aboutsummaryrefslogtreecommitdiff
path: root/CamilStaps-s4498062-Assignment-4/ex2
diff options
context:
space:
mode:
Diffstat (limited to 'CamilStaps-s4498062-Assignment-4/ex2')
-rw-r--r--CamilStaps-s4498062-Assignment-4/ex232
1 files changed, 32 insertions, 0 deletions
diff --git a/CamilStaps-s4498062-Assignment-4/ex2 b/CamilStaps-s4498062-Assignment-4/ex2
new file mode 100644
index 0000000..fa8c4c5
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex2
@@ -0,0 +1,32 @@
+a
+ A heap buffer flow is a buffer overflow on the heap, as opposed to a stack buffer overflow, which is on the stack.
+
+b
+ You can give the program two arguments: a command and a password.
+ The program creates two instances of the Command class: a Shell and a Date. Both receive the password.
+ If the command equals 'shell', run() is called on the Shell instance. Similarly for 'date' and Date.
+ The Date executes /bin/date. The Shell checks the password against a hash, and only executes /bin/sh when the password is correct.
+
+ Examples:
+
+ ./cmd shell password
+ ./cmd date
+
+c
+ I would expect somewhere above 256, but it doesn't work for me (tried values up to 1500; segfaults occur above 266, but I don't get a shell). Since this is on the heap, variables aren't directly next to each other even when malloc'ed directly after each other, because some space around the data is used for accounting purposes.
+
+ Even with 0 in /proc/sys/kernel/randomize_va_space, -fno-stack-protector and -fno-pie it doesn't work.
+
+d
+ Can't do this because it doesn't work.
+
+e
+ ASLR randomises addresses of dynamic libraries, stack, heap, etc. and the binary itself. This way, it is impossible to get addresses you need to know from one run and use them in a second run (because they will have changed). You can see that this is applied in this program because the `New instance of Command() at address: ...' is different in every run. It does not mitigate this attack because the attack doesn't rely on fixed addresses, but fixed distances between addresses.
+
+ DEP prevents certain parts of the memory from being executed. It makes it impossible (ideally) for the user of a program to input data that will be executed. It does not mitigate this attack because the attack doesn't attempt to execute something that shouldn't be executed.
+
+ SSP is a protection mechanism that puts special values, canaries, on the stack and checks that they are still there when returning from a function (if not, the program is aborted). This makes it impossible to overwrite anything else than the local variables of the current function. In particular, it makes it impossible to change the return address and saved frame pointer. It doesn't mitigate this attack because this attack takes place on the heap, not on the stack.
+
+f
+ For this it would be useful to have seen the attack working in point d, but that wasn't possible. Sorry.
+
generated by cgit v1.2.3 (git 2.39.1) at 2025-03-15 04:13:34 +0000