You will not always be as lucky, so you need to know both
ways. See the references for even more creative ways to return into libc.
Bottom Line
Now that we have discussed some of the more common techniques used for memory
protection, how do they stack up? Of the ones we reviewed, ASLR (PaX and PIE) and
non-executable memory (PaX and ExecShield) protect both the stack and the heap.
StackGuard, StackShield, SSP, and Libsafe protect against stack-based attacks only.
The following table summarizes the differences between the approaches (the Stack and
Heap columns show which region each technique protects).
Technique                     Stack         Heap
No protection used            Vulnerable    Vulnerable
StackGuard/StackShield, SSP   Protection    Vulnerable
PaX/ExecShield                Protection    Protection
Libsafe                       Protection    Vulnerable
ASLR (PaX/PIE)                Protection    Protection
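The table above says which techniques make the stack and heap non-executable, but it is also worth knowing how to verify that a running process actually got that protection. The following C program is an added example (not from the book or from any of the projects it names): it parses the /proc/<pid>/maps format that Linux uses to describe a process's memory regions, reports whether the [stack] and [heap] regions carry the execute bit, and counts regions that are both writable and executable, which is the condition that non-executable-memory schemes such as PaX and ExecShield are designed to eliminate. The SAMPLE_MAPS text is constructed for illustration and intentionally shows an unprotected process; main() additionally reads the real /proc/self/maps when run on Linux.

```c
#include <stdio.h>
#include <string.h>

/* A /proc/<pid>/maps line has the shape (constructed example):
 *   7ffd5c3e0000-7ffd5c401000 rwxp 00000000 00:00 0   [stack]
 * Field 2 is the permission string; an 'x' there means the region is
 * executable. Parse one line (not necessarily NUL-terminated) into its
 * permission string and optional path/name. Returns 1 on success. */
static int parse_maps_line(const char *line, size_t len, char *perms, char *path)
{
    char buf[512];
    char range[64], offset[32], dev[16], inode[32];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memcpy(buf, line, len);
    buf[len] = '\0';
    path[0] = '\0';               /* anonymous mappings have no path field */
    int n = sscanf(buf, "%63s %7s %31s %15s %31s %255s",
                   range, perms, offset, dev, inode, path);
    return n >= 5;
}

/* Walk the maps text, calling parse_maps_line for each line.
 * Returns 1 if region `name` ("[stack]", "[heap]") is present and
 * executable, 0 if present and non-executable, -1 if not found. */
int region_exec_state(const char *maps_text, const char *name)
{
    const char *line = maps_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char perms[8], path[256];
        if (parse_maps_line(line, len, perms, path) && strcmp(path, name) == 0)
            return strchr(perms, 'x') != NULL ? 1 : 0;
        if (!eol) break;
        line = eol + 1;
    }
    return -1;
}

/* Count regions that are simultaneously writable and executable.
 * A strict non-executable-memory policy (e.g. PaX MPROTECT) yields zero. */
int count_writable_executable(const char *maps_text)
{
    int count = 0;
    const char *line = maps_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char perms[8], path[256];
        if (parse_maps_line(line, len, perms, path) &&
            strchr(perms, 'w') && strchr(perms, 'x'))
            count++;
        if (!eol) break;
        line = eol + 1;
    }
    return count;
}

/* Constructed sample: an unprotected process with an executable stack
 * and an anonymous RWX mapping; the heap here is non-executable. */
static const char SAMPLE_MAPS[] =
    "55d1c0a00000-55d1c0a01000 r-xp 00000000 08:01 1234 /tmp/demo\n"
    "55d1c0c01000-55d1c0c22000 rw-p 00000000 00:00 0    [heap]\n"
    "7f3a1e000000-7f3a1e021000 rwxp 00000000 00:00 0\n"
    "7ffd5c3e0000-7ffd5c401000 rwxp 00000000 00:00 0    [stack]\n";

static void report(const char *label, const char *maps_text)
{
    printf("%s: stack exec=%d heap exec=%d writable+executable regions=%d\n",
           label, region_exec_state(maps_text, "[stack]"),
           region_exec_state(maps_text, "[heap]"),
           count_writable_executable(maps_text));
}

int main(void)
{
    report("sample", SAMPLE_MAPS);

    /* On Linux, inspect this very process as well. */
    static char live[65536];
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        size_t n = fread(live, 1, sizeof live - 1, f);
        live[n] = '\0';
        fclose(f);
        report("self", live);
    }
    return 0;
}
```

On a modern distribution the "self" line normally shows stack exec=0 and zero writable+executable regions; a nonzero count on a production binary is the first thing to investigate when assessing whether the non-executable-memory column of the table actually applies to it.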
References
Nergal's libc exploits, www.phrack.org/archives/58/p58-0x04
Vangelis, libc exploits, http://neworder.box.sk/news/11535
Solar Designer's libc exploits, www.imchris.org/projects/overflows/returntolibc1.html
Shaun2k2's libc exploits, http://governmentsecurity.org/archive/t5731.html
"A Buffer Overflow Study: Attacks and Defenses," http://community.corest.com/~juliano/enseirbof.pdf
Jon Erickson, Hacking: The Art of Exploitation (San Francisco: No Starch Press, 2003)
Koziol et al.