Solved

How can Buffer Overruns be exploited for Code Execution

Posted on 2006-06-30
8 Comments
345 Views
Last Modified: 2010-04-15
Hi,

I just wanted to know how Buffer Overruns may be exploited for code execution...

For example:

#include <string.h>

void myMethod(char * pStr) {
    char pBuff[10];        /* fixed-size local buffer on the stack */
    int nCount = 0;
    strcpy(pBuff, pStr);   /* no length check: a longer pStr overruns pBuff */
}

void foo()
{
    /* never called by myMethod(); the question is how an overrun could reach it */
}

If I overrun the pBuff[] array, how can I cause code to be executed, which as people say is why BO's are dangerous?

I'm just asking for a technical discussion on this as to how the function foo() might be executed when the pBuff is BO'd...

This has been taken from:
http://weblogs.asp.net/gad/archive/2004/03/23/94996.aspx
Question by:rasys
8 Comments

Expert Comment by: Kent Olsen (LVL 45), ID: 17018185

Hi Rasys,

Without giving too much away, Buffer Overruns are particularly dangerous where the code and data are placed in the same "block".

Given your function:

#include <string.h>

void myMethod(char * pStr) {
    char pBuff[10];
    int nCount;

    nCount = 0;
    strcpy(pBuff, pStr);   /* unchecked copy: this is the overrun under discussion */
}

Build this into a complete program, dump the resulting binary, and if pBuff[] is positioned immediately before the statements "nCount = 0" then all you have to do is overrun pBuff with the correct binary data and you've accomplished a buffer overrun and can make the function do anything that you want.  You just need to be very proficient with assembly code and be able to plug in the correct codes.


Kent

Expert Comment by: jkr (LVL 86), ID: 17018281
Check out e.g. http://hack3rs.org/~shadown/Twister/papers/Intro%20to%20Win32%20Exploits.pdf ("Sergio Alvarez: Real Life Vuln-Dev Process of a Win32 Stack Buffer Overflow")

Expert Comment by: grg99 (LVL 22), ID: 17018287
Nowadays you usually can't overwrite the code directly with the stack.  The stack is almost always in its own segment, and can't reach the code.

*But* the stack has both local variables and function return addresses.  This is an economical way to manage local variables and return addresses, as they naturally nest, BUT it has a downside.  If you overflow local variables, you'll smash the return address and then anything can happen.  

 If you overwrite the return address with random data, the program will return to some random address, 97% resulting in a program crash.

If you overwrite the local variables with some known 4-byte value, the function will return to that address!  If you have the source code to the program you might be able to figure out the address of some interesting code in the program that you could jump to.  Like a place that starts a sub-shell:  system("/bin/sh").

Or if you're really clever, you can overwrite the local variables with that same code "system("/bin/sh")", preceded by say 10 megabytes of NOP's.  Then you end it with an approximate return address.  The 10 megabytes of NOP's gives you lots of slop-- any jump destination in that range will be close enough to fall into your code.



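grg99's point that locals and the saved return address share one stack frame is also what compiler stack protectors rely on to catch an overrun: a guard word sits between the buffer and the return address, and the function checks it before returning. The block below is an added example, not code from this thread or from the linked papers. It models that frame as a plain struct (the struct layout, the CANARY constant, the placeholder return address and the function names are assumptions for illustration), performs an unchecked-style copy into it that is clipped to the object's own size so the behaviour stays defined, and reports whether the guard word survived.

```c
/* Added example (not from the thread): a simulated stack frame guarded by a
 * canary word, the technique compiler stack protectors use to detect an
 * overrun before a smashed return address is followed. The layout, names and
 * the CANARY constant are assumptions made for this illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10
#define CANARY   0xDEADC0DEu  /* constructed; real canaries are random per run */

/* Stand-in for the frame of myMethod(): the local buffer from the question,
 * then the guard word, then a value standing in for the saved return address. */
struct sim_frame {
    char     pBuff[BUF_SIZE];
    uint32_t canary;
    uint32_t ret_addr;
};

enum frame_state { FRAME_INTACT = 0, FRAME_CANARY_SMASHED = 1 };

/* Mimics an unchecked strcpy(pBuff, pStr) of `len` bytes, except that the
 * write is clipped to the end of the struct so it stays inside the object.
 * Returns FRAME_CANARY_SMASHED if the guard word no longer matches, i.e. the
 * copy ran past pBuff far enough to reach what follows it on the "stack". */
enum frame_state sim_unchecked_copy(const char *pStr, size_t len)
{
    struct sim_frame f;
    memset(&f, 0, sizeof f);
    f.canary   = CANARY;
    f.ret_addr = 0x08048000u;  /* constructed placeholder address */

    size_t n = len < sizeof f ? len : sizeof f;
    memcpy(&f, pStr, n);       /* starts at pBuff, like the unchecked copy */

    return f.canary == CANARY ? FRAME_INTACT : FRAME_CANARY_SMASHED;
}

/* Number of bytes a copy can write before it first touches the canary.
 * Anything at or below BUF_SIZE is safe; alignment padding may add slack. */
size_t sim_canary_offset(void)
{
    return offsetof(struct sim_frame, canary);
}

int main(void)
{
    const char ok[]  = "123456789";              /* 9 chars + NUL: fits */
    const char bad[] = "AAAAAAAAAAAAAAAAAAAAAAA"; /* 23 chars: constructed overrun */

    printf("canary sits %zu bytes past pBuff\n", sim_canary_offset());
    printf("fits:    %s\n", sim_unchecked_copy(ok, sizeof ok) ? "smashed" : "intact");
    printf("overrun: %s\n", sim_unchecked_copy(bad, sizeof bad) ? "smashed" : "intact");
    return 0;
}
```

Two caveats worth noticing when running it: the check only helps if it runs before the function returns through the corrupted address, which is why real protectors abort on a mismatch rather than continue; and because alignment padding sits between pBuff and the canary, an overrun of just one or two bytes can land in the padding and go unnoticed, so a passing canary check is not proof that no overrun happened.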

 
Accepted Solution by: jkr (LVL 86), earned 250 total points, ID: 17018311
Oh, and also http://www.phrack.org/phrack/49/P49-14 ("Smashing The Stack For Fun And Profit") as well as http://www.linuxfocus.org/English/March2003/article282.shtml#282lfindex11 ("Buffer overflow")

Author Comment by: rasys, ID: 17025807
Hi all,

Thanks a lot for all your comments...They helped a lot.

Basically what I want is to demonstrate, using a very basic example, that using a Buffer Overrun one can carry out code execution on a Windows based machine.

The first link posted by jkr didn't work so I couldn't delve into that.

Assisted Solution by: Infinity08 (LVL 53), earned 250 total points, ID: 17035826
As posted by jkr:

http://www.phrack.org/phrack/49/P49-14

this is indeed THE reference.

A lot depends on the way the software is written ... don't ever trust a user, check all user input, and of course check all buffer boundaries !! Always !
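Infinity08's closing advice, check all user input and all buffer boundaries, applied to the function from the question. This is an added example, not code from the thread; the helper name bounded_copy, its return codes and myMethodSafe are assumptions for this illustration. The copy refuses input that does not fit rather than silently truncating it, and it never reads more than the destination size from the source, so an oversized or unterminated input cannot drive it into the overrun the thread discusses.

```c
/* Added example (not from the thread): myMethod() rewritten so the copy can
 * never run past pBuff. bounded_copy() and its return codes are assumptions
 * made for this illustration, not an API from the question or the linked papers. */
#include <stdio.h>
#include <string.h>

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success; -1 (and dst set to "") if src is missing, too long,
 * or has no terminator within dst_size bytes. Never reads beyond dst_size
 * bytes of src, so an oversized or unterminated input is rejected, not
 * truncated or scanned to an unknown length. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* C11 specifies that memchr stops at the first match, so this reads no
     * further into src than its terminator, and at most dst_size bytes. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return -1;                       /* no room for src plus its NUL */

    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* The question's function with the boundary check in place. Returns the
 * number of characters stored, or -1 when the input was refused. */
int myMethodSafe(const char *pStr)
{
    char pBuff[10];
    if (bounded_copy(pBuff, sizeof pBuff, pStr) != 0)
        return -1;
    return (int)strlen(pBuff);
}

int main(void)
{
    /* constructed inputs: one that fits, one that just fits, one byte too long */
    printf("\"hello\"      -> %d\n", myMethodSafe("hello"));
    printf("\"123456789\"  -> %d\n", myMethodSafe("123456789"));
    printf("\"1234567890\" -> %d\n", myMethodSafe("1234567890"));
    return 0;
}
```

Rejecting rather than truncating is a deliberate choice: a truncating copy (strncpy without adding the terminator, for instance) keeps the overrun out but can leave pBuff unterminated, which just moves the problem to the next function that reads it.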