Date: Mon, 1 Nov 1999 21:14:07 -0000 From: vendicator@USA.NET Subject: "Function pointer" attacks. To: BUGTRAQ@SECURITYFOCUS.COM I don't know is this tecnique is already known but since I added a protection for it in Stack Shield I decided to post it. This is a "stack smashing" technique that allows to beat StackGuard and Stack Shield (before the version 0.6). It is simple: if a function with an overflowable buffer contains call with a function pointer declared before the buffer the attacker may overwrite the pointer with the address of the shellcode (or in the NOP block) without altering the RET address in the stack. Even if the RET is altered the shellcode is executed before the function epilog causing StackGuard and the old Stack Shield not to detect it. Here is an example: #include <stdio.h> #include <stdlib.h> void dummy(void) { printf("Hello world!\n"); } int main(int argc, char **argv) { void (*dummyptr)(); char buffer[200]; if (argc < 2) exit(EXIT_FAILURE); dummyptr=dummy; strcpy(buffer, argv[1]); /* Vulnerability */ (*dummyptr)(); exit(EXIT_SUCCESS); } If we put in the command line a parameter of at least 210 bytes we can force the program to execute the shellcode without changing the RET address. StackGuard and the old Stack Shield cannot detect this. The new Stack Shield 0.6 beta has a new protection mechanism that checks on non-costant calls if the call is in the TEXT segment. This could cause problems for programs that execute code from the DATA or STACK segment, howewer this stops this kind of attack. Vendicator