2

Normal use:

 ------(buffer)------ --(ret)--- DDDDDDDDEEEEEEEEEEEE EEEE FFFF 89ABCDEF0123456789AB CDEF 0123 this is a string\0 bff5 a400

Stack overflowed:

 ------(buffer)------ --(ret)--- DDDDDDDDEEEEEEEEEEEE EEEE FFFF 89ABCDEF0123456789AB CDEF 0123 oh no you got hacked cadf aff0 \0

Could you prevent this by putting the initial value of the string in the last (or, if there are other variables, closest to last) memory slot (EB) and making each subsequent letter each previous slot? E.g. 

 ------(buffer)------ --(ret)--- DDDDDDDDEEEEEEEEEEEE EEEE FFFF 89ABCDEF0123456789AB CDEF 0123 dekcah tog uoy on ho bff5 a400 (no harm to ret pointer)

I understand there are better and more widely-accepted stack overflow preempts (canaries, noexec, ASLR). I'm just wondering. Would this fix the problem? Would it be technically feasible?

Improve this question
1
  • By the way, there are exploitable memory conditions other than stack overflow - heap overflow, use after free, and more. Canaries only prevent stack overflows, and do it quite well. Noexec and ASLR help prevent all kinds of memory exploits - but unfortunately they are not as reliable.
    – paj28
    CommentedSep 9, 2016 at 15:09

2 Answers 2

Reset to default
2

If your code doesn't protect from writing into adjacent memory spaces, then no you can't reverse the order and be protected from a buffer overflow. Reversing the way the string is stored just changes the shellcode payload arrangement (i.e. the payload may come first and the NOPS [x\00] may go in last). Like this:

x\DEx\ADx\BEx\EF\x00x\00x\00

vs

x\00x\00x\00x\DEx\ADx\BEx\EF

As you mentioned, there are much better coding practices that protect against buffer overflows.

Improve this answer
2
  • I mean that you can write into adjacent memory, but each subsequent character of a string is in the memory slot before, so that the string progresses away from the ret pointer, not towards it.
    – Tony
    CommentedSep 9, 2016 at 17:17
  • 1
    That's not how the stack works. Stacks grow toward low memory addresses (vs heaps, which grow toward high-numbered memory), thus once you corrupt the stack (i.e. gain control of the instruction pointer) you can overflow into where you want to be (insert beginning of payload here). Read: Smashing the Stack for Fun and Profit for an awesome primer!
    – HashHazard
    CommentedSep 9, 2016 at 17:30
0

It would probably stop some attacks that rely on exploiting strcpy and the like (when copying stuff around on the stack) because if you write into the opposite direction of the return address on the stack you at least can't overwrite that directly. It would still allow you to overwrite other things on the stack - possibly pointers - among many other things. It also wont protect against memcpy and many other things. Stack cannaries work pretty much against every buffer overflow. Stack cannaries however do not prevent an attacker from overwriting other pointers on the stack. Meaning you can still control pointers on the stack and use these pointers and other things in the code to write to arbitrary memory locations including the return address on the stack.

Improve this answer

    You must log in to answer this question.

    Start asking to get answers

    Find the answer to your question by asking.

    Ask question

    Explore related questions

    See similar questions with these tags.