Description: Welcome to Part 8 of the Buffer Overflow Primer. If you have not already done so, please start this series by viewing Part 1. The Buffer Overflow Primer requires that you know at least some basic Assembly Language. I have created a series of Assembly Language video tutorials for Hackers here, for those not familiar with the language.

In this video we will look at how to subvert the NX protection mechanism. NX marks the stack, heap, etc. as Non-Executable, which means the processor will not execute any instruction located in those regions. From a stack overflow standpoint this is a problem, as our entire shellcode sits on the stack, which has now been marked "Non-Executable". The way we counter this problem is by using a technique called "Return to Libc".

The basic idea behind the "Return to Libc" attack is that even though the stack has been marked "Non-Executable", it can still be overwritten and corrupted. We are thus still in control of the return address on the stack and hence control EIP. Libc is mapped into the program memory of most processes, so we can reach its functions by their address in memory. In this video, we will look at how to find the addresses of the system() and exit() calls in Libc and use them to spawn a shell from a vulnerable program. Please download ExploitMe.c, Ret2Libc.c and GetEnvironmentVarAddr.c to follow the video.
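A defender-side check related to the NX mechanism described above, added here as an example and not part of the original video or its downloadable files: a small parser for the `readelf -lW` program-header listing that reports whether a binary requests an executable stack (the flags on its GNU_STACK segment). The two sample listings are constructed, and treating a missing GNU_STACK segment as "executable" is an assumption that mirrors the policy of tools such as checksec.

```python
import re
from typing import List, Set, Tuple

# Matches one row of `readelf -lW` program-header output: segment type, five
# hex columns (Offset, VirtAddr, PhysAddr, FileSiz, MemSiz), the flag column
# ("R  ", "RW ", "R E", "RWE") and the alignment.
_PHDR_ROW = re.compile(
    r"^\s*(?P<type>[A-Z_]+)\s+(?:0x[0-9a-fA-F]+\s+){5}"
    r"(?P<flags>[RWE ]{1,3})\s+0x[0-9a-fA-F]+\s*$"
)


def parse_program_headers(readelf_output: str) -> List[Tuple[str, Set[str]]]:
    """Return (segment type, set of flag letters) for every header row."""
    rows = []
    for line in readelf_output.splitlines():
        m = _PHDR_ROW.match(line)
        if m:
            rows.append((m.group("type"), set(m.group("flags").replace(" ", ""))))
    return rows


def stack_is_executable(readelf_output: str) -> bool:
    """True if the binary asks the loader for an executable stack.

    A GNU_STACK segment carrying the E flag requests an executable stack.
    If the segment is missing altogether the loader's historical default on
    x86 is an executable stack, so the check flags such binaries as well
    (assumption: same policy as checksec).
    """
    for seg_type, flags in parse_program_headers(readelf_output):
        if seg_type == "GNU_STACK":
            return "E" in flags
    return True


# Constructed sample listing (not from a real binary): a typical NX-enabled
# build, where the stack segment is RW only.
NX_ENABLED = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  LOAD           0x001000 0x0000000000001000 0x0000000000001000 0x000175 0x000175 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
"""

# Constructed sample for the same program linked with `-z execstack`.
NX_DISABLED = NX_ENABLED.replace("RW  0x10", "RWE 0x10")

if __name__ == "__main__":
    for name, text in (("nx-enabled", NX_ENABLED), ("execstack", NX_DISABLED)):
        print(f"{name}: executable stack = {stack_is_executable(text)}")
```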
Tags: tools
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Thank you!
Thanks a lot!
That makes a lot of sense, really looking forward to the next video. Thank you very very much!
Thank you, I left one more video!
Exciting buffer overflows
At 11 min 54 sec: stack values
When system() is called, will there be only the return address in the stack?
We do not need to store any base pointer anywhere?
In general, whenever a function call happens,
first the arguments,
then the return address,
then the base pointer,
right? Just wanna know exactly what happens!
Great! Very good explanation.