How To Conduct Your Very Own Buffer Overflow
Adam writes "If you've ever wanted to create your own buffer overflow or just to see how one works, check out this tutorial. The article talks about how a buffer overflow works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about an exploit that takes place thanks to a buffer overflow, but what is a buffer overflow? By definition it is when a program attempts to store more data in an array (buffer) than it was intended to hold, thus overwriting the return address of the function. To show how this is actually done, I'll explain how to do a simple attack on a fairly small program."
Once again, Zonk lowers the bar. (Score:5, Interesting)
Zonk posts a story from a submitter that wrote the page being submitted for the story, who, as it turns out, blatantly plagiarized the content from Bryant and O'Hallaron's Computer Systems book [cmu.edu].
As a matter of fact, on the webpage itself [collegebums.org], the very first response to the post calls Adam out about this, but apparently, it is still sufficiently 'news' to merit posting here.
Way to go, Zonk...once again, you've lowered the standard.
Re:Once again, Zonk lowers the bar. (Score:5, Informative)
Re:Once again, Zonk lowers the bar. (Score:1, Redundant)
Hey everyone.... (Score:2)
now back to work...
MOD PARENT UP (Score:5, Interesting)
Re:MOD PARENT UP (Score:2, Funny)
If he wanted traffic to his web site, he got it! As the saying goes, "Be careful what you wish for".
Account Suspended
Your account has been suspended for 1 of 2 reasons.
1. Your bill is over due. In this case please email billing@vizaweb.com
2. You account what causing a problem of some sort. In this case please contact CustomerCare@vizaweb.com
Re:MOD PARENT UP (Score:3)
-Jay
MOD PARENT DOWN (Score:2)
Re:Once again, Zonk lowers the bar. (Score:2, Insightful)
Re:Once again, Zonk lowers the bar. (Score:2)
This is further proof that, even if you've already scraped the bottom of the barrel, if you look under the barrel...
Re:Once again, Zonk lowers the bar. (Score:5, Insightful)
Submitter's full name (Score:5, Funny)
The submitter's full name is Adam Piquepaille.
Re:Once again, Zonk lowers the bar. (Score:2)
Slashdot doesn't even report the stories. It just links to them. What 'standard' is even getting lowered? I hope you don't mean journalistic. If Google linked to that site instead of the original source first, would that be some lowering of standards, too?
Re:Once again, Zonk lowers the bar. (Score:2)
Re:Once again, Zonk lowers the bar. (Score:2, Informative)
http://www.cultdeadcow.com/cDc_files/cDc-351/esse
News? (Score:5, Insightful)
What's next, "How To Conduct Your Very Own Segmentation Fault"?
Fun and Profit (Score:1, Informative)
If anything, one should use this classic text:
http://www.shmoo.com/phrack/Phrack49/p49-14 [shmoo.com]
Re:News? (Score:2)
Re:News? (Score:3, Insightful)
Re:News? (Score:1)
Re:News? (Score:3, Insightful)
Re:News? (Score:2)
A) Until recently, there wasn't a no-exec flag which could be set on a page of memory.
B) On x86, the stack grows *downward*... This means that when you copy past the end of your local stack frame (like, when you do an unchecked strcpy), you will overwrite the return address. Buffer overflow attacks do this so that they can make the execution jump to an arbitrary location. If the stack grew upwards, then you would just trash your l
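The stack-direction point in the comment above, as an added example that is not part of this thread or the linked article: a C program that records the address of a local buffer at four call depths and checks that each deeper frame lies at a lower address than its caller's, then reports how many bytes a write running off the end of the callee's buffer has to cross before it reaches the caller's data. The function names, the 32-byte buffer and the depth of four are demo choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 4

/* Record the address of a local buffer at each call depth. noinline and the
 * volatile accesses keep every call a real stack frame, even at -O2. */
__attribute__((noinline))
static void probe(int depth, uintptr_t addrs[MAX_DEPTH])
{
    volatile char local_buf[32];          /* stands in for the victim buffer */
    local_buf[0] = (char)depth;
    addrs[depth] = (uintptr_t)local_buf;
    if (depth + 1 < MAX_DEPTH)
        probe(depth + 1, addrs);
    local_buf[1] = 0;                     /* used after the call: no tail-call reuse of this frame */
}

/* 1 if every deeper frame sits at a lower address than its caller's frame,
 * i.e. the stack grows downward; 0 otherwise. */
int stack_grows_down(void)
{
    uintptr_t addrs[MAX_DEPTH];
    probe(0, addrs);
    for (int i = 1; i < MAX_DEPTH; i++)
        if (addrs[i] >= addrs[i - 1])
            return 0;
    return 1;
}

/* Bytes from the callee's buffer up to the caller's buffer. A copy that runs
 * off the end of the callee's buffer moves upward through this gap, which
 * holds the state saved between the two frames (on x86, the callee's saved
 * frame pointer and its return address). */
size_t frame_gap(void)
{
    uintptr_t addrs[MAX_DEPTH];
    probe(0, addrs);
    return (size_t)(addrs[0] - addrs[1]);
}

int main(void)
{
    printf("stack grows down: %s\n", stack_grows_down() ? "yes" : "no");
    printf("gap from callee buffer to caller buffer: %zu bytes\n", frame_gap());
    return 0;
}
```

The gap is always at least the size of the callee's buffer; whatever the compiler saved between the frames (frame pointer, return address, stack-protector canary if enabled) sits in the remainder, which is exactly where an unchecked strcpy lands.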
Re:News? (Score:2)
"Progress," a curious thing, indeed.
Re:News? (Score:2)
The "take into consideration" bit is what separates real programmers from hacks.
Re:News? (Score:3, Insightful)
Hey hang on there horsey. This is a good article. Why shouldn't it have a place here? If you don't want to read it, don't read it.
I for one enjoyed this article. Don't complain if some article don't conform to your expectation of what you think
Re:News? (Score:2)
Re:News? (Score:4, Insightful)
No, it's literally an intro-level homework exercise. It's a code snippet copied out of a textbook.
Re:News? (Score:5, Interesting)
How about Good enough?
Yeah, I know. You're wondering, "why that trailing 1"? It's because Perl explicitly checks for the boneheaded maneuver of dereferencing NULL in an unpack and prevents it. Of course (as the docs point out), there's not much it can do to prevent you using this particular tool to shoot yourself in the foot.
Re:News? (Score:2, Funny)
perl -e%::=1,//
Re:News? (Score:3, Funny)
How about a new
Re:News? (Score:5, Funny)
Re:News? (Score:2)
Given that Slashdot frequently refers to buffer overruns, why is it such a sin that they link to a story that explains them in more detail? So it won't be on CNN, whoop-de-fuck.
Hmm (Score:5, Funny)
Is the tutorial correct?
It doesn't seem to wo----
Tutorials? (Score:5, Funny)
Real men create buffer overflows by accident.
Re:Tutorials? (Score:5, Funny)
Re:Tutorials? (Score:3, Funny)
Re:Tutorials? (Score:1)
I dunno I think it be better put as:
real men never get buffer overflows.
3 non-executable stacks or grsecurity patches.
Re:Tutorials? (Score:2)
Re:Tutorials? (Score:3, Funny)
Real Men flip out regularly and buffer overflow just for the hell of it, because they are sooo cool!
Once I heard that this wimpy guy dropped a teaspoon, and this Real Man like totally buffer overflowed him, right there on the spot!
Buffer Overflows are totally sweet.
And that's what I call real ultimate power! Check it out, it's totally sweet! [www.abo.fi]
The Tao of Windows Buffer Overflow (Score:5, Insightful)
Why not just look at this? (Score:4, Informative)
http://www.gergltd.com/IATAC-BufferOverflowExploi
How to use a memory bounds checker? (Score:1, Offtopic)
comments... (Score:2)
(oh, and no I do not take
Re:comments... (Score:2)
Re:comments... (Score:2)
I wonder how many people are going to attack his hosting provider now? :-)
I can confirm that this works (Score:1, Funny)
Re:I can confirm that this works (Score:1)
POWER Chips represent-sent!
Buffer Overflows (Score:5, Informative)
Everything else (like this article) pales in comparison.
Re:Buffer Overflows (Score:2)
-sirket
Re:Buffer Overflows (Score:5, Funny)
Thank you but... (Score:5, Funny)
Another article. (Score:5, Informative)
No Guide Needed! (Score:5, Funny)
Re:No Guide Needed! (Score:2)
the author of it thinks -o means to compile (Score:2, Interesting)
but fortunately he didnt write the example, its taken from Bryant and O'Hallaron's Computer Systems [pearson.ch].
Doesn't Java fix this? (Score:1, Interesting)
Re:Doesn't Java fix this? (Score:1)
And yes, forcing people to accept runtime checks is a good thing if it reduces severe security bugs.
Once again, go program C if that's what you like; the rest of us will keep up with what computers and languages have to offer
Re:Doesn't Java fix this? (Score:2)
99 times out of 100 you don't need pointer arithmetic, and 5 times out of a hundred it will introduce a hard to fix runtime error. Experienced programmers should only be allowed to do it, if i
How to exploit a buffer overflow in windows: (Score:2, Funny)
2 - Choose a random exe or dll that comes with the OS.
3 - Choose a random base address.
4 - Write your code
5 - ???
6 - Profit!
It's like trying to throw a rock at the floor: you just can't miss
Re:How to exploit a buffer overflow in windows: (Score:2, Funny)
Smashing The Stack For Fun And Profit (Score:5, Insightful)
http://www.phrack.org/show.php?p=49&a=14 [phrack.org]
A little on the detailed side, especially the gdb stuff, but a GREAT article.
Re:Smashing The Stack For Fun And Profit (Score:2)
I sure hope this dude 'Aleph One' isn't a hacker, 'cos he's bound to get mad after you guys kill his server.
New Logo? (Score:1)
Here's a sample... (Score:5, Informative)
#include <string.h>
char bigBuffer[4096];
void overflowMe(void);
int main(void)
{
    memset(bigBuffer, 0, sizeof(bigBuffer));
    overflowMe();
    return 0;
}
/* Deliberate overflow: copies 4096 bytes into a 256-byte local buffer,
   should/might SIGSEGV as the return address will be essentially reset to IP=0x00000000 */
void overflowMe(void)
{
    char localBuffer[256];
    memcpy(localBuffer, bigBuffer, sizeof(bigBuffer));
}
Re:Here's a sample... (Score:3, Funny)
Re:Here's a sample... (Score:5, Funny)
Yeah, I know. Here's the patch
#include <stdio.h>
int main(void)
{
    return 0;
}
Re:Here's a sample... (Score:1)
Re:Here's a sample... (Score:3, Interesting)
Actually I didn't miss the point. I could have made a far more elaborate program that actually did demonstrate that very fact, but I didn't want to spend 20 hours writing the damn thing then post 20 hours later when everybody else moved on.
If you look at the memset before the function call, I set the entire 8k buffer to zeros, and then when I call overflowMe(), I copy 8k - 256 bytes beyond the 256 byte local buffer, extending well past over the return address. A f
Re:Here's a sample... (Score:2)
Why don't you write one then? My program demonstrates a function being called and overwriting a stack buffer. Upon return from that function, the stack being corrupted jumps to an arbitrary location. Specifically an address that was part of the data that overflowed the buffer. To get the address right, it would be more complex than what I provided.
Re:Here's a sample... (Score:2)
You're the one who didn't get it. JMP ESP if it actually exists is technically an invalid instruction that should NEVER be used.
What that does is to run code specifically found on the stack, and if we step into the way-back machine, in the 8088 days, you had 4 segment registers DS (data segment), ES (extra segment), SS (stack segment), and CS (code segment). The compiler segregated the program into 3 and sometimes 4 separate segments and went out of its way to make sure it di
Re:Here's a sample... (Score:2)
JMP ESP is an instruction that resumes execution on the stack. The stack is NOT SUPPOSED to contain valid code. PERIOD. Even if it is a valid CPU instruction, its an instruction that should never be used. The only thing that could ever have come out of this was buffer overflows. I'm not arguing the fact that it's not an existing inst
Re:Here's a sample... (Score:2, Insightful)
Did it occur to you that the sequence JMP ESP could be there by pure accident? It's just two bytes, perhaps it could be there at an irregular offset of a compiler generated assembly sequence, or perhaps it could be there as part of an address in memory. Get it now?
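The accidental-gadget point just made, as an added example that is not part of this thread: a C scanner that looks for the two-byte encoding of JMP ESP (FF E4) at every byte offset of a memory image, the way exploit writers hunt for a trampoline in a module loaded at a fixed address. The image is constructed for the demo (a few hand-assembled x86 instructions plus one immediate chosen so that its bytes contain FF E4); the function names are demo assumptions, not anything from the article.

```c
#include <stddef.h>
#include <stdio.h>

/* The two-byte encoding of JMP ESP (in 64-bit mode the same bytes decode as
 * JMP RSP). */
static const unsigned char JMP_ESP[2] = { 0xFF, 0xE4 };

/* Scan img for FF E4 at every byte offset, not just at instruction
 * boundaries, since the CPU will happily start executing mid-instruction.
 * Stores up to max offsets in out; returns the total number of matches. */
size_t find_jmp_esp(const unsigned char *img, size_t len, size_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (img[i] == JMP_ESP[0] && img[i + 1] == JMP_ESP[1]) {
            if (n < max)
                out[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed image: a few hand-assembled 32-bit x86 instructions. The
 * immediate 0x7C3FE4FF was picked so that its little-endian bytes contain
 * FF E4, i.e. a JMP ESP that no disassembly listing would show, plus one
 * deliberate JMP ESP for comparison. Offsets are in the comments. */
static const unsigned char image[] = {
    0x55,                           /* 0:  push ebp                                  */
    0x89, 0xE5,                     /* 1:  mov  ebp, esp                             */
    0xB8, 0xFF, 0xE4, 0x3F, 0x7C,   /* 3:  mov  eax, 0x7C3FE4FF  (FF E4 at offset 4) */
    0x5D,                           /* 8:  pop  ebp                                  */
    0xC3,                           /* 9:  ret                                       */
    0xFF, 0xE4,                     /* 10: jmp  esp  (the deliberate one)            */
    0x90,                           /* 12: nop                                       */
};

size_t demo_match_count(void)
{
    size_t off[8];
    return find_jmp_esp(image, sizeof image, off, 8);
}

/* Offset of the i-th match in the demo image, or (size_t)-1 if none. */
size_t demo_match_at(size_t i)
{
    size_t off[8];
    size_t n = find_jmp_esp(image, sizeof image, off, 8);
    return (i < n && i < 8) ? off[i] : (size_t)-1;
}

int main(void)
{
    size_t off[8];
    size_t n = find_jmp_esp(image, sizeof image, off, 8);
    printf("%zu JMP ESP candidate(s)\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  offset %zu\n", off[i]);
    return 0;
}
```

The scan finds two candidates: the one the "programmer" wrote at offset 10 and the one hiding inside the mov immediate at offset 4. Only the second kind is what the reply is talking about, and it is why "the compiler would never emit that" is no defence.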
Re:Here's a sample... (Score:2)
Finally. Thank you for that lucid statement. I understand your point. Just so you know, it did not occur to me that that instruction might have accidentally found its way into memory, thus I didn't see how it could realistically happen.
Next time, you might have tried something like this from the beginning instead of assuming my IQ was so low I couldn't outwit a boiled cabbage:
1 - JMP ESP is a currently valid CPU instruction
Re:Here's a sample... (Score:2)
Ow, you got me there.... perfect example of why I hate to comment unnecessarily. I wrote that up in 1 minute and spent another 30 seconds on comments. I figured my short term memory was good enough without double checking.
Further, is zeroing a global array necessary? I thought global variables are implicitly zeroed.
It depends on the compiler and on the language. Some compilers will pad out the size of the EXE to include
Re:Here's a sample... (Score:2)
No, you've missed the point. The hard part is writing code that doesn't fall victim to an overflow. Fill bigBuffer from stdin before calling overflowMe(), and you've got a sadly realistic example.
A shame... (Score:2, Insightful)
Just check [debian.org] the debian security mailing list and look how many buffer
All you C Programmers should do thing the DJB way. (Score:3, Interesting)
DJ Bernstein Will Tell You Why [cr.yp.to]
Among my favorite advice of his is to completely give up on the standard C library. Really, everybody should have done it a while ago. It's one of those things like the unix pipe model that was a good start, but now that it has hung around for 25 years, it needs an upgrade. How about everybody stop using the standard C library and switch to something like the Apache Portable Runtime [apache.org]?
Write bug-free code. I've mostly given up on the standard C library. Many of its facilities, particularly stdio, seem designed to encourage bugs. A big chunk of qmail is stolen from a basic C library that I've been developing for several years for a variety of applications. The stralloc concept and getln() make it very easy to avoid buffer overruns, memory leaks, and artificial line length limits.
Not sure about buffer overflows... (Score:1)
Can't wait for tomorrow (Score:2)
Not too hard (Score:2, Informative)
#include <stdio.h>
#include <string.h>
int main(void)
{
    struct
    {
        unsigned char buffer[4];
        unsigned char overrun;
    } data;
    data.overrun = 0xFF;
    printf("Initial: %u\n", data.overrun);
    memset(&data.buffer[0], 0, 5);   /* one byte more than buffer holds */
    printf("Final: %u\n", data.overrun);
    return 0;
}
5 bytes get pushed onto the stack to reserve memory for the structure data when main is invoked. Memset starts writing to the base address of the structure at data.buffer[0] for 5 bytes. The space allocated for buffer, however, is only 4
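The adjacent-field trick in the post above, as an added example that is not part of this thread: the same layout turned into a check. A sentinel byte sits right after a fixed buffer, an unchecked copy clobbers it when handed one byte too many, and a length-checked copy refuses instead. The struct, the 16-byte size, the 0xA5 sentinel and the 'A' input are demo assumptions; every write stays inside the struct so the demo itself has defined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define SENTINEL 0xA5

/* A fixed buffer with a sentinel byte immediately after it, the same
 * adjacent-field layout as the struct above. The sentinel stands in for
 * whatever the compiler placed after the buffer (a saved register, the
 * return address); a stack-protector canary is the same idea. */
struct guarded {
    unsigned char buf[BUF_SIZE];
    unsigned char sentinel;
};

static void guarded_init(struct guarded *g)
{
    memset(g->buf, 0, sizeof g->buf);
    g->sentinel = SENTINEL;
}

/* The bug: copies whatever length the caller hands over, like the textbook
 * memcpy/strcpy case. The destination is taken as the whole struct so that,
 * for len <= sizeof *g, the over-write stays inside one object. */
static void unchecked_copy(struct guarded *g, const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)g;   /* same address as g->buf */
    memcpy(dst, src, len);
}

/* The fix: check the length against the buffer before copying and report
 * instead of truncating silently. Returns 0 on success, -1 if refused. */
static int checked_copy(struct guarded *g, const unsigned char *src, size_t len)
{
    if (len > sizeof g->buf)
        return -1;
    memcpy(g->buf, src, len);
    return 0;
}

static int sentinel_intact(const struct guarded *g)
{
    return g->sentinel == SENTINEL;
}

/* Constructed input: up to BUF_SIZE + 1 bytes of 'A', one more than fits. */
static size_t fill_input(unsigned char *in, size_t len)
{
    if (len > BUF_SIZE + 1)
        len = BUF_SIZE + 1;
    memset(in, 'A', len);
    return len;
}

/* Push len input bytes through the unchecked copy; 1 if the sentinel
 * survived, 0 if it was overrun. */
int demo_unchecked(size_t len)
{
    struct guarded g;
    unsigned char in[BUF_SIZE + 1];
    guarded_init(&g);
    unchecked_copy(&g, in, fill_input(in, len));
    return sentinel_intact(&g);
}

/* Same through the checked copy; returns its result (0 or -1). The sentinel
 * survives either way; -2 would mean the fix itself failed. */
int demo_checked(size_t len)
{
    struct guarded g;
    unsigned char in[BUF_SIZE + 1];
    guarded_init(&g);
    int rc = checked_copy(&g, in, fill_input(in, len));
    return sentinel_intact(&g) ? rc : -2;
}

int main(void)
{
    printf("unchecked, %d bytes: sentinel %s\n", BUF_SIZE + 1,
           demo_unchecked(BUF_SIZE + 1) ? "intact" : "CLOBBERED");
    printf("checked,   %d bytes: rc=%d\n", BUF_SIZE + 1, demo_checked(BUF_SIZE + 1));
    return 0;
}
```

With exactly BUF_SIZE bytes both copies leave the sentinel alone; with one byte more the unchecked copy overwrites it with 'A', which is the whole bug in miniature, while the checked copy returns -1 and writes nothing.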
Re:Not too hard (Score:3, Interesting)
The main problem with buffer overflows wrt security vulnerabilities is that an overflow has the potential to "return" to a block of code that was not where it was called from
e.g.
overflowBuffer = {binary code that executes a new program + padding bytes}{return ip address that points back to the address of stack buffer that is about to be overflowed}
memcpy(buffer to overflow, overflowBuffer, bytes
Re:Not too hard (Score:2)
Writing a buffer overflow bug exploit is a totally different matter though, and I'd love to see some useful tutorial on that - i.e. I find overflowable parameter in some program, what do I feed it to do something useful for me?
How To Conduct Your Very Own Slashdot Effect (Score:3, Funny)
Adam writes "If you've ever wanted to create your own Slashdot effect or just to see how one works, check out this tutorial. The article talks about how a Slashdotting works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about an exploit that takes place thanks to the Slashdot effect, but what is the Slashdot effect? By definition it is when a website attempts to service more users than it was intended to hold, thus returning an error message from the server. To show how this is actually done, I'll explain how to do a simple attack on a fairly small Slashdot post."
Ironic - /. ad was for MS Visual Studio .NET (Score:2, Funny)
This ad [doubleclick.net] from Microsoft staring back at me.
I hate buffer overflows. (Score:2)
Boom. Instant buffer overflow. You're a rogue hacker.
Reuse: How come overflows still happen? (Score:3, Interesting)
Every buffer-overflow exploit is just evidence of re-invention of a bug-filled wheel.
How To Slahdot Your Very Own Server (Score:3, Funny)
Less haste, more speed! (Score:2)
Without further ado, here are some corrections:
To compile this code into an object file, type into the shell gcc -O2 -c assembly.s and then disassemble it by typing objdump -d assembly.o > input.txt.
For example, if %ebp equaled bf ff ef d8 it would become d8 ef ff bf. Once this is all done you can te
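Both the payload shape sketched in the "Not too hard" reply earlier ([code + padding][return address pointing back into the buffer]) and the byte-order correction just above, as one added example that is not from either comment: a C builder that lays out such a buffer for a 32-bit little-endian target. It goes one step beyond the reply's layout by putting a NOP sled before the code rather than padding after it, so that a slightly wrong guess of the buffer address still slides into the code. The 0xCC "code" bytes are int3 placeholders, not shellcode; the 12-byte return offset and the address 0xBFFFEFD8 (the %ebp value from the correction above) are demo inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lay out [NOP sled][code][return address] for a 32-bit little-endian target.
 * ret_offset is the distance from the start of the victim buffer to the saved
 * return address; ret_addr should point back into the sled. Returns the number
 * of bytes written, or 0 if the pieces do not fit. */
size_t build_payload(unsigned char *out, size_t out_cap,
                     const unsigned char *code, size_t code_len,
                     size_t ret_offset, uint32_t ret_addr)
{
    size_t total = ret_offset + sizeof ret_addr;
    if (code_len > ret_offset || total > out_cap)
        return 0;
    size_t sled = ret_offset - code_len;
    memset(out, 0x90, sled);                   /* NOPs: land anywhere here and slide */
    memcpy(out + sled, code, code_len);        /* code ends right at the saved EIP slot */
    for (size_t i = 0; i < sizeof ret_addr; i++)   /* little-endian, low byte first:
                                                      0xBFFFEFD8 -> d8 ef ff bf */
        out[ret_offset + i] = (unsigned char)(ret_addr >> (8 * i));
    return total;
}

/* Demo inputs (constructed): 4 int3 bytes stand in for the code, the saved
 * return address is assumed 12 bytes past the buffer start, and the target is
 * the %ebp value used in the correction above. */
static const unsigned char demo_code[4] = { 0xCC, 0xCC, 0xCC, 0xCC };
#define DEMO_RET_OFFSET 12
#define DEMO_RET_ADDR   0xBFFFEFD8u

static size_t demo_build(unsigned char *out, size_t cap)
{
    return build_payload(out, cap, demo_code, sizeof demo_code,
                         DEMO_RET_OFFSET, DEMO_RET_ADDR);
}

size_t demo_len(void)
{
    unsigned char out[64];
    return demo_build(out, sizeof out);
}

/* Byte i of the demo payload (0 if i is out of range). */
unsigned char demo_byte(size_t i)
{
    unsigned char out[64];
    size_t n = demo_build(out, sizeof out);
    return i < n ? out[i] : 0;
}

int main(void)
{
    unsigned char out[64];
    size_t n = demo_build(out, sizeof out);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", out[i], (i + 1 == n) ? '\n' : ' ');
    return 0;
}
```

For the demo inputs the builder emits eight NOPs, the four placeholder bytes, then d8 ef ff bf, the reversed form the correction above describes. The two refusals (code longer than the space before the return address, or output buffer too small) are the cases a hand-rolled payload gets wrong most often.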
Useful buffer overrun (Score:1)
This was very handy for creating some small additions to the game.
Never patched the hole. But then again, the game didn't sell that well.
account suspended :) (Score:3, Funny)
"Account Suspended
Your account has been suspended for 1 of 2 reasons.
1. Your bill is over due. In this case please email billing@vizaweb.com
2. You account what causing a problem of some sort. In this case please contact CustomerCare@vizaweb.com"
hmm... Even Slashdotted sites can't spell!
Well I got: (Score:5, Funny)
Looks like someone smashed his server's stack (Score:2)
There's a better CDC (that's Cult of the Dead Cow for you young fellows) one out there, I just don't have a link to it.
It was actually a web-based tutorial, not a g-file (that's a text page to you young-un's).
Re:Looks like someone smashed his servers stack (Score:2)
http://www.cultdeadcow.com/cDc_files/cDc-351/inde
Other tutorials (Score:2)
Re:Oh good (Score:2, Informative)
Re:Oh good (Score:1)
Re:slashdotted... (Score:2, Funny)
Re:Java version anyone? ... (Score:1)
Re:Does this work?--OFFTOPIC (Score:2)
Something to do while collegebums.org is down (Score:2)
OOTC: I recall intentional buffer overflows and similar hacks in FORTRAN from 25 years ago. I suppose it's good Pascal was never used for a system language, the language definition has array bounds checking built-in. OTOH, pointers can point to anything (IIRC it's calle