push %ebp

Presented at ToorCon San Diego 13 (2011), Oct. 9, 2011, 6:30 p.m. (20 minutes)

The most difficult step in exploiting most types of remote vulnerabilities is determining the memory addresses of the data of interest. This talk will explore a technique for dynamic stack analysis for use in situations where stack contents can be extracted but access to the vulnerable executable is not available. The technique, applied here to remote format string vulnerabilities and illustrated with pseudocode, can be used to determine the stack layout and location quickly and with relatively high reliability. No prior discussion of this method could be found, and by presenting it here the speaker hopes others may be able to use and improve upon it.


  • Tom Samstag (tecknicaltom)
    Tom Samstag is a Security Engineer at Security Innovation in Seattle, performing penetration testing and security code review. Passionate about security research for many years, he moved professionally from video game development to security earlier this year. He is also a regular participant in various CTF and other hacking games. A C programmer at heart, his interests tend to gravitate towards reverse engineering, exploitation, static analysis, and other bit-fu aspects of software and security.