Pedram Amini and I demonstrated a pydbg script we wrote that detects stack return address corruption and breaks into the debugger console. By doing this we can trace and debug stack overflows that destroy all stack unwinding. Stack unwinding is crucial when finding the path a vulnerable function takes on its way to complete stack distruction. Under normal circumstances when a overflow happens (especially when unbound overflows destroy SEH) one can not tell exactly when the overflow occurred. Our approach was fairly simple in that we store each return address when calling a function and popping the address when we return. Keeping our own call stack in this way lets us maintain integrity when shit goes wrong. Anyways when we record a calls return we then check that address against the current esp during the ret instruction. If things are different we bust an error and drop the user into the pydbg console. This allows a researcher to further query memory and gather all needed information. The benefits are huge and the demo we showed exemplified how much easier it is to track down traditional stack overflows when you can unwind the call stack. Also we went a step further and mentioned the idea that if you specify a unique string during the overflow the script can backtrace the stack to the beginning of your payload and thus automatically print out a working exploit with the proper offset to return eip overwrite…Anyways questions can go to pedram or cody on openrce.org (a wonderful site). peace!
Detecting Stack Corruption
page revision: 0, last edited: 04 Feb 2007 12:57