void badCode(int x) {
char buf[256];
int i, j;
//body of badCode here
}
; generated assembly prologue for badCode
badCode:
push ebp
mov ebp, esp
sub esp, 264
Here the instruction that subtracts 264 from esp allocates stack space for the 256-byte
buffer and the two 4-byte integers i and j. All references to [ebp-256] refer to the start of
buf, which occupies the 256 bytes immediately below the saved ebp; i and j occupy the 8 bytes
below buf. If an attacker discovers a vulnerability leading to an overflow of the 256-byte
buffer, she can develop an exploit that copies at least 264 bytes into buf (256 bytes to fill
buf, 4 bytes to overwrite the saved ebp value, and an additional 4 bytes to control the saved
return address) and gain control of the vulnerable application.
Figure 19-3 shows the stack frame associated with the badCode function.
Mutating this application is a simple matter of modifying the stack layout so that the
distance from the start of the buffer to the saved return address is something other than
what the attacker expects. In the layout above that distance is exactly 260 bytes (256 bytes
of buf plus the 4-byte saved ebp), so we would like to move buf in some way that puts it more
than 260 bytes away from the saved return address. This is a simple two-step process. The
first step is to make badCode request more stack space, which is accomplished by modifying
the constant that is subtracted from esp in the prologue.
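The following program is an added example, not code from the book, that models the frame layout discussed above and the effect of enlarging it. It represents the frame as a byte array indexed by offset from ebp (so no real memory is corrupted), seeds the saved ebp and return address slots with constructed sentinel values, and replays an unchecked 264-byte copy against two layouts: the original one (sub esp, 264 with buf at [ebp-256]) and an assumed mutated one in which 16 extra bytes are requested and placed between buf and the saved ebp, moving buf to [ebp-272]. The 16-byte pad, the sentinel values and the 0x41414141 target are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the 32-bit frame built by the prologue in the text:
 *     push ebp
 *     mov  ebp, esp
 *     sub  esp, FRAME
 * Every location is an offset from ebp: locals are negative, the saved ebp
 * sits at 0 and the saved return address at +4. */
typedef struct {
    int frame_bytes;   /* constant subtracted from esp in the prologue */
    int buf_off;       /* offset of buf[0] from ebp, e.g. -256 */
} frame_t;

#define SAVED_EBP_OFF  0
#define RET_OFF        4
#define RET_SENTINEL   0x080484F0u   /* constructed "legitimate" return address */

/* Layout from the text: 264 = 256 (buf) + 4 (i) + 4 (j), buf at [ebp-256]. */
const frame_t ORIGINAL_FRAME = { 264, -256 };
/* Assumed mutation: 16 extra bytes requested and placed between buf and the
 * saved ebp, so buf moves to [ebp-272] and the frame becomes 280 bytes. */
const frame_t MUTATED_FRAME  = { 280, -272 };

/* Distance from buf[0] to the first byte of the return address (260 originally). */
int buf_to_ret_distance(const frame_t *f) {
    return RET_OFF - f->buf_off;
}

/* Bytes from buf[0] through the last byte of the return address, i.e. the
 * minimum an attacker must copy to control EIP (264 originally). */
int bytes_to_control_ret(const frame_t *f) {
    return RET_OFF + 4 - f->buf_off;
}

/* Simulated memory image covering [ebp - frame_bytes, ebp + 8). */
typedef struct {
    frame_t  f;
    size_t   size;
    uint8_t *mem;      /* mem[0] is the byte at ebp - frame_bytes */
} image_t;

static size_t at(const image_t *im, int ebp_rel) {
    return (size_t)(ebp_rel + im->f.frame_bytes);
}

static image_t image_new(frame_t f) {
    image_t im = { f, (size_t)f.frame_bytes + 8, NULL };
    im.mem = calloc(im.size, 1);
    uint32_t ebp = 0xBFFFF000u, ret = RET_SENTINEL;   /* constructed values */
    memcpy(im.mem + at(&im, SAVED_EBP_OFF), &ebp, 4);
    memcpy(im.mem + at(&im, RET_OFF), &ret, 4);
    return im;
}

static uint32_t read_u32(const image_t *im, int ebp_rel) {
    uint32_t v;
    memcpy(&v, im->mem + at(im, ebp_rel), 4);
    return v;
}

/* The vulnerability: a copy into buf with no bounds check. It is clamped to
 * the image only so the model stays in bounds; a real process would keep
 * writing into the caller's frame. */
static void unchecked_copy(image_t *im, const uint8_t *src, size_t n) {
    size_t start = at(im, im->f.buf_off);
    if (start + n > im->size) n = im->size - start;
    memcpy(im->mem + start, src, n);
}

/* Payload built against the layout the attacker expects: filler up to the
 * return address slot, then the 4-byte value she wants loaded into EIP. */
static uint8_t *build_payload(size_t n, int expected_ret_dist, uint32_t target_eip) {
    uint8_t *p = malloc(n);
    memset(p, 'A', n);
    if (n >= (size_t)expected_ret_dist + 4)
        memcpy(p + expected_ret_dist, &target_eip, 4);
    return p;
}

/* Replay the overflow against frame f using a payload laid out for the
 * ORIGINAL frame, and return what ends up in the return address slot. */
uint32_t ret_after_overflow(frame_t f, size_t payload_len, uint32_t target_eip) {
    image_t im = image_new(f);
    uint8_t *p = build_payload(payload_len,
                               buf_to_ret_distance(&ORIGINAL_FRAME), target_eip);
    unchecked_copy(&im, p, payload_len);
    uint32_t ret = read_u32(&im, RET_OFF);
    free(p);
    free(im.mem);
    return ret;
}

int main(void) {
    uint32_t want = 0x41414141u;
    printf("original: %d bytes reach ret, ret after 264-byte copy = 0x%08x\n",
           bytes_to_control_ret(&ORIGINAL_FRAME),
           ret_after_overflow(ORIGINAL_FRAME, 264, want));
    printf("mutated : %d bytes reach ret, ret after 264-byte copy = 0x%08x\n",
           bytes_to_control_ret(&MUTATED_FRAME),
           ret_after_overflow(MUTATED_FRAME, 264, want));
    return 0;
}
```

Against the original frame the 264-byte copy lands the chosen value in the return address slot; against the mutated frame the same payload stops 16 bytes short of the saved ebp, so the return address keeps its original value and the exploit written for the unmodified binary fails. The model only tracks where bytes land, not what the corrupted i and j do to the program afterwards.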