This paper presents a number of technical discussion points relating to the potential for exploiting stack overflow vulnerabilities without having direct access to the application which is to be exploited.
The points raised in this paper discuss the key issues which would need to be overcome in order to do this, as well as presenting several ideas as to how this can be achieved from a ‘blind’ perspective.
Theory
It is the common belief that it is a difficult, if not impossible, task to exploit a buffer overflow vulnerability without access to a copy of the software in which the vulnerability has been discovered. This is understandable, as the typical exploit writer will require at least two pieces of basic information to exploit even the most simple of cases.
An exploit writer will normally require the following information:
- How many bytes are needed to overflow the buffer and overwrite a value which can be used to gain direct control over the instruction pointer (saved return address, function pointer, etc)?
- Which address may be used to successfully return to the buffer in question?
In theory, if these two pieces of information may be eliminated, replaced, or solved generically, it would be possible to exploit some buffer overflow vulnerabilities ‘blindly’ – without a copy of the flawed software at hand.
Throughout this paper, we will devise a mechanism which can successfully satisfy both of these important points. The purposes being to develop a basic design framework for the blind exploitation of buffer overflow vulnerabilities under Microsoft Windows NT based operating systems.
Author: Peter Winter-Smith
