buffer overflow

[mystic-d]

im learning buffer-overflow and im tring to attack a server that i was build , but the server is not using the function "strcpy()" , so what else did i need to search, for doing the BOF ?

[westin]

welcome to AO!

we probably need some more info about the server... whats running on it?

[morganlefay]

ya think

MLF

[mystic-d]

the server got tcp-connections, and if u connect with the standart client (that i was build speccely for this server) u`ll get menu with this option :
1.add user (and then u send him the username)
2.start new game and so on..
i tryed to send allot of junk beside the username and look at ollydbg what happened, but nothing happened..
there is any more details i can tell u ?

[SirDice]

Why not learn with something you've made yourself instead of a blackbox?

http://insecure.org/stf/smashstack.html

[mystic-d]

its not a black-box its a server that i was build...

[mystic-d]

by the way: i was read this article , but its not help me coz the server isnt using functions like "strcpy(), scanf() and so..", so i want to know what did i need to search for now... i mean , how can i found a vulerability in this server ? (what did i need to looks for..).. ?
thanks !

[sec_ware]

Hi

I like your approach to learn the issue of buffer overflows. As per answering
your question:

Simply spoken, all buffer overflows have in common that you are using some
fixed buffer or you allow the user (or service) to specify the buffer to be
allocated. While the latter seems strange, still nowadays some (older)
applications are in use, which actually trust their clients, allowing for this
scenario.

Because of this generic character, it is thus impossible to give a complete
list (I wouldn't be able to) - sure, check for strcpy, scanf etc. but, more
general, check for all parts in your code where user (or service/protocol/...)
input from "outside" is used - directly, or more difficult to detect, indirectly.
For example, with your little server - what happens with the recv-buffer?
When do you use it, where does it have some impact?

Furthermore, which OS do you use, which Programming Language, which
Framework? It all depends - in particular the existence of a vulnerability:
even if you have found a security flaw, a vulnerable state, which
allows to reach a compromised state using authorised transitions, may not
exist at all.

If you post reasonable code-snippets, I will try to have a look at it

Cheers, and good luck.

P.s. Nowaday, fuzzers become more and more popular. What kind of protocol
are you using? You may find one, which will be appropriate to find some flaw
in your program.

[mystic-d]

first of all, thanks sec_ware !
the protocol that running is TCP and i tryed to send data and triggered the overflow and when im watching ollydbg i saw that the eip is overwrited by this address: 000012FF (no matter is im sending 1 byte more or 500 bytes more), and i want to know if this is a well known address or something common ?

if some1 know a good article (and programs) about fuzzer ,i`ll apericate her help..

[Ivan.M]

@mystic-d

First You must learn about security protections of yours OS. If I`m right you are using Windows and that means that you must know what is /safeseh, /GS, DEP, etc ... (this allude that you know what is buffer overflow, format string, code injections, pointers overwite, memory leaks, race conditions, etc ...).

Than, If you write your own server You will know if there any vuln ... and You can practise writing exploits (You "must" be master of debuging).

Read, read and read