Buffer Overflow Primer Part 8 (Return To Libc Theory)
Description: Welcome to Part 8 of the Buffer Overflow Primer. If you have not already done so, please start this series by viewing Part 1. The Buffer Overflow Primer requires that you know at least some basic Assembly Language; for those not familiar with the language, I have created a series of Assembly Language video tutorials for Hackers here.
In this video we will look at how to subvert the NX protection mechanism. NX marks memory regions such as the stack and heap as Non-Executable, which means the processor will refuse to execute any instruction located in them. From a stack overflow standpoint this is a problem, because our entire shellcode sits on the stack, which has now been marked Non-Executable. We counter this problem with a technique called "Return to Libc".
The basic idea behind the "Return to Libc" attack is that even though the stack has been marked Non-Executable, it can still be overwritten and corrupted. We therefore still control the return address on the stack, and hence EIP. Libc is mapped into the address space of most processes, so its functions can be reached by their addresses in memory. In this video we will look at how to find the addresses of the system() and exit() calls in Libc and use them to spawn a shell from a vulnerable program. Please download ExploitMe.c, Ret2Libc.c and GetEnvironmentVarAddr.c to follow the video.
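Before studying how the protection is bypassed, it helps to be able to confirm whether a given binary actually asks the kernel for a non-executable stack. The following is an added example, not code from the video or its accompanying files: it reads the PT_GNU_STACK program header of an ELF64 image (what `readelf -l` reports as GNU_STACK with RW or RWE flags) and builds a constructed minimal image to exercise the check.

```c
/* Added example (not from the video or its ExploitMe.c): classify an ELF64 image by
 * its PT_GNU_STACK program header, the flag that tells the kernel whether the stack
 * may be executable (shown by `readelf -l` as GNU_STACK with RW or RWE). */
#include <elf.h>
#include <string.h>

/* 0 = stack marked non-executable (RW), 1 = executable stack requested (RWE),
 * 2 = no PT_GNU_STACK header (the kernel's per-architecture default applies),
 * -1 = not a parseable ELF64 image. */
int elf64_stack_exec_status(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * sizeof(Elf64_Phdr);
        if (off + sizeof(Elf64_Phdr) > len) return -1; /* truncated header table */
        Elf64_Phdr ph;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? 1 : 0;
    }
    return 2;
}

/* Constructed sample input: a minimal ELF64 header plus one program header.
 * With stack_flags == 0 the PT_GNU_STACK entry is left out; returns image length. */
size_t make_sample_elf64(unsigned char *out, Elf64_Word stack_flags)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = stack_flags ? 1 : 0;
    memcpy(out, &eh, sizeof eh);
    if (!stack_flags) return sizeof eh;
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}
```

To check a real binary, read the file into a buffer and pass it to elf64_stack_exec_status(); a result of 1 means the program was linked with an executable stack and NX will not protect it.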
This video is part of the following groups:
1. Buffer Overflow Exploitation Megaprimer for Linux (9 videos)
Comments (4)
xplt on Thu 03 Mar 2011: Thank you!
H4TT1fn4TT on Sat 05 Mar 2011: Thanks a lot!
Col_Loki on Sun 01 May 2011: That makes a lot of sense, really looking forward to the next video. Thank you very very much!
dikien on Sun 25 Dec 2011: Thank you, I left one more video!