Solved

How can Buffer Overruns be exploited for Code Execution

Posted on 2006-06-30
Last Modified: 2010-04-15
Hi,

I just wanted to know how Buffer Overruns may be exploited for code execution...

For example:

#include <string.h>

void myMethod(char * pStr) {
    char pBuff[10];          /* 10-byte local buffer on the stack */
    int nCount = 0;
    strcpy(pBuff, pStr);     /* no length check: overruns pBuff when strlen(pStr) >= 10 */
}

void foo()
{
    /* the function the question asks about reaching via the overrun */
}

int main(int argc, char **argv)
{
    if (argc > 1)
        myMethod(argv[1]);   /* attacker-controlled input */
    return 0;
}

If I overrun the pBuff[] array, how can I cause code to be executed, which as people say is why BO's are dangerous?

I'm just asking for a technical discussion on this as to how the function foo() might be executed when the pBuff is BO'd...

This has been taken from:
http://weblogs.asp.net/gad/archive/2004/03/23/94996.aspx
Question by:rasys
8 Comments
 
LVL 45

Expert Comment

by:Kdo

Hi Rasys,

Without giving too much away, Buffer Overruns are particularly dangerous where the code and data are placed in the same "block".

Given your function:

#include <string.h>

void myMethod(char * pStr) {
    char pBuff[10];          /* local buffer */
    int nCount;

    nCount = 0;
    strcpy(pBuff, pStr);     /* unbounded copy into pBuff */
}

Build this into a complete program, dump the resulting binary, and if pBuff[] is positioned immediately before the statements "nCount = 0" then all you have to do is overrun pBuff with the correct binary data and you've accomplished a buffer overrun and can make the function do anything that you want.  You just need to be very proficient with assembly code and be able to plug in the correct codes.


Kent
 
LVL 86

Expert Comment

by:jkr
Check out e.g. http://hack3rs.org/~shadown/Twister/papers/Intro%20to%20Win32%20Exploits.pdf ("Sergio Alvarez: Real Life Vuln-Dev Process of a Win32 Stack Buffer Overflow")
 
LVL 22

Expert Comment

by:grg99
Nowadays you usually can't overwrite the code directly with the stack.  The stack is almost always in its own segment, and can't reach the code.

*But* the stack has both local variables and function return addresses.  This is an economical way to manage local variables and return addresses, as they naturally nest, BUT it has a downside.  If you overflow local variables, you'll smash the return address and then anything can happen.  

 If you overwrite the return address with random data, the program will return to some random address, 97% resulting in a program crash.

If you overwrite the local variables with some known 4-byte value, the function will return to that address!  If you have the source code to the program you might be able to figure out the address of some interesting code in the program that you could jump to.  Like a place that starts a sub-shell:  system("/bin/sh").

Or if you're really clever, you can overwrite the local variables with that same code "system("/bin/sh")", preceded by say 10 megabytes of NOPs.  Then you end it with an approximate return address.  The 10 megabytes of NOPs gives you lots of slop-- any jump destination in that range will be close enough to fall into your code.



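The return-address smash grg99 describes, as an added example that is not part of the original thread. Rather than relying on a particular compiler's real stack layout (which shifts with optimisation level, stack canaries, ASLR and a non-executable stack on any current system), the frame of myMethod() is modelled as a struct: the local buffer, the int that follows it, and a saved_return slot standing in for the return address the CPU pops at "ret". An unbounded strcpy-style copy spills past pBuff into that slot; the attacker's string is filler up to the slot plus the address of foo(), so the "return" lands in foo(). The struct, the payload builder and the safe_copy() counterpart are assumptions made for the demonstration, not code from the thread or the linked papers.

```c
/* Added example: a struct stands in for myMethod()'s stack frame so the
 * overwrite is deterministic and well defined. Not from the original post. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int foo_called = 0;              /* set when foo() runs */

static void foo(void) { foo_called = 1; }

/* Model of myMethod()'s frame: locals first, then the slot the epilogue
 * treats as the return address. On a real stack the saved address sits
 * above the locals in the same way, but the exact offsets are compiler-
 * and platform-specific. */
struct frame {
    char pBuff[10];
    int nCount;
    void (*saved_return)(void);         /* where execution resumes after "ret" */
};

static void normal_return(void) { /* the legitimate caller continues here */ }

/* Like strcpy(pBuff, pStr): copies every byte of the input starting at
 * pBuff, spilling into nCount and the return slot when len is too large. */
static void vulnerable_copy(struct frame *f, const unsigned char *input, size_t len)
{
    memcpy((unsigned char *)f, input, len);   /* no check of len against pBuff */
}

/* Hardened counterpart: never write more than pBuff holds, keep the NUL. */
static void safe_copy(struct frame *f, const unsigned char *input, size_t len)
{
    size_t n = len < sizeof f->pBuff - 1 ? len : sizeof f->pBuff - 1;
    memcpy(f->pBuff, input, n);
    f->pBuff[n] = '\0';
}

/* Attacker's string (constructed here): filler over pBuff and nCount,
 * then the address of foo() positioned exactly on the return slot. */
static size_t build_payload(unsigned char *out)
{
    void (*target)(void) = foo;
    size_t off = offsetof(struct frame, saved_return);
    memset(out, 'A', off);                      /* smashes pBuff, padding, nCount */
    memcpy(out + off, &target, sizeof target);  /* lands in saved_return */
    return off + sizeof target;
}

/* Set up the frame, run the chosen copy routine, then "return" through the
 * slot. Returns 1 if control reached foo(), 0 if it returned normally. */
static int run(void (*copy)(struct frame *, const unsigned char *, size_t))
{
    unsigned char payload[64];
    size_t len = build_payload(payload);
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_return = normal_return;
    foo_called = 0;
    copy(&f, payload, len);
    f.saved_return();                   /* the epilogue's ret: goes where the slot says */
    return foo_called;
}

int main(void)
{
    printf("strcpy-style copy: foo() %s\n", run(vulnerable_copy) ? "executed" : "not executed");
    printf("bounded copy:      foo() %s\n", run(safe_copy) ? "executed" : "not executed");
    return 0;
}
```

The only difference between the two runs is whether the copy honours sizeof pBuff; with the bounded copy the filler never reaches saved_return and execution resumes in normal_return(). The same layout reasoning is what "Smashing The Stack" walks through against a real frame, where the attacker must also discover the offset to the saved address and a usable target address.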
 
LVL 86

Accepted Solution

by: jkr (earned 250 total points)
Oh, and also http://www.phrack.org/phrack/49/P49-14 ("Smashing The Stack For Fun And Profit") as well as http://www.linuxfocus.org/English/March2003/article282.shtml#282lfindex11 ("Buffer overflow")
 

Author Comment

by:rasys
Hi all,

Thanks a lot for all your comments... They helped a lot.

Basically what I want is to demonstrate using a very basic example that using Buffer Overrun, one can carry out code execution on a Windows based machine.

The first link posted by jkr didn't work so couldn't delve into that.
 
LVL 53

Assisted Solution

by: Infinity08 (earned 250 total points)
As posted by jkr:

http://www.phrack.org/phrack/49/P49-14

this is indeed THE reference.

A lot depends on the way the software is written ... don't ever trust a user, check all user input, and of course check all buffer boundaries! Always!
