Smashing the Stack
for Fun and Profit
Process Memory Organization
Why do we use a stack?
How to write a buffer overflow exploit
Small buffer overflows
.oO Phrack 49 Oo.
Volume Seven, Issue Forty-Nine
File 14 of 16
BugTraq, r00t, and Underground.Org
Smashing The Stack For Fun And Profit
by Aleph One
`smash the stack` [C programming]
n. On many C implementations it is possible to corrupt the execution
stack by writing past the end of an array declared auto in a
routine. Code that does this is said to smash the stack, and
can cause return from the routine to jump to a random address.
This can produce some of the most insidious data-dependent bugs
known to mankind. Variants include trash the stack, scribble
the stack, mangle the stack; the term mung the stack is not used,
as this is never done intentionally. See spam; see also alias
bug, fandango on core, memory leak, precedence lossage, overrun
Over the last few months there
has been a large increase of buffer overflow vulnerabilities
being both discovered and exploited. Examples of these are syslog,
splitvt, sendmail 8.7.5, Linux/FreeBSD mount, Xt library, at,
etc. This paper attempts to explain what buffer overflows are,
and how their exploits work.
Basic knowledge of assembly is
required. An understanding of virtual memory concepts, and experience
with gdb are very helpful but not necessary. We also assume we
are working with an Intel x86 CPU, and that the operating system
Some basic definitions before
we begin: A buffer is simply a contiguous block of computer memory
that holds multiple instances of the same data type. C programmers
normally associate with the word buffer arrays. Most commonly,
character arrays. Arrays, like all variables in C, can be declared
either static or dynamic. Static variables are allocated at load
time on the data segment. Dynamic variables are allocated at
run time on the stack. To overflow is to flow, or fill over the
top, brims, or bounds. We will concern ourselves only with the
overflow of dynamic buffers, otherwise known as stack-based buffer
Memory Organization ~~~~~~~~~~~~~~~~~~~~~~~~~~~
To understand what stack buffers
are we must first understand how a process is organized in memory.
Processes are divided into three regions: Text, Data, and Stack.
We will concentrate on the stack region, but first a small overview
of the other regions is in order.
The text region is fixed by the
program and includes code (instructions) and read-only data.
This region corresponds to the text section of the executable
file. This region is normally marked read-only and any attempt
to write to it will result in a segmentation violation.
The data region contains initialized
and uninitialized data. Static variables are stored in this region.
The data region corresponds to the data-bss sections of the executable
file. Its size can be changed with the brk(2) system call. If
the expansion of the bss data or the user stack exhausts available
memory, the process is blocked and is rescheduled to run again
with a larger memory space. New memory is added between the data
and stack segments.
/------------------\ lower |
| memory | Text | addresses | | |------------------| | (Initialized)
| | Data | | (Uninitialized) | |------------------| | | | Stack
| higher | | memory \------------------/ addresses
Fig. 1 Process Memory Regions
What Is A Stack? ~~~~~~~~~~~~~~~~
A stack is an abstract data type
frequently used in computer science. A stack of objects has the
property that the last object placed on the stack will be the
first object removed. This property is commonly referred to as
last in, first out queue, or a LIFO.
Several operations are defined
on stacks. Two of the most important are PUSH and POP. PUSH adds
an element at the top of the stack. POP, in contrast, reduces
the stack size by one by removing the last element at the top
of the stack.
More smashing the stack--->>