Stack Attacks Flashcards
(21 cards)
In 64 bit, where are the arguments for a function passed?
The first 6 go into registers, after that they go into the stack.
In 32 bit, where are the arguments for a function passed?
The stack
Name the 6 registers in order that function arguments are passed into in x64
RDI
RSI
RDX
RCX
R8
R9
Which registers are function results returned in?
RAX and RDX
What is the RAX register?
The accumulator
What is the RIP register?
The instruction pointer
What does the RSP register point to?
The top of the stack
What does the RBP register point to?
The bottom of the stack
Which registers are floating point function arguments passed into?
XMM0 to XMM7
Describe what happens in memory when a function is called.
Arguments are put into registers
The function updates the RSP and RBP values to make new stack space
The old instruction pointer is pushed onto the stack
The old RBP is pushed onto the stack
What is a buffer overflow attack?
When you write data that is larger than the size of a buffer into that buffer, causing it to overflow and overwrite the old instruction pointer. This allows you to change where the program resumes from after the function finishes.
How does the NX-bit defend against buffer overflow attacks?
The NX-bit provides a hardware distinction between the text and the stack. Code should only be in the text, and never the stack. If the instruction pointer ever points to the stack it will crash.
How does address space layout randomisation (ASLR) protect against buffer overflow attacks?
ASLR adds a random offset to the stack and code bases each time a program runs. This makes it harder for an attacker to know the address of particular pieces of code.
How do stack canaries protect against buffer overflow attacks?
A stack canary is a random value from the heap that is written to the base of the stack. When the function finishes, the value on the stack is compared to the value on the heap; if they are different, the program crashes.
What is use after free?
This is when a memory address is freed by a program and then the program accesses the address later. This allows another program to gain control of the memory address and change the value stored there.
What is double free?
When the same memory address is freed twice, which means it will be reallocated twice, so two variables later in the program may point to the same address.
Where do canaries go on the stack?
Before the old stack base pointer and instruction pointer
What is a format string vulnerability?
There is no check on the number of % signs in a string input by the user. You can then input a string with many %p to get register values and values from the stack.
What is a return to libc attack?
The standard C library is almost always loaded. It contains many useful functions that can be pointed to, such as system, which allows you to run any command.
In x64 calls to libc what must you remember?
The RSP must end with 0
What is a ROP attack?
When you chain together instruction pointer values in the stack that point to single instructions in the text to allow arbitrary code execution.