CEH

Understanding DoS


The key takeaway from this is to understand how the stack can be “overflowed” and
thus create a DoS condition within the program or system. Knowing the basics of how the
stack is used gives you insight into how it might be compromised.
Now that you are familiar with the heap and the stack, let’s go over some key concepts
that will be important for passing the exam, as well as for understanding the operation of a
successful DoS attack via buffer overflow:


Smashing the Stack “Smashing” the stack refers to the use of a buffer overflow to compromise the integrity of the stack and gain program-level control for running malicious code. Refer back to the basic program stack in Figure 11.1; smashing the stack subverts normal stack operation by writing more data into a stack buffer than it can hold, so that (if left unchecked) the write runs past the buffer’s bounds. The excess data overwrites adjacent stack variables, the saved frame pointer and, critically, the saved return address. When the function returns, that return address is loaded into the Extended Instruction Pointer (EIP), so execution continues at an attacker-chosen location, typically the injected malicious code. If the overwritten value is simply garbage, the program crashes instead; that crash is the DoS outcome this chapter is concerned with. Figure 11.2 shows this process.
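The following is an added teaching model, not code from the book or from any real program. It represents one x86 stack frame as a struct (local buffer, then saved frame pointer, then saved return address, the order the figure assumes) and shows how an unchecked copy spills NOP bytes and a forged address over the control data, while a bounded copy cannot reach it. The struct layout, the constant names and the addresses (0xbffff100 and so on) are assumptions chosen for illustration; real frame layouts are compiler-dependent.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of one stack frame laid out as in Figures 11.1/11.2 (assumption:
 * local buffer, then saved frame pointer, then saved return address).
 * Real compilers may reorder or pad frames; this is a model, not a real frame. */
struct frame {
    char     buf[16];    /* local buffer the program writes into */
    uint32_t saved_ebp;  /* caller's frame pointer ("False SP" once overwritten) */
    uint32_t ret;        /* saved return address ("False EIP" once overwritten) */
};

_Static_assert(sizeof(struct frame) == 24, "model assumes no padding in the frame");

#define NOP 0x90   /* x86 single-byte NOP, the "0x90" block in Figure 11.2 */

/* Build the classic payload: a NOP sled that fills buf, a fake saved EBP,
 * then the address the attacker wants loaded into EIP when the function
 * returns. Returns the payload length, or 0 if the caller's buffer is too small. */
size_t build_payload(unsigned char *out, size_t cap, uint32_t fake_eip) {
    size_t n = sizeof(struct frame);
    if (cap < n) return 0;
    uint32_t fake_ebp = 0x41414141u;                     /* assumed filler */
    memset(out, NOP, offsetof(struct frame, saved_ebp)); /* NOP sled over buf */
    memcpy(out + offsetof(struct frame, saved_ebp), &fake_ebp, sizeof fake_ebp);
    memcpy(out + offsetof(struct frame, ret), &fake_eip, sizeof fake_eip);
    return n;
}

/* Vulnerable copy: mirrors strcpy(f->buf, in) with no length check, so a long
 * input runs past buf into the saved EBP and return-address slots. The clamp
 * to sizeof *f only keeps the model itself well-defined. */
void unchecked_copy(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, in, n);
}

/* Hardened copy: bounded to the buffer and NUL-terminated, so the control
 * data behind the buffer can never be reached. */
void bounded_copy(struct frame *f, const unsigned char *in, size_t n) {
    size_t max = sizeof f->buf - 1;
    if (n > max) n = max;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* Address the CPU would load into EIP when this frame's function returns. */
uint32_t return_target(const struct frame *f) { return f->ret; }

/* Run the overflow against a frame whose legitimate return address is
 * original_ret and report where execution would resume. */
uint32_t demo_unchecked(uint32_t original_ret, uint32_t fake_eip) {
    struct frame f = { .saved_ebp = 0xbffff000u, .ret = original_ret };
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, fake_eip);
    unchecked_copy(&f, payload, n);
    return return_target(&f);
}

/* Same payload against the bounded copy: the return address must survive. */
uint32_t demo_bounded(uint32_t original_ret, uint32_t fake_eip) {
    struct frame f = { .saved_ebp = 0xbffff000u, .ret = original_ret };
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, fake_eip);
    bounded_copy(&f, payload, n);
    return return_target(&f);
}

int main(void) {
    uint32_t legit = 0x08048500u, forged = 0xbffff100u;   /* assumed addresses */
    printf("unchecked copy returns to 0x%08x (attacker-controlled)\n",
           demo_unchecked(legit, forged));
    printf("bounded copy returns to   0x%08x (unchanged)\n",
           demo_bounded(legit, forged));
    return 0;
}
```

A forged address that points at the NOP sled gives code execution; a forged address that points at unmapped memory gives a crash, which is the DoS case. The bounded copy is the fix: the length check makes the saved return address unreachable regardless of input size.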


FIGURE 11.2 Smashing the stack

[Figure: the basic program stack from Figure 11.1 (Bottom of Stack, Program Data, Return Address, Stack Pointer (SP), Extended Instruction Pointer (EIP), Stack Limit) overlaid by a block of 0x90 (NOP) bytes that runs past the buffer and replaces the saved values with a False SP and a False EIP.]

Figure 11.2 deserves a bit more explanation, as it may look a little confusing at this point. Let’s take it one piece at a time. Underlying the “0x90” block (which will be discussed in “NOP Sled” in a moment) is the basic program stack from Figure 11.1. Remem-
