Flashcards for "Dobin 0x52_DefeatExploitMitigations.pdf"
How can you defeat the stack canary with an arbitrary write?
With a format string like:
204 bytes are skipped.
With an arbitrary write we do not need to overflow through the canary at all: we write directly behind it (to the saved base pointer or saved return address), so the canary is never touched and the check on function return still passes.
How can we prevent arbitrary writes?
What causes the arbitrary write vulnerability and why is this not a problem nowadays?
Example: format string attacks (user input passed as the format string, so %n writes an attacker-chosen value to an attacker-chosen address). Today gcc and clang warn about non-literal format strings (-Wformat-security), and glibc's _FORTIFY_SOURCE rejects %n when the format string lives in writable memory, so the bug class is rare in current code.
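Added example, not from the slides or the flashcards: the vulnerable pattern the card names next to its hardened form, plus a function that shows why %n is an arbitrary write (the value stored is the number of bytes printed so far, which the attacker sets through a field width). The pointer argument for %n is passed legitimately here; in a real attack it is picked up from the stack. Function names and the sample width are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* The bug class on the card: user-controlled data used as the format string.
 * printf() then parses conversion specifiers out of the attacker's input and
 * reads (or, with %n, writes) arguments it was never given. */
void log_vulnerable(const char *user_input) {
    printf(user_input);              /* gcc/clang warn: -Wformat-security */
}

/* Hardened form: the format is a literal, the user data is only an argument. */
void log_fixed(const char *user_input) {
    printf("%s", user_input);
}

/* What makes %n an arbitrary write: it stores the number of bytes emitted so
 * far into the int that the matching pointer argument points to. The field
 * width of the preceding conversion decides that number, so an attacker picks
 * the value to write purely by padding. Returns the value %n stored. */
int value_written_by_percent_n(int width) {
    int written = -1;
    char out[1024];                  /* large enough for any width used here */
    /* "%*x" prints 0x41 padded to 'width' characters, "%n" records the count. */
    snprintf(out, sizeof out, "%*x%n", width, 0x41, &written);
    return written;
}

int main(void) {
    log_fixed("hello %n%n%n\n");     /* printed literally, no write happens */
    printf("width 204 -> %%n stores %d\n", value_written_by_percent_n(204));
    return 0;
}
```

Compile with -Wformat-security (or -Wall) to see the warning on log_vulnerable; that warning is the cheap check that keeps this bug class out of modern code.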
What does the stack canary protect? Does it protect local variables from being overwritten?
The stack canary protects the stack metadata stored after the local variables: the SBP (Stored Base Pointer) and the SIP (Stored Instruction Pointer). It is checked only when the function returns.
It does NOT protect local variables: an overflow can still corrupt other locals (pointers, flags, function pointers) that lie below the canary, and they are used before the check ever runs.
Is the heap protected by the stack canary? Name some heap bug classes.
The heap is not protected by the stack canary (the canary sits only in stack frames).
Heap bug classes:
How can you brute force the stack canary?
A network server fork()'s on connect().
The stack canary stays the same in every child, because fork() copies the parent's memory and the canary is only generated once at process start.
This allows us to brute force the stack canary iteratively: overwrite only its first byte, check whether the child crashes, keep the byte once the child survives, then move on to the next byte.
A stack canary has 32 bits = 4 billion possibilities. How many possibilities are there if we brute force it iteratively?
4 bytes * 2^8 = 1024 possibilities at most
This means an average of 512 tries (crashes).
Caveat: glibc sets the least significant canary byte to 0x00 to stop string functions from copying past it, so in practice only 3 bytes (768 tries at most) are unknown on 32-bit; on x86-64 the canary is 64 bits, 7 unknown bytes, still only 1792 tries at most.
Why do you need to brute force the SBP (Stored Base Pointer) before you can brute force the stack canary's neighbour, the SIP?
The SBP sits between the canary and the SIP, so reaching the SIP means overwriting the SBP. A wrong SBP usually crashes in the caller's epilogue, so it has to be recovered byte by byte in the same way as the canary before the return address can be controlled.
Recovering the SBP defeats ASLR (Address Space Layout Randomization) for free: it is a real stack address of the process, and since the children inherit the parent's layout it stays valid for every connection.
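Added example covering the brute-force cards above (canary, the 4 * 256 bound, and the SBP that has to fall first). It is a simulation written for this page, not code from the slides: a forking server is modelled by a fixed frame [canary][SBP][SIP] and an oracle that reports whether a child "survives" a given overflow, and the attacker side recovers the canary and then the SBP one byte at a time. The secret values, the 32-bit frame layout and the function names are constructed for the example; the survive-or-crash rule is the assumption the cards rely on (a partial overwrite that leaves the remaining bytes intact is indistinguishable from no overflow).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simulated fork()ing server (constructed, not a real target). Every child
 * inherits the same canary and saved frame pointer because fork() copies the
 * parent's memory. Frame in the order an overflow reaches it: [canary][SBP][SIP]. */
#define WORD 4                                     /* 32-bit target, as on the card */
#define FRAME_WORDS 3
static const uint32_t secret_canary = 0x1a2b3c00u; /* glibc keeps the low byte 0x00 */
static const uint32_t secret_sbp    = 0xbfff1234u; /* constructed stack address */
static const uint32_t secret_sip    = 0x08048abcu; /* constructed return address */
static unsigned crashes;                           /* children killed so far */

/* Frame as the byte sequence an overflow overwrites, lowest address first. On
 * x86 (little-endian) the first byte hit is the canary's least significant one. */
static void frame_bytes(uint8_t out[FRAME_WORDS * WORD]) {
    const uint32_t words[FRAME_WORDS] = { secret_canary, secret_sbp, secret_sip };
    for (int w = 0; w < FRAME_WORDS; w++)
        for (int i = 0; i < WORD; i++)
            out[w * WORD + i] = (uint8_t)(words[w] >> (8 * i));
}

/* Oracle: the child receives 'n' overflow bytes and survives only if every
 * overwritten byte equals the original. Anything else is a crash (SIGABRT
 * from the canary check, or SIGSEGV from a bad frame pointer). */
static bool child_survives(const uint8_t *payload, size_t n) {
    uint8_t real[FRAME_WORDS * WORD];
    frame_bytes(real);
    if (n <= sizeof real && memcmp(payload, real, n) == 0) return true;
    crashes++;
    return false;
}

/* Recover 'nbytes' frame bytes starting at 'offset', one byte at a time.
 * 'payload' must already hold the correct bytes before 'offset'. Returns the
 * number of connections (tries) used; at most 256 per byte. */
static unsigned brute_force_bytes(uint8_t *payload, size_t offset, size_t nbytes) {
    unsigned attempts = 0;
    for (size_t i = offset; i < offset + nbytes; i++) {
        for (int b = 0; b < 256; b++) {
            payload[i] = (uint8_t)b;
            attempts++;
            if (child_survives(payload, i + 1)) break;   /* byte confirmed, keep it */
        }
    }
    return attempts;
}

static uint32_t word_at(const uint8_t *payload, size_t offset) {
    uint32_t v = 0;
    for (int i = 0; i < WORD; i++) v |= (uint32_t)payload[offset + i] << (8 * i);
    return v;
}

/* Canary first (offset 0), then the SBP directly behind it (offset WORD): the
 * SBP has to be correct before the SIP can be overwritten, and it leaks a stack
 * address as a side effect. Returns total tries; results through out-params. */
unsigned recover_canary_and_sbp(uint32_t *canary, uint32_t *sbp) {
    uint8_t payload[FRAME_WORDS * WORD] = {0};
    unsigned attempts = brute_force_bytes(payload, 0, WORD);
    attempts += brute_force_bytes(payload, WORD, WORD);
    *canary = word_at(payload, 0);
    *sbp = word_at(payload, WORD);
    return attempts;
}

int main(void) {
    uint32_t canary, sbp;
    unsigned attempts = recover_canary_and_sbp(&canary, &sbp);
    printf("canary=0x%08x sbp=0x%08x tries=%u crashes=%u (worst case %u, blind 2^32)\n",
           canary, sbp, attempts, crashes, 2u * WORD * 256);
    return 0;
}
```

The two words together cost at most 2 * 4 * 256 = 2048 connections instead of 2^32 for a blind guess; in a real engagement the same loop continues into the SIP, which is where the blind-ROP technique starts from.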