Exploiting Stack Overflows
The stack buffer overflow is the “classic” buffer-overflow vulnerability. This vulnerability class has been known publicly since at least November 1988, when the Robert Morris Internet worm exploited a stack buffer overflow in the BSD finger daemon on VAX machines.
A connection was established to the remote finger service daemon and then a specially constructed string of 536 bytes was passed to the daemon, overflowing its input buffer and overwriting parts of the stack.
—Eugene H. Spafford, “The Internet Worm Program: An Analysis”
Stack buffer overflow attacks and defenses have evolved significantly since then, but the core principles have remained the same: overwrite the function return address, and redirect execution into dynamically injected code, commonly referred to as the shellcode or the exploit payload.
In Leopard, Apple has implemented several defenses against the exploitation of stack buffer overflows, including randomizing portions of the process memory address space, making thread stack segments non-executable on the x86 architecture, and leveraging the GNU C compiler’s stack protector in some executables.
This chapter starts with background on how the stack works in Mac OS X, what happens when the stack is “smashed,” and how to exploit a simple stack buffer overflow vulnerability. Subsequent sections will detail the stack buffer overflow exploit protections in Leopard and how to overcome them in real-world exploits.
We will start ...