tags:

views:

296

answers:

3
+4  Q: 

For buffer overflows, what is the stack address when using pthreads?

I'm taking a class in computer security and there is an extra credit assignment to insert executable code into a buffer overflow. I have the c source code for the target program I'm trying to manipulate, and I've gotten to the point where I can successfully overwrite the eip for the current function stack frame. However, I always get a Segmentation fault, because the address I supply is always wrong. The problem is that the current function is inside a pthread, and therefore, the address of the stack seems to always change between different runs of the program. Is there any method for finding the stack address within a pthread (or for estimating the stack address within a pthread)? (note: pthread_create's 2nd argument is null, so we're not manually assigning a stack address)

A: 

Without knowing more about the application it's a little hard to know, but the first thing that comes to mind is heap spraying.

torak  2010-03-08 16:42:02
+7  A: 
jschmier  2010-03-08 16:49:36
I was actually reading that article. I'll have to study it again, but wasn't that quote referring to obtaining the address of "/bin/sh", inside the buffer? Don't we still have to overwrite the eip so that it points to the initial jump instruction?
t2k32316  2010-03-08 23:02:29
The example that the excerpt is building up to overflows a character buffer using `strcpy()`. The overflow overwrites the return address (saved IP) on the stack so that it points back to a JMP instruction inside the buffer. The JMP instruction jumps to the CALL instruction which calls the `execve()` of `/bin/sh`, which has all been copied into the buffer as shellcode. The article later suggests padding the front of the overflow buffer with NOP instructions so the return address only need to point somewhere in the NOPs.
jschmier  2010-03-09 15:37:17
Thanks, jschmier, for all your responses. My TA mentioned that by using pthreads, the program is effectively performing stack randomization as a prevention technique against buffer overflows. The method of JMP and CALL instructions only works once the return address has been changed to point to my code in the buffer. However, since the program is using pthreads, I don't know what memory address to use to overwrite the return address.
t2k32316  2010-03-10 18:46:30
A: 

In addition to my previous answer, you may also want to read the following:

The following article focuses more on heap overflows:

jschmier  2010-03-09 15:57:14

related questions

any good tool for makefile generation?
How do you pass a function as a parameter in C?
Where should a veteran C programmer start in order to master Java ?
Any good book on best practice and guidelines in developing a SDK in C?
How do you determine the size of a file in C?
Decoding printf statements in C (Printf Primer)
Shift operator in C
How to avoid redefining VERSION, PACKAGE, etc.
Alpha blending sprites in Nintendo DS Homebrew
When should I use type abstraction in embedded systems
How to implement continuations?
What are the barriers to understanding pointers and what can be done to overcome them?
Anyone have experience creating a shared library in MATLAB?
String.indexOf function in C
Passing multidimensional arrays as function arguments in C
C/C++ library for reading MIDI signals from a USB MIDI device
Choosing a static code analysis tool
How do you printf an unsigned long long int?
Good STL-like library for C.
Rockbox audio format
Why am I getting a malloc: double free error with realloc()?
Should I learn C?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS