logo
0 anonymous
Views: 1027832 Challenges: 342
Users: 12689 Online: 10

How does bufferoverflows work ? – 6 Posts

  • How does bufferoverflows work ?

    06/03/2006 14:37
    beetleflux's Avatar beetleflux 190
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    <pre> #include&lt;string.h&gt; int main(int argc, char **argv){ char buf[256]; strcpy(buf, argv[1]); } </pre><br>This code is vulnerable to buffer overflow. Im trying to learn about exploiting these kind of codes, so, I know its common to make it spawn a shell, but what would I input if I wanted to make the program print out \"hello world\" ? Is it A*256 cout&lt;&lt;\"hello world\" ?<br><br>I know I have to overwrite the memory and such, but I dont know the details. Can someone explain to me how and why it it possible to exploit the code above ?
  • 06/03/2006 14:37
    belo's Avatar belo 410
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    Well, the point of the buffer overflow is to overwrite the return address in the stack. The return address is used when the function returns and is an address of the next instruction to execute in the calling function. But if u change the value of the return address, you can execute any code you want (granted u have enough place to store it).<br><br>Basically, u filled the buffer with ur shellcode (which is only executable code, compiled asm if u want (if i'm not mistaken)), then u add some padding to overwrite what u don't want and then u finally replace the return address so that it points to the code in the buffer.<br><br>The only thing i don't get is how can u know the correct address to use for the return address ?
  • 06/03/2006 14:37
    theblacksheep's Avatar theblacksheep 5610
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    If you write local exploits you can often use the environment to store your shellcode. Never kernels use some randomization but in older ones you can calculate the exact address.<br><br>The second method is to use the buffer you overwrite for storing your shellcode.<br>Then you have to guess a little bit where exactly it is located.<br><br>tbs<br><br>PS: Usually the first thing you do is writing a \"Hello World\" programm but you should start your exploiting career with spawning a shell.
  • 06/03/2006 14:37
    miStycaL's Avatar miStycaL 250
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    Hi <img alt="\&quot;:)\&quot;" src="%5C"><br> In a windows OS, you can try it <br><br> put some junk until reach EIP,<br> debug you vulnerable program with Olly and start put some A's until you fill you EIP<br> with the A's.<br> Then you will need 2 things , a shellcode and a return address<br> In windows, you can't use a static address in your stack.<br> To make your exploit more 'stable' you will need jump(return <img alt="\&quot;:)\&quot;" src="%5C">) to a location first<br> and then jump to stack.<br> You can use a opcode jmp esp,call esp, or push esp ret for it <img alt="\&quot;:)\&quot;" src="%5C"><br> You can use a address of one of this opcodes, I sujest you use a address of<br> one that is located in a very common dll, like kernel32, User32, msvcrt <img alt="\&quot;:)\&quot;" src="%5C">, or inside<br> your vulnerable program.<br> You can use some softwares to search for this opcode<br> you can use SAC,and if you don't want use SAC you can user my own opcode finder, if you want, send me a pm, <br> ADMIN if you can put it in bright-shadows download section I will be a happy girl <img alt="\&quot;:)\&quot;" src="%5C"><br><br> then you buffer layout will like it<br> <br> <br> aaaaaaaaaaaaaaaaaaaaaaaaaa[Jmp esp]x90x90x90x90x90x90x90[Shellcode]<br><br> then make a program that make this buffer and send the buffer to the program <img alt="\&quot;:)\&quot;" src="%5C"><br><br> I hope it helps you
  • 06/03/2006 14:37
    DevAstatoR's Avatar DevAstatoR 90
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    Try the book \"forbidden code\" from Jon Erickson
  • 06/03/2006 14:37
    UnknownUser's Avatar UnknownUser 2,7290
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    yeah this really is a larger topic than we could cover in a forum thread...<br><br>to find opcodes on a linux, box which might also be the case.<br>you could use this command<br><br>objdump /bin/*|grep -i [mnemonic]<br><br>it's quick and dirty just the way i like it <img alt="\&quot;:)\&quot;" src="%5C">