Buffer Overflow Attack
I remember when I was at University and I studied the “Computer Introduction” and “Operating Systems” subjects. I learnt about registers and how computers use them. I learnt about assembly language. I learnt about Little-Endian and Big-Endian. When I was studying these subjects, I just wanted to pass my exams. However, I realise this knowledge is useful to discover vulnerabilities. It’s also useful to understand attacks such as Buffer Overflow attacks. These knowledge which I learnt 14 years ago is still useful and it’s the basis of new vulnerabilities and attacks.
If we want to understand how Buffer Overflow attacks work, firstly, we have to understand how the memory is segmented and organized, secondly, why the registers are used and what they are used for, lastly, how attackers take advantages of Buffer Overflow vulnerabilities to take control of computers. If we have these knowledge, we will be ready to discover this kind of vulnerabilities and we will also be ready to develop exploits. However, this is not easy because there are different CPU architectures to take into account and there are increasingly security protections such as ASLR or DEP.
The memory model for an x86 Processor is segmented and organised from higher address to the lower address where the stack is at the top of the memory and the program code is at the bottom of the memory. On the x86-32bit architecture there are 8 general purpose registers that are used to store data and address that point to other positions in memory. The most important registers for Buffer Overflow attacks are ESP, EBP and EIP. The first one, ESP, tells us where on the stack we are, thus, the ESP register always mark the top of the stack. The second one, EBP, points to the base address of the stack. Finally, the EIP register contains the address of the next instruction to read on the program, thus, points always to the “Program Code” memory segment.
When we are developing applications, we can use functions like strcpy, gets, scanf, and others. If we call these functions without previously limiting the buffer, we can allow the program writes out of the buffer. For instance, if the parameter value is higher than the memory buffer space, the EIP register could be overwritten by the parameter value. Obviously, the program will crash and it will stop because the CPU doesn’t know where is the next instruction to read on the program.
What an attacker does to exploit a Buffer Overflow vulnerability? Actually, the attacker writes the address of a malicious code in the EIP section. In other words, the attacker overflows the buffer to write into the EIP section the address which points to the exploit.
However, a Buffer Overflow attack is not so simple. There are some problems. First, we don’t really know where the address of the EIP register is located. Second, we have to capture the ESP value when the buffer overflow exception occur. Third, there are some values that could cause a problem if the address of ESP contains one of this bad characters. Of course, these problems can be resolved. The first one can be resolved sending a unique pattern of characters to find the offset position in the original string. The second one can be resolved using any Disassembler/Debugger. The last problem can be resolved sending all the characters (from 0x00 to 0xFF) and monitor manually with a Disassembler/Debugger thus when a bad character is sent, the string sent is truncated just before the bad character revealing one of the bad characters
Regards my friends. Maybe, this is a very technical post. I've obviated many things. I’ll try making a video.