Understanding Buffer Overflows

Info
Blademaster
2004-03-28
Blademaster@dumbtech.com
http://www.rohitab.com or http://hackerlounge.com

Disclaimer
I can not be held responsible for anything you might ever do. Any spelling errors are transmission errors, and you might be able to sue the hell out of big companies such as Microsoft for them. This was written by Blademaster A.K.A. nielserman, and you should not copy this and say it's yours (it would be wrong and pathetic to do so).

Introduction
This tutorial will try to explain how buffer overflows work and what they can do. It will NOT contain information on how to write and/or exploit a buffer overflow. I will be talking about stack-based buffer overflows, not heap-based buffer overflows (but they have a lot in common). A stack-based buffer overflow is basically a bug in the code that allows insertion of code into a running program. This often happens because the information from a large buffer is copied into a smaller buffer, or because a function is used that doesn't do bounds checking. The point of an exploit for these kinds of bugs is to elevate privileges, or to crash a program by making a wrong request of the program.

How the overflow works
As said in the introduction, an overflow occurs when the contents of a large buffer are transferred into a smaller buffer (using a function such as "strcpy"), or when a function is used that does not do bounds checking (such as "gets"). Let's imagine the following: buffer1 is 44 characters big, and buffer2 holds 36 characters. 8 characters will be "lost" (not exactly, but I'll come to that), and the program will give an error (a segmentation error).

Behind the buffer
Now you know that an error occurs when a buffer is overflowed, you will probably be wondering how this can achieve the goal that I mentioned in the introduction. Well, to understand that, you must know what lies behind the last buffer. The first thing behind the buffer is EBP, the Extended Base Pointer.
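To make the 44-into-36 case concrete, the following is an added example, not code from the original tutorial. It models the frame that sits behind buffer2 as a struct (the 36-byte buffer, then the 4-byte saved EBP, then the 4-byte saved return address, EIP) so that the unchecked copy can be shown with defined behaviour instead of corrupting the real stack. The padding-free layout, the strcpy-style loop bounded to the model, and the placeholder values 0xBFFFF7C8 and 0x08048480 are all assumptions for illustration; the tutorial's own numbers (44 bytes, 36 bytes, 0x41414141) are used as-is.

```c
/* Added example, not code from the original tutorial. It models a stack
 * frame as a struct so that the "44 bytes into a 36-byte buffer" case can be
 * shown with defined behaviour instead of corrupting the real stack. The
 * field order follows the tutorial's description (buffer, then the saved
 * EBP, then the saved return address EIP); real compilers may pad or reorder
 * locals, so this exact layout is an assumption for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF2_SIZE 36

struct frame_model {
    char buffer2[BUF2_SIZE];   /* the smaller buffer (36 bytes) */
    uint32_t saved_ebp;        /* 4 bytes: the caller's frame pointer */
    uint32_t saved_eip;        /* 4 bytes: the address to return to */
};

/* Constructed placeholder values for the saved registers (not real addresses). */
#define FAKE_EBP 0xBFFFF7C8u
#define FAKE_EIP 0x08048480u

/* The vulnerable pattern: a strcpy-style copy that stops only at the source's
 * NUL and never looks at the destination size. The "i < sizeof *f" guard is
 * there only to keep this model in bounds; a real strcpy has no such stop. */
static void copy_unchecked(struct frame_model *f, const char *src)
{
    unsigned char *dst = (unsigned char *)f;   /* byte view of the whole frame */
    size_t i = 0;
    while (src[i] != '\0' && i < sizeof *f) {
        dst[i] = (unsigned char)src[i];
        i++;
    }
    if (i < sizeof *f)
        dst[i] = '\0';
}

/* The bounds-checked alternative: refuse input that does not fit together
 * with its terminating NUL, so the fields behind buffer2 are never written.
 * Returns 0 when the input fits, -1 when it is rejected. */
static int copy_checked(struct frame_model *f, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof f->buffer2)
        return -1;
    memcpy(f->buffer2, src, len + 1);
    return 0;
}

/* Runs one scenario: n constructed 'A' bytes (0x41) copied into a fresh frame
 * model, either unchecked or checked. Returns the checked copy's result, or
 * 0 when the unchecked path was used. */
static int run_model(size_t n, int use_check, struct frame_model *f)
{
    char input[128];
    if (n >= sizeof input)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';

    memset(f->buffer2, 0, sizeof f->buffer2);
    f->saved_ebp = FAKE_EBP;
    f->saved_eip = FAKE_EIP;

    if (use_check)
        return copy_checked(f, input);
    copy_unchecked(f, input);
    return 0;
}

/* Saved EBP / EIP as they look after an unchecked copy of n bytes. */
uint32_t ebp_after_unchecked_copy(size_t n) { struct frame_model f; run_model(n, 0, &f); return f.saved_ebp; }
uint32_t eip_after_unchecked_copy(size_t n) { struct frame_model f; run_model(n, 0, &f); return f.saved_eip; }

/* Checked copy: its result (0 = fitted, -1 = rejected) and the untouched saved EIP. */
int checked_copy_result(size_t n) { struct frame_model f; return run_model(n, 1, &f); }
uint32_t eip_after_checked_copy(size_t n) { struct frame_model f; run_model(n, 1, &f); return f.saved_eip; }

int main(void)
{
    size_t lengths[] = { 35, 44 };
    for (size_t k = 0; k < 2; k++) {
        printf("%zu bytes, unchecked: saved EBP = 0x%08x, saved EIP = 0x%08x\n",
               lengths[k],
               (unsigned)ebp_after_unchecked_copy(lengths[k]),
               (unsigned)eip_after_unchecked_copy(lengths[k]));
        printf("%zu bytes, checked:   result = %d, saved EIP = 0x%08x\n",
               lengths[k], checked_copy_result(lengths[k]),
               (unsigned)eip_after_checked_copy(lengths[k]));
    }
    return 0;
}
```

With 35 bytes both saved values survive; with 44 bytes of 0x41 the unchecked copy fills buffer2 and then overwrites the saved EBP and the saved EIP with 0x41414141, the invalid return address the tutorial describes. The checked copy rejects the same 44-byte input and never writes past buffer2, which is the whole difference between the two functions.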
EBP itself is not really important for us, as long as we understand that it is 4 bytes long and contains a memory address. After EBP comes EIP, the Extended Instruction Pointer. EIP contains the memory address of the next instruction to be executed, and it is also 4 bytes long (something like 0x41414141). Now that you know that, you are probably still wondering why the error was caused: because EIP contained an invalid address. See fig2. So now, the next address to be executed will be 0x41414141. This is not a valid address, and a segmentation error results. Easy.

How can this be useful
Let's say we could input something into buffer1, and it could be anything; then it would be possible to insert code into that buffer as well. Let's say we inserted something like "cout << "display this message\n";". It wouldn't work, and this has 2 reasons:
1. Memory is not C++; you want to use hex to insert code into the buffer.
2. It is not called by anything, so the code will never be reached.

Now, since we can use the buffer overflow to change the address in EIP, we can also change the flow of the program. Let's say we fill EIP with the memory address of the beginning of buffer2. In theory, this would display "Display this message", but in practice it won't, for reason 1 explained above. Memory consists of hex, so you would convert the ASM code (or even C++ code) to hex and insert that into the program to make it work.

Functions of a buffer overflow
In the introduction, I said they are often used to elevate privileges on a system. This is because the hacker's main target is compromising the system, not showing a message from a program. Some important programs, such as web servers or other types of servers or software, may need to run with root or system privileges, but any user can still make use of the service. If there is some kind of buffer overflow in a root program, the code inserted into the program will also run with root privileges.
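The defender's counterpart to the root-program problem just described, as an added example that is not code from the original tutorial: a service that needs root only to start should give root up before it reads any untrusted input, so that code injected through an overflow in the input handler runs as an unprivileged user instead. The uid and gid 65534 (usually "nobody") and the handle_untrusted_input stand-in are assumptions for illustration; the code is POSIX-only.

```c
/* Added example, not code from the original tutorial. A service that needs
 * root only to start (e.g. to bind a low port) gives root up before it reads
 * any untrusted input, so code injected through an overflow in the input
 * handler runs as an unprivileged user. The uid/gid 65534 (usually "nobody")
 * and handle_untrusted_input are assumptions for illustration. POSIX only. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the process ends up unprivileged (it already was, or the
 * drop succeeded and cannot be reversed); -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;   /* nothing to drop: not running as root */

    /* Order matters: clear supplementary groups and change the gid while
     * still root, because after setuid() the process may no longer do so. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* The drop must be permanent: regaining root has to fail now. */
    if (setuid(0) == 0)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* Stand-in for the real request parser: whatever bug it may have, it now
 * runs with the privileges reported here, not root. */
static void handle_untrusted_input(const char *line)
{
    printf("[uid %u] handling: %s\n", (unsigned)geteuid(), line);
}

int main(void)
{
    /* Privileged setup (binding a port, opening a log file) would happen here,
     * before the drop. Everything that parses input comes after it. */
    if (drop_privileges(65534, 65534) != 0) {
        fprintf(stderr, "could not drop privileges; refusing to serve\n");
        return 1;
    }
    handle_untrusted_input("GET / HTTP/1.0");   /* constructed request line */
    return 0;
}
```

Two details carry the security weight: the groups and gid are changed before the uid (afterwards the process no longer has the right to change them), and the function treats a successful setuid(0) after the drop as a failure, because a drop that can be reversed leaves an overflow in the handler with a way back to root.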
Some actions require a user to be root, such as /bin/sh, but as we can control a program that is running with root privileges, we can use that program to give us that root shell, and compromise the system. Another function of a buffer overflow might be to crash the service; this is much more used by script kiddies and crackers, though it can have its uses for a white hat hacker (such as crashing a firewall). This can be done the same way as in our first example, where it gave a segmentation error and the program exited.

Final words
I hope that clears up a lot about buffer overflows :) If you are interested in writing or exploiting buffer overflows, I suggest you read the "Other good reads" section of this tutorial, and I might just write a tutorial on it too, in the far future. Now on to the rest.

Other good reads
http://neworder.box.sk/codebox.links.php?key=exptut
http://julianor.tripod.com/bufo.html
http://www.networkmagazine.com/article/NMG20000511S0015
http://secinf.net/auditing/Advanced_Buffer_Overflow_Exploit.html
http://www.geocities.com/coders_side/tutorials/avoid_buf_ovrflw.htm
http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html
http://www.strath.ac.uk/IT/Docs/Ccourse/
http://www.xs4all.nl/~smit/asm01001.htm
http://www.kegel.com/academy/tutorials.html

Shout outz
Shout outz and greets go out to everyone on rohitab.com, hackerlounge.no-ip.com and tgs-security.com, and in specific: Dumbtech, MoTT, Michiel, nofrillz, porchy, soad2k, the whole tgs crew (great site), sheephead, daunknown, Xander, Shaggy, legibleskate (in hospital???), Alexia, eZtaR, EsC, shamusthedonkey, creepy~nodque and everyone I forgot.

Fuck Off's
Everyone who has ever e-mailed me about hacking hotmail accounts, and everyone who is planning to, and most of all: Natalie A.K.A. Badgirl, who can't even spell my name right.