views: 296
answers: 3

I'm taking a class in computer security and there is an extra credit assignment to insert executable code into a buffer overflow. I have the C source code for the target program I'm trying to manipulate, and I've gotten to the point where I can successfully overwrite the EIP for the current function's stack frame. However, I always get a segmentation fault, because the address I supply is always wrong. The problem is that the current function is inside a pthread, and therefore the address of the stack seems to change between different runs of the program. Is there any method for finding the stack address within a pthread (or for estimating the stack address within a pthread)? (Note: pthread_create's second argument is NULL, so we're not manually assigning a stack address.)

A: 

Without knowing more about the application it's a little hard to know, but the first thing that comes to mind is heap spraying.

torak
+7  A: 
jschmier
I was actually reading that article. I'll have to study it again, but wasn't that quote referring to obtaining the address of "/bin/sh" inside the buffer? Don't we still have to overwrite the EIP so that it points to the initial jump instruction?
t2k32316
The example that the excerpt is building up to overflows a character buffer using `strcpy()`. The overflow overwrites the return address (saved IP) on the stack so that it points back to a JMP instruction inside the buffer. The JMP instruction jumps to the CALL instruction, which calls the `execve()` of `/bin/sh`, all of which has been copied into the buffer as shellcode. The article later suggests padding the front of the overflow buffer with NOP instructions so the return address only needs to point somewhere in the NOPs.
jschmier
Thanks, jschmier, for all your responses. My TA mentioned that by using pthreads, the program is effectively performing stack randomization as a prevention technique against buffer overflows. The method of JMP and CALL instructions only works once the return address has been changed to point to my code in the buffer. However, since the program is using pthreads, I don't know what memory address to use to overwrite the return address.
t2k32316
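The defect jschmier describes above, an unbounded `strcpy()` into a fixed-size stack buffer, is what makes the saved return address reachable in the first place; the randomized thread stack only makes the resulting crash unpredictable rather than removing the bug. The following is an added example, not code from the question or the answers, showing a hypothetical request handler in its vulnerable form next to a hardened form that bounds the copy by the destination size and rejects over-long input. Names (`handle_name_unsafe`, `handle_name_safe`, `copy_bounded`, `NAME_MAX`) and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* constructed buffer size for the example */

/* Vulnerable form (constructed for illustration): strcpy() copies until it
 * finds a NUL in src, so any source of NAME_MAX bytes or more overruns `name`
 * and whatever sits above it in the frame, including the saved return
 * address. Only ever call this with input shorter than NAME_MAX. */
int handle_name_unsafe(const char *src)
{
    char name[NAME_MAX];
    strcpy(name, src);              /* no bounds check: the defect under discussion */
    return (int)strlen(name);       /* length of what was copied */
}

/* Generic bounded copy: returns the copied length, or -1 if src (with its
 * terminating NUL) does not fit in dst. memchr() never scans past dstsz, so
 * an unterminated or over-long source cannot cause a write past dst. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);   /* NUL within dstsz bytes? */
    if (end == NULL)
        return -1;                                /* would overflow: reject */
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);                      /* exactly n bytes plus NUL */
    return (int)n;
}

/* Hardened form: same stack buffer, but the copy is bounded and over-long
 * input is refused instead of silently corrupting the frame. */
int handle_name_safe(const char *src)
{
    char name[NAME_MAX];
    return copy_bounded(name, sizeof name, src);
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would overflow. */
    const char *ok  = "alice";
    const char *bad = "this name is far too long for the buffer";

    printf("safe(\"%s\") -> %d\n", ok, handle_name_safe(ok));
    printf("safe(long)   -> %d (rejected)\n", handle_name_safe(bad));
    /* handle_name_unsafe(bad) is deliberately not called: it would corrupt the stack. */
    return 0;
}
```

Compiling the hardened build with `-fstack-protector-all` (and leaving the stack non-executable, which the linker does by default unless `-z execstack` is given) turns any remaining overflow into an immediate abort with a "stack smashing detected" message rather than a silent control-flow hijack; that abort, together with the rejected-input return value, is also the signal a defender wants logged.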
A: 

In addition to my previous answer, you may also want to read the following:

The following article focuses more on heap overflows:

jschmier