January 14th, 2002, 08:16 PM
Hey, what's up everyone? I was going to post this question in the "newbie questions" forum but I put it in "Misc. Security Discussions" instead. I was hoping someone could help me with buffer overflows. Don't start sending flames, because you had to learn and ask someone else at one point in time too.
Anyhow, I did some researching on Google and found a site that helped explain what a buffer overflow is, but I'm still wondering if this would be considered a buffer overflow or not? Here's what I found:
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
Ok, now, after reading that I found that you can crash Yahoo! Messenger by sending a message to all of your friends and pressing Ctrl+G, which is supposed to send a "Buzz!" wake-up message to the recipient. But instead, I got this error message:
This program has performed an illegal operation and will be shut down. If the problem persists, contact the program vendor.
YPAGER caused an invalid page fault in
module YPAGER.EXE at 0177:00485274.
EAX=0076f460 CS=0177 EIP=00485274 EFLGS=00010246
EBX=00000000 SS=017f ESP=0076f32c EBP=0076f4a0
ECX=00000000 DS=017f ESI=004ede94 FS=10ff
EDX=00000003 ES=017f EDI=00000000 GS=0000
Bytes at CS:EIP:
8b 47 6c 8b 18 3b d8 74 3b 56 8b 73 08 8d 46 14
01adadf8 00000000 00455d06 00000000 01adadf8 bff52098 74737563 52006d6f 46204d41 53454c49 4841595c 5c214f4f 5353454d 45474e45 50005c52 52454741
Anyone have a clue as to what that says?
January 24th, 2002, 06:14 PM
May not be much help, but...
Well, here goes. Buffer overflows are caused by bad programming practices in C and C++ (although they can occur in other languages, C and C++ are inherently unsafe programming languages). When writing a program it requires a place to put bits (so the programmer sets a specified buffer), and when a program exceeds the designated amount of bits designed by the buffer it causes a buffer overflow. When this happens, the next contiguous chunk of memory is overwritten. Since the C language is inherently unsafe, it allows programs to overflow buffers at will (or, more accurately, completely by accident). There are no run-time checks that prevent writing past the end of a buffer, so a programmer has to perform the check in his or her own code, or run into problems down the road.
In the simplest case, consider a Boolean flag allocated in memory directly after a buffer. Say that the flag determines whether or not the user running the program can access private files. If a malicious user can overwrite the buffer, then the value of the flag can be changed, thus providing the attacker with illegal access to private files.
Another way in which buffer overflows cause security problems is through stack-smashing attacks. Stack-smashing attacks target a specific programming fault: careless use of data buffers allocated on the program's run-time stack, namely local variables and function arguments. The results of a successful stack-smashing attack can be far more serious than just flipping a Boolean access control flag as in the previous example. A creative attacker can take advantage of a buffer overflow vulnerability through stack-smashing and then run arbitrary code (anything at all). The idea is pretty straightforward: insert some attack code (for example, code that invokes a shell) somewhere and overwrite the stack in such a way that control gets passed to the attack code. (We'll go into the details of stack smashing in our third and fourth columns on buffer overflows.)
Commonly, attackers exploit buffer overflows to get an interactive session (shell) on the machine. If the program being exploited runs with a high privilege level (such as root or administrator), then the attacker gets that privilege in the interactive session. With good programming, if a buffer is filled the program will stop where the buffer ended and not let the overflow affect the files, or if it's filled it breaks and shuts down.
Most of it is from my head; a little copy and paste was done because I didn't know a good way to define some of the stuff, but I hope this helps.
Alternate realities celebrate reality. If you can't handle the reality you're in, then you won't be able to handle the one you're attempting to escape to.
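The "Boolean flag allocated directly after a buffer" case from the post above, as an added C example that is not part of this thread: an unchecked strcpy-style copy beside the length-checked version the poster says the programmer has to write. The record layout, buffer size and sample inputs are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8   /* size of the name buffer, constructed for the demo */

/* Model of the layout described in the post: a BUF_LEN-byte name buffer with a
 * one-byte "is_admin" flag allocated directly after it. Both live in one flat
 * byte array so the overwrite is deterministic here (a real strcpy past a
 * stack array is undefined behaviour and may do anything at all). */
typedef struct {
    unsigned char mem[BUF_LEN + 1];  /* mem[0..BUF_LEN-1] = name, mem[BUF_LEN] = flag */
} record_t;

static void record_init(record_t *r) { memset(r->mem, 0, sizeof r->mem); }
static int record_is_admin(const record_t *r) { return r->mem[BUF_LEN] != 0; }

/* VULNERABLE: strcpy-style copy with no check against BUF_LEN.
 * (Bounded to the modelled region only so the demo stays well defined.) */
static void set_name_unchecked(record_t *r, const char *input) {
    for (size_t i = 0; input[i] != '\0' && i < sizeof r->mem; i++)
        r->mem[i] = (unsigned char)input[i];
}

/* HARDENED: the length check the post says the programmer must supply.
 * Input that would not fit (including its terminating NUL) is rejected. */
static int set_name_checked(record_t *r, const char *input) {
    size_t n = strlen(input);
    if (n >= BUF_LEN)
        return -1;                 /* record left untouched */
    memcpy(r->mem, input, n + 1);  /* copies the NUL too */
    return 0;
}

/* Admin flag after storing `input` with the unchecked copy. */
int flag_after_unchecked(const char *input) {
    record_t r; record_init(&r);
    set_name_unchecked(&r, input);
    return record_is_admin(&r);
}

/* -1 if the hardened copy rejected `input`, otherwise the admin flag. */
int checked_result(const char *input) {
    record_t r; record_init(&r);
    if (set_name_checked(&r, input) != 0) return -1;
    return record_is_admin(&r);
}

int main(void) {
    const char *fits = "alice";        /* constructed: 5 bytes, fits */
    const char *spills = "aliceXXXY";  /* constructed: 9 bytes, the 9th lands on the flag */
    printf("unchecked '%s': admin=%d\n", spills, flag_after_unchecked(spills));
    printf("checked   '%s': %d, '%s': %d (-1 = rejected)\n", fits, checked_result(fits), spills, checked_result(spills));
    return 0;
}
```

Note that an 8-byte name is also rejected by the checked version, since there would be no room for the terminating NUL.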
January 24th, 2002, 06:33 PM
Sounds like it.
It does indeed sound as though you've got a buffer overflow there; a great paper on the topic is AlephOne's "Smashing the Stack for Fun and Profit" ( http://www.phrack.org/show.php?p=49&a=14 ). The error that you're seeing there happens when the return address for the run-time stack is overwritten, but the value that appears there is invalid in some way (i.e. out of the range of available memory).
Folks, please correct me if I'm wrong here, as I'm more or less a newbie myself and I haven't played with buffer overflows for a little while.
January 24th, 2002, 07:27 PM
Hmmmmmm, I can be corrected if I'm wrong, but this looks like the stack allocation was too low.
When the CPU received an INT request it put the current code that was in the internal registers into a stack, and the stack allocation was too low. That's what a "stack" does: it holds register information on a temporary basis while an INT request is being executed. It then empties itself back into the CPU's internal registers. It tried to do this and you got an "invalid page fault", which is something trying to use memory that another program is using. That's my guess, and it's just a guess.