Buffer overflow - concept
BoF is a type of attack that is common for any remote service that accepts user input.(but also very common for clients)
To get an idea of how this works lets break down the word buffer overflow.
A buffer is an allocation of memory that has the same data type.
This can often be referred to as a buffer array.
Buffers of a applications are located on the stack among the local variables of the function they belong to.
To overflow is to exceed a certain limit, or boundary.
Overflowing is possible on a stack because the stack is limited to a finite memory space allocated per function by the operation system.
This allocation occurs at program run time.
Since the stack is an essential part o a BoF attack, lets take closer look at it.
It grows upward in memory space.
What makes it special is the way it is implemented.
A stack uses a last in, First out architecture(LIFO).
This means that if you were to put the letter A then B then C in a stack, A would be on the bottom and C would be on top.
Check the diagram above to see how a stack grows.
The operation that we just did is called PUSH.
Now if we want to remove data from the stack the first letter to leave would be C.
This is called a POP operation.
Well, let’s say that we have an array of intergers allocated for 3 locations of memory represented in light blue.
Ex). Int c[3] = {2, 3, 4};
Each location of memory is a row of the table above and each contains on interger.
Before that, we have another array of 5 integers.
C is meant to contain only 3 numbers.
If we put more than 3 elements of data in the lighter array, it will flow into the memory space of the red stack space(thus overflowing).
On the stack we do not just have application variables, but also data that rules the functioning of the program.
When these special data is overwritten, this will normally cause a segmentation fault and crash the program.
For Example, if the array only holds room for 12 bytes of c = {2, 3, 4} (number is 4 bytes)
And we decide to put more than expected
c[3] = 0;
c[4] = 0;
We will store those 2 extra numbers in memory that do not belong to variable C thus overflowing(and overwriting locations) into B’s memory(the red area).
What an attacker wants is to overflow the buffer and change the EIP register.
The EIP register is the instruction pointer.
This means it holds the value of the address of the next instruction to be executed.
Once someone has the EIP under their control it's game over.
They will be able to change the way the program works by executing a so called shellcode instead of the regular application code.
So the trick is to overwrite the EIP, writing into it an address of memory in which our shellcode resides.
The shellcode can spawn shells that have the same permissions as the target program, and possibly gain root access. We will move on to how to exploit these vulnerable applications using a popular tool called Metasploit in a bit.
To be continued!
What an attacker wants is to overflow the buffer and change the EIP register.
The EIP register is the instruction pointer.
This means it holds the value of the address of the next instruction to be executed.
Once someone has the EIP under their control it's game over.
They will be able to change the way the program works by executing a so called shellcode instead of the regular application code.
So the trick is to overwrite the EIP, writing into it an address of memory in which our shellcode resides.
The shellcode can spawn shells that have the same permissions as the target program, and possibly gain root access. We will move on to how to exploit these vulnerable applications using a popular tool called Metasploit in a bit.
To be continued!
댓글 없음:
댓글 쓰기