IV Exploit Q & A - kkli08/Buffer-Overflow GitHub Wiki

If the buffer size is relatively small, how can it hold the NOP sled and the shellcode? Or do you mean those payloads aren't stored in the buffer? In that case, where are those payloads stored, and are they modifiable? (Because most parts of memory are read-only.)

Your question touches on a key aspect of the exploit4.c approach, especially when dealing with small buffer sizes in the target program. Let's clarify where the payload (NOP sled and shellcode) is stored and how this works with small buffers:

Buffer Size and Payload Storage:

  1. Small Buffer in Target Program:

    • The buffer in the vulnerable program (vulnerable.c) that is being overflowed might be too small to directly store the entire NOP sled and shellcode. This is a common limitation in buffer overflow exploits.
  2. Payload Storage in Environment Variable (EGG):

    • In exploit4.c, the NOP sled and shellcode are not stored in the small buffer of the vulnerable program. Instead, they are placed in an environment variable (EGG).
    • Environment variables are stored in a different part of the process's memory: typically at the very top of the stack, where the kernel copies the environment strings during exec (the exact layout depends on the operating system), far above the small local buffer but still in the same writable stack region.
  3. Modifiability of Environment Variables:

    • Environment variables are stored in writable memory regions, and on a system without non-executable-stack protection that region is also executable, which is what allows shellcode placed in an environment variable to run.
    • Operating systems allocate writable memory for environment variables precisely because processes are meant to set and modify them (for example through setenv or putenv).
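To see where these two regions actually sit and what the hardware will let the CPU do with them, here is an added example (not code from the Buffer-Overflow repo or from exploit4.c) that reads the process's own /proc/self/maps on Linux and reports the permissions of a stack local and of the inherited environment strings. It assumes Linux; the function names are the example's own.

```c
#include <stdio.h>
#include <stdint.h>

extern char **environ;  /* environment strings laid out by execve; an EGG variable lives here */
enum { MAP_R = 1, MAP_W = 2, MAP_X = 4 };  /* permission bits from a /proc/self/maps line (Linux) */

/* Parse a maps line like "7ffd1c2e5000-7ffd1c306000 rw-p 00000000 00:00 0 [stack]"
 * into its address range and permission mask. Returns 0 if the line is malformed. */
int parse_maps_line(const char *line, uintptr_t *lo, uintptr_t *hi, int *perms) {
    unsigned long a, b;
    char p[5];
    if (sscanf(line, "%lx-%lx %4s", &a, &b, p) != 3) return 0;
    *lo = a; *hi = b;
    *perms = (p[0] == 'r' ? MAP_R : 0) | (p[1] == 'w' ? MAP_W : 0) | (p[2] == 'x' ? MAP_X : 0);
    return 1;
}

/* Permission mask of the mapping that contains addr, or -1 if none is found
 * (for example when /proc is unavailable on this platform). */
int perms_of_address(const void *addr) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    uintptr_t target = (uintptr_t)addr, lo, hi;
    int perms, found = -1;
    while (fgets(line, sizeof line, f))
        if (parse_maps_line(line, &lo, &hi, &perms) && target >= lo && target < hi) {
            found = perms;
            break;
        }
    fclose(f);
    return found;
}

/* A stack local standing in for the overflowed buffer in vulnerable.c. */
int local_buffer_perms(void) {
    char buf[16] = "stack local";
    return perms_of_address(buf);
}
/* The inherited environment strings, i.e. the region an EGG variable would occupy. */
int env_strings_perms(void) {
    return (environ && environ[0]) ? perms_of_address(environ[0]) : -1;
}

int main(void) {
    int lb = local_buffer_perms(), env = env_strings_perms();
    printf("local buffer exec=%d  environment strings exec=%d  (-1: mapping not found)\n",
           lb < 0 ? -1 : !!(lb & MAP_X), env < 0 ? -1 : !!(env & MAP_X));
    return 0;
}
```

On a current distribution both regions report writable but not executable, which is the NX caveat to keep in mind on top of the explanation above: if the environment strings report as executable, the binary or kernel is running without that protection, which is the condition this exploit depends on.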

Exploitation Mechanics with Environment Variables:

  1. Overcoming Small Buffer Limitations:

    • By using an environment variable to hold the NOP sled and shellcode, exploit4.c overcomes the limitation of the small buffer size in the vulnerable program.
    • The actual buffer in the vulnerable program is overflowed with addresses that point to the EGG environment variable (where the NOP sled and shellcode reside).
  2. Overflowing with Addresses (RET):

    • The RET environment variable, set by exploit4.c, contains addresses chosen to land somewhere inside the NOP sled in the EGG variable.
    • When the buffer in the vulnerable program overflows, these addresses overwrite the saved return address on the stack, redirecting execution into the NOP sled in EGG.
  3. Execution Flow:

    • If the overflow successfully overwrites the return address with one of the addresses in RET, the CPU resumes execution at that address, which lands inside the NOP sled in EGG.
    • The CPU then slides through the NOP instructions until it reaches the shellcode, which spawns a shell.