I am a bit confused in the idea of code injection in C. If somebody could explain it and show how its done I would appreciate it.
So lets say in C you have some Char array of size 512 which is being written to the contents of a socket of length 1024, and that char array now holds some sort of code but only half of what was written.
How is the malicious code executed in a buffer overflow, I think I am confused on the process structure(stack, heap, data, text).
The general trick has to do with how the program's code and variables are layed out in memory. For example, when a function is called the program (code inserted by the compiler) must store the address of the instruction to return to. So if this is the 32 bit word just before the beginning of the stack, one could do:
void foo()
{
int array[5];
int var = 0;
int var2 = 0;
// read in user input
printf("Enter index and value to write:");
scanf("%i", var);
scanf("%i", var2);
// malicious user might set var to -1 and var2 to an address to execute
// if say the 32-bit value before the stack variables is the instruction to
// return to
array[var] = var2
// return now goes to malicious code
}
(So your job is to construct code so that such a thing is not possible. :) )
The rules for how a function call is implemented, stack variables allocated, values passed, and return values returned back is called the calling convention. I reccomend reading the attached article for a good indepth coverage of C calling conventionts.
If you allocate a buffer on the stack, and it overflows, it writes onto the stack. The stack contains the return pointer for the function that allocated the buffer. So, if you overflow a buffer on the stack, you can set the return pointer to something arbitrary; thereby giving you control of the thread of execution.
As to actually injecting the code, that depends. The stack - or rather, the page containing it - is often set not to allow code execution; but historically it would have been possible to store small malicious programs in the buffer itself on the stack. Return oriented programming is a fairly new variant of the return-to-libc attack, both of which work around NX bits.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With