I’ve found lots of examples in C of programs illustrating buffer Overflows, including those of pointer rewrites which has been of great help in understanding how a buffer overflow works and memory safety etc. but I’ve yet to be able to find an example illustrating how such a buffer overflow can rewrite a pointer in such a way that it actually results in code execution?

Is this just not a thing, or is my google-fu rust y? Tried ChatGPT and my local Mistral and they both seem unable to spit out precisely what I’m asking, so maybe I’m wording this question wrong.

If anyone in here knows, could point me in the right direction? Thanks y’all btw love this community 🧡

  • tal@lemmy.today
    link
    fedilink
    English
    arrow-up
    10
    ·
    5 months ago

    Today there are a lot of mitigations where the steps of the paper don’t work anymore,

    Yeah, that’s fair to note. For a number of environments today, the base address of the stack is randomized, which is aimed at making it hard to push a static offset and exploit buffer overflows targeting the stack:

    https://en.wikipedia.org/wiki/Address_space_layout_randomization

    https://en.wikipedia.org/wiki/Buffer_overflow_protection

    Historically part of exploiting such a buffer overflow might include the malicious code to be invoked, as a way to get it into memory, and the introduction of the NX bit to x86 permitted OSes to mark regions of memory to the CPU’s MMU as only being able to contain data, not executable code. This meant that it became significantly harder to have a buffer overflow that both seized control of the instruction pointer and contained hostile code.

    • paw@feddit.org
      link
      fedilink
      English
      arrow-up
      4
      ·
      5 months ago

      Thanks for your reply. This extends “smashing the stack for fun and profit” in an important way.

    • LainTrain@lemmy.dbzer0.comOP
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      5 months ago

      Interesting point.

      This makes it seem like the whole concern about memory safety has become almost redundant, the chances of exploitation are just so remote, it must take incomprehensible work to discover a functional exploit that would be useful to attackers in modern software