Posted by Michal Bucko on May 15, 2007, 3:22 am
By the way, I assumed that you already know what the SEH overwrite technique is
;-)


mb


Posted by Michal Bucko on May 25, 2007, 5:34 pm
By the way, I lately posted a short article about the exploitation
techniques under Windows. You might be interested:
http://sapheal.hack.pl/arts/Introduction2Exploitation.pdf

The article doesn't, however, even give an overall view on the subject -
it is more like a bunch of thoughts and notes made in a rush ;-)

Hope I could help,

Michal

