# What is a Buffer Overflow?
Let's start with this terminology that 'I think' is the best known in the environment, and by the newbies. Although I think some people also try to expose the subject as a complex concept and it's really all the reverse, you'll see ..
A buffer overflow, means having a full glass of water, butt and then grabbing the water jug, pouring water in that butt glass .. what would make this poor glass of water, is Overflow because it has a limit of capacity to contain such water.
The same thing happens in memory .. it consists of writing data to a buffer above what can contain this as a limit. Let's see an example in c with a "misuse of strcpy", we believe our mini soft vulnerable
Code: C
// Testing Buffer Overflow in HDL
#include <stdio.h>
#include <string.h>
void BufferVulnerable ( char * value ) { // we create our buffer
char buffer 40 ; // as it is a test we simply limit to 40
strcpy ( buffer , value ) ; // copy what is entered into the buffer
}
int main ( int argc , char * argv ) {
if ( argc ! = 2 ) {
printf ( "To use: ./buff characters \ n " , argv 0 ) ;
return 0 ;
}
BufferVulnerable ( argv 1 ) ;
return 0 ;
}
#We compile with GCC.
mohamedx @ kl: ~ / Desktop $ gcc buff.c -o buff
And we execute ./buff `perl -e" print 'O'x100 "`
(the invocation of perl that prints 100 times the letter O, is not to write more of 40 times a character manually, although they can do it quietly, ./buff 00000000000 .... and so up to a considerable load of characters above 40 bytes) but they think that in a real application they will have to enter more than 1,000 bytes generally and it is a pain to do it manually.
Well to execute we returned "Segment Violation" and that is what interests us !.
This is because the buffer was defined by the programmer with a maximum total of 40 and if logically we get 100 when invoking perl,
As this is simply to understand the concepts, the action will do later .. ;)
# What is Heap Overflow?
Well once we have knowledge about the Buffer Overflow or understand what it is really about .. we can say that the HEAP OVERFLOW is a derivation of the BOF, but this has the characteristic of occurring in a certain area of ??memory called HEAP.
This term means a 'monton' / 'portion' of memory or also known as 'dynamic memory' or 'monticulo'.
When running a program the OS the first thing to do is to copy and paste all the code of the program into a zone of memory that is empty / free in addition to reserving extra space for the execution of said program:
- Between that extra space, there is a data zone where the global variables and constants will be stored.
- A zone for the call stack or stack calls where it stores the parameters of the functions, local variables, and return values ??...
- And a zone for the dynamic memory HEAP which is the memory requested for the execution of the program .
Let's look at an example of a simple Heap Overflow:
Code: C
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int main ( int argc , char * argv ) {
char * bufferA = malloc ( 40 ) ;
int * access = malloc ( sizeof ( int ) ) ;
- access = 0 ;
strncpy ( bufferA , argv 1 , strlen ( argv 1 ) ) ;
if ( * access ! = 0 ) {
printf ( "Overflow! \ n " ) ;
} else {
printf ( "Nothing happened \ n " ) ;
}
return ( 0 ) ;
}
#We compile:
- gcc heap.c -o heap
And we execute the following way ./heap someValor
In response we get "Nothing happened" ..
As we see the program asks for a data that will be entered by the user whose memory was reserved with malloc ().
But logically we see that it asks for 40 bytes of reserved memory and if we invoke perl again and enter several characters that go beyond the reserved memory let's see the result.
./heap `perl -e" print 'O' x100 "`
And we see what answers we want to see. : D
To finish, I explain the third terminology known as Stack Overflow, I hope I do not bore them.
# What is the Stack Overflow?
The first thing we have to deal with is the term "stack", this term comes from "PILA". Clearly like the Book Stack, where all the books are mounted one above the other and forms a stack ... well that's .. we can also think of it as a LETTER MAZE, which all the letters are stacked .. and the mode of access to these letters is what is known in English as LIFO -Last in first out- / Last entered, first exited. Well ... imagine that it is a deck of cards, where the sword width we put it above the stack, and then to access a card under it, we first have to draw the sword width and then remove if the second card from the pile
This will surely be seen in the future with an assembler course that we have in mind with snf, but at the moment, I'm satisfied that they know that a stack, a stack, is nothing more than a data structure, stacked one above the other and to use the 2nd position we must first remove the first one ...
Well then I will explain in which the stack overflow consists of an example similar to the previous one I suppose that already imagine it knowing the concept of overflow.
To the same glass of water of limited capacity and butt, we charge more water? result? Overflow ...
Let's see this code:
Code: C
#include <stdio.h>
#include <string.h>
int main ( void ) {
char buffer1 16 , buffer2 46 ; // declare 2 buffers the 2nd largest one.
memset ( buffer2 , 'Z' , sizeof ( buffer2 ) - 1 ) ; // fill in 45 times with Z
strcpy ( buffer1 , buffer2 ) ; // copy the buffer2 with the Zetas, to the buffer1
return 0 ; // return 0
}
Well, as always, we compiled with our beloved GCC
$ gcc ac -or
then run:
$ ./a
The much-prized 'Segment Violation' has appeared.
Clearly it appeared because when we copy the contents of buffer2 to buffer1 this overflows of information, since it only has a limit of 16 places ... and buffer2 a container of Zetas: p.
Well, the question now is once that overflow ends there? ... the answer is clearly that it depends on our objectives NOT !.
Let's say we talked a little about the STACK / PILE of the system and we said that this could be imagined as a deck of cards! or a pile of books. Well .. suppose we have something like that relating to the code overflowed.
STACK ............................ buffer2 contains the ZZZZZZZ ....
STACK .......... .................. buffer1 at the moment this is empty, we still do not copy
And below are the EBP & EIP records with certain values ??...
Now once the strcpy is executed, we would have a panorama like this in the stack.
STACK ............................ buffer2 (45z) zzzzzzzzzzzzzzzzzzzz ...
STACK .......... .................. buffer1 zzzzzzzz zzzzzzzz zzzzzzzz and those left over fall into ebp & eip
STACK ................ ............ now are worth EBP = 0x5A5A5A5A EIP = 0x5A5A5A5A
Valen 0x5A5A5A5A because each address is 4bytes and 5A in hexadecimal is Z.
This happens because as the buffer1 did not have capacity to so many rains of Zetas, it passed the limit and overwritten these two records that name.
EIP is a record that contains the address of the instruction that the program will return at the end of this ... then the program overflows and when the Z drops into the EIP register, this at the end tries to execute what is in 0x52525252
but how there is nothing, we throw the famous Segment Violation.
Let's check with an example with my friend Ollydbg aver what happens and what movement does:
When running it, and stop at the strcpy function we see what happens at the register
We see how now EBP and EIP become valid Z ie 0x5A5A5A5A
There we have a clear picture of what the BAT is. And we also see how it is overwritten by the inserted Z's.
And if we see the directions of the dump, there it shows the zetas in their respective positions in memory.
I hope it has helped you get started with overflow concepts.
Regards, any queries, are free to do it!
greetings :
Be the First to Respond
Share Your Thoughts