Reputation: 3264
In a buffer overflow attack, it's possible to run code from the BSS section (assuming the user disabled some security protections). How is code running there different than code running in the text section? Does it make sense to push things onto the stack while running code from the BSS section? If not, how can functions be called from there?
I'm using Linux x86.
Upvotes: 3
Views: 1787
Reputation: 16351
Yes, you are correct. Provided that the memory segment or selector that holds the BSS is not marked non-executable, you can easily execute code from it if:
Simply inject your code into #3 and you're off to the races.
By the way... I would not expect BSS to be marked executable, but don't despair. This by no means indicates that some other selector doesn't point at exactly the same memory and is marked executable. This means that you could approach it through BSS to inject code, since that will be read/write, and then through some other selector to execute.
For example, I find a fair number of examples where CS is pointing to precisely the same memory as DS, but CS is read-only and executable while DS is readwrite and non-executable. Make sense?
Upvotes: 1
Reputation: 197
As far as I am aware, your premise of the BSS segment containing executable instructions is flawed. The BSS segment is used to hold only static variables that haven't been assigned values, for example:
static char *test_var;
The text segment is the segment that contains the executable instructions and not the BSS segment.
For more clarity, refer to: http://en.wikipedia.org/wiki/.bss and http://en.wikipedia.org/wiki/Code_segment
Also, you might want to look at the virtual memory layout. The link http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/ illustrates this very well, with diagrams etc.
However, if you want to see which segments of an executable are marked as executable, use the tool called readelf on the executable as shown below:
readelf -l ./test
Upvotes: 2
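As an added example (not code from either answer above), the following Python script reads the ELF program headers directly, using only the standard library, and reports the same permission flags that the Flags column of `readelf -l` shows. It also points out the zero-filled tail of each PT_LOAD segment (memsz minus filesz), which is where .bss lives, and flags any segment mapped both writable and executable, the condition the question depends on. The `build_sample_elf` helper constructs a minimal, non-runnable ELF64 image so the script works offline; the addresses and sizes in it are made up for the example.

```python
import struct
import sys

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

# ELF64 little-endian header (64 bytes) and program header (56 bytes) layouts
ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
ELF64_PHDR = struct.Struct("<IIQQQQQQ")


def flags_to_str(flags):
    """Render p_flags the way readelf -l does: 'R E', 'RW ', 'RWE'."""
    return (("R" if flags & PF_R else " ")
            + ("W" if flags & PF_W else " ")
            + ("E" if flags & PF_X else " "))


def parse_load_segments(data):
    """Return the PT_LOAD segments of a little-endian ELF64 image as dicts."""
    if len(data) < ELF64_EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = ELF64_EHDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    segments = []
    for i in range(e_phnum):
        (p_type, p_flags, p_offset, p_vaddr, p_paddr,
         p_filesz, p_memsz, p_align) = ELF64_PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue
        segments.append({
            "vaddr": p_vaddr,
            "filesz": p_filesz,
            "memsz": p_memsz,
            "flags": p_flags,
            "perm": flags_to_str(p_flags),
            # bytes past filesz are zero-filled by the loader: this is .bss
            "zero_fill": p_memsz - p_filesz,
        })
    return segments


def writable_and_executable(segments):
    """Segments that are both W and X, i.e. where injected data could be run."""
    return [s for s in segments if (s["flags"] & PF_W) and (s["flags"] & PF_X)]


def build_sample_elf(bss_executable=False):
    """Construct a minimal ELF64 image (constructed for this example, not a real
    program): one R E text segment and one RW data segment whose memsz exceeds
    filesz, giving it a .bss tail. With bss_executable=True the data segment is
    marked RWE, the weak configuration the question describes."""
    e_ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = ELF64_EHDR.pack(e_ident, 2, 0x3E, 1, 0x401000, ELF64_EHDR.size,
                           0, 0, ELF64_EHDR.size, ELF64_PHDR.size, 2, 0, 0, 0)
    text = ELF64_PHDR.pack(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000,
                           0x1000, 0x1000, 0x1000)
    data_flags = PF_R | PF_W | (PF_X if bss_executable else 0)
    data = ELF64_PHDR.pack(PT_LOAD, data_flags, 0x1000, 0x601000, 0x601000,
                           0x100, 0x1100, 0x1000)
    return ehdr + text + data


def report(data):
    """Human-readable summary of PT_LOAD permissions, one line per segment."""
    segments = parse_load_segments(data)
    lines = [f"LOAD vaddr=0x{s['vaddr']:x} filesz=0x{s['filesz']:x} "
             f"memsz=0x{s['memsz']:x} flags={s['perm']} bss_bytes=0x{s['zero_fill']:x}"
             for s in segments]
    wx = writable_and_executable(segments)
    lines.append("W+X segments: " + (", ".join(hex(s["vaddr"]) for s in wx) if wx else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a real binary path to inspect it; with no argument the constructed sample is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(report(image))
```

Run it as `python3 elfperm.py ./test` to inspect a real binary. On a normally linked program the data segment shows `RW ` and the W+X line reads `none`; the `bss_bytes` value is how much of that segment the loader zero-fills, which is exactly the .bss the second answer describes. Note that, as the first answer points out, these are the permissions requested for the initial mapping; a process can later change them with mprotect or map the same memory a second way, which a static header check will not reveal.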