As an
example, consider an ftp server that contains a stack buffer overflow when handling filenames
associated with the RETR command that won't get triggered until the user disconnects
with the QUIT command. A rough layout to exploit this vulnerability might look
something like this:
USER anonymous
PASS guest@
RETR
QUIT
Note that ftp protocol elements precede and follow the shellcode. It is also worth noting
that protocol elements are generally immune to the character restrictions that may exist
for your shellcode. For example, in the preceding layout we clearly need carriage returns to
delimit all of the commands, but we must not include a carriage return in our shellcode
buffer until we are ready to terminate the buffer and append the QUIT command.
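The same framing that constrains the attacker also gives the defender a handle: because the payload must ride inside one CRLF-delimited RETR line, a monitor can split the client stream on CRLF and inspect each command's argument for abnormal length or bytes outside printable ASCII. The following detector is an added example written for this page, not code from the book; the length threshold and the constructed sample sessions (a run of 'A's plus a few high bytes as a payload stand-in, no real shellcode) are assumptions.

```python
"""Flag FTP command lines whose argument looks like a stack-overflow payload.

Added example (not from the book).  The exploit layout above sends the
payload as the argument of a single RETR line, framed by CRLF on both sides,
because a carriage return inside the payload would end the command early.
A detector can lean on exactly that framing.
"""

# Threshold is an assumption for this example; RFC 959 sets no hard limit,
# but real filenames on an anonymous ftp server are nowhere near this long.
MAX_ARG_LEN = 255
PRINTABLE = set(range(0x20, 0x7F))  # space through tilde


def parse_commands(stream: bytes):
    """Split a client-to-server FTP byte stream into (verb, argument) pairs.

    Commands are CRLF-delimited.  A trailing unterminated fragment is kept so
    a truncated capture still yields its last command.
    """
    commands = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        commands.append((verb.upper(), arg))
    return commands


def suspicious(verb: bytes, arg: bytes):
    """Return the reasons (possibly none) a single command looks like an overflow attempt."""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"{verb.decode(errors='replace')} argument length {len(arg)} > {MAX_ARG_LEN}")
    non_printable = sum(1 for b in arg if b not in PRINTABLE)
    if non_printable:
        reasons.append(f"{verb.decode(errors='replace')} argument contains {non_printable} non-printable bytes")
    return reasons


def scan_session(stream: bytes):
    """Run every command in a session through suspicious() and collect the alerts."""
    alerts = []
    for verb, arg in parse_commands(stream):
        alerts.extend(suspicious(verb, arg))
    return alerts


# Constructed sample sessions, not captured traffic.
BENIGN_SESSION = b"USER anonymous\r\nPASS guest@\r\nRETR readme.txt\r\nQUIT\r\n"

# Payload stand-in framed exactly like the layout above: protocol elements
# before and after, and no CR/LF inside the RETR argument.
OVERFLOW_SESSION = (
    b"USER anonymous\r\nPASS guest@\r\nRETR "
    + b"A" * 600 + b"\x90\xcc\xff"
    + b"\r\nQUIT\r\n"
)

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("overflow", OVERFLOW_SESSION)):
        print(name, scan_session(session) or "no alerts")
```

Splitting on CRLF before inspecting arguments mirrors how the server itself frames commands, so the check sees the payload as one unit rather than as scattered bytes; the length check catches a plain overflow, and the printable-range check catches the machine code that usually follows the padding.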
Buffer Orientation Problems
To effect a buffer overflow exploit, a buffer is overflowed and control information
beyond the end of the buffer is modified to cause the program to transfer control to a
user-supplied payload. In many cases other program variables may lie between the vulnerable
buffer and the control structures we need to manipulate. In fact, current versions
of gcc intentionally reorder stack buffers to place non-array variables between any stack-allocated
buffers and the saved return address.