What does this famous article mean - "Smashing the stack for fun and profit"?
I was reading this famous article: Aleph One - Smashing The Stack For Fun And Profit and I have no idea how stack canaries/NX support/ASLR can avoid an attack like that. I'll try to explain me better. Stricly speaking:
stack canaries: random values before RET NX support: no x flag for stack (and heap) ASLR: address space randomization Considering this example: example3.c:
void function(int a, int b, int c) {
char buffer1[5];
char buffer2[10];
int *ret;
ret = buffer1 + 12;
(*ret) += 8;
}
void main() {
int x;
x = 0;
function(1,2,3);
x = 1;
printf("%dn",x);
}
In this case:
Stack canaries are bypassed (i change only the RET value)
NX support: useless
ASLR: useless (i bypass the instruction x = 1 adding an offset)
I don't understand how the remediations above can avoid an example like that.
The holy grail of smashing the stack for fun and profit is to gain control of a pointer so that you can point it at the malicious code to be executed. There has to be an overflow in the program itself that is being exploited. In this example3.c the return can easily be controlled because it is a carefully crafted program. It's a proof of concept of how to overflow a vulnerable buffer to gain control of a pointer, in this case, the return pointer. In a real exploit somehow the malicious program to be run needs to get loaded into executable memory and the instruction pointer has to be pointed at it. The reasons the protections you mentioned cause real-world difficulties:
Find a buffer overflow in the program, can't just write one in there. Say we found one, but there are Stackguard-style canaries between the stack buffers and any other stack frame data, like the return address. Find and perfectly write over the stack canaries when overflowing it so they are unaltered, and hope the return address hasn't been saved somewhere else StackShield style by the program we're trying to get all over, and the stack hasn't been shuffled. Heroically we have a controllable pointer.
We manage to get the malicious program loaded into memory also, where is it? ASLR - Designed to randomize the executable, brk()-managed heap, library images, mmap()-managed heap, user space stack and kernel space stack. That's unfortunate, and tracking libraries and mapping memory is difficult (Unless you're an artist), so we get it on the stack or heap, which is easiest anyway. We get it there, get the pointer on it, but then Non-executable memory pages prevent its execution. Return-to-library exploits, like the one I linked above, were developed because libraries are necessarily executable and present.