rasys
asked on
How can Buffer Overruns be exploited for Code Execution
Hi,
I just wanted to know how Buffer Overruns may be exploited for code exection...
For example:
void myMethod(char * pStr) {
char pBuff[10];
int nCount = 0;
strcpy(pBuff, pStr);
}
void foo()
{
}
If I overrun the pBuff[] array, how can i cause code to be exeucuted which as ppl say is why BO's are dangerous?
I'm just askign for a technical discussion on this as to how the function foo() might be executed when the pBuff is BO'd...
This has been taken from:
http://weblogs.asp.net/gad/archive/2004/03/23/94996.aspx
I just wanted to know how Buffer Overruns may be exploited for code exection...
For example:
void myMethod(char * pStr) {
char pBuff[10];
int nCount = 0;
strcpy(pBuff, pStr);
}
void foo()
{
}
If I overrun the pBuff[] array, how can i cause code to be exeucuted which as ppl say is why BO's are dangerous?
I'm just askign for a technical discussion on this as to how the function foo() might be executed when the pBuff is BO'd...
This has been taken from:
http://weblogs.asp.net/gad/archive/2004/03/23/94996.aspx
Check out e.g. http://hack3rs.org/~shadown/Twister/papers/Intro%20to%20Win32%20Exploits.pdf ("Sergio Alvarez: Real Life Vuln-Dev Process of a Win32 Stack Buffer Overflow")
Nowdays you usually can't overwrite the code directly with the stack. The stack is almost always in its own segment, and can't reach the code.
*But* the stack has both local variables and function return addresses. This is an economical way to manage local variables and return addresses, as they naturally nest, BUT it has a downside. If you overflow local variables, you'll smash the return address and then anything can happen.
If you overwrite the return address with random data, the program will return to some random address, 97% resulting in a program crash.
If you overwrite the local variabels with some known 4-byte value, the function will return to that address! If you have the source code to the program you might be able to figure out the adderss of some interesting code inthe program that you could jump to. Like a place that starts a sub-shell: system("/bin/sh").
Or if you're really clever, you can overwrite the local variables with that same code "system("/bin/sh")", preceded by say 10 megabytes of NOP's. Then you end it with an approximate return address. The 10 megabytes of nIOP's gives you lots of slop-- any jump destination in that range will be close enough to fall into your code.
*But* the stack has both local variables and function return addresses. This is an economical way to manage local variables and return addresses, as they naturally nest, BUT it has a downside. If you overflow local variables, you'll smash the return address and then anything can happen.
If you overwrite the return address with random data, the program will return to some random address, 97% resulting in a program crash.
If you overwrite the local variabels with some known 4-byte value, the function will return to that address! If you have the source code to the program you might be able to figure out the adderss of some interesting code inthe program that you could jump to. Like a place that starts a sub-shell: system("/bin/sh").
Or if you're really clever, you can overwrite the local variables with that same code "system("/bin/sh")", preceded by say 10 megabytes of NOP's. Then you end it with an approximate return address. The 10 megabytes of nIOP's gives you lots of slop-- any jump destination in that range will be close enough to fall into your code.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi all,
Thanx a lot for all your comments...They helped a lot.
Basically what i want is to demonstrate using a very basic example that using Buffer Overrun, one carry out code execution on a Windows based machine.
The first link posted by jkr didnt work so couldnt delve into that.
Thanx a lot for all your comments...They helped a lot.
Basically what i want is to demonstrate using a very basic example that using Buffer Overrun, one carry out code execution on a Windows based machine.
The first link posted by jkr didnt work so couldnt delve into that.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hi Rasys,
Without giving too much away, Buffer Overruns are particularly dangerous where the code and data are placed in the same "block".
Given your function:
void myMethod(char * pStr) {
char pBuff[10];
int nCount
nCount = 0;
strcpy(pBuff, pStr);
}
Build this into a complete program, dump the resulting binary, and if pBuff[] is positioned immediately before the statements "nCount = 0" then all you have to do is overrun pbuff with the correct binary data and you've accomplished a buffer overrun and can make the function do anything that you want. You just need to be very proficient with assembly code and be able to plug in the correct codes.
Kent