Thread: small buffer overflows

  1. #1
    Just burned his ISO
    Join Date
    Sep 2011
    Posts
    3

    small buffer overflows

    Hello Guys,


    Can someone please clarify why small buffer overflows are more difficult to exploit? I have seen this statement quoted in many books. I can understand that the classic scheme of

    NOP | SHELLCODE | RETURN ADDRESS

    may not work since it could overwrite the ret of the stack with NOPs or the shellcode...

    but if we use this scheme:

    RETURN ADDRESS | NOP | SHELLCODE

    we don't have to care about the size of the buffer since in this way we are trying to overwrite the ret of the stack with a return address hopefully inside the "NOP window".



    TIA
    Chris

  2. #2
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Re: small buffer overflows

    Um. Just curious about a few things, could be way off though. First: Isn't the point of the nop sled to make sure that we have some sort of leeway calculating the relative memory address? So what's the point of putting the ret first if we can't get the exact memory address to write to? Second: The heap goes up toward the stack. How can we write shellcode inside of the stack? The overflow works like this: (excuse my lame ASCII art.)

    Your way: Address -> nop sled -> shell code
    My way: nop sled -> shellcode -> address
    heap<-------------------------> stack
    heap vars-------><----------stack states

    So my question for you is how can we get the stack to return to the address we want if we've overwritten it with gibberish? The stack frame is only there to return to the address we want. I've overwritten it with another address, you've done it with shell code.
    If this answers your question, great. If not, then as long as I'm misunderstanding what you're asking, or what the mechanics of the overflow are, please clarify so that maybe I can.
    Last edited by ShadowMaster; 09-23-2011 at 05:15 PM.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  3. #3
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Re: small buffer overflows

    Quote Originally Posted by coyoteugly
    Hello Guys,


    Can someone please clarify why small buffer overflows are more difficult to exploit? I have seen this statement quoted in many books. I can understand that the classic scheme of

    NOP | SHELLCODE | RETURN ADDRESS

    may not work since it could overwrite the ret of the stack with NOPs or the shellcode...

    but if we use this scheme:

    RETURN ADDRESS | NOP | SHELLCODE

    we don't have to care about the size of the buffer since in this way we are trying to overwrite the ret of the stack with a return address hopefully inside the "NOP window".



    TIA
    Chris
    Small buffers are potentially more difficult because there is a lot less room for your shellcode. Useful shellcode won't fit inside a small buffer.

    NOPs are used during the return right before your shellcode gets run. The reason we use NOPs is because we may not always return on the exact address every time. This just gives us a small buffer in case things don't go as planned.

    @ShadowMaster

    If you're using a basic buffer overflow your shellcode is most likely in the stack not the heap.

    @Everyone

    Check these out:
    https://www.corelan.be/index.php/200...sed-overflows/
    The Grey Corner: Simple Stack Based Buffer Overflow Tutorial for Vulnserver
    Last edited by hhmatt; 09-23-2011 at 09:44 PM.
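The defender's side of the "small buffer" question, as an added example that is not from the thread or the linked blogs: the length of the overflow is decided by the unchecked copy, not by how much room the buffer has, so the fix is a size check that works for an 8-byte buffer exactly as it does for a large one. The 8-byte size and the input strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: an 8-byte stack buffer, the kind of "small buffer"
 * the thread is about. Bytes written past it land on whatever the compiler
 * placed after it in the frame, eventually the saved return address. */
#define BUF_SIZE 8

/* Vulnerable form: strcpy() never looks at the destination size, so the
 * caller's input length decides how far past 'buf' the write goes.
 * Shown only for comparison; it is never called with long input here. */
void copy_unchecked(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);           /* no bound: overflows if strlen(input) >= 8 */
    (void)buf;
}

/* Hardened form: the destination size is checked before a single byte is
 * copied, and an oversized input is reported instead of silently truncated.
 * Returns 0 on success, -1 if input (plus its NUL) does not fit in dst. */
int copy_checked(char *dst, size_t dst_size, const char *input)
{
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size)
        return -1;                /* refuse rather than overflow */
    memcpy(dst, input, len + 1);  /* also copies the terminating NUL */
    return 0;
}

/* Same 8-byte frame as the vulnerable version, so the two compare directly:
 * returns 0 if the copy was accepted, -1 if it was refused. */
int handle_input(const char *input)
{
    char buf[BUF_SIZE];
    return copy_checked(buf, sizeof buf, input);
}

int main(void)
{
    /* Constructed inputs: 7 chars fit (7 + NUL = 8); 8 or more do not. */
    printf("%d\n", handle_input("1234567"));   /* 0  */
    printf("%d\n", handle_input("12345678"));  /* -1 */
    return 0;
}
```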

  4. #4
    Just burned his ISO
    Join Date
    Sep 2011
    Posts
    3

    Re: small buffer overflows

    Sorry for the late reply, I just thought that my message would never be posted...

    I have found many good people that readily try to help me but still no one has answered my question. I don't know, maybe I am just not writing my thoughts clearly.


    @shadowmaster

    The scheme

    NOP | shellcode | return address (1)

    is correct. But it can be used only when the buffer that will be overflowed is large enough to fit the shellcode. It is easy to understand that.

    My question was that if we use the scheme

    return address | NOP | shellcode (2)

    you just don't have to worry about the shellcode size. Even if the buffer is 1 byte, you just don't care. Overflow the buffer with a return address that hopefully points to an address where the NOPs are located.


    I have read in so many books, and even in Aleph One's "Smashing the Stack for Fun and Profit", that when the buffer is too small to fit a shellcode, then use an environment variable to create the scheme of (1). I tend to believe that this statement is wrong.
    Last edited by coyoteugly; 09-26-2011 at 08:37 AM.

  5. #5
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Re: small buffer overflows

    Quote Originally Posted by coyoteugly
    Sorry for the late reply, I just thought that my message would never be posted...

    I have found many good people that readily try to help me but still no one has answered my question. I don't know, maybe I am just not writing my thoughts clearly.


    @shadowmaster

    The scheme

    NOP | shellcode | return address (1)

    is correct. But it can be used only when the buffer that will be overflowed is large enough to fit the shellcode. It is easy to understand that.

    My question was that if we use the scheme

    return address | NOP | shellcode (2)

    you just don't have to worry about the shellcode size. Even if the buffer is 1 byte, you just don't care. Overflow the buffer with a return address that hopefully points to an address where the NOPs are located.


    I have read in so many books, and even in Aleph One's "Smashing the Stack for Fun and Profit", that when the buffer is too small to fit a shellcode, then use an environment variable to create the scheme of (1). I tend to believe that this statement is wrong.
    This is how we handle too little buffer space.

    https://www.corelan.be/index.php/201...2-egg-hunting/

    Which is why they said it was harder but not impossible.
    Seriously, go through those blogs I posted and do the exploits; you will learn a lot.

  6. #6
    Just burned his ISO
    Join Date
    Sep 2011
    Posts
    3

    Re: small buffer overflows

    Thanks hhmatt... I will do my homework and come back for further questions!

  7. #7
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Re: small buffer overflows

    Quote Originally Posted by coyoteugly
    Sorry for the late reply, I just thought that my message would never be posted...

    I have found many good people that readily try to help me but still no one has answered my question. I don't know, maybe I am just not writing my thoughts clearly.


    @shadowmaster

    The scheme

    NOP | shellcode | return address (1)

    is correct. But it can be used only when the buffer that will be overflowed is large enough to fit the shellcode. It is easy to understand that.

    My question was that if we use the scheme

    return address | NOP | shellcode (2)

    you just don't have to worry about the shellcode size. Even if the buffer is 1 byte, you just don't care. Overflow the buffer with a return address that hopefully points to an address where the NOPs are located.


    I have read in so many books, and even in Aleph One's "Smashing the Stack for Fun and Profit", that when the buffer is too small to fit a shellcode, then use an environment variable to create the scheme of (1). I tend to believe that this statement is wrong.
    Ok. I understand now. That sounds good. But have you actually tried it? If you've tried it and it worked, then just use and forget what people say. If it doesn't work then that's why we don't use it.

  8. #8
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Re: small buffer overflows

    Quote Originally Posted by coyoteugly
    Hello Guys,


    Can someone please clarify why small buffer overflows are more difficult to exploit? I have seen this statement quoted in many books. I can understand that the classic scheme of

    NOP | SHELLCODE | RETURN ADDRESS

    may not work since it could overwrite the ret of the stack with NOPs or the shellcode...

    but if we use this scheme:

    RETURN ADDRESS | NOP | SHELLCODE

    we don't have to care about the size of the buffer since in this way we are trying to overwrite the ret of the stack with a return address hopefully inside the "NOP window".



    TIA
    Chris
    @moderators: I know I'm double posting, but I needed to bump this thread up to the top so people can correct my mistakes. I don't know if it does that for an edit.

    @coyote
    I did my research, and it turns out that the scheme you described is used in at least two cases. The most useful is when you have ASLR protection, or you need to use self-writing shell code. Either way, when you overwrite the buffer, you use your scheme. That being the case, if you do that regularly, then I see no reason why it should not work, except if you plan on returning control to the program after the exploit. Then if you use your scheme you're pretty much screwed because EIP, ESP and all the other registers have been mangled beyond repair. Good luck though. As a one-time exploit you're fine though.
    Last edited by ShadowMaster; 10-25-2011 at 12:49 PM. Reason: Egregious error!