
How can Buffer Overruns be exploited for Code Execution

Hi,

I just wanted to know how Buffer Overruns may be exploited for code execution...

For example:

#include <string.h>

/* Copies pStr into a 10-byte local array with no length check: any input
   longer than 9 characters (plus the terminating NUL) overruns pBuff. */
void myMethod(char * pStr) {
    char pBuff[10];
    int nCount = 0;
    strcpy(pBuff, pStr);
}

void foo()
{

}

If I overrun the pBuff[] array, how can I cause code to be executed, which as people say is why BO's are dangerous?

I'm just asking for a technical discussion on this as to how the function foo() might be executed when the pBuff is BO'd...

This has been taken from:
http://weblogs.asp.net/gad/archive/2004/03/23/94996.aspx
rasys Asked:
jkr Commented:
Oh, and also http://www.phrack.org/phrack/49/P49-14 ("Smashing The Stack For Fun And Profit") as well as http://www.linuxfocus.org/English/March2003/article282.shtml#282lfindex11 ("Buffer overflow")
 
Kent Olsen (Data Warehouse Architect / DBA) Commented:

Hi Rasys,

Without giving too much away, Buffer Overruns are particularly dangerous where the code and data are placed in the same "block".

Given your function:

#include <string.h>

/* Same vulnerable function, with the assignment to nCount moved into a
   separate statement (the missing semicolon after the declaration is fixed). */
void myMethod(char * pStr) {
    char pBuff[10];
    int nCount;

    nCount = 0;
    strcpy(pBuff, pStr);
}

Build this into a complete program, dump the resulting binary, and if pBuff[] is positioned immediately before the statements "nCount = 0" then all you have to do is overrun pBuff with the correct binary data and you've accomplished a buffer overrun and can make the function do anything that you want.  You just need to be very proficient with assembly code and be able to plug in the correct codes.


Kent
 
jkr Commented:
Check out e.g. http://hack3rs.org/~shadown/Twister/papers/Intro%20to%20Win32%20Exploits.pdf ("Sergio Alvarez: Real Life Vuln-Dev Process of a Win32 Stack Buffer Overflow")

 
grg99 Commented:
Nowadays you usually can't overwrite the code directly with the stack.  The stack is almost always in its own segment, and can't reach the code.

*But* the stack has both local variables and function return addresses.  This is an economical way to manage local variables and return addresses, as they naturally nest, BUT it has a downside.  If you overflow local variables, you'll smash the return address and then anything can happen.

If you overwrite the return address with random data, the program will return to some random address, 97% resulting in a program crash.

If you overwrite the local variables with some known 4-byte value, the function will return to that address!  If you have the source code to the program you might be able to figure out the address of some interesting code in the program that you could jump to.  Like a place that starts a sub-shell:  system("/bin/sh").

Or if you're really clever, you can overwrite the local variables with that same code "system("/bin/sh")", preceded by say 10 megabytes of NOPs.  Then you end it with an approximate return address.  The 10 megabytes of NOPs gives you lots of slop: any jump destination in that range will be close enough to fall into your code.



 
rasys (Author) Commented:
Hi all,

Thanks a lot for all your comments...They helped a lot.

Basically what I want is to demonstrate using a very basic example that using Buffer Overrun, one can carry out code execution on a Windows based machine.

The first link posted by jkr didn't work so couldn't delve into that.
 
Infinity08 Commented:
As posted by jkr :

http://www.phrack.org/phrack/49/P49-14

this is indeed THE reference.

A lot depends on the way the software is written ... don't ever trust a user, check all user input, and of course check all buffer boundaries !! Always !
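The mechanism grg99 describes (locals sitting just below the saved return address, so an unchecked strcpy runs into it) and the boundary check Infinity08 asks for, as an added example that is not code from this thread. It models the frame as a plain struct rather than touching the real machine stack: a 12-byte local array followed by a field standing in for the saved return address, filled with a constructed placeholder value. The struct layout, the 12-byte size and the placeholder are assumptions for the demonstration; the unchecked copy is capped at the size of the model so the program itself stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the stack frame discussed above: the local array first, the
   saved return address just above it. This struct only imitates that
   layout; it is not the real machine stack. */
struct model_frame {
    char buf[12];               /* the local array (pBuff in the question) */
    unsigned int saved_return;  /* stands in for the saved return address */
};

#define ORIGINAL_RETURN 0x11223344u   /* constructed placeholder, not a real address */

/* Distance in bytes from the start of the local array to the saved
   return address in the model; an input longer than this reaches it. */
size_t model_bytes_before_return(void)
{
    return offsetof(struct model_frame, saved_return);
}

static void model_frame_init(struct model_frame *frame)
{
    memset(frame, 0, sizeof *frame);
    frame->saved_return = ORIGINAL_RETURN;
}

/* Unchecked copy with strcpy() semantics: every input byte, including the
   terminating NUL, is written starting at buf no matter how long the input
   is. The copy is capped at the size of the model so the demonstration
   stays inside the struct object. Returns saved_return after the copy. */
unsigned int model_unchecked_copy(const char *input)
{
    struct model_frame frame;
    size_t n = strlen(input) + 1;   /* strcpy copies the NUL too */

    model_frame_init(&frame);
    if (n > sizeof frame)
        n = sizeof frame;
    memcpy((unsigned char *)&frame, input, n);   /* strcpy(pBuff, pStr) behaviour */
    return frame.saved_return;
}

/* Bounded copy: refuse any input that does not fit in buf together with
   its NUL. Returns 0 on success, -1 when the input is rejected. */
static int bounded_copy_into(struct model_frame *frame, const char *input)
{
    size_t len = strlen(input);

    if (len >= sizeof frame->buf)
        return -1;                  /* too long: reject instead of overrunning */
    memcpy(frame->buf, input, len + 1);
    return 0;
}

/* 1 if the bounded copy accepts the input, 0 if it rejects it. */
int model_bounded_copy_accepts(const char *input)
{
    struct model_frame frame;

    model_frame_init(&frame);
    return bounded_copy_into(&frame, input) == 0;
}

/* saved_return after attempting the bounded copy; it never changes. */
unsigned int model_bounded_copy_return(const char *input)
{
    struct model_frame frame;

    model_frame_init(&frame);
    (void)bounded_copy_into(&frame, input);
    return frame.saved_return;
}

int main(void)
{
    const char *short_input = "hello";                 /* fits in buf */
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAA";  /* constructed: 20 bytes, overruns buf */

    printf("bytes before saved return: %zu\n", model_bytes_before_return());
    printf("unchecked, short input: saved_return = 0x%08x\n", model_unchecked_copy(short_input));
    printf("unchecked, long input:  saved_return = 0x%08x\n", model_unchecked_copy(long_input));
    printf("bounded,   long input:  accepted = %d, saved_return = 0x%08x\n",
           model_bounded_copy_accepts(long_input), model_bounded_copy_return(long_input));
    return 0;
}
```

With the long input the unchecked copy reports saved_return as 0x41414141 (four 'A' bytes), which is exactly the "known 4-byte value" grg99 mentions landing where the return address lives; the bounded copy rejects the same input and leaves the field untouched. In a real program the fix is the same shape: know the size of the destination and refuse or truncate before copying, rather than relying on strcpy.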
Question has a verified solution.