This page shows the differences between two versions.
| security:memory-corruption:exploitation:nop-sled [2018/01/28 17:39] nufan | security:memory-corruption:exploitation:nop-sled [2023/04/19 01:09] (current) nufan | ||
|---|---|---|---|
| Line 62: | Line 62: | ||
| <code c nop/execve.c> | <code c nop/execve.c> | ||
| - | // gcc -g -O0 -m32 -no-pie -fno-pie -mpreferred-stack-boundary=2 execve.c | + | // gcc -g -O0 -m32 -no-pie -fno-pie -mpreferred-stack-boundary=2 -fno-stack-protector -z execstack execve.c |
| #include <stdio.h> | #include <stdio.h> | ||
| #include <string.h> | #include <string.h> | ||
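Review bot: the two added flags deserve a word in the compile comment itself, because a reader who copies the 2018 command gets a binary on which the later jump into the buffer fails for two unrelated reasons: `-fno-stack-protector` removes the canary check that would abort before the overwritten return address is ever used, and `-z execstack` marks the stack executable so the shellcode sitting in the buffer may run at all. Suggest extending the comment to something like `// -fno-stack-protector: no canary; -z execstack: executable stack (both needed for the stack-resident shellcode)`. One more clause is worth adding there: neither flag touches address-space layout randomization, which no gcc option switches off, so the hard-coded return address used further down still requires ASLR to be disabled at run time before the example behaves as described.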
| Line 85: | Line 85: | ||
| Inspecting the code above, you will notice that the only difference to our example from the [[.basic#arbitrary_code_execution|buffer overflow introduction]] is the size of the buffer. Back then, it was of utmost importance to correctly overwrite the return address and exactly know the address to jump to. By adding a sequence of NOPs directly before the shellcode, we can loosen the second constraint. This sequence of NOPs is commonly called a "NOP sled"((Jon Erickson (2008). Hacking: The Art of Exploitation <nowiki>(2nd edition)</nowiki>)). Returning to anywhere in this sequence is equally fine as to land exactly at the beginning of the shellcode. In case the NOPs are hit, the processor spends some cycles doing nothing until it reaches the real shellcode. | Inspecting the code above, you will notice that the only difference to our example from the [[.basic#arbitrary_code_execution|buffer overflow introduction]] is the size of the buffer. Back then, it was of utmost importance to correctly overwrite the return address and exactly know the address to jump to. By adding a sequence of NOPs directly before the shellcode, we can loosen the second constraint. This sequence of NOPs is commonly called a "NOP sled"((Jon Erickson (2008). Hacking: The Art of Exploitation <nowiki>(2nd edition)</nowiki>)). Returning to anywhere in this sequence is equally fine as to land exactly at the beginning of the shellcode. In case the NOPs are hit, the processor spends some cycles doing nothing until it reaches the real shellcode. | ||
| - | In this example we have a buffer of size 128 while our shellcode takes up only 28 bytes. Thus we have 100 bytes of space left for the NOP sled. As this amount of characters is cumbersome to type and copy, we will generate the input with [[perl:start|Perl]]. Even if you are not familiar with Perl, make sure you are able to understand and generate inputs in a scripting language (e.g. [[py:start|Python]] or [[bash:start|Bash]] are perfectly fine as well). The NOP sled is followed by the actual shellcode and the approximate address we want to jump to. It is sufficient to land somewhere within the 100 byte range of the NOP sled, we do not need to know the exact address of the shellcode. Assuming a correct alignment with respect to the stack variables, we can also specify the target address multiple times with a higher chance of overwriting the return address. | + | In this example we have a buffer of size 128 while our shellcode takes up only 28 bytes. Thus we have 100 bytes of space left for the NOP sled. As this amount of characters is cumbersome to type and copy, we will generate the input with [[perl:start|Perl]]. The NOP sled is followed by the actual shellcode and the approximate address we want to jump to. It is sufficient to land somewhere within the 100 byte range of the NOP sled, we do not need to know the exact address of the shellcode. Assuming a correct alignment with respect to the stack variables, we can also specify the target address multiple times with a higher chance of overwriting the return address. |
| Our payload now contains the following: | Our payload now contains the following: | ||
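Review bot: the removed sentence was the only pointer to [[py:start|Python]] and [[bash:start|Bash]] as alternatives to Perl; if the intent was merely to tighten the paragraph, keep a half-sentence such as "any scripting language that can emit raw bytes works as well" so readers without Perl are not stranded. Separately, the closing claim that repeating the target address gives "a higher chance of overwriting the return address" holds only if the first copy starts at an offset that is a multiple of 4 from the saved return address on this -m32 build; the phrase "assuming a correct alignment" should say that explicitly. The 100 NOPs plus 28 bytes of shellcode fill the 128-byte buffer exactly, so whatever sits between the end of the buffer and the saved EIP decides the alignment, and a mis-aligned repeat writes only part of an address over EIP and crashes instead of landing in the sled.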
| Line 114: | Line 114: | ||
| <tr> | <tr> | ||
| <td align="left" style="width:33%"></html>[[.basic|← Back to buffer overflow basics]]<html></td> | <td align="left" style="width:33%"></html>[[.basic|← Back to buffer overflow basics]]<html></td> | ||
| - | <td align="center" style="width:34%"></html>[[..|Overview]]<html></td> | + | <td align="center" style="width:34%"></html>[[..start|Overview]]<html></td> |
| <td align="right" style="width:33%"></html>[[.external-buffers|Continue with external buffers →]]<html></td> | <td align="right" style="width:33%"></html>[[.external-buffers|Continue with external buffers →]]<html></td> | ||
| </tr> | </tr> | ||
| </table> | </table> | ||
| </html> | </html> | ||