buffer overflow

Thread: buffer overflow

  1. #1
    Member
    Join Date
    Aug 2004
    Posts
    36

    buffer overflow

    hi,

    I want to write a simple C program with a few functions that are vulnerable to buffer overflow attacks and call them from the main function.

    I in fact wrote such a program.

    Now, I understand the theory of a buffer overflow attack, but I do not know how to do it on my own demo vulnerable program.

    When I search the net, I only find demos showing sample vulnerable C code, and they just say that it is vulnerable because the stack can be manipulated.

    But how do I investigate and manipulate the stack contents of a program?

  2. #2
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    Well, as stupid as it may sound... overflow the buffer....

    What OS are you using?

    Say your program asks you for a string, say a name... now the memory allocation for name might be something like

    char name[10];

    So we can see that the amount of characters that can be stored in name is 10; if we put more than 10 characters in it, it will cause the buffer to be overflowed and in some cases crash.

    On *nix you might get an error like "segmentation fault", and on wind0ze you'll get one of those boxes pop up that says something about a memory problem at some memory location.

    So say in the program asking for a name I type something like "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". That messes with the program and the buffer is overflowed; you might get an error message saying it's mucked up, or nothing might happen and the program might hang. These indicate that the buffer has been overflowed.

    If you're on *nix you can use gdb to look at the stack with some command like x/20s $esp; that's not a perfect example, but you can do some reading on using gdb. I think the debugger in Visual Studio for Windows allows this also.

    Ohh yea, if you're on Windows, download OllyDbg! It's freaking amazing and it's free! But it's shareware only for copyright reasons, so it's actually freeware!

    I can suggest more stuff if you like; you need to be more specific though :-) Cheers dude

    i2c

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    Ohh yea, forgot to say! If you're really interested in this, get yourself a copy of The Shellcoder's Handbook

    http://www.amazon.com/exec/obidos/tg...books&n=507846

    It's really worth reading, nicely written, and you learn a lot even if you thought you understood shellcode and other similar exploitation methods.

    i2c

  4. #4
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Here's a brief example:

    Code:
    #include <string.h>

    /* deliberately vulnerable: buf holds 10 bytes, but strcpy copies the
       whole of str with no length check */
    void foo(char *str) {
      char buf[10];

      strcpy(buf, str);
    }

    int main(void) {
      char *str = "This is a test line that's longer than 10 bytes";

      foo(str);
      return 0;
    }
    The above will compile with no problems; any compiler will do it and won't complain. However, your str string is longer than the declared size of buf, which is 10. I hope this helps... there are a lot of articles out there, just do a Google on 'buffer overflows in C'.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  5. #5
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    Find and read the book Hacking: The Art of Exploitation. It is one of the best books I have ever read on buffer overflows and exploits; if you really want to learn, it is a must read.

  6. #6
    Junior Member
    Join Date
    Aug 2004
    Posts
    25
    Originally posted here by i2c
    Well, as stupid as it may sound... overflow the buffer....

    What OS are you using?

    Say your program asks you for a string, say a name... now the memory allocation for name might be something like

    char name[10];

    So we can see that the amount of characters that can be stored in name is 10; if we put more than 10 characters in it, it will cause the buffer to be overflowed and in some cases crash.

    On *nix you might get an error like "segmentation fault", and on wind0ze you'll get one of those boxes pop up that says something about a memory problem at some memory location.

    So say in the program asking for a name I type something like "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". That messes with the program and the buffer is overflowed; you might get an error message saying it's mucked up, or nothing might happen and the program might hang. These indicate that the buffer has been overflowed.

    If you're on *nix you can use gdb to look at the stack with some command like x/20s $esp; that's not a perfect example, but you can do some reading on using gdb. I think the debugger in Visual Studio for Windows allows this also.

    Ohh yea, if you're on Windows, download OllyDbg! It's freaking amazing and it's free! But it's shareware only for copyright reasons, so it's actually freeware!

    I can suggest more stuff if you like; you need to be more specific though :-) Cheers dude

    i2c
    I apologize for my ignorance, as I don't have experience in programming. Your example of
    char name[10];
    and your explanation that if the user inputs more than 10 characters, the buffer overflows and in some cases the system crashes. But a person with a little bit of common sense would think: why doesn't the input get truncated if the user types more characters than were defined, instead of an overflow or a crash?

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    OK, so I'm going to say that name is actually an array of [30] now, to simplify how I type this, and that we put 40 * A into the buffer.

    Basically, when you begin to overwrite other sections of the stack, because C doesn't have any control over how arrays are used, these checks need to be included by the programmer. I don't know why C doesn't have this support in it,

    but anyway, with this you end up filling the assigned buffer space with 32 bytes of A, and then it pushes the excess stuff elsewhere, overwriting ESP and the RET, which is the return pointer, so there is then the value 0x41414141 in there, and this is an invalid memory address, so a segmentation fault is caused.

    Something like this should give you an idea -

    Code:
    #include <stdio.h>

    int main(void) {
      char name[30];

      gets(name);              /* no length limit: deliberately vulnerable */
      printf("%s\n", name);

      return 0;
    }
    That should work; it's very similar to the example on page 18 of The Shellcoder's Handbook.

    If you're on Linux, compile with gcc programname.c -o programname, then run it with ./programname, and whack in 40 * A when you can give it input.

    You'll see an error "segmentation fault".

    You can see the register values with gdb using something like gdb programname core, I think.

    Hope that helps explain it...

    i2c

  8. #8
    Custom User
    Join Date
    Oct 2001
    Posts
    503
    FallenZer0, your question about truncating:

    You asked why the input doesn't get truncated when the user types more into the array than the array can hold. The answer to this is that in a well-written program the input will get truncated.

    Basically, when certain functions were written in C, I guess the coders did not think about the possibility of a buffer overflow, and so did not think to make functions which limit the amount of data that is input to the size of the variable that the data is being input to. Because of this, and because C has almost complete control over the computer's memory, you will get a buffer overflow.

    I will not actually go into an example of how to do this, because I feel that everyone uses the same examples, which do not necessarily help someone who doesn't understand the concept learn, and also because I am not confident of my ability to write one, but I will attempt to explain to you the concept of the buffer overflow exploit in basic detail.

    In your program, you have memory allocated to all your data members, and then you have certain pieces of memory which the computer uses to complete operations, such as where to go when a function is complete, etc. (I told you this is very basic...). If you manage to overwrite all the memory for your data members, and put information into any "system memory" that is "before" the pointer which tells the program where to go when the current function is complete, without crashing your program, you can then change the aforementioned pointer to a memory address that contains something that you want to run yourself (i.e. some kind of malicious code).

    The art of creating a buffer overflow relies on exploiting a program that runs with a certain access level that you require, in such a way that you do not crash it before it runs your own code (AFAIK).

    And to add to my answer about why the input isn't truncated: there are many methods in C that do check the length of input and truncate input in order to prevent buffer overflows, but the programmer has to be aware of these functions and has to use them instead of some more basic function in his/her code.

    Hope that answer wasn't too confusing.

    ac
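
Added example (not from any poster in this thread): the bounded counterparts of the strcpy(buf, str) in post #4 and the gets(name) in post #7, written the way ac describes in post #8, so over-long input is truncated and reported instead of running past the buffer. The 10-byte size and the function names are chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 10   /* same size as the char name[10] in i2c's post */

/* Bounded copy: writes at most bufsz-1 bytes plus a NUL terminator and
 * returns 1 if the input had to be truncated, 0 otherwise. Replaces the
 * unchecked strcpy(buf, str) from the example above. */
int copy_name_bounded(char *buf, size_t bufsz, const char *input)
{
    size_t n = strlen(input);
    int truncated = (n >= bufsz);         /* n == bufsz-1 still fits with the NUL */
    if (truncated) n = bufsz - 1;
    memcpy(buf, input, n);
    buf[n] = '\0';
    return truncated;
}

/* Bounded line read: fgets() stops after bufsz-1 characters, so the buffer
 * cannot be overrun the way gets(name) can. If the line was longer than the
 * buffer, the remainder is discarded so it does not spill into the next read.
 * Returns 1 if truncated, 0 if the whole line fitted, -1 on EOF/error. */
int read_name_bounded(char *buf, size_t bufsz, FILE *in)
{
    if (fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {               /* newline present: whole line fitted */
        buf[len] = '\0';
        return 0;
    }
    int c = getc(in);                     /* no newline: was anything left over? */
    if (c == EOF || c == '\n')
        return 0;                         /* line was exactly bufsz-1 chars */
    while ((c = getc(in)) != EOF && c != '\n')
        ;                                 /* drain the excess instead of storing it */
    return 1;
}

/* Stand-alone demo: type 40 A's and it reports truncation instead of faulting. */
int main(void)
{
    char name[NAME_LEN];
    int r = read_name_bounded(name, sizeof name, stdin);
    if (r < 0)
        return 1;
    printf("%s%s\n", name, r ? " (input truncated)" : "");
    return 0;
}
```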

  9. #9
    Junior Member
    Join Date
    Aug 2004
    Posts
    25
    Thank you i2c and gothic_type for your explanations. That definitely helps me.

  10. #10
    OK, so I know what a buffer overflow is, but how do you then get the program to execute commands? Could someone write an exploit for i2c's program?
    -n6
