How To: Attack on Stack [Part 3]; Smash the Stack Visualization: Building on Fundaments, Analyzation Trilogy Conclusion.

Attack on Stack [Part 3]; Smash the Stack Visualization: Building on Fundaments, Analyzation Trilogy Conclusion.

Attack on Stack [Part 3]; Smash the Stack Visualization: Building on Fundaments, Analyzation Trilogy Conclusion.

Hi everyone!

Last time we explained what roles Ebp and Esp registers have. We first introduced function's stack frame building, return address and calling conventions, but left some of the concepts floating without a full stop.

Today's Topic

Today we are going to complete the analysis of the Assembly code to finally move on to Exploitation in the following parts of the guide.

Recalling the last steps of the previous part, we explained what's the purpose of the function prologue, how Ebp and Esp registers are used to refer data in memory and stack frames with some GDB examples, trying to find out how the program's argument is pushed into mains()'s stack frame with the help of local and global pointers.

Today we are focusing on echo()'s Assembly representation: after concluding the explanation of the last lines in main() before echo()'s call (responsible for passing arguments to the next function), we will move to

function calling. If last time I briefly explained how stack frames are built and destroyed, today I'm analyzing how it is done trough Assembly code.

Make sure you read the previous part of the guide to be able to understand this one.

After echo()'s function prologue, we are going to explain every instruction in echo() to then go back to main() and conclude this first section of the guide.

If this sounds a little bit annoying to you, don't worry, because next time, we are going to dive deep in Exploitation fundaments, and with style!

Concluding Main()'s Explanation

Where we analyze from instruction 12 to 20, based on what last time's experience.

Disassembling Echo()

Where we iterate trough every instruction in echo(), trying to understand how is eax used and where is the buffer placed in memory.

Graphical Representation of Stack Frame Building: Recap

As an epilogue to this trilogy and an overture to exploitation, let's summarize every step of the stack frame construction, so that we can move on to exploitation:

References

Aleph1's "Smashing the Stack for Fun and Profit"
"Hacking, The Art of Exploitation"
"Buffer Overflow Demistified" by murat.
"The Shellcoder's Handbook"
Part 1 of "Attack On Stack"
Part 2 of "Attack On Stack"
Part 4 of "Attack On Stack"
Part 5 of "Attack On Stack"
Part 6 of "Attack On Stack"
Prelude to Reverse Engineering: IDA and Hopper Binary Patching Introduction

Side Note to Null Byte Users

Hey Everyone! How is it going?

Sorry if this part was shorter than usual, but I don't want to spoil you anything from the next series about exploitation! The next part will follow a different style, while still being based on pictures obviously.

Recently Null Byte is more and more active, a lot of new creators have joint us, which is really awesome.

Keep coming for the next parts (probably 5 or 6) as we explore exploitation fundaments and developing! I also encourage you to check the resources. I have a lot of them, and will probably gather all of the useful links that I used in a special part of the series, tell me if you want them sooner and I'll provide them to you all.

Again, thanks for being there Null Byters!

12 Comments

Thanks and you know I love your work more than any other here. Others can sleep on it or completely miss what you are teaching and focus on learning MSF kiddie land guides or popping WiFi pins but You and I know the greatness of what you are doing. Thanks for the guide and time you spent writing this monster.

Thank You!
Cx2H of #C3
or
CHH to the common

Ah, you make me blush ^^"

Thanks Cyber, I just thought Null Byte was in need of this (or at least of its own one). After all, if one's will of learning is enough, he will surely go trough this topic.

Again, thank you for the unbelievable support you (especially) and everyone else is showing. Sometime I think you are bots, I have never met a community like this!

You took the words right out of my mouth... it's absolutely true. ;)

Shared and will share all day, so don't be alarmed if you see my twitter rewinding your guides all day...

Thank you OTW, that's so nice coming from you!

Great guide, Ciuffy. I'm enjoying your series.

ghost_

Thank you, glad you are enjoying!

You just keep surprising us, don't you? Amazing! I've learned so much!

Understanding how to "smash the stack" will most definitely push you forward into buffer overflows--I know I have! Again, wonderful part 3, and continue learning/teaching! :)

C|H of #C3

Yes it will. I guess that OTW has already written something about this (hope I didn't steal the topic >.>!), introducing exploitation.

But yes, next part is jumping directly into practical buffer overflows demonstrations.

Thank you C|H, Ciuffy of #C3

Awesome tutorials! I have been a long time reader of NullByte and hadn't seen many tutorials regarding overflowing programs and working with the internals, so I thought I'd make an account and give a shot at writing some when I saw that you had already done so. I must say, they are very well written, and even the slides are certainly eye candy! Well done mate.

Oh thanks, that's my objective, hopefully it looks like it has been reached. I'm glad you are touching the topic too, and especially one of the subjects mine will probably lack of a little bit (shellcode wasn't supposed to be part of it, but it probably will), so please continue!

So, welcome to Null Byte, enjoy the stay ;-) !

Share Your Thoughts

  • Hot
  • Latest