hi guys
i have been reading few articles about shell code and buffer over flow.it seems the for the most part shell code is possible because the EIP blindly execute any address that is stored in it (with in the process address space). why cant we have hardware measures or software measure applied that will only limit the EIP to point to the text area where the code lies if its not possible may i know why
thankz
need sum explanation abt shell code
Forum rules
Older HTS users: Be nice to the new people.
NEW USERS: This is NOT the place to post about missions! Refer to "Missions" category.
Older HTS users: Be nice to the new people.
NEW USERS: This is NOT the place to post about missions! Refer to "Missions" category.
2 posts • Page 1 of 1
need sum explanation abt shell code
by nirVaan on Sat May 24, 2008 3:34 am
([msg=3132]see need sum explanation abt shell code[/msg])
- nirVaan
- New User
- Posts: 2
- Joined: Sat May 24, 2008 12:38 am
- Blog: View Blog (0)
Re: need sum explanation abt shell code
by int3grate on Thu May 29, 2008 4:11 pm
([msg=3532]see Re: need sum explanation abt shell code[/msg])
There is. Most (updated) operating system implement a feature known as a "non executable" stack. This means that code can not be executed that is located on the stack.
This still doesn't stop an attacker from being able to execute code after performing a stack overflow. A commonly used method of getting around "non-executable" stack is to instead call code located elsewhere on the system. An attack known as a "Return to libc" attack will allow an attacker to fill the stack with arguments to a function, and set the EIP to a c library function loaded elsewhere in memory. This allows an attacker to bypass the protection provided by a "non-executable" stack. You can find out more information about this here: http://en.wikipedia.org/wiki/Return-to-libc_attack
Also available in Windows Vista and in the latest versions of the Linux Kernel is a feature called ASLR, or "Address Space Layout Randomization". This means that when the operating system loads things in memory, it puts them in random places, so it is very hard to determine what memory address your shell code will be stored at, or where a shared library (such as those needed for a return to libc attack) will be stored at. So the only way to attack these systems is either by brute force guessing, or using some type of information leak (like from a format string bug vulnerability) to find the correct memory address. There are also several ways (based on the way things must be stored) to limit your search space, so you don't have to spend forever trying to brute force, but it still is a very effective method of protection. You can learn more about ASLR here: http://en.wikipedia.org/wiki/ASLR
A good book that will explain all of these issues in detail, that I highly recommend is the "The Shellcoder's Handbook: Discovering and Exploiting Security Holes". You can get it on Amazon for about $30. http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/
Very good question BTW.
Int3grate
This still doesn't stop an attacker from being able to execute code after performing a stack overflow. A commonly used method of getting around "non-executable" stack is to instead call code located elsewhere on the system. An attack known as a "Return to libc" attack will allow an attacker to fill the stack with arguments to a function, and set the EIP to a c library function loaded elsewhere in memory. This allows an attacker to bypass the protection provided by a "non-executable" stack. You can find out more information about this here: http://en.wikipedia.org/wiki/Return-to-libc_attack
Also available in Windows Vista and in the latest versions of the Linux Kernel is a feature called ASLR, or "Address Space Layout Randomization". This means that when the operating system loads things in memory, it puts them in random places, so it is very hard to determine what memory address your shell code will be stored at, or where a shared library (such as those needed for a return to libc attack) will be stored at. So the only way to attack these systems is either by brute force guessing, or using some type of information leak (like from a format string bug vulnerability) to find the correct memory address. There are also several ways (based on the way things must be stored) to limit your search space, so you don't have to spend forever trying to brute force, but it still is a very effective method of protection. You can learn more about ASLR here: http://en.wikipedia.org/wiki/ASLR
A good book that will explain all of these issues in detail, that I highly recommend is the "The Shellcoder's Handbook: Discovering and Exploiting Security Holes". You can get it on Amazon for about $30. http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/
Very good question BTW.
Int3grate
- int3grate
- New User
- Posts: 38
- Joined: Tue May 27, 2008 7:54 pm
- Blog: View Blog (0)
2 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests