?? introduction to buffer overflow.htm
字號:
<!-- saved from url=(0022)http://internet.e-mail -->
<html>
<head>
<title>Buffer Overflow</title>
<style type=text/css>A:active {
TEXT-DECORATION: none
}
A:hover {
TEXT-DECORATION: underline
}
A:link {
TEXT-DECORATION: none
}
A:visited {
TEXT-DECORATION: none
}
</style>
</head>
<body text="#000000" bgcolor="#FFFFFF">
<center><table BORDER=0 CELLSPACING=2 CELLPADDING=2 WIDTH="308" >
<caption><TBODY>
<br></TBODY></caption>
<tr>
<td>
<pre><font color="#FF0000">.</font><font color="#000000">########</font><font color="#FF0000">...</font>######<font color="#FF0000">..</font>########<font color="#FF0000">..</font>########
<font color="#FF0000">.</font>##<font color="#FF0000">.....</font>##<font color="#FF0000">.</font>##<font color="#FF0000">....</font>##<font color="#FF0000">.</font>##<font color="#FF0000">.....</font>##<font color="#FF0000">.</font>##<font color="#FF0000">......
.</font>##<font color="#FF0000">.....</font>##<font color="#FF0000">.</font>##<font color="#FF0000">.......</font>##<font color="#FF0000">.....</font>##<font color="#FF0000">.</font>##<font color="#FF0000">......
.</font>########<font color="#FF0000">...</font>######<font color="#FF0000">..</font>########<font color="#FF0000">..</font>######<font color="#FF0000">..
.</font>##<font color="#FF0000">.....</font>##<font color="#FF0000">.......</font>##<font color="#FF0000">.</font>##<font color="#FF0000">...</font>##<font color="#FF0000">...</font>##<font color="#FF0000">......
.</font>##<font color="#FF0000">.....</font>##<font color="#FF0000">.</font>##<font color="#FF0000">....</font>##<font color="#FF0000">.</font>##<font color="#FF0000">....</font>##<font color="#FF0000">..</font>##<font color="#FF0000">......
.</font>########<font color="#FF0000">...</font>######<font color="#FF0000">..</font>##<font color="#FF0000">.....</font>##<font color="#FF0000">.</font>##<font color="#FF0000">......</font></pre>
</td>
</tr>
</table></center>
<center>
<p><a href="http://blacksun.box.sk/" target="_blank">http://blacksun.box.sk/</a><br>
<a href="http://uc.zemos.net/">Unix Clan</a>
<br>Lecturer: <a href="mailto:ghostrider@box.sk">Ghost_Rider</a>
<br>Tutorial: Buffer overflow
<br>Converter: <a href="mailto:DKsk8er166@hotmail.com">DKsk8</a>
</center>
<hr>
<center>
Introduction to Buffer Overflow by Ghost_Rider
</center>
<hr>
<br>
<br>
<hr width="50%">
<center>
Intro
</center>
<hr width="50%">
<br>
<p>Hello, here I am again, this time I'll let you know what is in fact
buffer overflow and how you can detect if some program is vulnerable to buffer
overflow exploits. This tutorial has C source code, so if you don't know C
you can have some problems in this tutorial, you also need to have some
notions on ASM and how to use gdb.</p>
<p>I tried to do the easiest I could, but still this tutorial isn't one
of those where you really don't know shit about nothing and when you end it
you know all this. This one takes some work to understand, hey it took huge
work to write!</p>
<p>A little inside note, like everyone that is reading this lines I like to
learn, so some weeks ago I said to myself "Hey what the heck, why not to start
reading some texts about buffer overflows, I know how everything work but
just superficially", so I just started learning and now I'm trying to pass the
knowledge that I gained, to everyone that is interested. So this won't be one
of those texts where you'll learn everything, this will be like a walkthrough,
like the title says an Introduction, (In the end I'll give you some nice texts).
If you have any questions concerning this tutorial post in our message board,
if you find any "bug" in this tutorial please email me and I'll correct it.
Enjoy.</p>
<br>
<br>
<br>
<hr width="50%">
<center>
Exploit?
</center>
<hr width="50%">
<br>
<p>Well probably everyone knows what an exploit is. But you still got to see
that the ones that are entering the security world for the first time
probably don't have the idea of what that is, that's why I wrote this tinny
section.</p>
<p>So for the ones that don't know an exploit is a program, usually written in
C, that exploits some problem that another program have. The exploit will allow
you to run arbitrary code that will let you do something that you shouldn't be
able to do in your normal status on the system.</p>
<p>Nowadays, most of the exploits are what we call Buffer Overflow Exploits.
What's that you ask. Wait because we'll get there. After all, this is the
subject of this tutorial.</p>
<p>Another thing you should know is that everyone knows how to use them(how do
you think that most of the websites that are defaced?), the script kiddies
just go to sites like security focus, packetstorm or fyodor's exploit world,
download it and run it, and then got busted. But why doesn't everybody write
exploits? Well the problem is that many people doesn't know how to spot some
vulnerability in the source code, or even if they can they aren't able to
write a exploit. So now that you have an idea of what an exploit is, let's
go ahead to the
buffer overflow section.</p>
<hr width="50%">
<center>
Buffer Overflow after all what's that?
</center>
<hr width="50%>
<p>Like I said before most of the exploits are Buffer Overflow exploits.
You are probably now thinking "Bah..this guy is bullshiting around, but
still didn't said what buffer overflow is". So let's just talk about it.</p>
<p>A buffer overflow problem is based in the memory where the program stores
it's data. Why's that, you ask. Well because what buffer overflow do is
overwrite expecific memory places where should be something you want, that
will make the program do something that you want.</p>
<p>Well some of you right now are thinking "WOW, I know how buffer overflow
works", but you still don't know how to spot them.</p>
<p>Let's follow a program and try to find and fix the buffer overflow</p>
<br>
<br>
<center>
<br>------ Partial code below--------
<br>
<br> main(int argc, char **argv) {
<br>
<br> char *somevar;
<br> char *important;
<br>
<br> somevar = (char *)malloc(sizeof(char)*4);
<br> important = (char *)malloc(sizeof(char)*14);
<br>
<br> strcpy(important, "command"); /*This one is the important
<br> variable*/
<br> stcrpy(somevar, argv[1]);
<br>
<br>
<br> ..... Code here ....
<br>
<br> }
<br>
<br>.... Other functions here ....
<br>
<br>------- End Of Partial Code ------
</center>
<br>
<br>
<p>So let's say that important variable stores some system command like, let's
say "chmod o-r file", and since that file is owned by root the program is run
under root user too, this means that if you can send commands to it, you can
execute ANY system command. So you start thinking. How the hell can I put
something that I want in the important variable. Well the way is to overflow
the memory so we can reach it. But let's see variables memory addresses.
To do that you need to re-written the code. Check the following code.</p>
<br>
<br>
<center>
<br>--------- Partial Code ------------
<br>
<br>main (int argc, char **argv) {
<br>
<br>
<br> char *somevar;
<br> char *important;
<br>
<br> somevar=(char *)malloc(sizeof(char)*4);
<br> important=(char *)malloc(sizeof(char)*14);
<br>
<br> printf("%p\n%p", somevar, important);
<br> exit(0);
<br>
<br> rest of code here
<br>
<br>}
<br>
<br>--------- End of Partial Code --------
</center>
<br>
<br>
<p>Well we added 2 lines in the source code and left the rest unchanged. Let's
see what does two lines do.</p>
<p>The printf("%p\n%p", somevar, important); line will print the memory
addresses for somevar and important variables. The exit(0); will just keep the
rest of the program running after all you don't want it for nothing, your goal
was to know where is the variables are stored.</p>
<p>After running the program you would get an output like, you will probably
not get the same memory addresses:<p>
<br>
<center>
<br>
<br> 0x8049700 <----- This is the address of somevar
<br> 0x8049710 <----- This is the address of important
</center>
<p>As we can see, the important variable is next somevar, this will let us use
our buffer overflow skills, since somevar is got from argv[1]. Now, we know
that one follow the other, but let's check each memory address so we can have
the precise notion of the data storage. To do this let's re-write the code
again.</p>
<br>
<br>
<center>
<br>-------- Partial code ---------
<br>
<br>main(int argc, char **argv) {
<br>
<br> char *somevar;
<br> char *important;
<br> char *temp; /* will need another variable */
<br>
<br>
<br> somevar=(char *)malloc(sizeof(char)*4);
<br> important=(char *)malloc(sizeof(char)*14);
<br>
<br> strcpy(important, "command"); /*This one is the important
<br> variable*/
<br> stcrpy(str, argv[1]);
<br>
<br>
<br>
<br> printf("%p\n%p\n", somevar, important);
<br> printf("Starting To Print memory address:\n");
<br>
<br> temp = somevar; /* this will put temp at the first memory address we want
<br>*/
<br> while(temp < important + 14) {
<br>
<br> /* this loop will be broken when we get to the last memory address we
<br> want, last memory address of important variable */
<br>
<br> printf("%p: %c (0x%x)\n", temp, *temp, *(unsigned int*)temp);
<br> temp++;
<br>
<br> }
<br>
<br> exit(0);
<br>
<br> rest of code here
<br>}
<br>------ End Of partial Code ------
</center>
<br>
<br>
<p>Now let's say that the argv[1] should be in normal use send. So you just type
in your prompt:</p>
<br>
<center>
$ program_name send
</center>
<br>
<p>You'll get an output like:</p>
<br>
<center>
<br>0x8049700
<br>0x8049710
</center>
<br>
<p>Starting To Print memory address:</p>
<br>
<center>
<br>0x8049700: s (0x616c62)
<br>0x8049701: e (0x616c)
<br>0x8049702: n (0x61) <---- each of this lines represent a memory address
<br>0x8049703: d (0x0)
<br>0x8049704: (0x0)
<br>0x8049705: (0x0)
<br>0x8049706: (0x0)
<br>0x8049707: (0x0)
<br>0x8049708: (0x0)
<br>0x8049709: (0x19000000)
<br>0x804970a: (0x190000)
<br>0x804970b: (0x1900)
<br>0x804970c: (0x19)
<br>0x804970d: (0x63000000)
<br>0x804970e: (0x6f630000)
<br>0x804970f: (0x6d6f6300)
<br>0x8049710: c (0x6d6d6f63)
<br>0x8049711: o (0x616d6d6f)
<br>0x8049712: m (0x6e616d6d)
<br>0x8049713: m (0x646e616d)
<br>0x8049714: a (0x646e61)
<br>0x8049715: n (0x646e)
<br>0x8049716: d (0x64)
<br>0x8049717: (0x0)
<br>0x8049718: (0x0)
<br>0x8049719: (0x0)
<br>0x804971a: (0x0)
<br>0x804971b: (0x0)
<br>0x804971c: (0x0)
<br>0x804971d: (0x0)
<br>$
</center>
<br>
<p>Nice isn't it? You can now see that there exist 12 memory address empty
between somevar and important. So let's say that you run the program with a
command line like:</p>
<br>
<center>
$ program_name send------------newcommand
</center>
<br>
<p>You'll get an output like:</p>
<br>
<center>
<br>0x8049700
<br>0x8049710
<br>Starting To Print memory address:
<br>0x8049700: s (0x646e6573)
<br>0x8049701: e (0x2d646e65)
<br>0x8049702: n (0x2d2d646e)
<br>0x8049703: d (0x2d2d2d64)
<br>0x8049704: - (0x2d2d2d2d)
<br>0x8049705: - (0x2d2d2d2d)
<br>0x8049706: - (0x2d2d2d2d)
<br>0x8049707: - (0x2d2d2d2d)
<br>0x8049708: - (0x2d2d2d2d)
<br>0x8049709: - (0x2d2d2d2d)
<br>0x804970a: - (0x2d2d2d2d)
<br>0x804970b: - (0x2d2d2d2d)
<br>0x804970c: - (0x2d2d2d2d)
<br>0x804970d: - (0x6e2d2d2d)
<br>0x804970e: - (0x656e2d2d)
<br>0x804970f: - (0x77656e2d)
<br>0x8049710: n (0x6377656e) <--- memory address where important variable starts
<br>0x8049711: e (0x6f637765)
<br>0x8049712: w (0x6d6f6377)
<br>0x8049713: c (0x6d6d6f63)
<br>0x8049714: o (0x616d6d6f)
<br>0x8049715: m (0x6e616d6d)
<br>0x8049716: m (0x646e616d)
<br>0x8049717: a (0x646e61)
<br>0x8049718: n (0x646e)
<br>0x8049719: d (0x64)
<br>0x804971a: (0x0)
<br>0x804971b: (0x0)
<br>0x804971c: (0x0)
<br>0x804971d: (0x0)
</center>
<br>
<p>Hey cool, newcommand got over command. Now it does something you want,
instead of something he was supposed to do.</p>
<center>
<b>NOTE: Remember sometimes those spaces between somevar and
important can have other variables instead of being empty, so check their
values and send them to the same address, or the program can crash before
getting to the variable that you modified.</b>
<center>
<p> Now let's think a little. Why does this happen? As you can see in the source
code somevar is declared before important, this will make, most of the times,
that somevar will be first in memory. Now, let's check how each one is got.
Somevar gets it's value from argv[1], and important gets it from strcpy()
function, but the real problem is that important value is assign first so when
you assign value to somevar that is before it important can be overwritten.
This program could be patched against this buffer overflow switching those two
lines, becoming :</p>
<br>
<center>
<br>strcpy(somevar, argv[1]);
<br>strcpy(important, "command");
</center>
<br>
<p>If this was the way that the program was done even if you give an argument
that would get into the memory address of important, it will be overwritten by
the true command, since after getting somevar, is assign the value command to
important.<p>
<p> This kind of buffer overflow, is a heap buffer overflow. Like you probably
has seen they are really easy to do in theory but, in the real world, it's not
really easy to do them, after all the example I gave was a really dumb
program right? It's a real pain in the ass to find those important
variables, and also to overflow that variable you need to be able to write to
one that is in a lower memory address, most of times all this conditions
doesn't get together, that's why we are now gonna talk about stack buffer
overflows.<p>
<center>
<b>Just a little inside note:
In the last paragraph I talked about heap and stack. You probably be
wondering what each one is. So here's a brief and easy of understanding
definition of each one:</b>
</center>
<br>
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -