Buffer Overflow Dictionary

https://steflan-security.com/complete-guide-to-stack-buffer-overflow-oscp/

Stack buffer overflow is a memory corruption vulnerability that occurs when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer, therefore overflowing to a memory address that is outside of the intended data structure.

This will often cause the program to crash, and if certain conditions are met, it could allow an attacker to gain remote control of the machine with privileges as high as the user running the program, by redirecting the flow execution of the application to malicious code.

Source: https://gabrieletolomei.wordpress.com/miscellanea/operating-systems/in-memory-layout/

All variables in memory are stored using either little endian (for intel x86 processors) or big endian (for PowerPC) format.

In little endian, the bytes are stored in reverse order. So for example:

  • 0x032CFBE8 will be stored as “E8FB2C03”

  • 0x7734BC0D will be stored as “0DBC3477”

  • 0x0BADF00D will be stored as “0DF0AD0B”

The Stack

The stack is a section of memory that stores temporary data, that is executed when a function is called.

The stack always grows downwards towards lower values as new information is added to it. The ESP CPU register points to the lowest part of the stack and anything below it is free memory that can be overwritten, which is why it is often exploited by injecting malicious code into it.

CPU Registers

  • stores single records

  • registers hold pointers which has directions (memory addresses) that has instructions for each program. We can exploit it by using a jump instruction to move to where malicious code is embedded.

Microsoft Register

ESP - top of the stack

EIP - stores a pointer of the instruction the program is currently executing

FLAGS - stores meta data about the previous operations.

Pointers

A pointer is, a variable that stores a memory address as its value, which will correspond to a certain instruction the program will have to perform. The value of the memory address can be obtained by “dereferencing” the pointer.

They are used in buffer overflow attacks to redirect the execution flow to malicious code through a pointer that points at a JMP instruction.

EIP offset - this is where we need to find where the program crashes

PreviousBoF Brainstorm WriteupNextpof of Hewlett-Packard (HP) Buffer Overflow

Last updated