I want to understand how a vulnerable internet-facing process on some computer is exploited to run arbitrary binary code.

I understand how buffer overflows could be used to overwrite the return address to make the process jump to a location it wasn't supposed to - but I don't know how it's possible for a process to execute arbitrary binary code that it receives from an attacker.

It seems like if an attacker sends binary code to a process it will never be put into the .text section so it will remain non-executable, even if 'return' jumps into it. Stack and heap overflows wouldn't write into the section where code is stored, so they will still have a no execute bit.

Edit: To be clearer, the main part I don't understand is this:

  • the .text section where binary assembled CPU instructions are stored cannot be modified
  • the .data/.bss section is marked as no-execute so that the information there will only be treated as data, will never be executed by the CPU

1 Answer

A usual buffer overflow attack sends the server a message which not just overwrites a return address but also includes the code the attacker wants to execute. The return address would be overwritten to make the program jump into the message itself which will then be interpreted as code and executed.

Sometimes there is not enough space for the complete shellcode. In that case the attacker might use other methods to place their shellcode in a known memory location. This can be done by sending data to functions which aren't vulnerable themselves but accept larger amounts of data and store it in a predictable memory location.

Philipp
  • But I think if you use a buffer overflow the shellcode will be in the data section of the process's address space, so jumping into it won't execute it.. and there's no way to write into the .text section where executable code is stored. – emberfang May 19 '14 at 13:00
  • @emberfang In the [Von-Neumann Architecture](http://en.wikipedia.org/wiki/Von_Neumann_architecture), which is the architecture used by all modern PCs, there is no difference between program-memory and data-memory. That's why buffer overflows can work. – Philipp May 20 '14 at 08:09
  • okay, I thought program memory was read only, only allocated once and shared between processes and executable while data memory was allocated once per process and marked non executable. I had been reading http://en.wikipedia.org/wiki/Executable_space_protection http://en.wikipedia.org/wiki/NX_bit and I don't understand why this protection doesn't exist – emberfang May 20 '14 at 09:31
  • @emberfang Some programs actually use self-modifying code intentionally and would no longer work if these features were always enabled. Also, these features negatively affect performance. That's why they must be requested intentionally by the program. Many programs don't. – Philipp Jun 04 '14 at 23:45
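Whether the executable-space protection discussed in these comments is actually in effect for a given process can be checked from its memory map. The following is an added example, not code from the question or the answer: it parses the Linux /proc/&lt;pid&gt;/maps format (assumed here) and counts mappings that are both writable and executable, first on a constructed sample listing and then on the running process itself.

```c
/* Added example (not from the original post): scan a /proc/<pid>/maps listing for
 * W+X mappings. Under NX / W^X, [heap] and [stack] show "rw-p", never "rwxp". */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the line's permission field has both 'w' and 'x', 0 if not, -1 if malformed. */
static int line_is_wx(const char *line)
{
    char perms[8] = {0};
    /* maps fields: start-end perms offset dev inode [pathname]; only perms is needed */
    if (sscanf(line, "%*lx-%*lx %7s", perms) != 1) return -1;
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X mappings in a whole listing, echoing each offending line to stderr. */
int count_wx_regions(const char *maps)
{
    int wx = 0;
    for (const char *p = maps; *p; ) {
        size_t len = strcspn(p, "\n");          /* length of the current line */
        if (len > 0 && line_is_wx(p) > 0) {
            wx++;
            fprintf(stderr, "W+X mapping: %.*s\n", (int)len, p);
        }
        p += len;
        if (*p == '\n') p++;
    }
    return wx;
}

/* Constructed sample: NX-protected heap and stack plus one anonymous rwx page. */
const char *SAMPLE_MAPS =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "00601000-00602000 rw-p 00001000 08:01 1234 /usr/bin/demo\n"
    "01000000-01021000 rw-p 00000000 00:00 0 [heap]\n"
    "7f0000000000-7f0000010000 rwxp 00000000 00:00 0\n"
    "7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    static char buf[1 << 16];                   /* enough for a small process's maps */
    FILE *f = fopen("/proc/self/maps", "r");    /* Linux-specific; NULL elsewhere */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("sample listing: %d W+X region(s)\n", count_wx_regions(SAMPLE_MAPS));
    printf("this process:   %d W+X region(s)\n", count_wx_regions(buf));
    return 0;
}
```

On a current Linux system the second line normally reports 0 for an ordinary binary; a non-zero count for [stack] or [heap] means the executable asked for an executable stack or the kernel's protection is disabled.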