Question

In this scenario, the stack starts at address 00000000 and grows down. Array access (char[6] at 00002301 and char[7] at 00002302).

ebp-> 00001904 .... esp-> 00002100 (top of stack is here)

You can still execute a buffer overflow if you use a bad input, my question is:
- Can you exploit that overflow to execute some shell code (from input)?

In a regular stack, you can overwrite the ebp to point to your shell code; can you still do this if the stack is 'flipped'?


Solution

Short answer: yes.

  1. Function A allocates buffer on the stack for variable Q.
  2. A calls B passing address of Q as a parameter.
  3. B overflows the buffer nuking the return address back to A.

You also have to watch out for buffer underflows, or other attacks that could modify arbitrary memory (such as freeing an element from a double linked list).

OTHER TIPS

You can find this question perfectly solved in O'Hallaron's book CSAPP.

Here is the brief introduction:

  • Firstly, you get the idea that we can overwrite the ebp by using the buffer overflow. This can work because the call and ret instructions would use the address to put the return point in and pull it back.
  • And then, Linux has a kind of protection mechanism which is called stack randomization. This means you cannot find the exact address of ebp. But we can use the instruction named nop, and this is called slop (maybe, I guess).
  • At last, Linux has a last wall to protect: setting a canary. This is a value in the (ebp+4) address which is set before calling a function. After return, you can check this one to find out if the stack has been overflow attacked.

If you want to try this, you can check out the ICS's Lab3, and you can get well exercised in this technique.
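To make the three steps of the first answer and the canary check of the second one concrete, here is an added C example (not from either answer, nor from CSAPP). It simulates one stack frame inside a plain byte array rather than touching real process memory: a local buffer, then a canary word, then the saved ebp and return address. The offsets, the canary value and the return address are constructed for the demo; the saved ebp value 00001904 is taken from the question's sketch. `copy_unbounded` is the defect under discussion (input length decides how far the copy writes), `copy_bounded` is the fix, and `canary_intact` is the epilogue check that catches the overrun before the function returns. The layout follows the usual downward stack; the check itself does not depend on growth direction.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout constructed for this example: buffer lowest, then canary,
 * then saved ebp and return address, as described in the answer above. */
#define BUF_SIZE   8
#define OFF_BUF    0
#define OFF_CANARY (OFF_BUF + BUF_SIZE)
#define OFF_EBP    (OFF_CANARY + 4)
#define OFF_RET    (OFF_EBP + 4)
#define FRAME_SIZE (OFF_RET + 4)
#define MEM_SIZE   64  /* simulated memory that continues past the frame */

static const uint32_t CANARY    = 0xCAFE0001u; /* constructed; real canaries are random per process */
static const uint32_t SAVED_EBP = 0x00001904u; /* value from the question's sketch */
static const uint32_t RET_ADDR  = 0x00002100u; /* constructed placeholder */

static uint32_t load32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void store32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Set up the frame as it looks right after the prologue of the callee. */
void frame_init(uint8_t *mem) {
    memset(mem, 0, MEM_SIZE);
    store32(mem + OFF_CANARY, CANARY);
    store32(mem + OFF_EBP, SAVED_EBP);
    store32(mem + OFF_RET, RET_ADDR);
}

/* The defect: the copy length comes from the input, not from the buffer.
 * The clamp to MEM_SIZE only keeps the demo inside its own array; a real
 * process would keep writing into whatever lies beyond. */
void copy_unbounded(uint8_t *mem, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > MEM_SIZE - OFF_BUF) n = MEM_SIZE - OFF_BUF;
    memcpy(mem + OFF_BUF, input, n);
}

/* Hardened form: the buffer size bounds the copy; snprintf always NUL-terminates. */
void copy_bounded(uint8_t *mem, const char *input) {
    snprintf((char *)(mem + OFF_BUF), BUF_SIZE, "%s", input);
}

/* Epilogue check: 1 if the canary is unchanged, 0 if the buffer overran into it. */
int canary_intact(const uint8_t *mem) { return load32(mem + OFF_CANARY) == CANARY; }
uint32_t frame_saved_ebp(const uint8_t *mem) { return load32(mem + OFF_EBP); }
uint32_t frame_return_addr(const uint8_t *mem) { return load32(mem + OFF_RET); }

typedef struct { int canary_ok; uint32_t saved_ebp; uint32_t ret_addr; } frame_result;

/* Run one copy into a fresh frame and report what the epilogue would see. */
frame_result run_scenario(int bounded, const char *input) {
    uint8_t mem[MEM_SIZE];
    frame_result r;
    frame_init(mem);
    if (bounded) copy_bounded(mem, input); else copy_unbounded(mem, input);
    r.canary_ok = canary_intact(mem);
    r.saved_ebp = frame_saved_ebp(mem);
    r.ret_addr  = frame_return_addr(mem);
    return r;
}

int main(void) {
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* 24 bytes, constructed */
    frame_result u = run_scenario(0, long_input);
    frame_result b = run_scenario(1, long_input);
    printf("unbounded: canary %s, saved ebp=%08x, ret=%08x\n",
           u.canary_ok ? "intact" : "smashed", u.saved_ebp, u.ret_addr);
    printf("bounded:   canary %s, saved ebp=%08x, ret=%08x\n",
           b.canary_ok ? "intact" : "smashed", b.saved_ebp, b.ret_addr);
    return 0;
}
```

With the 24-byte input the unbounded copy turns the canary, the saved ebp and the return address into 0x41414141 (the bytes of 'A'), which is exactly what the canary check detects before `ret` would use the clobbered address; the bounded copy leaves all three untouched, and a short input passes either way.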

Licensed under: CC-BY-SA with attribution