Forum Thread: Buffer Overflow That Is How It Is Produced?

Well long since I did not leave info, and as I see that this is very poor I'm going to start putting some of the texts that I think they should read and stop reading how to hack hotmaily those things, we go to what is the informaic and the hacking in itself explained simple as always, here I leave a good text for you to understand that it is a buffer overflow or stack overflow.

Buffer overflow explained

Undoubtedly many of you have heard of a vulnerability based on a buffer overflow but it has not become clear to you that it means exactly this.

In general, when such news appears they are usually associated with the term "arbitrary code execution" which is, in fact, the real problem. Let's look a bit more deeply into what a buffer overflow vulnerability means and what it implies.

First, the word overflow comes from English and means overflow (in fact there is the term buffer overflow in Spanish, but like many other things, it is much more common to hear the English term). What does this mean? For neither more nor less than its name indicates, we have a buffer whose capacity has been overwhelmed.

In most programming languages ??a buffer refers to a pointer to reserved memory that has a certain size, if we try to insert data larger than the buffer, it overflows.

We might think that when this happens an exception is made and ready (and in some languages ??this is exactly what happens) however in most languages ??it does not happen, with generally disastrous results.

Suppose the following code fragment in C

void MyUserConsult ()
// We reserved 20 characters for the filename
char fileName 20;
printf ("Enter file name \ n");
scanf ("% s", fileName);
printf ("You typed% s", fileName);

Obviously at this point for those who have programmed something in C or C ++ should be skipping all alarms, but since this is an example well serves to illustrate the case.

The problem that we find here, of course, is what happens if the user gives you to enter more than 20 characters? It seems like an easy question but it is not at all and most of the vulnerabilities found today belong to this "type" of error (without going further the relatively recent vulnerability of Microsoft's GDI + was a variant of this type of error). Obviously our buffer is going to overflow but what consequences does that have?

To understand the problem we must understand that it is happening internally (at the machine code level) when we declare the previous code segment. Basically (I do not want to go into details because they would give for several articles) there are two main "areas" of memory in a program, the stack or heap and the heap in Spanish but the term is never used. The stack is, as its name implies, a memory stack in which data is stored and retrieved incrementally, ie the last inserted is the first thing to recover.

Among the things that are stored in the stack is, on the one hand, the declaration of local variables, that is, those that are ascribed to the scope of the function in progress. In this way the char declaration fileName 20 reserves space for 20 characters in the stack. Another of the things that are stored in the stack, and here's the important point, is the return address of the function, as well as the return value. This way, the scheme of the stack when we arrive at the scanf is the following:


Now we will see what would happen if we introduce more than 20 characters in our buffer. In the first place, these 20 characters would be filled in, then the return value of the function would be overwritten, and finally (or my god) the return point of the function would be overwritten. Do you see the problem?

I explain, if we override the function return point, when the execution pointer reaches the return the compiler will unscrew (and discard) the 20 characters reserved for the buffer, then it will get the return pointer (since our function does not have return value) but here it is that the value is no longer the original but has been overwritten. This means that with a little ingenuity and patience we can skip the execution of the program to any point in the memory we want, including code that we have prepared ourselves. To do this, it will be enough to calculate where the return value is (or not) and also, in our input enter the code (in hexadecimal with the corresponding machine codes) that we want it to be executed.

This is a glance over how to exploit the vulnerability when the overflow occurs in the heap, although it is also possible to exploit it when the data is located in the heap (although in this case it is more difficult).

greetings ....

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active