Memory layout:
Stack: run-time data (8MB limit)
Heap: malloc()
Data: global and static variables, string constants
Text: code, libraries
Result: safer library calls
use fgets instead of gets
use strncpy instead of strcpy
don't use scanf with %s (or use %ns, where n is a field width that bounds the read)
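The three substitutions above, as an added example that is not part of the original notes: each bounded call is paired with a comment naming the unbounded call it replaces, and a constructed 40-byte input is pushed through a 16-byte buffer (sizes chosen for the demo) to show that the buffer fills but is never overrun.

```c
#include <stdio.h>
#include <string.h>

/* Destination size used throughout (a constructed value for the demo). */
#define BUF_SIZE 16

/* strcpy replacement: strncpy stops at the buffer edge, but it writes no
 * terminator when src is longer than dst, so the terminator is forced here.
 * Unbounded original:  strcpy(dst, src); */
size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(dst);
}

/* gets replacement: fgets reads at most dst_size - 1 bytes. The newline is
 * dropped so the result matches what gets returned; returns bytes kept,
 * or -1 on end of file / error.
 * Unbounded original:  gets(dst);   (removed from the language in C11) */
int read_line_bounded(char *dst, size_t dst_size, FILE *stream)
{
    if (fgets(dst, (int)dst_size, stream) == NULL)
        return -1;
    size_t len = strcspn(dst, "\n");
    dst[len] = '\0';
    return (int)len;
}

/* scanf "%s" replacement: the field width in "%15s" caps the write at
 * 15 characters plus the terminator, exactly what a 16-byte buffer holds.
 * Unbounded original:  sscanf(input, "%s", dst); */
int scan_word_bounded(char dst[BUF_SIZE], const char *input)
{
    if (sscanf(input, "%15s", dst) != 1)   /* width must equal BUF_SIZE - 1 */
        return -1;
    return (int)strlen(dst);
}

/* Push a constructed 40-byte line through the fgets path via a temporary
 * file and report how many bytes landed in the 16-byte buffer (15). */
int demo_oversized_line(void)
{
    char buf[BUF_SIZE];
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", f);   /* 40 x 'A' */
    rewind(f);
    int kept = read_line_bounded(buf, sizeof buf, f);
    fclose(f);
    return kept;
}
```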
Stack randomization: it shifts the stack so that it is hard for an attacker to know exactly what the return address should be.
Can be overcome with nop padding in exploit code.
Non-executable stack: x86-64 marks the stack as non-executable by default (executing code there causes a segfault).
Compiler-added canaries (enabled by default)
Why we use them:
works with a non-executable stack
works with stack randomization
return-oriented programming does not overcome canaries
Return-oriented programming
Gadgets: a sequence of code ending with ret (0xc3)
the location of the library is fixed
libraries are executable
xxd a.out | grep c3