How To Conduct Your Very Own Buffer Overflow

Adam writes "If you've ever wanted to create your own buffer overflow or just to see how one works, check out this tutorial. The article talks about how a buffer overflow works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about an exploit that takes place thanks to a buffer overflow, but what is a buffer overflow? By definition it is when a program attempts to store more data in an array (buffer) than it was intended to hold, thus overwriting the return address of the function. To show how this is actually done, I'll explain how to do a simple attack on a fairly small program."
  • by Anonymous Coward on Friday May 06, 2005 @06:15PM (#12457737)


    Zonk posts a story from a submitter that wrote the page being submitted for the story, who, as it turns out, blatantly plagiarized the content from Bryant and O'Hallaron's Computer Systems book [cmu.edu].

    As a matter of fact, on the webpage itself [collegebums.org], the very first response to the post calls Adam out about this, but apparently, it is still sufficiently 'news' to merit posting here.

    Way to go, Zonk...once again, you've lowered the standard.

  • News? (Score:5, Insightful)

    by American AC in Paris ( 230456 ) * on Friday May 06, 2005 @06:16PM (#12457738) Homepage
    Look, this may be useful information, but it's not even remotely newsworthy. It's a freakin' intro-level homework exercise.

    What's next, "How To Conduct Your Very Own Segmentation Fault"?

    • Fun and Profit (Score:1, Informative)

      by Anonymous Coward
      I agree,

      If anything, one should use this classic text:

      http://www.shmoo.com/phrack/Phrack49/p49-14 [shmoo.com]
    • Agreed; and it's overly simplistic to say "... it is when a program attempts to store more data in an array (buffer) than it was intended to hold, thus overwriting the return address of the function." Just overflowing a buffer may not make any change to a return address - else nearly every off-by-one programming error would be disastrous.
    • Re:News? (Score:3, Insightful)

      by hoka ( 880785 )
      Seriously, buffer overflows are not only simple attack vectors, there are multiple ways to deal with them (hardware and software). All the hardened distros I know of use something to prevent it (Active Bounds Checking, Stack Smashing). What people really need to be aware of are things like SQL injection attacks, Cross-Site Scripting attacks, social engineering, and people should also know how to configure their machine to limit data penetration once the user is inside (ACLs, Chroots, jails, etc). I suppose
      • Ya, we need a machine that can stop people from hacking into it via social engineering.
      • Re:News? (Score:3, Insightful)

        by evilrip ( 713562 )
        Uhm, if all the hardening makes the distros so secure, why are they still getting owned via one or another variant of the buffer overflow (stack or heap based, overflowed, underflowed, integer manipulation, etc.)? Although I agree that the point of entry often is via other types of attacks when the attack is happening from a remote location and not locally, say like php-code injection, sql-manipulation, perl fun, etc. The x86 especially has poor protection from attacks of the buffer overflow kind as most pro
        • The x86 is particularly vulnerable to these attacks for two main reasons:

          A) Until recently, there wasn't a no-exec flag which could be set on a page of memory.

          B) On x86, the stack grows *downward*... This means that when you copy past the end of your local stack frame (like, when you do an unchecked strcpy), you will overwrite the return address. Buffer overflow attacks do this so that they can make the execution jump to an arbitrary location. If the stack grew upwards, then you would just trash your l
      • Odd. The more "sophisticated" programming languages have this problem, but old, "simple" stuff like BASIC generates an error and halts execution (or enters an error-handling routine) when an array overflow occurs.

        "Progress," a curious thing, indeed.
    • Re:News? (Score:3, Insightful)

      by IainMH ( 176964 ) *
      Look, this may be useful information, but it's not even remotely newsworthy. It's a freakin' intro-level homework exercise.

      Hey hang on there horsey. This is a good article. Why shouldn't it have a place here? If you don't want to read it, don't read it. /. is a place where news and, more importantly, a community convene to learn a little bit more each day about our (nerdy) world.

      I for one enjoyed this article. Don't complain if some articles don't conform to your expectation of what you think /. sho
    • Re:News? (Score:5, Interesting)

      by ajs ( 35943 ) <ajsNO@SPAMajs.com> on Friday May 06, 2005 @06:54PM (#12458135) Homepage Journal
      Hmmm... how to construct your very own SEGV, eh? ... well, I guess "kill -SEGV $$" is a bit obvious.

      How about
      perl -le 'print unpack("P","\0\0\0\01")'
      Good enough? ;-)

      Yeah, I know. You're wondering, "why that trailing 1"? It's because Perl explicitly checks for the boneheaded maneuver of dereferencing NULL in an unpack and prevents it. Of course (as the docs point out), there's not much it can do to prevent you using this particular tool to shoot yourself in the foot.
      • Re:News? (Score:2, Funny)

        by aluser ( 771756 )
        golf!

        perl -e%::=1,//

    • Re:News? (Score:5, Funny)

      by telstar ( 236404 ) on Friday May 06, 2005 @06:56PM (#12458152)
      What's next, "How To Conduct Your Very Own Segmentation Fault"?
      • nope .... "How to Slashdot a webserver."
    • "Look, this may be useful information, but it's not even remotely newsworthy. It's a freakin' intro-level homework exercise."

      Given that Slashdot frequently refers to buffer overruns, why is it such a sin that they link to a story that explains them in more detail? So it won't be on CNN, whoop-de-fuck.
  • Hmm (Score:5, Funny)

    by Dante Shamest ( 813622 ) on Friday May 06, 2005 @06:16PM (#12457743)

    Is the tutorial correct?

    It doesn't seem to wo----

  • Tutorials? (Score:5, Funny)

    by Anonymous Coward on Friday May 06, 2005 @06:16PM (#12457744)
    Tutorials are for wimps.

    Real men create buffer overflows by accident.
  • by nweaver ( 113078 ) on Friday May 06, 2005 @06:17PM (#12457756) Homepage
    Another good reference is the Tao of Windows Buffer Overflow [cultdeadcow.com] by the Cult of the Dead Cow [cultdeadcow.com]. A very detailed explanation how to exploit stack overflows on Windows.
  • by Anonymous Coward on Friday May 06, 2005 @06:19PM (#12457781)
    This even has great source code and explains the theory quite well.

    http://www.gergltd.com/IATAC-BufferOverflowExploit .pdf [gergltd.com]
  • ... if you have recommendations or pros/cons, reply to this...
  • did anyone else notice the comments on the site regarding the blog, how can you take a site seriously with comments like that...

    (oh, and no I do not take /. seriously)
    • The best part is reloading the page and watching the counter at the bottom get higher and higher as the slashdotting gets closer and closer.
      • heh, your post is probably causing a bigger slashdotting than he'd otherwise suffer from. For example, in the 8 seconds I reloaded before getting bored to tears, I watched the counter climb 50 hits.

        I wonder how many people are going to attack his hosting provider now? :-)

  • It definitely works, I just compil..0xdeadbeef
  • Buffer Overflows (Score:5, Informative)

    by joeytsai ( 49613 ) on Friday May 06, 2005 @06:21PM (#12457796) Homepage
    The best article about buffer overflows is the well-known "Smashing the Stack for Fun and Profit" by Aleph One in Phrack. Here's the first link [shmoo.com] google gave me.

    Everything else (like this article) pales in comparison.
  • by frank_adrian314159 ( 469671 ) on Friday May 06, 2005 @06:21PM (#12457797) Homepage
    I can overflow buffers quite well on my own without any help.
  • Another article. (Score:5, Informative)

    by zymano ( 581466 ) on Friday May 06, 2005 @06:21PM (#12457802)
  • by ThisIsFred ( 705426 ) on Friday May 06, 2005 @06:22PM (#12457805) Journal
    Just teach yourself C! You'll discover every possible way in which things can go wrong, and in no time at all.
  • the author of the article states: "-o tells gcc to compile the file"

    but fortunately he didn't write the example, it's taken from Bryant and O'Hallaron's Computer Systems [pearson.ch].
  • by Anonymous Coward
    By imposing array bound checking at every operation? I know that the check is redundant for a tight linear algebra loop that is obviously bug free, but I think that I'm in a position to mandate that all these people take the penalty hit just because I like the idea of imposing my view on people that are smarter than me. Oh yeah and mandate training wheels on all bicycles too.
    • yes java fixes it, and if you are doing hard core math computations, you probably don't want to use java. But if you're writing generic software for people, java isn't the worst you could do. It can be more productive than C with fewer fatal bugs (simple things like buffer overruns).
      And yes, forcing people to accept runtime checks is a good thing if it reduces severe security bugs.
      Once again, go program C if that's what you like, the rest of us will keep up with what computers and languages have to offer
    • Java fixes this foremost by not allowing pointer arithmetic. You can program some structures better with goto statements as well, but there is a good reason why they are gone. Pointer arithmetic is the next goto statement. It can be useful, and sometimes it is difficult to do without (i.e. embedded or kernel level programming).

      99 times out of 100 you don't need pointer arithmetic, and 5 times out of a hundred it will introduce a hard to fix runtime error. Experienced programmers should only be allowed to do it, if i
  • 1 - Choose random windows version.
    2 - Choose random exe or dll that comes with the OS.
    3 - Choose a random base address.
    4 - Write your code
    5 - ???
    6 - Profit!

    It's like trying to throw a rock to the floor, you just can't miss ;-)
  • by bajan_on_ice ( 32348 ) on Friday May 06, 2005 @06:27PM (#12457861)
    Read what I consider the seminal hacker work on this subject by Aleph One over at phrack.org

    http://www.phrack.org/show.php?p=49&a=14 [phrack.org]

    A little on the detailed side, especially the gdb stuff, but a GREAT article.

  • Slashdot: News for ScriptKiddies. Stuff that doesn't matter.
  • Here's a sample... (Score:5, Informative)

    by pg110404 ( 836120 ) on Friday May 06, 2005 @06:28PM (#12457872)
    #include <stdio.h>
    #include <string.h>

    char bigBuffer[4096];

    void overflowMe(void);

    int main(void)
    {
        memset(bigBuffer, 0, sizeof(bigBuffer));
        overflowMe();
        return 0;
    }

    /* this function should never return; in fact it
       should/might SIGSEGV as the return address will be essentially reset to IP=0x00000000 */
    void overflowMe(void)
    {
        char localBuffer[256];

        /* deliberately copy from a larger buffer to a stack segment buffer more than it can hold */
        memcpy(localBuffer, bigBuffer, sizeof(bigBuffer));
    }
    • There's a security bug in your code.
  • A shame... (Score:2, Insightful)

    Why do people care so much about creating buffer overflows? Just write programs in C/C++ and you WILL create buffer overflows. It seems that most programmers can't avoid them, and "buffer-overflow vulnerabilities" are found all the time. Why not care instead about the methods created to fix (most of) them? The ones that many distros are still not shipping despite it being quite obvious that they're needed more than the latest KDENOME shit?

    Just check [debian.org] the debian security mailing list and look how many buffer
  • by TheNarrator ( 200498 ) on Friday May 06, 2005 @06:53PM (#12458125)
    You know why Qmail has had one of the best security records of any C program out there?

    DJ Bernstein Will Tell You Why [cr.yp.to]

    Among my favorite advice of his is to completely give up on the standard C library. Really, everybody should have done it a while ago. It's one of those things like the unix pipe model that was a good start, but now that it has hung around for 25 years, it needs an upgrade. How about everybody stop using the standard C library and switch to something like the Apache Portable Runtime [apache.org]?

    Write bug-free code. I've mostly given up on the standard C library. Many of its facilities, particularly stdio, seem designed to encourage bugs. A big chunk of qmail is stolen from a basic C library that I've been developing for several years for a variety of applications. The stralloc concept and getln() make it very easy to avoid buffer overruns, memory leaks, and artificial line length limits.

  • ...but I know for a fact that his server is fighting for its life right about now! The Slashdot Effect is killing it...
  • Slashdot's going to show us how to make our very own Hello World program - yay!
  • Not too hard (Score:2, Informative)

    by springbox ( 853816 )
    #include <stdio.h>
    #include <string.h>

    int main(void)
    {
        struct
        {
            unsigned char buffer[4];
            unsigned char overrun;
        } data;

        data.overrun = 0xFF;

        printf("Initial: %u\n", data.overrun);
        memset(&data.buffer[0], 0, 5);
        printf("Final: %u\n", data.overrun);
        return 0;
    }

    5 bytes get pushed onto the stack to reserve memory for the structure data when main is invoked. Memset starts writing to the base address of the structure at data.buffer[0] for 5 bytes. The space allocated for buffer, however is only 4
    • Re:Not too hard (Score:3, Interesting)

      by pg110404 ( 836120 )
      This is a buffer overflow, but not all overflows will trample on the stack causing unexpected code execution.

      The main problem with buffer overflows wrt security vulnerabilities is that an overflow has the potential to "return" to a block of code that was not where it was called from

      e.g.

      overflowBuffer = {binary code that executes a new program + padding bytes}{return ip address that points back to the address of stack buffer that is about to be overflowed}

      memcpy(buffer to overflow, overflowBuffer, bytes
    • Writing buffer overflows is trivial. You do this all the time while programming, whether you want or not (and usually the latter).
      Writing a buffer overflow bug exploit is a totally different matter though, and I'd love to see some useful tutorial on that - i.e. I find overflowable parameter in some program, what do I feed it to do something useful for me?
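Both pg110404's 4096-into-256 memcpy sample earlier in the thread and springbox's four-byte struct buffer above show the same mechanism from the defender's side: the bytes that spill past a buffer land in whatever the compiler placed next to it, and whether that is a harmless adjacent field or the saved return address depends only on layout. The C example below is added for this thread and is not code from either poster. It lays out a mock frame as one byte array (buffer first, then a canary word of the kind a stack-protector build inserts, then a stand-in for the saved return address, the role springbox's overrun byte plays), reports whether the canary survived an unchecked copy of n zero bytes and what the return-address slot holds afterwards, and puts the bounded copy that refuses the oversized request beside it. CANARY_VALUE, RETADDR_STANDIN and the function names are choices made here.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the Slashdot posts. The "frame" mimics the layout a
 * stack-protector build uses: data buffer, then a canary word, then the slot that
 * would hold the saved return address. Keeping all of it inside one byte array means
 * the overrun stays within a single C object, so the demo is well-defined rather than
 * the real undefined behaviour of writing past a local array. */
#define BUF_SIZE 256
#define CANARY_VALUE 0xAA55AA55AA55AA55ULL   /* chosen here; real canaries are random per process */
#define RETADDR_STANDIN 0xdeadbeefULL        /* stand-in for a saved return address */

enum { CANARY_OFF = BUF_SIZE, RETADDR_OFF = BUF_SIZE + 8, FRAME_SIZE = BUF_SIZE + 16 };

struct frame { unsigned char bytes[FRAME_SIZE]; };

static uint64_t load_u64(const unsigned char *p) { uint64_t v; memcpy(&v, p, sizeof v); return v; }
static void store_u64(unsigned char *p, uint64_t v) { memcpy(p, &v, sizeof v); }

/* The unchecked pattern from the posts: copy n bytes without consulting the destination
 * size. Clamped to the frame only so the demo cannot leave the C object. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t n) {
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, src, n);
}

/* Hardened replacement: the destination size travels with the pointer and an oversized
 * request is refused (-1) instead of being written through or silently truncated. */
int bounded_copy(unsigned char *dst, size_t dstsz, const unsigned char *src, size_t n) {
    if (n > dstsz) return -1;
    memcpy(dst, src, n);
    return 0;
}

struct outcome { int canary_ok; uint64_t retaddr; };

/* Copy n bytes of a zero-filled 4096-byte source (constructed, like pg110404's bigBuffer)
 * into the 256-byte buffer via the unchecked path and report what happened next door. */
struct outcome simulate_unchecked(size_t n) {
    static const unsigned char big[4096];   /* static storage: all zero */
    struct frame f;
    struct outcome o;
    memset(f.bytes, 0x41, BUF_SIZE);        /* arbitrary initial buffer contents */
    store_u64(f.bytes + CANARY_OFF, CANARY_VALUE);
    store_u64(f.bytes + RETADDR_OFF, RETADDR_STANDIN);
    unchecked_copy(&f, big, n);
    o.canary_ok = load_u64(f.bytes + CANARY_OFF) == CANARY_VALUE;
    o.retaddr = load_u64(f.bytes + RETADDR_OFF);
    return o;
}

/* The same request through the bounded path: 0 if performed, -1 if refused. */
int simulate_bounded(size_t n) {
    static const unsigned char big[4096];
    struct frame f;
    memset(f.bytes, 0x41, FRAME_SIZE);
    return bounded_copy(f.bytes, BUF_SIZE, big, n);
}

int main(void) {
    size_t sizes[] = { 100, 260, 4096 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct outcome o = simulate_unchecked(sizes[i]);
        printf("unchecked n=%4zu: canary %s, return slot 0x%08" PRIx64 "; bounded copy: %s\n",
               sizes[i], o.canary_ok ? "intact" : "CLOBBERED", o.retaddr,
               simulate_bounded(sizes[i]) == 0 ? "performed" : "refused");
    }
    return 0;
}
```

With 100 bytes nothing past the buffer changes; with 260 the canary is damaged while the return slot is still intact, which is exactly the case the canary exists to catch before the function returns; with the full 4096 (clamped to the frame) both are zeroed, the IP=0x00000000 outcome pg110404 describes. The bounded path accepts up to 256 bytes and refuses anything larger.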
  • by TrevorB ( 57780 ) on Friday May 06, 2005 @06:56PM (#12458155) Homepage
    from the downtime-of-my-very-own dept.
    Adam writes "If you've ever wanted to create your own Slashdot effect or just to see how one works, check out this tutorial. The article talks about how a Slashdotting works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about an exploit that takes place thanks to the Slashdot effect, but what is the Slashdot effect? By definition it is when a website attempts to service more users than it was intended to hold, thus returning an error message from the server. To show how this is actually done, I'll explain how to do a simple attack on a fairly small Slashdot post."
  • I loaded up this article and what do I see?
    This ad [doubleclick.net] from Microsoft staring back at me.
  • A whole article had to be written about this? Make a C program. Make an array of char, like char Blah[20]... Write Blah[20] = 'A';

    Boom. Instant buffer overflow. You're a rogue hacker.

  • by G4from128k ( 686170 ) on Friday May 06, 2005 @07:06PM (#12458257)
    I've been hearing about reuse of code and the development of stable shared libraries for the past 20 years and it's probably been going on for longer than that. Why don't people, especially OS and application people, create, debug, and reuse a set of overflow-proof buffer-handling libraries? The libraries could include a range of forked versions for different usage patterns (e.g., big buffers of small data objects, small buffers of big data objects, buffers optimized for variable or fixed size, buffers optimized for frequent writes/sorts/reads/etc.). Why is that so hard?

    Every buffer-overflow exploit is just evidence of re-invention of a bug-filled wheel.
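The stralloc/getln advice quoted in the qmail post above and the reusable overflow-proof buffer library asked for here come down to the same two ingredients: a buffer that carries its own length and capacity, and a line reader that grows it instead of writing past a fixed array. The C example below is added for this thread in that spirit; it is not qmail's code, and the names gbuf, gbuf_append, getln_mem and getln_fixed are chosen here. It reads from an in-memory string (a constructed sample, so it runs offline) and puts the fixed-array reader beside the growing one, written to refuse a line that does not fit rather than overrun.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example in the spirit of qmail's stralloc/getln; not DJB's code. A buffer that
 * knows its own length and capacity cannot be overrun by the functions that use it,
 * because every write goes through gbuf_append. */
struct gbuf { char *s; size_t len; size_t cap; };

/* Grow to at least `need` bytes (doubling keeps appends amortised O(1)).
 * Returns 0 on success, -1 if the size arithmetic would wrap or realloc fails. */
int gbuf_reserve(struct gbuf *b, size_t need) {
    size_t ncap;
    char *p;
    if (need <= b->cap) return 0;
    ncap = b->cap ? b->cap : 16;            /* small start so the sample below really grows */
    while (ncap < need) {
        if (ncap > SIZE_MAX / 2) return -1;
        ncap *= 2;
    }
    if ((p = realloc(b->s, ncap)) == NULL) return -1;
    b->s = p;
    b->cap = ncap;
    return 0;
}

int gbuf_append(struct gbuf *b, const char *src, size_t n) {
    if (n > SIZE_MAX - b->len) return -1;   /* len + n would wrap */
    if (gbuf_reserve(b, b->len + n) < 0) return -1;
    memcpy(b->s + b->len, src, n);
    b->len += n;
    return 0;
}

void gbuf_free(struct gbuf *b) { free(b->s); b->s = NULL; b->len = b->cap = 0; }

/* getln-style reader over a memory cursor [*cur, end): stores the next line (without its
 * '\n') in b, growing b as needed. Returns 1 for a line, 0 at end of input, -1 if
 * allocation fails. There is no fixed line-length limit. */
int getln_mem(const char **cur, const char *end, struct gbuf *b) {
    const char *nl, *stop;
    b->len = 0;
    if (*cur >= end) return 0;
    nl = memchr(*cur, '\n', (size_t)(end - *cur));
    stop = nl ? nl : end;
    if (gbuf_append(b, *cur, (size_t)(stop - *cur)) < 0) return -1;
    *cur = nl ? nl + 1 : end;
    return 1;
}

/* The fixed-array reader the overflows come from, written so that a line that does not
 * fit with its terminator is refused (-1) instead of written past dst. */
int getln_fixed(const char **cur, const char *end, char *dst, size_t dstsz) {
    const char *nl, *stop;
    size_t n;
    if (*cur >= end) return 0;
    nl = memchr(*cur, '\n', (size_t)(end - *cur));
    stop = nl ? nl : end;
    n = (size_t)(stop - *cur);
    if (dstsz == 0 || n > dstsz - 1) return -1;
    memcpy(dst, *cur, n);
    dst[n] = '\0';
    *cur = nl ? nl + 1 : end;
    return 1;
}

/* Constructed sample input: the middle line is longer than the 16-byte starting capacity. */
#define SAMPLE_LONG_LINE "this line is deliberately longer than the sixteen-byte starting capacity"
static const char SAMPLE_TEXT[] = "first line\n" SAMPLE_LONG_LINE "\nlast\n";

/* Scan text with getln_mem, reporting line count and longest line; -1 on allocation failure. */
static int scan(const char *text, size_t *nlines, size_t *longest) {
    struct gbuf b = { NULL, 0, 0 };
    const char *cur = text, *end = text + strlen(text);
    int rc;
    *nlines = *longest = 0;
    while ((rc = getln_mem(&cur, end, &b)) == 1) {
        (*nlines)++;
        if (b.len > *longest) *longest = b.len;
    }
    gbuf_free(&b);
    return rc;
}

size_t line_count(const char *text) { size_t n, m; return scan(text, &n, &m) < 0 ? (size_t)-1 : n; }
size_t longest_line(const char *text) { size_t n, m; return scan(text, &n, &m) < 0 ? (size_t)-1 : m; }

/* Whether the first line of text fits a fixed buffer of `cap` bytes via getln_fixed. */
int first_line_fits(const char *text, size_t cap) {
    char tmp[128];
    const char *cur = text, *end = text + strlen(text);
    if (cap > sizeof tmp) cap = sizeof tmp;
    return getln_fixed(&cur, end, tmp, cap);
}

int main(void) {
    printf("%zu lines, longest %zu bytes (grown from a 16-byte start)\n",
           line_count(SAMPLE_TEXT), longest_line(SAMPLE_TEXT));
    printf("long line into 16-byte array: %s\n",
           first_line_fits(SAMPLE_LONG_LINE, 16) == -1 ? "refused" : "accepted");
    return 0;
}
```

The growing reader handles the 72-byte middle line without any limit being hit, while the fixed 16-byte reader reports -1 for it instead of writing 57 bytes past the array; the caller then decides how to handle an over-long line, which is the decision strcpy and gets never gave it.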
  • by Electron ( 598 ) on Friday May 06, 2005 @07:08PM (#12458270)
    Zonk [slashdot.org] writes "If you've ever wanted to slashdot your own server [slashdot.org] or just to see how one works, check out this tutorial. The article talks about how the slashdot effect works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about a server disappearing from the face of the earth thanks to the slashdot effect, but what is the slashdot effect? By definition it is when a slashdot editor posts a link on the frontpage to a small server without using coral cache [nyud.net] and zillions of slashdotters click on the link the minute the story is published, thus hammering the server into oblivion. To show how this is actually done, I'll explain how to submit a story with a link to your own server by praising Apple, dissing Microsoft or revealing more SCO conspiracies."
  • It seems that the submitter was in such a hurry to plagiarise this article that he didn't have time to proofread it first.

    Without further ado, here are some corrections:
    • pushl $value of print /x *((int *) $ebp + 1)
    • movl $0xdeadbeef, %eax
    • ret
    • nop

    To compile this code into an object file, type into the shell gcc -O2 -c assembly.s and then disassemble it by typing objdump -d assembly.o > input.txt.

    For example, if %ebp equaled bf ff ef d8 it would become d8 ef ff bf. Once this is all done you can te

  • I once used a buffer overrun in a ps2 game I was working on to allow me to download a patch when no patching mechanism was in place.

    This was very handy for creating some small additions to the game.

    Never patched the hole. But then again, the game didn't sell that well.
  • by Inigo Montoya ( 31674 ) on Friday May 06, 2005 @07:14PM (#12458316) Journal
    The /. effect knocked the account out of existence!

    "Account Suspended
    Your account has been suspended for 1 of 2 reasons.

    1. Your bill is over due. In this case please email billing@vizaweb.com

    2. You account what causing a problem of some sort. In this case please contact CustomerCare@vizaweb.com"

    hmm... Even Slashdotted sites can't spell!
  • Well I got: (Score:5, Funny)

    by cmacb ( 547347 ) on Friday May 06, 2005 @07:53PM (#12458575) Homepage Journal
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, webmaster@collegebums.org and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
    So I guess the overflow worked even better than he thought it would.
  • Serves him right for posting a Phrack article from 97 (or somewhere around then, IIRC).

    There's a better CDC (that's Cult of the Dead Cow for you young fellows) one out there, I just don't have a link to it.

    It was actually a web-based tutorial, not a g-file (that's a text page to you young-un's).

  • This one is basic, but it's always good to know how to mess up a program. Great if you can make it, but if you know how to mess it up really badly, it's easier to patch and fix. Of course, most C libs out there in the OSS world have better functions for the most commonly buffer-overflowed functions, but I know there are other ways.
