Writing Security Tools and Exploits

This chapter illustrates the basics and the exploitation of stack overflows. In 1996, stack-based buffer overflows were the first type of vulnerability described as a separate class. (See "Smashing the Stack for Fun and Profit," by Aleph1, a.k.a. Elias Levy.) These overflows are considered the most common type of remotely exploitable programming error found in software applications. As with other overflows, the problem is with mixing data with control information; it is easy to change the program execution flow by incorrectly changing data.
Stack overflows are the primary focus of security vulnerabilities, and are becoming less prevalent in mainstream software; however, it is still important to be aware of and look for them.
Stack overflow vulnerabilities occur because the data and the structures controlling the data and/or the execution of the program are not separated). In the case of stack overflows, the problems occur when the program stores a data structure (e.g., a string buffer) on the data structure (called a stack) and then fails to check for the number of bytes copied into the structure. When excessive data is copied to the stack, the extra bytes can overwrite various other bits of data, including the stored return address. If the new buffer content is crafted in a special way, it may cause the program to execute a code provided by an attack inside the buffer (e.g., in UNIX, it may be possible to force a Set User ID (SUID) root program to execute a system call that...