Buffer Overflow & Return-to-libc review

from the buffer overflox attack and libc attack slides, using a prompt from gpt to make the test questions & answers.

What is the main goal of a stack-based buffer overflow attack?

Overwrite return address to execute attacker-controlled code

In a function call, what does ret do?

pops the return address and jumps to it

Why is calculating the offset between buffer base and return address important?

To determine exactly how many bytes are needed to overwrite the return address on the stack.

Why is a NOP sled used in constructing malicious input?

A NOP sled increases the probability of landing in the malicious code by allowing execution to slide into the shellcode even if the jump address is slightly off.

Why must the overwritten return address avoid containing 0×00 in certain exploits using strcpy()?

Because strcpy() stops copying when it encounters a null byte (0×00), which would truncate the exploit payload.

During a function prologue, which instructions are typically executed?

push %ebp and mov %esp, %ebp

what does “leave” do internally?

leave performs
mov %ebp, %esp
pop %ebp
which restores the previous stack frame.

in 32-bit Linux shellcode using execve, what value must be placed in %eax

0×0b or the system call number for execve.

execve(“/bin/sh”, argv, 0), what does %ebx typically contain?

%ebx contains the address of the string “/bin/sh”.

what problem does ASLR attempt to solve?

It randomizes memory layout (stack, heap, libraries) to make it difficult to predict addresses for exploitation.

How does StackGuard detect buffer overflow?

It places a canary value before the return address. If the canary changes, the program detects overflow and terminates.

What is the purpose of the NX bit?

it marks memory as non-executable, preventing injected code on the stack from being executed.

why does a non-executable stack breaking traditional shellcode injection?

Because even if shellcode is injected onto the stack, the CPU will refuse to execute it.

what is the main idea behind a return-to-libc attack?

Instead of injecting new code, the attacker redirects execution to existing library functions like system().

In Return-to-libc, what function is commonly used to spawn a shell?

system(“/bin/sh”)

Why do we often include the address of exit() after system() in the stack layout?

To prevent the program from crashing after system() returns. exit() provides a clean termination path.

In the stack frame of system(), where must the argument (“/bin/sh”) be placed relative to %ebp?

At ebp + 8 (first argument position in 32-bit calling convention).

Why is the address of an environment variable sensitive to the program name length?

Because environment variables are placed on the stack, and their location depends on stack layout, which changes with program name length.

What is Return-Oriented Programming (ROP)?

it chains together small instructions sequences (“gadgets”) already present in memory to perform arbitary computation without injecting code.

Why is defeating ASLR by brute force feasible on 32-bit systems but much harder on 64-bit systems?

64-bit systems have a larger address space. 2^64 possibilities.

If the distance between the buffer start and return address is 112 bytes, how would you structure your malicious input?

112 bytes to reach return address, 4 bytes new return address, NOP sled, Shellcode placed at known offset

if NX is enabled but ASLR is disabled, which attack technique is most appropriate? why?

Return-to-libc attack. Because NX prevents execution of injected shellcode, but ASLR being disabled means library function addresses line system() are predictable.