UGN Security
Posted By: Ghost Buffer Overflow Attacks - 08/29/03 02:42 AM
Whats a buffer overflow attack, what does it speciffically do, and how is it executed?
Posted By: sinetific Re: Buffer Overflow Attacks - 08/29/03 04:03 AM
A buffer is an allocated space of temporary memory. A buffer overflow is when too much data is recieved causing the buffer to overflow. To understand how they work you'll need to know some uP(microprocessor) theory. But basically you want to offerflow the buffer and have the part is left over an instruction, usually a malicious instruction that would grant you certain privledges on this system. This part that is overflows is the next set of instructions to execute instead of what should normally be executed.
Posted By: Ghost Re: Buffer Overflow Attacks - 08/29/03 04:17 AM
how would i execute one; is it a program or do i connect to a port to do it
Posted By: paradox Re: Buffer Overflow Attacks - 08/29/03 05:08 AM
I think you are talking about exploits.
there are two general kinds of exploits local and remote. Remote exploits use the internet to send a payload to a certain service to overflow it and execute code.. While a local service will do the same but not remotely.. simple really..
A buffer overflow works as said above by writing more data then the buffer allowed.. hence "buffer" overflow an example in c is.
#include
int main(int argc,char *argv[]){
char *buff[20];
strcpy(buff,argv[1]);
}
Now when you run the program
"c:\lala.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
more data is written to the buffer then was allocated and the registers get overwritten if your in windows a error box will pop up and you can find out which registers you overwrote by looking for 41 which is the hex value of "A"
it should overwrite the esp and ebp if you have enuf data seeing as how the buffer is 20 bytes and you wrote more than 21 bytes u overwrite the register why did i say 21 well thats because of the null terminated byte every buffer has '\0' (thats a basic explanation of it all) How do exploits work.. they do just that they overflow buffers and execute shellcode (ahh what is shellcode?) shellcode is opcode(operation code) of an asm program an example .
#include <windows.h>
#include <winbase.h>

void main()
{

LoadLibrary("msvcrt.dll");

__asm {

mov esp,ebp
push ebp
mov ebp,esp
xor edi,edi
push edi
sub esp,04h
mov byte ptr [ebp-08h],63h
mov byte ptr [ebp-07h],6Dh
mov byte ptr [ebp-06h],64h
mov byte ptr [ebp-05h],2Eh
mov byte ptr [ebp-04h],65h
mov byte ptr [ebp-03h],78h
mov byte ptr [ebp-02h],65h
mov eax, 0x77c28044 //put your system() address here
push eax
lea eax,[ebp-08h]
push eax
call dword ptr [ebp-0ch]
}
}
this program just runs cmd.exe using the system function and when u convert this to opcode you have your shellcode.. to get the system address you just use a debugger to find out where the function is stored in memory
Ok thats shellcode.. you understand buffer overflows well the simple version.. So now we make an exploit what this does is overwrite the return address of the program so when it tries to return it executes or shellcode..
there is no easy way to explain this..
but basically you store your shellcode in public memory range 0x00000000 to 0x7FFFFFFF
and overwrite the stack with your shellcodes memory address and execute it. Voila
just google for buffer overflow tutorials wink for a more in depth idea of what they are
Posted By: Ice Re: Buffer Overflow Attacks - 08/29/03 11:30 AM
heres a good txt file by a member of the german group called The Hackers Choice (THC) thc.org

heres the link to the good read, hope this helpes you on ur way of learning

Its on Stacks Overflow's

http://www.thc.org/papers/OVERFLOW.TXT
Posted By: Ghost Re: Buffer Overflow Attacks - 08/30/03 03:59 AM
thanx Sin, Black Night, and 1c3 <img border="0" alt="[yum]" title="" src="graemlins/yum.gif" />
Posted By: Ice Re: Buffer Overflow Attacks - 08/30/03 08:03 AM
np, glad to help

+++EDITED+++
heres another OK txt file i found on packetstorm
its called:

Writing buffer overflow exploits - a tutorial for beginners

and the link is:

http://packetstormsecurity.nl/papers/unix/exploit.txt

Hope this one helps like the last one hopefully did
Posted By: Ntd Re: Buffer Overflow Attacks - 08/30/03 12:52 PM
nice work blackKnight, so lets say i connect to a FTP server and for the password and username i paste 300 characters of stuff will that overflow the buffer?
Posted By: Ice Re: Buffer Overflow Attacks - 08/30/03 01:08 PM
heres yet another great txt file

Advanced buffer overflow exploits
http://www.zone-h.org/files/32/aboep.txt
Posted By: Gollum Re: Buffer Overflow Attacks - 08/30/03 08:33 PM
http://www.cs.ucsb.edu/~jzhou/security/overflow.html

more coming soon//
Posted By: Ghost Re: Buffer Overflow Attacks - 08/31/03 07:39 AM
hey thanx guys.
Posted By: paradox Re: Buffer Overflow Attacks - 08/31/03 06:01 PM
NTD
Depends if they have error checking for the usernames buffer.. but there was a MS ftp vulnrability which allowed people to remotely exploit MS ftp servers because they didnt have buffer checking and of course all the exploit had to do was send a tcp stream
"USER (buffer gets printed here)" and your shellcode should be executed :p but of course remember seeing as how its remote you also have to store the shell code in there memory sumwhere
But i belive u can store your shellcode b4 u overwrite the esp and ebp registers and make them execute the USER buffer's address and that should load your shellcode.. but you would have to find a way to find the address all the time.. i'm not good with remote attacks.. never had to make one..
Posted By: Ice Re: Buffer Overflow Attacks - 09/01/03 10:25 PM
hehe Black ur one 1337 guy = )
Heres another pretty good one

Writing buffer overflow exploits - a tutorial for beginners
http://www.zone-h.org/files/32/buffer_overflows_for_newbies.txt
Posted By: paradox Re: Buffer Overflow Attacks - 09/02/03 06:52 PM
lol thanks..
i don't consider myself "1337" im just learning like the rest, but i just seem to be ahead atm.. everyone can bring forward a different aspect to a project.. like games; they have 20 different people some for algorithims some for gui's etc.. But i appreciate the comment :p
© UGN Security Forum