
Buffers Are Overflowing? What?



Let's talk about buffer overflows, how they work, and what they actually are.

Buffer overflows are found by an attacker sending a long string of characters into a program or a remote connection / port until it crashes. Once it crashes, the attacker can attach a debugger to the process to see the memory address it crashed at. This memory address is called the ESP (extended stack pointer). What they are trying to achieve is to overwrite the EIP (extended instruction pointer) with code, usually shellcode, through the use of a NOP sled. Why is it called a NOP sled? Because the instruction is sent into the ESP, overwriting the buffer just before the instruction pointer with enough bytes of the NOP instruction that the shellcode uses the NOPs to slide right into the EIP. Everything from the ESP to the EIP is what the attacker will try to control.

In a nutshell, the attacker fills the buffer with more data than intended, along with a chunk of code (the payload), trying to obtain a remote shell. Let's get to the basics: Perl! One way we can find a program with a buffer that can be overwritten is to use Perl, through the command: program_name.exe `perl -e 'print "A" x 10'` . Basically what this does is try to write data through argv[] or the port, filling 10 bytes of the buffer. We would then keep increasing this number until the program crashes. Once we have our buffer size, we attach a debugger; one of my favorites is OllyDbg. Now we run the command again with the debugger attached, setting it up to break when the program crashes so that we can get the memory address. Let's now talk about shellcode. Shellcode is basically the memory addresses that you will use to inject the payload, along with the address of the payload that will be executed. The memory address that we found, let's say it was 0x4c213a32, would then be converted into a chunk of the shellcode written like so: \x32\x3a\x21\x4c. As you can see, it is basically written in sections of two in reverse order. This is because of the way the instructions are pushed onto the stack. If you think about it, the stack starts at the bottom and works its way up, so x4c would be pushed first, then x21, and so on, creating our reference pointer on the stack. That's all there is to it.
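As an added illustration (not code from the original post) of the two points above: the unchecked copy that lets a long "A" x n input run past a fixed-size buffer, a length-checked copy that refuses it instead, and the byte order behind \x32\x3a\x21\x4c. BUF_SIZE and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 16   /* assumed buffer size for the illustration */

/* The pattern the post describes: a fixed-size stack buffer filled by an
 * unchecked copy. If `input` is longer than BUF_SIZE-1, strcpy keeps writing
 * past the buffer into whatever the compiler placed above it (saved registers,
 * the saved return address). Shown for contrast only; nothing below calls it. */
void unchecked_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);            /* no length check: this is the overflow */
    printf("%s\n", buf);
}

/* Hardened form: copy only if the input fits, terminator included.
 * Returns 0 on success, -1 when the input would have overflowed dst. */
int checked_copy(char *dst, size_t dst_size, const char *input) {
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size)
        return -1;                 /* refuse rather than overflow */
    memcpy(dst, input, len + 1);   /* len+1 copies the NUL terminator */
    return 0;
}

/* Constructs the perl -e 'print "A" x n' style input in memory.
 * `out` must have room for n+1 bytes. */
void fill_with_a(char *out, size_t n) {
    memset(out, 'A', n);
    out[n] = '\0';
}

/* The byte order the post shows: 0x4c213a32 becomes \x32\x3a\x21\x4c.
 * x86 is little-endian, so the least significant byte is stored first;
 * explicit shifts make the result the same on any host. */
void addr_to_le_bytes(uint32_t addr, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)((addr >> (8 * i)) & 0xff);
}
```

Increasing n past BUF_SIZE-1 is exactly where checked_copy starts returning -1 and unchecked_copy would start corrupting the stack.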

There are sites out there that have premade shellcode that can be used with a little modification, such as adding your pointer and the vulnerable program name. Here's a link to some shellcode: Shellcode



May 2012
