Do I always have to overwrite EIP to get to write on the stack in a buffer overflow?

Summary

You do not always need to overwrite EIP to write on the stack in a buffer overflow; there are other ways of achieving this.

Introduction

A buffer overflow is an attack in which an attacker writes more data into a buffer than it can hold, so that the excess overwrites adjacent memory locations. This can be used to execute arbitrary code by modifying the Instruction Pointer (EIP) register, which determines the next instruction to be executed. However, there are other ways to write on the stack in a buffer overflow without having to overwrite EIP.

Alternative methods

1. Return-to-Libc Attack

This attack redirects the control flow to a library function instead of modifying EIP directly. The attacker uses the stack to point to the library function they want to execute and then jumps to that function, using the system call number as the target address. This method is more reliable than overwriting EIP since it does not depend on the contents of the stack at the time of the attack.

2. Stack Pivot Attack

This attack pivots off a saved frame pointer to change the value of EIP. The attacker uses a saved frame pointer as a new base address for the stack and modifies the return address to point to that address. This method is useful when there are no suitable library functions available in the process memory.

3. Function Pointer Overwrite Attack

This attack overwrites a function pointer with a user-controlled address. The attacker finds a function pointer on the stack and modifies it to point to the location where they want the control flow to go. This method is useful when there are no suitable library functions or saved frame pointers available in the process memory.

4. Return-to-Self Attack

This attack redirects the control flow back to the attacked function itself. The attacker modifies the return address to point to the beginning of the attacked function, which lets them continue executing the function as if the buffer overflow had never happened. This method is useful when there are no suitable library functions or saved frame pointers available in the process memory.
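The layout that the function pointer overwrite method (3) relies on, as an added C example that is not from the original post: a fixed buffer sitting directly before a function pointer, the unbounded copy that would run into it, and the bounded copy that refuses over-long input so the pointer stays intact. The struct request type and the unsafe_fill, safe_fill and handler_intact names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

typedef void (*handler_fn)(void);

/* Constructed layout: a fixed buffer followed directly by a function pointer.
 * Bytes written past buf land in handler; no return address is involved. */
struct request {
    char buf[16];
    handler_fn handler;
};

static void benign_handler(void) { puts("benign handler"); }

/* Vulnerable "before": no length check, so input of 16 bytes or more runs
 * past buf into handler. Shown for contrast only; main() does not call it. */
void unsafe_fill(struct request *r, const char *input) {
    strcpy(r->buf, input);
}

/* Hardened: refuse any input that does not fit together with its terminator.
 * Returns 0 on success, -1 when the input was rejected. */
static int safe_fill(struct request *r, const char *input) {
    size_t n = strlen(input);
    if (n >= sizeof r->buf) {
        return -1;              /* handler is left untouched */
    }
    memcpy(r->buf, input, n + 1);
    return 0;
}

/* 1 if the function pointer still points at the handler we installed. */
static int handler_intact(const struct request *r) {
    return r->handler == benign_handler;
}

int main(void) {
    struct request r = { "", benign_handler };
    const char *oversized = "AAAAAAAAAAAAAAAAAAAA";   /* constructed: 20 bytes */
    if (safe_fill(&r, oversized) != 0) {
        puts("rejected: input would overrun buf into handler");
    }
    if (handler_intact(&r)) {
        r.handler();
    }
    return 0;
}
```

The same bound check is what a fixed-size copy helper such as a length-checked memcpy wrapper must enforce; the rejection path, not the copy, is what keeps the adjacent pointer from being rewritten.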

Conclusion

There are, then, other ways to write on the stack in a buffer overflow without having to overwrite EIP: the return-to-libc, stack pivot, function pointer overwrite and return-to-self attacks. Each has its own advantages and disadvantages depending on the specific circumstances of the attack, so understanding these alternative methods is essential to defending effectively against buffer overflow attacks.
