Introduction to Buffer Overflow by Ghost_Rider (Page 1 of 2)
Hello, here I am again. This time I'll explain what a buffer overflow actually is and how you can detect whether a program is vulnerable to buffer overflow exploits. This tutorial contains C source code, so if you don't know C you may have some trouble with it; you also need some notion of ASM and of how to use gdb. I tried to keep it as simple as I could, but this still isn't one of those tutorials where you start out not knowing **censored** about anything and finish knowing it all. This one takes some work to understand (hey, it took a huge amount of work to write!). A little inside note: like everyone reading these lines, I like to learn, so some weeks ago I said to myself, "Hey, what the heck, why not start reading some texts about buffer overflows? I know how everything works, but only superficially." So I started learning, and now I'm trying to pass on the knowledge I gained to everyone who is interested. This won't be one of those texts where you learn everything; it will be more like a walkthrough, an Introduction, as the title says (at the end I'll point you to some good texts). If you have any questions about this tutorial, post them on our message board; if you find any "bug" in it, please email me and I'll correct it. Enjoy.
Exploit?
Probably everyone knows what an exploit is. But keep in mind that people entering the security world for the first time probably have no idea what it is, which is why I wrote this tiny section. So, for those who don't know: an exploit is a program, usually written in C, that takes advantage of a problem in another program. The exploit lets you run arbitrary code, which in turn lets you do something you shouldn't be able to do with your normal status on the system. Nowadays most exploits are what we call Buffer Overflow Exploits. What's that, you ask? Wait, we'll get there; after all, it's the subject of this tutorial. Another thing you should know is that everyone knows how to use them (how do you think most defaced websites get defaced?): the script kiddies just go to sites like Security Focus, Packetstorm or Fyodor's Exploit World, download one, run it, and then get busted. But why doesn't everybody write exploits? Well, the problem is that many people don't know how to spot a vulnerability in the source code, and even those who can often aren't able to write an exploit for it. So now that you have an idea of what an exploit is, let's move on to the buffer overflow section.
Buffer Overflow, after all, what's that?
Like I said before, most exploits are Buffer Overflow exploits. You are probably thinking by now, "Bah, this guy is bull**censored**ing around and still hasn't said what a buffer overflow is." So let's talk about it. A buffer overflow problem lives in the memory where the program stores its data. Why's that, you ask? Because what a buffer overflow does is overwrite specific memory locations that are supposed to hold something the program needs, replacing it with something you want, and that makes the program do what you want. Some of you are now thinking "WOW, I know how buffer overflows work", but you still don't know how to spot them. Let's follow a program and try to find and fix the buffer overflow.
------ Partial code below --------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char *somevar;
    char *important;

    somevar = (char *)malloc(sizeof(char) * 4);
    important = (char *)malloc(sizeof(char) * 14);
    strcpy(important, "command"); /* This one is the important variable */
    strcpy(somevar, argv[1]);     /* unbounded copy of argv[1] into a 4-byte buffer */
    /* ..... Code here .... */
    return 0;
}
/* .... Other functions here .... */
------- End Of Partial Code ------
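For contrast, here is an added example (my own code, not part of Ghost_Rider's tutorial) of the same two allocations with the copy from argv[1] bounded to somevar's size: an argument that does not fit is refused instead of being written past the buffer, so important keeps its command. The names somevar and important come from the tutorial; safe_copy, run_with_arg and the SOMEVAR_SIZE/IMPORTANT_SIZE constants are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes of the two heap buffers from the tutorial (my constants). */
#define SOMEVAR_SIZE   4
#define IMPORTANT_SIZE 14

/* Bounded replacement for strcpy(somevar, argv[1]): copies src into dst only
 * if it fits, including the terminating NUL. Returns 0 on success and -1 when
 * the input is too long, in which case dst is left as an empty string and
 * nothing is written past it. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {       /* no room for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

/* Re-creates the tutorial's two allocations, copies arg into somevar with
 * the bounded copy, and reports whether important still holds "command".
 * Returns 1 if important is intact, 0 otherwise. */
int run_with_arg(const char *arg)
{
    char *somevar = (char *)malloc(SOMEVAR_SIZE);
    char *important = (char *)malloc(IMPORTANT_SIZE);
    int intact;

    if (somevar == NULL || important == NULL) {
        free(somevar);
        free(important);
        return 0;
    }
    strcpy(important, "command");             /* 7 chars + NUL fits in 14 */
    if (safe_copy(somevar, SOMEVAR_SIZE, arg) != 0)
        fprintf(stderr, "argument too long (max %d chars), not copied\n",
                SOMEVAR_SIZE - 1);
    intact = (strcmp(important, "command") == 0);
    free(somevar);
    free(important);
    return intact;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    return run_with_arg(argv[1]) ? 0 : 2;
}
```

Run it with a short argument and then with a long one: the long one is refused on stderr and the program still exits 0, because important was never touched. The check is on strlen(src) against the destination size rather than on the source, which is the property strcpy lacks.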
So let's say the important variable stores some system command, say "chmod o-r file", and since that file is owned by root the program runs as root too. This means that if you can send commands to it, you can execute ANY system command. So you start thinking: how the hell can I put something I want into the important variable? The way is to overflow the memory so we can reach it. But first let's look at the variables' memory addresses. To do that you need to rewrite the code. Check the following code.
--------- Partial Code ------------
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    char *somevar;
    char *important;

    somevar = (char *)malloc(sizeof(char) * 4);
    important = (char *)malloc(sizeof(char) * 14);
    printf("%p\n%p\n", somevar, important); /* print both addresses */
    exit(0);                                 /* stop here; the rest is not needed */
    /* rest of code here */
}
--------- End of Partial Code --------
We added two lines to the source code and left the rest unchanged. Let's see what those two lines do. The printf("%p\n%p\n", somevar, important); line prints the memory addresses of the somevar and important variables. The exit(0); stops the rest of the program from running; you don't need it for anything, since your only goal was to find out where the variables are stored.
After running the program you would get output like the following (you will probably not get the same memory addresses):
0x8049700 <----- This is the address of somevar
0x8049710 <----- This is the address of important
As we can see, the important variable sits right after somevar, which will let us use our buffer overflow skills, since somevar is filled from argv[1]. Now we know that one follows the other, but let's check each memory address so we get a precise picture of how the data is stored. To do this, let's rewrite the code again.
-------- Partial code ---------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char *somevar;
    char *important;
    char *temp; /* will need another variable */

    somevar = (char *)malloc(sizeof(char) * 4);
    important = (char *)malloc(sizeof(char) * 14);
    strcpy(important, "command"); /* This one is the important variable */
    strcpy(somevar, argv[1]);
    printf("%p\n%p\n", somevar, important);
    printf("Starting To Print memory address:\n");
    temp = somevar; /* this will put temp at the first memory address we want */
    while (temp < important + 14) {
        /* this loop is left when we get to the last memory address we want,
           the last memory address of the important variable */
        printf("%p: %c (0x%02x)\n", temp, *temp, (unsigned char)*temp); /* the byte at this address */
        temp++;
    }
    exit(0);
    /* rest of code here */
}
------ End Of partial Code ------
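The addresses printed earlier (0x8049700 and 0x8049710) are 16 bytes apart, not 4, because the allocator rounds the request up and keeps its own bookkeeping between chunks; the loop above walks straight across that bookkeeping. As an added example, not part of the tutorial, this program measures the actual distance between the two buffers and dumps each one only within its own bounds, so the layout can be inspected without reading outside either allocation. somevar and important are the tutorial's names; heap_gap, dump_bytes and the size constants are mine, and the exact gap depends on the platform's malloc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Sizes of the two heap buffers from the tutorial (my constants). */
#define SOMEVAR_SIZE   4
#define IMPORTANT_SIZE 14

/* Signed distance in bytes from somevar to important. Computed through
 * uintptr_t so we never form a pointer difference across two objects. */
long long heap_gap(const char *somevar, const char *important)
{
    return (long long)((intptr_t)(uintptr_t)important - (intptr_t)(uintptr_t)somevar);
}

/* Formats n bytes starting at p as "addr: hh hh ..." into out (capacity cap),
 * staying inside the one allocation instead of walking across the allocator's
 * metadata as the tutorial's loop does. Returns the number of characters
 * written, or -1 if out is too small. */
int dump_bytes(const unsigned char *p, size_t n, char *out, size_t cap)
{
    int written = snprintf(out, cap, "%p:", (const void *)p);
    size_t i;

    if (written < 0 || (size_t)written >= cap)
        return -1;
    for (i = 0; i < n; i++) {
        int r = snprintf(out + written, cap - (size_t)written, " %02x", p[i]);
        if (r < 0 || (size_t)r >= cap - (size_t)written)
            return -1;
        written += r;
    }
    return written;
}

int main(void)
{
    char *somevar = (char *)malloc(SOMEVAR_SIZE);
    char *important = (char *)malloc(IMPORTANT_SIZE);
    char line[128];

    if (somevar == NULL || important == NULL)
        return 1;
    memset(somevar, 0, SOMEVAR_SIZE);         /* zero both so the dump is deterministic */
    memset(important, 0, IMPORTANT_SIZE);
    strcpy(important, "command");
    printf("somevar   = %p\nimportant = %p\n", (void *)somevar, (void *)important);
    printf("gap = %lld bytes (declared size of somevar is %d)\n",
           heap_gap(somevar, important), SOMEVAR_SIZE);
    if (dump_bytes((unsigned char *)somevar, SOMEVAR_SIZE, line, sizeof line) > 0)
        puts(line);
    if (dump_bytes((unsigned char *)important, IMPORTANT_SIZE, line, sizeof line) > 0)
        puts(line);
    free(somevar);
    free(important);
    return 0;
}
```

The lesson for spotting this class of bug is that sizeof and the declared length tell you nothing about what physically follows a heap buffer; only the copy's bound does, which is why the bounded copy shown earlier, not knowledge of the layout, is the fix.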