Buffer Overflow
By: John Quach and
Napoleon N. Valdez
Buffer Overflow Basics

- Writing more data into a buffer than the program allocated for it
- Data that overflows into another region of memory can be fatal to the program
- No bounds checking in C/C++/Fortran

What is a buffer?

A memory space allocated for use during execution.

Frame of a function:

void function(int a, int b) {
    char buffer1[5];
}

int main(void) {
    function(1, 2);
    return 0;
}

Stack frame of function(), from higher to lower addresses:
  b
  a
  ret  (return address)
  SFP  (saved frame pointer)
  buffer1
Simple Buffer Overflow Example

Show example

Static Variables

Stack after the call, from higher to lower addresses: buffer1 holds the run of A's, and the overflow continues upward through SFP into ret, which now holds the bytes B C D E.
What happened?

- function() was called and the parameter “AAAAAAAAAAAABCDE” was passed
- Since strcpy() does not check the string's length, the function call caused the buffer to overflow

Why is BO so dangerous?

- The overflowed data can reach the return address
- Malicious code could then be executed at the new address

Example

Exploit a program to execute a malicious program.

[Figure: stack layout of the overflowed frame, from low to high addresses: buffer, sfp, ret, a, b, c, each labelled with a sample address. The buffer is filled with the bytes of the injected program ("[MALICIOUSPRO][GRAM]"), followed by a replacement return address ([0xDF][0x01][0x02][0x03]) that points back to the start of the buffer, so that when the function returns, execution continues inside the buffer.]
Buffer Overflow Exploit Example

- Analyze a crackme named weird.exe
- Run the program and guess the serial
- Find the correct serial using a buffer overflow

Past BO exploits

- Morris Internet worm
- Code Red worm, 2001
- Blaster worm, 2003
- Internet Information Server (IIS)
- Many more

How to Prevent Buffer Overflow

- Always check bounds
- Avoid scanf() and other dangerous library function calls
- Use strncpy instead
- Automatic source code checking: www.polyspace.com (Linux only)
- Compiler add-ons: www.immunix.org
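The strcpy() overflow from the "What happened?" slide next to the bounded copy this slide recommends, as an added C example that is not the presenters' code; the names vulnerable_function(), would_overflow(), safe_copy() and function_checked() are my own, and the comments note the strncpy() termination caveat the slide leaves out.

```c
#include <stdio.h>
#include <string.h>

/* The slides' vulnerable pattern: strcpy() copies until the source's NUL byte
 * and ignores the 5-byte destination, so an argument such as
 * "AAAAAAAAAAAABCDE" runs past buffer1 into the saved frame pointer (SFP)
 * and the return address. Kept only as the "before" picture; never called. */
void vulnerable_function(const char *input) {
    char buffer1[5];
    strcpy(buffer1, input);      /* no bounds check */
}

/* The bounds check the slide asks for: returns 1 if src plus its
 * terminator would not fit in a buffer of buf_size bytes. */
int would_overflow(size_t buf_size, const char *src) {
    return strlen(src) + 1 > buf_size;
}

/* Hardened copy: never writes more than dst_size bytes and always leaves a
 * NUL terminator. Caveat behind "use strncpy instead": strncpy() does not
 * terminate dst when src is at least dst_size bytes long, so the terminator
 * is written explicitly here. Returns 1 if src fit, 0 if it was truncated. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0)
        return 0;
    if (would_overflow(dst_size, src)) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 1;
}

/* Same 5-byte buffer1 as the slides, fed through safe_copy(). The resulting
 * (possibly truncated) content is copied to out so the caller can inspect it;
 * returns 1 if input fit in buffer1 and 0 if it was cut short. */
int function_checked(const char *input, char *out, size_t out_size) {
    char buffer1[5];
    int fit = safe_copy(buffer1, sizeof buffer1, input);
    safe_copy(out, out_size, buffer1);
    return fit;
}

int main(void) {
    char out[16];   /* constructed input: the slide's 16-byte string */
    int fit = function_checked("AAAAAAAAAAAABCDE", out, sizeof out);
    printf("fit=%d buffer1=\"%s\"\n", fit, out);   /* fit=0 buffer1="AAAA" */
    return 0;
}
```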

Conclusion

- Buffer overflow is simply manipulating memory to gain control of a program
- Buffer overflow is hard to execute successfully
- Hard to fix
