
Re: Ascii-armor



Bryan K. wrote:

> I have applied the exec-shield patch from Ingo Molnar and I am trying 
> to understand how it works. In the announcement of the patch 
> (http://www.kerneltrap.org/node.php?id=644) Ingo says something about 
> the ascii-armor area which on i386 is the area 0-16MB. Can anyone 
> briefly explain to me what this area is and why it is protected from 
> ascii-based overflow exploits?
>
> Thank you in advance.

Most overflow attacks work against functions of the sort of "strcpy" and 
friends. As such, the attack payload cannot contain certain characters, 
or the buffer will be terminated at that point, and the attack won't 
succeed.

The forbidden characters vary, depending on the precise place where the 
overflow occurs. One character that is universally forbidden, however, 
is the "NULL" character (ASCII 0).

Most attacks work this way: The attacker writes the code she wants to 
inject into the attacked process (depending on functionality, this may 
be called "shell code", "reverse shell code", and the general name is 
"egg"), and then injects the address of the egg into a pointer that 
causes the egg to execute.

The idea behind ASCII armouring buffers is to mandate a NULL in the 
buffer's address. The idea is that the egg is injected into an address, 
which cannot be then sent into the pointer. This, theoretically, foils 
the entire attack.

Another idea presented in the discussion was to have the buffer in a 
different address each time. This variation means that the attacker has 
the theoretical ability to send the buffer's address, but does not know 
where this buffer is.

For more information about exploiting stack overruns, I recommend 
Aleph1's classic "Smashing the stack for fun and profit". Look it up in 
Google or get it from phrack magazine (phrack.org - I think it was phrack 
#49. Not sure).

             Shachar

-- 
Shachar Shemesh
Open Source integration consultant
Home page & resume - http://www.shemesh.biz/

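An added illustration of the NULL-byte point above (my own example, not code from the thread or from exec-shield): an i386 address is modelled as its four little-endian bytes, and the 16MB limit, the constructed sample addresses and the helper names are my assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed size of the exec-shield "ASCII armor" zone on i386: the first 16MB. */
#define ASCII_ARMOR_LIMIT 0x01000000u

/* True if the address lies inside the 0-16MB armored zone. */
bool in_ascii_armor_zone(uint32_t addr)
{
    return addr < ASCII_ARMOR_LIMIT;
}

/* The 4 bytes a 32-bit i386 address occupies in memory (little-endian). */
static void addr_bytes(uint32_t addr, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(addr >> (8 * i));
}

/* How many bytes of the address a strcpy()-style copy transfers before it
   stops at the first NUL byte: 4 means the whole address arrives intact. */
int bytes_copied_by_strcpy(uint32_t addr)
{
    uint8_t b[4];
    addr_bytes(addr, b);
    for (int i = 0; i < 4; i++)
        if (b[i] == 0)
            return i;
    return 4;
}

/* True only if no byte of the address is NUL, i.e. a NUL-terminated
   string copy could deliver it whole. Every address below 16MB has a zero
   top byte, so this is always false inside the armored zone. */
bool address_survives_strcpy(uint32_t addr)
{
    return bytes_copied_by_strcpy(addr) == 4;
}

int main(void)
{
    /* Constructed sample addresses: two in the armored zone, two above it. */
    uint32_t samples[] = { 0x00401000u, 0x00ffffffu, 0x08049abcu, 0xbfffff00u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x armored=%d survives_strcpy=%d\n", samples[i],
               in_ascii_armor_zone(samples[i]), address_survives_strcpy(samples[i]));
    return 0;
}
```

The last sample shows the converse does not hold: an address outside the zone may still happen to contain a NUL, but only the armored zone guarantees it.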

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/