Stack-Based Buffer Overflow,
Stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside the intended data structure - usually a fixed length buffer. Here are the characteristics of stack-based programming:
- "Stack " is a memory space in which automatic variables allocated.
- Function parameters are allocated on the stack and are not automatically initialized by the system, so they usually have garbage in them until they are initialized.
- Once a function has completed its cycle, the reference to the variable in the stack is removed.
The attacker may exploit stack-based buffer overflows to manipulate the program in various ways by overwriting:
- A local variable that is near the buffer in memory on the stack to change the behavior of the program that may benefit the attacker.
- The return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user input-filled buffer.
- A function pointer, or exception handler, which is subsequently executed.
The factors that contribute to overcome the exploits are
- Null bytes in addresses;
- Variability in the location of shellcode;
- Differences between environments.
NOP or NOOP (short form of no peration or no operation performed) is an assembly language instruction/command that effectively does nothing at all. The explicit purpose of this command is not to change the state of status flags or memory locations in the code. This means NOP enables the developer to force memory alignment to act as a place holder to be replaced by active instructions later on in program development.
NOP opcode can be used to form an NOP slide, which allows code to execute when the exact value of the instruction pointer is indeterminate. It is the oldest and most widely used technique for successfully exploiting a stack buffer overflow. It helps to know/locate the exact address of the buffer by effectively increasing the size of the target stack buffer area.
Heap Buffer Overflow
Heap buffer overflow occurs in the heap data area and may be introduced accidentally by an application programmer, or it may result from a deliberate exploit. In either case, the overflow occurs when an application copies more data into a buffer than the buffer was designed to contain. A routine is vulnerable to exploitation if it copies data to a buffer without first verifying that the source will fit into the destination. The characteristics of stack-based and heap-based programming are as follows:
- "Heap" is a "free store" that is a memory space, where dynamic objects are allocated.
- The heap is the memory space that is dynamically allocated new(), malloc() and calloc() functions; it is different from the memory space allocated for stack and code.
- Dynamically created variables (i.e., declared variables) are created on the heap before the execution program is initialized to zeros and are stored in the memory until the life cycle of the object has completed.
Memory on the heap is dynamically allocated by the application at run-time and normally contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage and uses the resulting pointer exchange to overwrite a program function pointer.