
COMPSCI 390R

Buffer Overflows & Stack Exploits


Topics to Cover:
1. Project 1 due 2/28 at midnight
   I’m hosting office hours today, 4:30-6pm LGRT 212
2. Homework 2 releasing today
   Due in 1 week

Recap of what we’ve learned so far:
1. CS 230 Review
   a) ELF file structure
   b) x86-64 ASM
2. Reverse Engineering w/ Ghidra
3. Code Auditing
   a) Integer overflows/underflows
   b) Type conversion
   c) Sizeof errors

Recap of what we’ve learned so far:
So far we’ve found a lot of ways to corrupt the stack memory, but what can we actually do with that?

Segmentation faults cause crashes, but that doesn’t get us much besides a Denial of Service attack; we want more.
• Denial of Service attacks are still important to report: 1836 CVEs were DoS attacks in 2021, making up 16.3% of all attacks
Let's Get Hacking!
Corrupting the Stack:

Let’s examine our code
1. Setup stack frame
2. Initialize overflow_me
3. Call gets function
4. Everything looks ok!

Stack (--8 bytes wide--, highest address at the top) after gets has read 32 bytes:

  Saved Ret Addr
  Saved Base Ptr        <- RBP
  0                     <- overflow_me
  (empty slot)
  DDDDDDDD
  CCCCCCCC
  BBBBBBBB
  AAAAAAAA              <- RSP

What if we wanted to give more input?

  Saved Ret Addr
  Saved Base Ptr        <- RBP
  FFFFFFFF              <- overflow_me
  EEEEEEEE
  DDDDDDDD
  CCCCCCCC
  BBBBBBBB
  AAAAAAAA              <- RSP

What if we wanted to give even more input!

  HHHHHHHH              (Saved Ret Addr)
  GGGGGGGG              (Saved Base Ptr) <- RBP
  FFFFFFFF              <- overflow_me
  EEEEEEEE
  DDDDDDDD
  CCCCCCCC
  BBBBBBBB
  AAAAAAAA              <- RSP
So we crashed the program…
• Overwriting the return address and base pointer messes up the execution of the rest of the program
• The base pointer is important because we index local variables with it
• A corrupted return address means we’ll jump to an invalid location after we’re done with main (the program doesn’t end after main; it still needs to clean up some stuff)

Can we fix this?


New Program!

Stack (--8 bytes wide--):

  Saved Ret Addr
  Saved Base Ptr        <- RBP

                        <- RSP

Just like before we can corrupt the memory and saved values and crash the program.

How do we get to the win function though?
Let’s look into memory:

Since our programs don’t have mitigations on them, they are loaded into predictable memory ranges.

If we disassemble main and win in gdb, we can get the location in memory they are put into during every execution.
Our New Exploit:
1. Fill the stack until we reach the base pointer
2. Overwrite the base pointer (doesn’t really matter what the value is)
3. Set the return address to our intended destination (win offset)
4. Run the program and you win!

Stack (--8 bytes wide--) after the input:

  win addr              (Saved Ret Addr)
  BBBBBBBB              (Saved Base Ptr) <- RBP
  AAAAAAAA
  AAAA
  AAAAAAAA
  AAAAAAAA
  AAAAAAAA              <- RSP
Things to Note:
• You can jump to anywhere in the program
• It doesn’t have to be the start of a function; you can jump to the middle to skip certain parts, or even jump to data

• The order of variables on the stack matters!

• If the buffer came first on the stack, since we can only write upward (toward higher addresses), we are unable to change local variables below it
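The frame drawn on the "Corrupting the Stack" slides and the ordering point above, as an added example that is not part of the lecture slides. It models the frame as a struct (lowest address first) so the unchecked copy is a deterministic, in-bounds memcpy instead of a real stack smash, and compares it with the bounded copy a fixed program would use. The layout (32-byte buffer, one unnamed 8-byte slot, overflow_me, saved base pointer, saved return address), the sentinel values and the A..H input are all assumptions taken from the 8-byte-wide diagram, not from a compiled binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame from the slides, lowest address first. The layout is
 * an assumption taken from the diagram, not measured from a real binary. */
struct frame_model {
    char     buffer[32];      /* AAAAAAAA..DDDDDDDD  <- RSP */
    uint64_t slot;            /* EEEEEEEE lands here */
    uint64_t overflow_me;     /* FFFFFFFF, initialised to 0 */
    uint64_t saved_base_ptr;  /* GGGGGGGG            <- RBP */
    uint64_t saved_ret_addr;  /* HHHHHHHH */
};

/* Constructed sentinel values standing in for the real saved registers. */
#define SENTINEL_BP  0x1111111111111111ULL
#define SENTINEL_RET 0x2222222222222222ULL

/* Constructed input: eight 8-byte rows, exactly the size of the model. */
static const char INPUT[] =
    "AAAAAAAA" "BBBBBBBB" "CCCCCCCC" "DDDDDDDD"
    "EEEEEEEE" "FFFFFFFF" "GGGGGGGG" "HHHHHHHH";

static void init_frame(struct frame_model *f) {
    memset(f, 0, sizeof *f);
    f->saved_base_ptr = SENTINEL_BP;
    f->saved_ret_addr = SENTINEL_RET;
}

/* Unchecked copy, the way gets() treats the buffer: it stops only when the
 * input ends. Capped at the model size so this demo itself stays in bounds. */
static void read_like_gets(struct frame_model *f, const char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* Bounded copy, the way fgets(buffer, sizeof buffer, stdin) treats it:
 * at most sizeof buffer - 1 bytes plus a terminator, never beyond. */
static void read_like_fgets(struct frame_model *f, const char *in, size_t len) {
    size_t n = len < sizeof f->buffer - 1 ? len : sizeof f->buffer - 1;
    memcpy(f->buffer, in, n);
    f->buffer[n] = '\0';
}

/* Highest slot an unchecked copy of the first `len` input bytes reaches:
 * 0 buffer only, 1 unnamed slot, 2 overflow_me, 3 saved base pointer,
 * 4 saved return address. */
int unchecked_reach(size_t len) {
    struct frame_model f;
    init_frame(&f);
    read_like_gets(&f, INPUT, len);
    if (f.saved_ret_addr != SENTINEL_RET) return 4;
    if (f.saved_base_ptr != SENTINEL_BP)  return 3;
    if (f.overflow_me != 0)               return 2;
    if (f.slot != 0)                      return 1;
    return 0;
}

/* Same input through the bounded reader: 1 if every slot above the buffer
 * kept its value, 0 otherwise. */
int bounded_keeps_frame(size_t len) {
    struct frame_model f;
    init_frame(&f);
    read_like_fgets(&f, INPUT, len);
    return f.slot == 0 && f.overflow_me == 0 &&
           f.saved_base_ptr == SENTINEL_BP && f.saved_ret_addr == SENTINEL_RET;
}

int main(void) {
    static const char *names[] = { "buffer only", "unnamed slot", "overflow_me",
                                   "saved base ptr", "saved ret addr" };
    static const size_t lens[] = { 32, 33, 41, 49, 57, 64 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu bytes: gets-style reaches %-15s | fgets-style frame intact: %d\n",
               lens[i], names[unchecked_reach(lens[i])], bounded_keeps_frame(lens[i]));
    return 0;
}
```

The struct stands in for the stack on purpose: writing past a real local array is undefined behaviour and the result depends on the compiler, on how it ordered the locals, and on whether a stack protector sits between the buffer and the saved registers. The model makes the ordering point visible without that: bytes walk upward from the buffer, so overflow_me is clobbered before the saved base pointer, which is clobbered before the saved return address, and nothing below the buffer is ever reached. The bounded reader keeps every slot above the buffer intact for any input length, which is the fix the slides ask about.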
