Date:         Mon, 1 Nov 1999 21:14:07 -0000
From: vendicator@USA.NET
Subject:      "Function pointer" attacks.
To: BUGTRAQ@SECURITYFOCUS.COM

I don't know is this tecnique is already known but since I
added a protection for it in Stack Shield I decided to post
it.

This is a "stack smashing" technique that allows to beat
StackGuard and Stack Shield (before the version 0.6).

It is simple: if a function with an overflowable buffer
contains call with a function pointer declared before the
buffer the attacker may overwrite the pointer with the
address of the shellcode (or in the NOP block) without
altering the RET address in the stack. Even if the RET is
altered the shellcode is executed before the function epilog
causing StackGuard and the old Stack Shield not to detect
it.

Here is an example:

#include <stdio.h>
#include <stdlib.h>

void dummy(void) {
  printf("Hello world!\n");
}

int main(int argc, char **argv) {
  void (*dummyptr)();
  char buffer[200];

  if (argc < 2)
    exit(EXIT_FAILURE);
  dummyptr=dummy;
  strcpy(buffer, argv[1]); /* Vulnerability */
  (*dummyptr)();

  exit(EXIT_SUCCESS);
}

If we put in the command line a parameter of at least 210
bytes we can force the program to execute the shellcode
without changing the RET address. StackGuard and the old
Stack Shield cannot detect this.

The new Stack Shield 0.6 beta has a new protection mechanism
that checks on non-costant calls if the call is in the TEXT
segment. This could cause problems for programs that execute
code from the DATA or STACK segment, howewer this stops this
kind of attack.

  Vendicator