I just started looking into how buffer overflow attacks work, and tried simulating an attack on Windows 7 using Visual C 2010. The buffer overflow attack is very contrived; it just overwrites the return address with the address of the "buffer" local variable. The buffer holds the string of shellcode.
Whether I run the program in Visual Studio 2010 Debug or not, the program will jump to the shellcode and almost begins execution of it, but I get an Access Violation error, and the program will not continue executing the shellcode.
Why am I getting this error? Is this some sort of protection against buffer overflows in Windows?
How would you get the program to execute the shellcode in the buffer?
Edit: Hans's answer is correct. This is discussed within the Security chapter of Windows Internals 5th, and the cause of the error is Microsoft's implementation of Executable Space Protection.
If this question helped anyone, any up-votes would be appreciated.
    #include <stdio.h>
    #include <string.h>

    /* 32-bit build (int and pointers are both 4 bytes), as in the original post. */
    void execute_my_shellcode()
    {
        char buffer[24];
        /* 23 bytes of shellcode plus the terminating NUL fill the 24-byte buffer exactly. */
        memcpy(buffer, "\x6A\x21\xFF\x15\x40\x62\x40\x00\x83\xC4\x04\x6A\x0A\xFF\x15\x40\x62\x40\x00\x83\xC4\x04\xC3", 24);
        /* The saved return address is assumed to sit 28 bytes past the start of buffer in this build. */
        printf("current return address: %p\n", *(int*)((char*)&buffer + 24 + 4));
        /* Overwrite the saved return address with the address of buffer itself. */
        *(int*)((char*)&buffer + 24 + 4) = (int)&buffer;
        printf("return address is now : %p\n\n", (int*)*(int*)((char*)&buffer + 24 + 4));
    }
This might have worked 10 years ago. These obvious security holes have been patched; the no-execute bit that processors support nowadays is one of the counter-measures.
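As an added example (not code from the question or the answer above), the following program checks whether the page holding a stack buffer is executable at all. On Windows it asks VirtualQuery for the page protection; on other systems it parses /proc/self/maps as a fallback. With DEP / the NX bit in effect the stack page is writable but not executable, which is why returning into the buffer faults with an Access Violation rather than running the bytes. The function names are my own.

```c
/*
 * Added example: report whether the memory page that contains a local
 * (stack) buffer carries execute permission. Not part of the original post.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>

/* Returns 1 if the page containing addr has a PAGE_EXECUTE* protection,
 * 0 if it does not, -1 if the query fails. */
int page_is_executable(const void *addr)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(addr, &mbi, sizeof mbi) == 0)
        return -1;
    /* Strip the PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits. */
    DWORD prot = mbi.Protect & 0xFF;
    switch (prot) {
    case PAGE_EXECUTE:
    case PAGE_EXECUTE_READ:
    case PAGE_EXECUTE_READWRITE:
    case PAGE_EXECUTE_WRITECOPY:
        return 1;
    default:
        return 0;
    }
}
#else
/* Fallback for Linux-like systems: find the mapping that contains addr in
 * /proc/self/maps and look at the 'x' permission flag. */
int page_is_executable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return -1;
    char line[512];
    uintptr_t a = (uintptr_t)addr;
    int result = -1;
    while (fgets(line, sizeof line, maps)) {
        unsigned long start, end;
        char perms[5];
        /* Each line starts with "start-end perms", e.g. "7ffd...-7ffd... rw-p". */
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
            continue;
        if (a >= start && a < end) {
            result = (perms[2] == 'x');
            break;
        }
    }
    fclose(maps);
    return result;
}
#endif

/* Allocates a stack buffer like the one in the question and reports
 * whether its page is executable (1), non-executable (0) or unknown (-1). */
int stack_buffer_is_executable(void)
{
    char buffer[24];
    memset(buffer, 0, sizeof buffer);
    return page_is_executable(buffer);
}

int main(void)
{
    int stack = stack_buffer_is_executable();
    /* A code page (this function's own address) is the contrast case. */
    int code = page_is_executable((const void *)(uintptr_t)&stack_buffer_is_executable);

    if (stack < 0)
        puts("stack page protection: unknown");
    else
        printf("stack buffer page: %s\n",
               stack ? "EXECUTABLE (no DEP/NX on the stack)"
                     : "non-executable (DEP/NX in effect)");
    if (code >= 0)
        printf("code page: %s\n", code ? "executable" : "non-executable");
    return 0;
}
```

On a system with DEP or NX enabled the stack report is "non-executable", so a return address pointing into `buffer` lands on a page the CPU refuses to fetch instructions from, and the process dies with the Access Violation seen in the question.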