Null Pointer Dereferences and Exploit Development
April 14, 2010
Found this one on Slashdot yesterday. It’s an excellent article on how to exploit null pointer dereferences on Linux.
It’s always amazing to me how many people in the penetration testing and vulnerability side of the industry don’t “get” what it means to write an exploit. I regularly ask people (who I’m hiring to be a penetration tester for MAD) and it’s almost comical how many of them can’t describe in detail how a buffer overflow works.
It’s more insidious than it sounds. Everyone can describe the basics: there’s a character buffer in a C-like language that takes in an unbounded set of input (e.g. via strcpy). Stick too many characters in the buffer, and suddenly the buffer gets executed as arbitrary code and bad things happen.
But when pressed as to HOW the buffer ends up getting treated as code, you’ll find that you often hear crickets when you ask people in our industry to explain. Do you know the answer to this one?
Suppose I fill the buffer with repeating “A”s... how does 0x41414141 end up as the next executed instruction?
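The answer to that question, as an added C model that is not code from the post or from The Hacker Academy: the saved return address sits just above the local buffer on the stack, an unbounded copy of “A”s runs past the buffer and overwrites it with 0x41414141, and the function’s RET then pops that value into EIP. The frame layout (no padding, no stack canary) and the sample return address 0x08048400 are assumptions; the copy is simulated inside a struct so the program runs deterministically instead of crashing, and `bounded_copy` shows the corrected pattern beside it.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a 32-bit x86 stack frame (assumption: no padding,
 * no stack canary). The compiler places the local buffer at the lowest
 * address; the saved frame pointer and the saved return address live
 * directly above it, so a write that runs past buf lands on them. */
struct frame {
    char     buf[16];
    uint32_t saved_ebp;
    uint32_t saved_ret;   /* RET pops this into EIP when the function returns */
};

static const uint32_t CALLER_RET = 0x08048400u;   /* constructed sample value */

/* Vulnerable pattern: an unbounded strcpy()-style copy into buf.
 * Modelled as a byte copy into the frame object so the demo stays
 * deterministic and inside the object; on a real stack the write would
 * simply keep going. Returns what RET would load into EIP. */
static uint32_t unbounded_copy(const char *input) {
    struct frame f = { .saved_ebp = 0xbffff000u, .saved_ret = CALLER_RET };
    size_t n = strlen(input) + 1;                      /* strcpy copies the NUL too */
    size_t room = sizeof f - offsetof(struct frame, buf);
    if (n > room) n = room;                            /* stay inside the model */
    memcpy((unsigned char *)&f + offsetof(struct frame, buf), input, n);
    return f.saved_ret;
}

/* Hardened pattern: the copy is bounded by the buffer size and always
 * NUL-terminates, so the saved return address is never touched. */
static uint32_t bounded_copy(const char *input) {
    struct frame f = { .saved_ebp = 0xbffff000u, .saved_ret = CALLER_RET };
    snprintf(f.buf, sizeof f.buf, "%s", input);        /* truncates, never overflows */
    return f.saved_ret;
}

int main(void) {
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 'A's, constructed */
    printf("unbounded: RET would jump to 0x%08" PRIx32 "\n", unbounded_copy(input));
    printf("bounded:   RET would jump to 0x%08" PRIx32 "\n", bounded_copy(input));
    return 0;
}
```

Because every overflowing byte is 0x41, the result is 0x41414141 on both little- and big-endian layouts; with real input the attacker-controlled bytes would be read in the machine’s byte order.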
Since I’ve just finished up that module in preparation for launch of The Hacker Academy, I’m sensitive to it. I can also guarantee that our students will know the answer.