August 14th, 2001, 11:11 PM
I am in a bit of a quandary here. I have heard of buffer overflows etc. but I can't understand how they work, and how people go about bringing one on. From what I have understood, you overflow the allocated memory etc. leaving room for you to execute whatever it is you want to execute, but what I don't understand is how you go about executing your script or whatever in that empty space. Any and all help is greatly appreciated.
Life is a lot funnier to those watching
August 30th, 2001, 09:09 PM
From my (limited) understanding of the subject, the buffer overflow is not so much clearing the memory to leave space for your own code as it is overwriting the memory with your code.
Suppose that a unix box was requesting a username and it would store the name in spaces 1-40 of its memory. A person would initiate a buffer overflow attack by entering in a username of, say, 340 characters. This username would then go into spaces 1-340 of the memory.
The first 40 characters would be fine. The extra 300 characters would overwrite spaces 41-340. This would either 1) do nothing if that portion of memory was not critical, 2) crash or generally disrupt the box, possibly leaving it more vulnerable (or removing it from the net) or 3) If you knew what programs were stored at that memory location the extra 300 characters of the username would be your actual instructions for the box. Username = SmithJohn...line of code
There are a bunch of documents out on the net on how to actually perform this. The technique used would depend on the machine as the memory addresses would be different. Maybe I'm wrong on this, but I don't think that this is used too much anymore. A check on the character length of the input would stop the overflow.
That's that. There are some good *nix folks on this board that could go into more detail (as long as this info was used in the service of all that is good and decent).
August 31st, 2001, 11:22 AM
Guess Nemo is right.
And these overflows are caused by improper programming, especially C string functions like strcat(), gets(), scanf(), sprintf(), strcpy(), which do not check the sizes of their arguments before performing operations.
September 1st, 2001, 02:26 AM
...erm, this is my first post, so if I "do it wrong" just tell me...
OK, what Nemo was saying is partially true about buffer overflows. They're actually far more advanced than that. The concept of being able to change the flow of execution of a program WHILE it's running is an incredible concept.. I shall explain..
First we start off with a vulnerable program that asks for some sort of user filled input. This could be anything from a command line parameter to a variable that is filled by the user while the program is running. The problem exists when the bounds of that buffer where the information is held are not checked to see if it can be "overstuffed". For example, you have a 15 byte buffer, and you're trying to stuff in a username (used from Nemo's example) that is 20 characters; the first 15 will be put into memory correctly, the other bytes will overwrite whatever was put into the stack before that. Something like this..
Here is our original stack space, with variables of the program held in it before we put the user name in.
We reserve 15 bytes for the username, then push the username into the memory stack Like this.
(For our example) This is a 25 byte buffer that is correctly entered. But, if we put a 20 byte username into a 15 byte memory space, you get this:
The X's represent the stack that was overwritten. Now, here is where Nemo's post is sort of "not finished".
With a buffer overflow, the point is to run your own code, right? Well, remember how I said that it overwrites variables that were put into the stack BEFORE the unchecked buffer? Well, this is where your exploit comes in. If you know the memory space that this program is going to occupy, you can fill up a buffer with machine code (shell code) to inject into the unchecked buffer after the bounds of it have been lost.
So, if the "username" variable was called in a function, and the function was returning with information from it, it would have lost the return address since the overflow, and would creep along the memory space that it had until it got to the shellcode and executed the code that was there, your shellcode.
OK.. I know that was not a detailed explanation of overwriting the return address of a function to execute your code, but I'm running out of space on here I think. If you have any more questions about it, we can continue the thread, or you can e-mail me at firstname.lastname@example.org. I'm sure we can discuss the holes I left out and I can explain it more in detail.
Also! Make sure you check us out in the live chat, I'm always there and can explain it a little more clearly if you have questions about writing them, or finding them.. irc.antionline.com, #Antionline..
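The two defects the thread keeps coming back to are the unbounded C string copy (strcpy() and friends, third post) and the missing length check on the input (second post), with the 15-byte username buffer of the last post as the running example. The following is an added illustration written for this page, not code posted by any of the participants: it puts the unchecked strcpy() pattern beside a hardened version that refuses input which would not fit, so a reader can see exactly which line the bounds check replaces. Buffer size, function names and the sample usernames are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 15   /* the 15-byte username buffer from the thread (constructed size) */

/* The defect as described in the thread: strcpy() copies until it finds the
 * terminating NUL and never consults the size of the destination. A source of
 * NAME_LEN or more characters therefore writes past the end of 'name' and over
 * whatever the stack holds next (other locals, saved registers, the return
 * address). Shown only to mark the shape of the bug; it is never called with
 * over-long input here. */
void vulnerable_store_username(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);                 /* no bounds check: the overflow happens here */
    printf("stored: %s\n", name);
}

/* Does a candidate input fit a NAME_LEN buffer, NUL terminator included?
 * Returns 1 if it fits, 0 if it would overflow. This is "a check on the
 * character length of the input" from the second post. */
int username_fits(const char *input) {
    return strlen(input) < NAME_LEN;
}

/* Hardened copy: the caller passes the destination size, and input that would
 * not fit (terminator included) is rejected outright rather than truncated or
 * written past the end. Returns 0 on success, -1 on rejection; on rejection
 * the destination is left untouched. */
int safe_store_username(char *dst, size_t dstsz, const char *input) {
    size_t n = strlen(input);
    if (dstsz == 0 || n >= dstsz) {
        return -1;                       /* would overflow: refuse */
    }
    memcpy(dst, input, n + 1);           /* n + 1 <= dstsz, so the NUL fits too */
    return 0;
}

int main(void) {
    char name[NAME_LEN];
    const char *ok       = "SmithJohn";             /* constructed 9-character username */
    const char *too_long = "SmithJohn_ABCDEFGHIJ";  /* constructed 20-character username */

    /* The 9-character name is accepted and stored. */
    if (safe_store_username(name, sizeof name, ok) == 0) {
        printf("accepted: %s\n", name);
    }

    /* The 20-character name is rejected before a single byte is written, which
     * is the whole difference between this function and the strcpy() version. */
    if (safe_store_username(name, sizeof name, too_long) != 0) {
        printf("rejected: %zu characters do not fit a %d-byte buffer\n",
               strlen(too_long), NAME_LEN);
    }
    return 0;
}
```

The check uses `n >= dstsz` rather than `n > dstsz` because the terminating NUL needs one byte of its own: a 15-byte buffer holds at most 14 characters of name, which is why the thread's 20-character username cannot be stored safely no matter how it is copied.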