How To Conduct Your Very Own Buffer Overflow

Adam writes "If you've ever wanted to create your own buffer overflow or just to see how one works, check out this tutorial. The article talks about how a buffer overflow works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about an exploit that takes place thanks to a buffer overflow, but what is a buffer overflow? By definition it is when a program attempts to store more data in an array (buffer) than it was intended to hold, thus overwriting the return address of the function. To show how this is actually done, I'll explain how to do a simple attack on a fairly small program."

Once again, Zonk lowers the bar.

Zonk posts a story from a submitter that wrote the page being submitted for the story, who, as it turns out, blatantly plagarized the content from Bryant and O'Hallaron's Computer Systems book.

As a matter of fact, on the webpage itself, the very first response to the post calls Adam out about this, but apparently, it is still suffficiently 'news' to merit posting here.

Way to go, Zonk...once again, you've lowered the standard.

Re:Once again, Zonk lowers the bar.

This was corrected in the article; "-o tells gcc to compile the file".

Someone should probably finish CS101 before writing tutorials....

Re:Once again, Zonk lowers the bar.

[reynaert]

The standard text is still Smashing The Stack For Fun And Profit, I think.

Re:Once again, Zonk lowers the bar.

[thundercatslair]

Lowered? I didn't think that it could go any lower.

Re:Once again, Zonk lowers the bar.

That's what I thought, but Zonk just keeps on surprising us.

Re:Once again, Zonk lowers the bar.

[grazzy]

Yeah, where all the REAL hakz0rz learnt their skillz.

Re:Once again, Zonk lowers the bar.

Mods should have the guts to mod the parent insightful. Speaking up is the only way to prevent our favorite reading forum devolving into a tool for people to drive hits to their websites. I come to /. because I can depend on it doing the filtering for me. If the standards are lowered here, I stop visiting and so will others. For those who say "just don't read it if you don't like it," you're missing the point--the beauty of /. is that we can come here and be assured of a quality read, not a vast dumping ground that we then have to further sift. When abusers like Roland Piqupaille (or whatever his impossible last name is) or this guy (who cribbed it from a book) can make Slashdot do their bidding, we all lose.

Re:Once again, Zonk lowers the bar.

[Dun+Malg]

Lowered? I didn't think that it could go any lower.

This is further proof that, even if you've already scraped the bottom of the barrel, if you look under the barrel...

Re:Once again, Zonk lowers the bar.

[NanoGator]

"Way to go, Zonk...once again, you've lowered the standard."

Slashdot doesn't even report the stories. It just links to them. What 'standard' is even getting lowered? I hope you don't mean journalistic. If Google linked to that site instead of the original source first, would that be some lowering of standards, too?

Re:Once again, Zonk lowers the bar.

[wan-fu]

Read this comment.

Re:Once again, Zonk lowers the bar.

pwned

Re:Once again, Zonk lowers the bar.

[frakir]

There is one old but nicely written buffer overflow tutorial at
http://www.cultdeadcow.com/cDc_files/cDc-351/essen ce.html

Re:Once again, Zonk lowers the bar.

[some+guy+I+know]

I didn't think that it could go any lower.

And yet, you not only read and post here, but you actually took the time to register an account.

News?

[American+AC+in+Paris]

Look, this may be useful information, but it's not even remotely newsworthy. It's a freakin' intro-level homework exercise.

What's next, "How To Conduct Your Very Own Segmentation Fault"?

Re:News?

[chrism238]

Agreed; and it's overly simplistic to say "... it is when a program attempts to store more data in an array (buffer) than it was intended to hold, thus overwriting the return address of the function." Just overflowing a buffer may not make any change to a return address - else nearly every off-by-one programming error would be disastrous.

Re:News?

[hoka]

Seriously, buffer overflows are not only simple attack vectors, there are multiple ways to deal with them (hardware and software). All the hardened distros I know of use something to prevent it (Active Bounds Checking, Stack Smashing). What people really need to be aware of are things like SQL injection attacks, Cross-Site Scripting attacks, social engineering, and people should also know how to configure their machine to limit data penetration once the user is inside (ACLs, Chroots, jails, etc). I suppose I can't be all that mad, since most people really don't understand attack vectors in the first place, let alone how any one vector works.

Re:News?

[IainMH]

Look, this may be useful information, but it's not even remotely newsworthy. It's a freakin' intro-level homework exercise.

Hey hang on there horsey. This is a good article. Why shouldn't it have a place here? If you don't want to read it, don't read it. /. is a place were news and more importantly and community convenes to learn a little bit more each day about our (nerdy) world.

I for one enjoyed this article. Don't complain if some article don't conform to your expectation of what you think /. should be.

Re:News?

[IainMH]

Yer eejit. Would you use the 'Preview' button next time. Would you just *look* at the construction, spelling and grammar.

/too much wine at dinner.

Re:News?

[Guitarzan]

Ya, we need a machine that can stop people from hacking into it via social engineering.

Re:News?

[Otter]

This is a good article. Why shouldn't it have a place here?

No, it's literally an intro-level homework exercise. It's a code snippet copied out of a textbook.

Re:News?

[ajs]

Hmmm... how to construct your very own SEGV, eh? ... well, I guess "kill -SEGV $$" is a bit obvious.

How about

perl -le 'print unpack("P","\0\0\0\01")'

Good enough? ;-)

Yeah, I know. You're wondering, "why that trailing 1"? It's because Perl explicitly checks for the boneheaded maneuver of dereferencing NULL in an unpack and prevents it. Of course (as the docs point out), there's not much it can do to prevent you using this particular tool to shoot yourself in the foot.

Re:News?

[telstar]

What's next, "How To Conduct Your Very Own Segmentation Fault"?

• nope .... "How to Slashdot a webserver."

Re:News?

[lart2150]

What's next, "How To Conduct Your Very Own Segmentation Fault"?

your right we all know how to boot windows

Re:News?

[evilrip]

Uhm , if all the hardening make the distros so secure, why are they still getting owned via one or another variant of the buffer overflow (stack or heap based, overflowed, underflowed, integer manipulation, etc). Although I agree that the point of entry often is via other types of attacks when the attack is happening from a remote location and not locally, say like php-code injection, sql-manipulation, perl fun, etc. The x86 especially has poor protection from attacks of the buffer overflow kind as most protection is software based, which is really a failed approach. That said, make no mistake and think that a cpu with a no-exec bit for writeable pages or similar will make you entirely safe either. The x86 isn't alone about this problem but it sure is amongst the most vulnerable to it. Thankfully, exploiting buffer overflows is becoming harder even on the x86(depending on OS, hardware, etc), but it's still far from immune. This was alotta text to waste just to say what others have said time and time again before me. And everyone knows about the legendary phrack(p49 article 14) article by alephone that beat this one by what, 9 years?

Re:News?

[SirSlud]

> social engineering

Bingo. I mean, assembler level hacks are cool, and I'm sure are useful for well funded attack networks, but I'm pretty sure that social engineering hacks are easily your best bet.

Or just the direct blackmail route, which a recent article pointed out was a very difficult attack to fight.

I just think its cool. I'm a typical good C programmer without much background in the lower languages and workings of hardware. It's interesting to see the thought processes that goes into these things.

I expect a few yawns on such an old topic, but hey, /. isn't a school, its a hobby. I do what I do well, and /. has been a decent place for many years for nerds to read nerd stuff outside of their own areas of expertise.

Re:News?

[aluser]

golf!

perl -e%::=1,//

Re:News?

[TFGeditor]

Odd. The more "sophisticated" programming languages have this problem, but old, "simple" stuff like BASIC generates an error and halts execution (or enters an error-handling routine) when an array overflow occurs.

"Progress," a curious thing, indeed.

Re:News?

[hoka]

It's all about power. Try buffer overflow in things like Python or Java. They don't exist in the same context (a VM can be vulnerable but these are few and far between, ie pyxmlrpc). Being able to directly access, manipulate, and hack at memory is a long standing pro to C/C++ and other low level languages. Without it, Kernels and other optimizations would be impossible. It's something that we "just have to live with", and should take into consideration when writing software.

Re:News?

[TFGeditor]

"It's something that we "just have to live with", and should take into consideration when writing software."

The "take into consideration" bit is what separates real programmers from hacks.

Re:News?

[petermgreen]

i don't think serious coders ever really used the likes of basic

also unless the compiler is very good at optimising stuff things like array bounds checking are going to carry quite a high penalty. Not to mention it doesn't work too well in conjunction with C's idea that pointers and arrays are more or less the same thing.

the real issue is that C doesn't really have a language level string type (afaict C++ doesn't either but C++ has features that allow you to create one that seems like a primitive to the user) so it has to be done manually with pointers and helper routines which can be error prone to say the least.

Re:News?

technically we call it a slashdot overflow..

Re:News?

[NanoGator]

"Look, this may be useful information, but it's not even remotely newsworthy. It's a freakin' intro-level homework exercise."

Given that Slashdot frequently refers to buffer overruns, why is it such a sin that they link to a story that explains them in more detail? So it won't be on CNN, whoop-de-fuck.

Re:News?

How about a new /. rule where whenever someone posts a perl script, they have to translate it into something people who don't think in punctuation can understand?

Re:News?

^+5!:)

Re:News?

[StuffJustHappens]

I'm waiting for "NOPs for fun and profit"

Re:News?

[Barryke]

When opening the article:
linky

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Its /.o'd

Re:News?

[he-sk]

I agree. Reading Perl code is harder than reading Assembly!

Re:News?

[dustman]

The x86 is particularly vulnerable to these attacks for two main reasons:

A) Until recently, there wasn't a no-exec flag which could be set on a page of memory.

B) On x86, the stack grows *downward*... This means that when you copy past the end of your local stack frame (like, when you do an unchecked strcpy), you will overwrite the return address. Buffer overflow attacks do this so that they can make the execution jump to an arbitrary location. If the stack grew upwards, then you would just trash your local stack frame and unused stack memory.

Re:News?

[ajs]

"How about a new /. rule where whenever someone posts a perl script [...]"

How about a new /. rule where whenever someone can't tell the difference between a script and a one-liner, they aren't allowed to use a keyboard?

Hmm

[Dante+Shamest]

Is the tutorial correct?

It doesn't seem to wo----

Tutorials?

Tutorials are for wimps.

Real men create buffer overflows by accident.

Re:Tutorials?

[chucks86]

I accidentally created a tutorial once...

Re:Tutorials?

[pasv]

Really?
I dunno I think it be better put as:
real men never get buffer overflows.

3 non-executable stacks or grsecurity patches.

Re:Tutorials?

Real men create buffer overflows by accident.

Looks like Microsoft is a frequent subscriber to this idea

Re:Tutorials?

[mOdQuArK!]

Real Men pass arguments by buffer flow!

Re:Tutorials?

[Loki_1929]

Wimp.

Re:Tutorials?

[fbjon]

Real Men log in by using creative buffer overflowing instead of wimpy user/pass combinations. Real Men use buffer overflows just to write to disk.

Real Men flip out regularly and buffer overflow just for the hell of it, because they are sooo cool!

Once I heard that this wimpy guy dropped a teaspoon, and this Real Man like totally buffer overflowed him, right there on the spot!

Buffer Overflows are totally sweet.

And that's what I call real ultimate power! Check it out, it's totally sweet!

There are enough people who know how to do this

What we need are more and better ways of providing defenses against them.

The Tao of Windows Buffer Overflow

[nweaver]

Another good reference is the Tao of Windows Buffer Overflow by the Cult of the Dead Cow. A very detailed explanation how to exploit stack overflows on Windows.

Re:The Tao of Windows Buffer Overflow

[zerojoker]

and don't forget Smashing the Stack for fun and profit

Oh good

[Evets]

Now buffer overflow exploits can be written by everyday common script kiddies now that there is this wonderful tutorial featured on slashdot.

Expect a flood of security patches in the next 30 days, and a strong new virus in the same time frame.

Re:Oh good

[chrism238]

By their nature, script-kiddies won't bother reading TFA and writing such an exploit. By their nature, they just download and run them.

Re:Oh good

[CainMcDougal]

It would get the ball rolling at Microsoft to finally patch those holes.

Fun and Profit

I agree,

If anything, one should use this classic text:

http://www.shmoo.com/phrack/Phrack49/p49-14

Heh.

[Renraku]

Just when you thought it was safe to leave your buffer uncapped.

Why not just look at this?

This even has great source code and explains the theory quite well.

http://www.gergltd.com/IATAC-BufferOverflowExploit .pdf

Re:Why not just look at this?

This is good too, generic examples for many OSs

How to use a memory bounds checker?

[joelparker]

... if you have recommendations or pros/cons, reply to this...

Re:How to use a memory bounds checker?

i have a recommendation: go back to school loffle

comments...

[natron+2.0]

did anyone else notice the comments on the site regarding the blog, how can you take a site seriously with comments like that...

(oh, and no I do not take /. seriously)

Re:comments...

[nizo]

The best part is reloading the page and watching the counter at the bottom get higher and higher as the slashdotting gets closer and closer.

Re:comments...

[plover]

heh, your post is probably causing a bigger slashdotting than he'd otherwise suffer from. For example, in the 8 seconds I reloaded before getting bored to tears, I watched the counter climb 50 hits.

I wonder how many people are going to attack his hosting provider now? :-)

Re:comments...

(oh, and no I do not take /. seriously)

You must take /. seriously, if only because 1 minute after the notice was published, a slashdotter give the truth about it. Only 1 minute. Good mark.

I can confirm that this works

[joshv]

It definitely works, I just compil..0xdeadbeef

Re:I can confirm that this works

[mekkab]

0xdeadbeef

POWER Chips represent-sent!

Buffer Overflows

[joeytsai]

The best article about buffer overflows is the well-known "Smashing the Stack for Fun and Profit" by Aleph One in Phrack. Here's the first link google gave me.

Everything else (like this article) pales in comparison.

Re:Buffer Overflows

[sirket]

I was about to post this- I'm glad to see I'm not the only one who remembers probably the best article on this ever written.

-sirket

Re:Buffer Overflows

[Stalyn]

I'm sorry but the article you mention is not within the blogosphere and therefore meaningless to today's society. Please either contact this "Aleph One" to create a blog and post his/her article there or remove it from your message. Thank You.

Re:Buffer Overflows

I'm not logged in but I wanted to say that you are awesome.. I will remember to mod this up later today when I'm logged in with mod access.

Re:Buffer Overflows

Aleph One's article is certainly worth a read, but it's getting dated. Read Nergal's article on return-into-libc attacks too, that one doesn't pale in comparison. The traditional code-injecting technique doesn't work on modern systems, like Fedora Core, only on Windows, Debian et al..

Thank you but...

[frank_adrian314159]

I can overflow buffers quite well on my own without any help.

Another article.

[zymano]

Great article on countering buffer overflows.

Re:Another article.

Another good one, same site. It is a four part article that does a decent job of showing how it works.

This definitely isn't a news story, though.

No Guide Needed!

[ThisIsFred]

Just teach yourself C! You'll discover every possible way in which things can go wrong, and in no time at all.

Re:No Guide Needed!

[jericho4.0]

Heh. It's funny 'cause it's true.

fun and profit

Didn't Aleph One describe this years ago?

the author of it thinks -o means to compile

[mrterrysilver]

the author of the article states: "-o tells gcc to compile the file"

but fortunately he didnt write the example, its taken from Bryant and O'Hallaron's Computer Systems.

Doesn't Java fix this?

By imposing array bound checking at every operation? I know that the check is redundant for a tight linear algebra loop that is obviously bug free, but I think that I'm in a position to mandate that all these people take the penality hit just because I like the idea of imposing my view on people that are smarter than me. Oh yeah and mandate training wheels on all bicycles too.

Re:Doesn't Java fix this?

[BlurredWeasel]

yes java fixes it, and if you are doing hard core math compuations, you probably don't want to use java. But if you're writing generic software for people, java isn't the worst you could do. It can be more productive than C with fewer fatal bugs (simple things like buffer overruns).
And yes, forcing people to accept runtime checks is a good thing if it reduces severe security bugs.
Once again, go program C if thats what you like, the rest of us will keep up with what computers and languages have to offer us.

Re:Doesn't Java fix this?

[Crouchy]

Why does java not do hard core Maths?

You may want to look at the following articles:

http://www.cs.utk.edu/~dongarra/lyon2002/Pozo.ppt

http://www.ukhec.ac.uk/publications/tw/hpcjava.pdf

From these articles there is a small performance gap, but it doesn't seem that great.

Re:Doesn't Java fix this?

[owlstead]

Java fixes this foremost by not allowing pointer arithmetic. You can program some structures better with goto statements as well, but there is a good reason why they are gone. Pointer arithmetic is the next goto statement. It can be usefull, and sometimes it is difficult to do without (ie embedded or kernel level programming).

99 out of a 100 you don't pointer arithmetic, and 5 times out of a hundred it will introduce a hard to fix runtime error. Experienced programmers should only be allowed to do it, if it wasn't for the fact that everybody things he/she is one of those.

And yes, all arrays and strings are checked.

Re:Doesn't Java fix this?

Java doesn't do math because there is a problem where higher precision numbers used in certain arithmatic operations, will actually produce lower precision answers. It doesn't happen all the time, but one of my profs explained the issue to us (and sun not caring to fix it) and he came up with an assignment where we actually saw this bug in action (not the purpose of the program, but interesting that we happened upon something that would cause it).

How to exploit a buffer overflow in windows:

[GNUALMAFUERTE]

1 - Choose random windows version.
2 - Choose random exe or dll that cames with the OS.
3 - Choose a random base address.
4 - Write your code
5 - ???
6 - Profit!

It's like trying to throw a rock to the floor, you just can't miss ;-)

Re:How to exploit a buffer overflow in windows:

[CypherXero]

I live in space, you insensitive clod!

Hey everyone....

[ImaLamer]

You've Been Zonked!

now back to work...

Smashing The Stack For Fun And Profit

[bajan_on_ice]

Read what I consider the seminal hacker work on this subject by Aleph One over at phrack.org

http://www.phrack.org/show.php?p=49&a=14

A little on the detailed side, especially the gdb stuff, but a GREAT article.

Re:Smashing The Stack For Fun And Profit

Amen to that...

Re:Smashing The Stack For Fun And Profit

[Mac+Degger]

WTF? Now we're even /.-ing articles not in the submitted story?

I sure hope this dude 'Aleph One' isn't a hacker, 'cos he's bound to get mad after you guys kill his server.

MOD PARENT UP

[wan-fu]

This kid is just trying to drum up visitors to his site. The site itself is pretty much devoid of content and the code is taken without citation.

Re:MOD PARENT UP

[HikeFanatic]

The web site got /.'d fast. This is what I see now. I love explanation #2. Just comical.

If he wanted traffic to his web site, he got it! As the saying goes, "Be careful what you wish for".

Account Suspended
Your account has been suspended for 1 of 2 reasons.

1. Your bill is over due. In this case please email billing@vizaweb.com

2. You account what causing a problem of some sort. In this case please contact CustomerCare@vizaweb.com

Re:MOD PARENT UP

[jayloden]

Any idea who the kid is (last name, etc)? I'm just curious because I maintain an anti-virus tool, and one of the virus writers whose crap I remove is named Adam, and it'd be a kind of funny coincidence if it was the same Adam, especially as I got an email from a script kiddie today defending how "leet" the guy is.

-Jay

Re:MOD PARENT UP

Holy Crap!

I know an Adam!!! I'm gonna' turn him in for both plagerism and virus writing!

New Logo?

[CypherXero]

Slashdot: News for ScriptKiddies. Stuff that doesn't matter.

Here's a sample...

[pg110404]

#include
#include <string.h>

char bigBuffer[4096];

void overflowMe();

main()
{
memset(bigBuffer, 0, sizeof(bigBuffer));
overflowMe();
}

/* this function should never return, in fact it
should/might SIGSEGV as the return address will be esentially reset to IP=0x00000000 */
void overflowMe()
{
char localBuffer[256];

/* deliberately copy from a larger buffer to a stack segment buffer more than it can hold */
memcpy(localBuffer, bigBuffer, sizeof(bigBuffer));
}

Re:Here's a sample...

[HyperChicken]

There's a security bug in your code.

Re:Here's a sample...

[pg110404]

There's a security bug in your code.

Yeah, I know. Here's the patch

#include <stdio.h>
main()
{
}

Re:Here's a sample...

[HyperChicken]

Oh thank god. For a second there, I thought I was getting hacked!

Re:Here's a sample...

Wow! 10 minutes from bug released to patch released.

That beats even microsoft.

Re:Here's a sample...

[Beatlebum]

All you've done is overflow the stack, you could have actually achieved the same effect with one line of code. In any case, you've missed the point. The hard part is not overlflowing the stack, it is changing the instruction pointer to the address of the malicious code passed in the buffer. The prefered way to do this is do find a jmp csp in the kernel and overwrite the return address with its location. It will then pass control to the code at the stack pointer- the code in your buffer.

Re:Here's a sample...

[pg110404]

In any case, you've missed the point.

Actually I didn't miss the point. I could have made a far more elaborate program that actually did demonstrate that very fact, but I didn't want to spend 20 hours writing the damn thing then post 20 hours later when everybody else moved on.

If you look at the memset before the function call, I set the entire 8k buffer to zeros, and then when I call overflowMe(), I copy 8k - 256 bytes beyond the 256 byte local buffer, extending well past over the return address. A fact that I even commented at the start of the function. That the return address is reset to 0x00000000.

The purpose was not to actually give a working example of a successful exploit but to give an example of how it could be done.

I know full well that I what I need to do is to put the machine code for the 'malicious' code in the actual buffer and to keep overflowing with nop instructions for the proper number of bytes so the final 4 bytes I copy into that overflowed buffer on any intel 32bit processor will align with the return address from that function and if it is set correctly by taking into account the proper stack trace, can be known beforehand and thus when the function returns, it resumes execution of code at the start of the buffer that you overflowed.

That point was not lost on me.

Re:Here's a sample...

Actually I didn't miss the point. I could have made a far more elaborate program that actually did demonstrate that very fact, but I didn't want to spend 20 hours writing the damn thing then post 20 hours later when everybody else moved on.

If that's the case, why did you type such an elaborate version of something that can be done so much more briefly?

Re:Here's a sample...

[Beatlebum]

Actually you don't get it. You said

"I know full well that I what I need to do is to put the machine code for the 'malicious' code in the actual buffer and to keep overflowing with nop instructions for the proper number of bytes so the final 4 bytes I copy into that overflowed buffer on any intel 32bit processor will align with the return address from that function and if it is set correctly by taking into account the proper stack trace, can be known beforehand and thus when the function returns, it resumes execution of code at the start of the buffer that you overflowed."

That's incorrect. Overwriting the returns address will not resume execution in your buffer because you don't know beforehand the value of the stack pointer at the point at which the function is called, so you do not know the address in memory of your buffer. The solution is to find code in memory that contains a JMP ESP instruction, fill in the address of this instruction and the function will return to JMP ESP which then passes control to your buffer code.

Try searching for a JMP ESP in the kernel, last time I tried I couldn't find on. That's because Microsoft have patched all occurences. I haven't tried this for a while though.

Re:Here's a sample...

[pg110404]

If that's the case, why did you type such an elaborate version of something that can be done so much more briefly?

Why don't you write one then? My program demonstrates a function being called and overwriting a stack buffer. Upon return from that function, the stack being corrupted jumps to an arbitrary location. Specifically an address that was part of the data that overflowed the buffer. To get the address right, it would be more complex than what I provided.

Re:Here's a sample...

[peachpuff]

"In any case, you've missed the point. The hard part is not overlflowing the stack, it is changing the instruction pointer to the address of the malicious code passed in the buffer."

No, you've missed the point. The hard part is writing code that doesn't fall victim to an overflow. Fill bigBuffer from stdin before calling overflowMe(), and you've got a sadly realistic example.

Re:Here's a sample...

[pg110404]

Actually you don't get it

You're the one who didn't get it. JMP ESP if it actually exists is technically an invalid instruction that should NEVER be used.

What that does is to run code specifically found on the stack, and if we step into the way-back machine, in the 8088 days, you had 4 segment registers DS (data segment), ES (extra segment), SS (stack segment), and CS (code segment). The compiler segregated the program into 3 and sometimes 4 separate segments and went out of its way to make sure it didn't execute code on the stack. The data segment, the code segment and the stack segment are separate areas in memory for a reason. The stack is specifically designed to be transient grow and shrink when the program runs. The code segment is determined by the compiler and remains static forever. The data segment like the stack segment is designed to have the data change as the program runs, but unlike the stack, is allocated specifically by the compiler and any given address of the data segment will always refer to one specific thing. The stacks are never allowed to mix or shift if the compiler can help it or you get nasty crashing.

Therefore, the stack pointer is never SUPPOSED to point to valid code, ever which makes JMP ESP an invalid instruction. Anyone who uses it deserves buffer overflows and thus, in an otherwise sane world, your JMP ESP example is false.

which explains why........

Try searching for a JMP ESP in the kernel, last time I tried I couldn't find on[e]

Re:Here's a sample...

Wow! Four lines of code and a total of two bugs!

o Implicit return type of int -- deprecated in c99. The only valid return value type from main() in a hosted environment is int, so this isn't so serious. But it will cause problems for future compilers and consequently, maintainers.

o Despite specifying that the return type is int, you've not actually returned a value. main() MUST return a value. It is acceptable that you "return" a value with exit() but don't forget to include stdlib.h.

This may all sound pedantic but if you can introduce two bugs in just four lines we can only imagine the horrors you'll introduce in any larger program. I'm not going to mention that you've included stdio.h for no good reason because that's just a style issue. Needless to say however, that it hints at a very poor understanding of the C language and suggests to me that you included it because you're not sure what it does.

Please pick a language that tolerates a lasez-faire style of programming. Python is good or Java. But please don't code in C if you're not prepared to learn it. I'm being serious, there is too much code out there written by people who think they know the C language. All that can come of this is exploits galore.

Don't feel too bad though, C (and C++ come to that) is hard and now-a-days should only be a tool for the most serious programmer who needs the level of control C offers.

Re:Here's a sample...

Your program invokes undefined behavior.

You should have written int main(void) { return 0; }

Re:Here's a sample...

[Sir+Codelot]

If you look at the memset before the function call, I set the entire 8k buffer to zeros, and then when I call overflowMe(), I copy 8k - 256 bytes beyond the 256 byte local buffer, extending well past over the return address.

Hate to nitpick, but that was a 4k buffer.

Further, is zeroing a global array necessary? I thought global variables are implicitly zeroed.

Re:Here's a sample...

[Beatlebum]

You're diggging yourself deeper and deeper. JMP ESP is a perfectly valid instruction. Try a search a see the bugtraq hits:

http://groups-beta.google.com/groups?q=JMP%20ESP&h l=en&lr=&safe=off&rls=GGLD,GGLD:2004-41,GGLD:en&sa =N&tab=wg

Re:Here's a sample...

[pg110404]

Try searching for a JMP ESP in the kernel, last time I tried I couldn't find on

Ow, you got me there.... perfect example of why I hate to comment unnecessarily. I wrote that up in 1 minutes and spent another 30 seconds on comments. I figured my short term memory was good enough without double checking.

Further, is zeroing a global array necessary? I thought global variables are implicitly zeroed.

It depends on the compiler and on the language. Some compilers will pad out the size of the EXE to include a data segment and thus will have it explicitly set. Other compilers will only explicitly allocate and set variables that are explicitly set like float PI=3.1415926; and the rest will be left over from what was in memory before. The compiler in the latter case on some platforms in particular will provide a small data segment of actual initialized memory, and instruct the OS the data segment needs to by that much plus a whole bunch more. It helps reduce the size of the EXE. When I learned C on BSD unix, we were taught early on that variables were always undefined.

Assuming global variables, specifically in C, are always implicitly set is a very dangerous game to play.

Re:Here's a sample...

[pg110404]

Just because people are doing it, does that make it right? Does that mean it's right for me to go around killing people if jeffery dahmer or ted bundy killed all them people?

JMP ESP is an instruction that resumes execution on the stack. The stack is NOT SUPPOSED to contain valid code. PERIOD. Even if it is a valid CPU instruction, its an instruction that should never be used. The only thing that could ever have come out of this was buffer overflows. I'm not arguing the fact that it's not an existing instruction, I'm arguing the fact that it if it was a valid instruction, only idiots would use it. Every PUSH instruction, every POP instruction, every CALL instruction every RET instruction that is performed alters the stack frame and changes its dynamic including the current location of the ESP pointer. To JMP ESP is to jump to a location that does not contain and should not contain valid code as that location contains temporary information - that's why it's call a stack. You push stuff temporarily onto the stack which you will later take off the stack. A stack has always been and will always be used as a lifo. That is its purpose. That's why there's a separate area called 'code'. On linux, the code segment is in the 0x080483bd range and the stack is in the 0xbffff818 range. The two are far from each other.

For example the program:

void func() { } main() { func(); }

Produces:

.globl func
.type func, @function
func:
pushl %ebp
movl %esp, %ebp
popl %ebp
ret
.size func, .-func
.globl main
.type main, @function
main:
pushl %ebp
movl %esp, %ebp
subl $8, %esp
andl $-16, %esp
movl $0, %eax
subl %eax, %esp
call func
leave
ret


Notice the clever use of CALL and RET? That is how things are supposed to be done. The fact that microsoft has used such an instruction is a clear demonstration of their lack of assembly language knowledge.

Answer me this. Have you written any assembly language code? I have. I've written more than just the typical classroom exercise. I've written a lot more than that, and in assembly language programming, JMP ESP is a very dangerous and technically illegal instruction.

To allow you to JMP ESP implies that your code is on the stack and any PUSH or POP operation will obliterate your code causing it seg fault or on firmware without a proper OS to protect you, hang.

Perhaps the universe has revealed to you and not to me why a JMP ESP is commonplace, so please share your revelation with me. I want to know.

Re:Here's a sample...

[Beatlebum]

this is getting really tiresome.

Did it occur to you that the sequence JMP ESP could be there by pure accident? It's just two bytes, perhaps it could be there at an irregular offset of a compiler generated assembly sequence, or perhaps it could be there as part of an address in memory. Get it now?

Re:Here's a sample...

[pg110404]

Did it occur to you that the sequence JMP ESP could be there by pure accident?

Finally. Thank you for that lucid statement. I understand your point. Just so you know, it did not occur to me that that instruction might have accidentally found its way into memory, thus I didn't see how it could realistically happen.

Next time, you might have tried something like this from the beginning instead of assuming my IQ was so low I couldn't outwit a boiled cabbage:
1 - JMP ESP is a currently valid CPU instruction that should never have been added to the CPUs instruction set
2 - The 2 byte opcode for the JMP ESP instuction can occur by accident (part of an initialized data segment block or span two valid instructions)
3 - Find the offset of that invalid instruction and overflow the stack so the address of that instruction aligns with the return instruction of the current function
4 - Immediately following that return address as part of your overflow buffer data, place your exploit code.
5 - celebrate your successful buffer overflow.

Instead, you focused on the fact that I couldn't understand the mechanics behind it. I did understand the mechanics behind it. The universe has chosen NOT to reveal the specifics as to how that technically invalid command might have gotten there in the first place.

Once again, thank you for the epiphany.

Re:Here's a sample...

[Beatlebum]

I didn't assume your IQ was low, I merely pointed out that your sample code wasn't illustrative because it didn't show how control was passed to the stack code. I'm genuinely sorry if I hurt your pride. You then went off on a rant telling me that JMP ESP is an illegal instruction and that it would never appear.

Word to the wise, when someone tries to teach you something, do a little research before you tell them they're wrong. Now that the penny has dropped and you understand what I've been trying to tell you, you now have the gaul to tell me that your inability to comprehend is my fault. In any case, I'm glad you now understand how a buffer overflow exploit works. Now I suggest you go and write some non malicous code to demonstrate your knowledge. You see there's a difference between thinking you know something and actually knowing it.

Best regards,

Beatlebum

This was on digg?

Leave it there.

A shame...

[diegocgteleline.es]

Why people does care so much about creating buffer overflows. Just write programs in C/C++, you WILL create buffer overflows. It seems that most of programmers can't avoid them and "buffer-overflow vulnerabilities" are found all the time. Why not care instead about the methods created to fix (most of) them? The ones that many distros are still not shipping despite of being quite obvious that they're need more than the latest KDENOME shit?

Just check the debian security mailing list and look how many buffer overflow security bugs are there: Too many. Too many for something which is know to be (partially) fixable with kernel/compiler tricks. Did GCC 4.0 included finally that FORTIFY thing that includes both compile-time and run-time "buffer overflow protections" BTW? That is interesting, not learning how to create buffer overflows.

Re:A shame...

Red Hat *is* shipping them. I suspect that plenty of other distros are as well.

Hypocrites.

First, you bash a respected university for offering a course on malware, and now you link instructions on how to exploit a buffer overflow from the main page.

Turn in your geek card...

[xxxJonBoyxxx]

If you're reading this and you don't already know what a "buffer overflow" is, turn in your geek card and leave Slashdot immediately.

What's next? "Ever wonder what what Linux was? Here's a great book which (blah, blah, blah)..."

slashdotted...

time of death...

1744 CST

Re:slashdotted...

[millennial]

Yeah. You have a web site that makes it onto Slashdot, and you have a comment system with no size limit on your comments, and comments can be made every 15 seconds per connection. Wow, that's a pretty bad idea.

Re:slashdotted...

good work men.

Java version anyone? ...

I can't seem to create a Java version that lets me execute arbitrary code. Can someone point me in the right direction?

;)

Re:Java version anyone? ...

[HyperChicken]

Check out the Java Virtual Machine. It executes arbitrary code.

All you C Programmers should do thing the DJB way.

[TheNarrator]

You know why Qmail has had one of the best security records of any C program out there?

DJ Bernstein Will Tell You Why

Among my favorite advice of his is to completely give up on the standard C library. Really, everybody should have done it a while ago. It's one of those things like the unix pipe model that was a good start, but now that it has hung around for 25 years, it needs an upgrade. How about everybody stop using the standard C library and switch to something like the Apache Portable Runtime?

Write bug-free code. I've mostly given up on the standard C library. Many of its facilities, particularly stdio, seem designed to encourage bugs. A big chunk of qmail is stolen from a basic C library that I've been developing for several years for a variety of applications. The stralloc concept and getln() make it very easy to avoid buffer overruns, memory leaks, and artificial line length limits.

pr0ggie

[Ride+Jib]

Dose ne1 hav a pr0g that can do dis 4 me? I g0t 2 much hw to lern it. k thx. OMG!!11one one !@1

Not sure about buffer overflows...

[CypherXero]

...but I know for a fact that his server is fighting for it's life right about now! The Slashdot Effect is killing it...

Can't wait for tomorrow

[BarryNorton]

Slashdot's going to show us how to make our very own Hello World program - yay!

Re:Can't wait for tomorrow

[duffel]

#include <stdio.h>
int main (void)
{
char blah [20]="Hello, World!";
char bluh [3];
memcpy(bluh, blah, sizeof(blah));
printf("%s\n",bluh);
return 0;
}

Not too hard

[springbox]

#include <stdio.h>
#include <string.h>

int main()
{
struct
{
unsigned char buffer[4];
unsigned char overrun;
} data;

data.overrun = 0xFF;

printf("Initial: %u\n", data.overrun);
memset(&data.buffer[0], 0, 5);
printf("Final: %u\n", data.overrun);
}

5 bytes get pushed onto the stack to reserve memory for the structure data when main is invoked. Memset starts writing to the base address of the structure at data.buffer[0] for 5 bytes. The space allocated for buffer, however is only 4 bytes, which causes the operation to leak into the variable overrun. When the output is displayed, overrun should change from 255 to 0.

Re:Not too hard

[pg110404]

This is a buffer overflow, but not all overflows will trample on the stack causing unexpected code execution.

The main problem with buffer overflows wrt security vulnerabilities is that an overflow has the potential to "return" to a block of code that what not where it was called from

e.g.

overflowBuffer = {binary code that executes a new program + padding bytes}{return ip address that points back to the address of stack buffer that is about to be overflowed}

memcpy(buffer to overflow, overflowBuffer, bytes needed);

In this example, a deliberate byte pattern is copied to the buffer to be overflowed that causes the computer to jump back to that spot when the function returns and that allows dynamic code execution through that vulnerability.

While your overflow demonstrates the capability of a language to overflow a specific buffer, not all overflows are unwelcomed.

for example, I'll often define a struct as follows:

struct {
int setting;
int sequenceCount;
int otherVariables;
int bytes;
char buffer[1];
} data;

I'll then do this

ptr = (struct data *)malloc(sizeof(struct data) + bufferBytes);
memcpy(ptr->buffer, source, bufferBytes);
ptr->bytes = bufferBytes;

I've implemented this trick for my own PVR recording program I wrote that reads from the video capture card and stuffs it in a fifo.

In this case, buffer overflow is desired as it allows me to allocate an arbitrary number of bytes that follows a specific structure.

Re:Not too hard

[springbox]

I've implemented this trick for my own PVR recording program I wrote that reads from the video capture card and stuffs it in a fifo.

Although that's technically not a buffer overflow since you've explicitly allocated space for it beforehand. The Windows API has some structures in it that also use the technique that you described.

The example I gave is certainly not anything harmful, which was its intention. There are certainly ways to use overflows to do much more damage, but for the example it's better than having a segmentation fault to prove the point eh?

Re:Not too hard

[SharpFang]

Writing buffer overflows is trivial. You do this all the time while programming, whether you want or not (and usually the latter).
Writing a buffer overflow bug exploit is a totally different matter though, and I'd love to see some useful tutorial on that - i.e. I find overflowable parameter in some program, what do I feed it to do something useful for me?

Re:Not too hard

Read the fucking Aleph One tutorial then.

While you're at it, study a little about shellcode.

C'mon, I thought that phrack 49 would historical and mandatory reading even to get a slashdot uid!

How To Conduct Your Very Own Slashdot Effect

[TrevorB]

from the downtime-of-my-very-own dept.
Adam writes "If you've ever wanted to create your own Slashdot effect or just to see how one works, check out this tutorial. The article talks about how a Slashdotting works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about an exploit that takes place thanks to the Slashdot effect, but what is the Slashdot effect? By definition it is when a website attempts to service more users than it was intended to hold, thus returning an error message from the server. To show how this is actually done, I'll explain how to do a simple attack on a fairly small Slashdot post."

Re:How To Conduct Your Very Own Slashdot Effect

Once again, this cheeseball Adam steals someone else's tutorial, posts it as his own and looks forward to the hits. I happen to know that this tutorial on how to be Slashdotted was first posted by one TrevorB, right here on /. Here it is.

How To Conduct Your Very Own Slashdot Overflow

Step 1 : Submit your site to Slashdot.
Step 2 : Sit back and relax while your server melts.

Ironic - /. ad was for MS Visual Studio .NET

[davidwr]

I loaded up this article and what do I see?
This ad from Microsoft staring back at me.

I hate buffer overflows.

[rice_burners_suck]

A whole article had to be written about this? Make a C program. Make an array of char, like char Blah[20]... Write Blah[20] = 'A';

Boom. Instant buffer overflow. You're a rogue hacker.

Reuse: How come overflows still happen?

[G4from128k]

I've been hearing about reuse of code and the development of stable shared libraries for the past 20 years and its probably been going on for longer than that. Why don't people, especially OS and application people, create, debug, and reuse a set of overflow-proof buffer-handling libraries? The libraries could include a range of forked versions for different usage patterns (e.g., big buffers of small data objects, small buffers of big data objects, buffers optimized for variable or fixed size, buffers optimized for frequent writes/sorts/reads/etc. Why is that so hard?

Every buffer-overflow exploit is just evidence of re-invention of a bug-filled wheel.

How To Slahdot Your Very Own Server

[Electron]

Zonk writes "If you've ever wanted to slashdot your own server or just to see how one works, check out this tutorial. The article talks about how the slashdot effect works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about a server disappearing from the face of the earth thanks to the slashdot effect, but what is the slashdot effect? By definition it is when a slashdot editor posts a link on the frontpage to a small server without using coral cache and zillions of slashdotters click on the link the minute the story is published, thus hammering the server into oblivion. To show how this is actually done, I'll explain how to submit a story with a link to your own server by praising Apple, dissing Microsoft or revealing more SCO conspiracies."

Less haste, more speed!

[Henry+Stern]

It seems that the submitter was in such a hurry to plagiarise this article that he didn't have time to proofread it first.

Without further ado, here are some corrections:

• pushl $value of print /x *((int *) $ebp + 1)
  
• movl $0xdeadbeef, %eax
  
• ret
  
• nop
  

To compile this code into an object file, type into the shell gcc -O2 -c assembly.s and then dissemble it by typing objdump -d assembly.o > input.txt.

For example, if %ebp equaled bf ff ef d8 it would become d8 ef ff bf. Once this is all done you can test your exploit by saving input.txt and then typing in ./text < input.txt into the shell.

Useful buffer overrun

[biscuit67]

I once used a buffer overrun in a ps2 game I was working on to allow me to download a patch when no patching mechanism was in place.

This was very handy for creating some small additions to the game.

Never patched the hole. But then again, the game didn't sell that well.

Re:Useful buffer overrun

[biscuit67]

Of course, I also had access to the full source code, symbol tables and a debug kit. So, that made it pretty easy to find the buffer overrun. It was actually in a wide string copy. Src, Dst and data were all on the stack.

What -o means

For all you non-programmers, I'll quote the GCC manpage about what the "-o" gcc option means:

Place output in file file. This applies regardless to whatever sort of output is being produced, whether it be an executable file, an object file, an assembler file or preprocessed C code.

Most programmers compile separately from linking, so they might do a command process like:

gcc myfile1.c -o myfile1.o
gcc myfile2.c -o myfile2.o
ld -o myprogram myfile1.o myfile2.o

They can now run "myprogram" to test their code. They do this, because compiling takes a lot of time and programmers don't want to have to recompile their entire program if they only modified one file. If they only modified myfile2.c in the above example, then they can simply recompile the one file and relink:

gcc myfile2.c -o myfile2.o
ld -o myprogram myfile1.o myfile2.o

Re:What -o means

[Nasarius]

Most programmers compile separately from linking, so they might do a command process like

Well, sort of. Most programmers use make to automate all that stuff.

account suspended :)

[Inigo+Montoya]

The /. effect knocked the account out of existence!

"Account Suspended
Your account has been suspended for 1 of 2 reasons.

1. Your bill is over due. In this case please email billing@vizaweb.com

2. You account what causing a problem of some sort. In this case please contact CustomerCare@vizaweb.com"

hmm... Even Slashdotted sites can't spell!

ob Simpsons

Let me be the first to welcome our new Von Neuyman overlords.

very interesting

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@collegebums.org and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

Let's queue up...

Let's queue up all of the comments written by people who are going to balk at this for being elementary while secretly pawing through the article for notes.

If you were about to write such a comment: Since people who tend to write such comments tend to be rather unmoved by anything anyone else says or does unless the purveyor of information happens to either be a hot woman or be the coolest mall-goth in their pack at the moment, I am relatively certain that my initial comment pointing out your activity will not dissuade you from posting; however, you can make your post a happier place for other peoples eyes to accidentally crash into if you simply remember that 3's are not E's, 7's are not T's, etc. etc. etc.

If this is a bit over your head, or you'd like some more general information on posting, please view the following film strip:
http://pyro.buildtolearn.net/misc/posting.swf

Internal Server Error

[xv4n]

I got an "Internal Server Error".

Seems like the server's buffers where overflowed. Oh! the irony!

Easy Buffer Overflow

[masterpenguin]

For the easiest buffer overflow ever, just fireup good ol' Windows 95. That'll give you more buffer overflows than you could shake a stick at.

Shortcut

[UltimaL337Star]

Open Windows

Submitter's full name

[Mr.+Underbridge]

Zonk posts a story from a submitter that wrote the page being submitted for the story, who, as it turns out, blatantly plagarized the content from Bryant and O'Hallaron's Computer Systems book.

The submitter's full name is Adam Piquepaille.

Well I got:

[cmacb]

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@collegebums.org and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

So I guess the overflow worked even better than he thought it would.

Re:Does this work?--OFFTOPIC

[TFGeditor]

Boss design?

OK, so the server is now officially dead

[GroeFaZ]

Was that the demonstration? Was the 'fairly small programm' the server itself, maybe on a floppy disk?

Court blocks U.S. rules for anti-piracy TV tech

[Evil+Butters]

This gets published, and my submission on "Court blocks U.S. rules for anti-piracy TV technology" has been pending all day?

MOD PARENT DOWN

[Saeed+al-Sahaf]

Isn't that Slashdot policy? I mean, what with Roland and all? If /. history is any indication, get set to hear a lot more from this boy!

Something to do while collegebums.org is down

[antispam_ben]

you think you've had something pending for a while, check out the pending story (it's a poll, and I didn't even save my own copy, but maybe I'll see it again SOMEDAY...) in my 'recent submissions' http://hardware.slashdot.org/~antispam_ben/

OOTC: I recall intentional buffer overflows and similar hacks in FORTRAN from 25 years ago. I suppose it's good Pascal was never used for a system language, the language definition has array bounds checking built-in. OTOH, pointers can point to anything (IIRC it's called coercion in Pascal - amazing what stuff I remember that's totally useless now).

Now where's that slashdot mirror site???

How to create your own buffer overflows?

Ingenious! I'll have to intergrate this brilliant new feature into all of our new products!

--Bill

The New Hackneyed Bash Quote:

[RukuArtic]

Now run the program. Its really cool! Ok, here goes! user-b signed off. (Buffer overflow) Hahaha

Since when was this not wysiwyg? T_T;

[RukuArtic]

Ok, now run the code
Here goes...
user-b signoff: (Ping Timeout)
Bwahaha, he fell for the old "Buffer Overrun" trick.

Site's buffer overflowed

[Palal]

I guess that's what we should call the /. effect :)

I would...

[derfy]

but, I blew my mod points on the Al Gore article. ...And I just posted.

Heh...

I find it ironic that this is giving me an "Internal Server Error" =P

Looks like someone smashed his servers stack

[bergeron76]

Deserves him right for posting a Phrack article from 97 (or somewhere around then, IIRC).

There's a better CDC (that's Cult of the Dead Cow for you young fellows) one out there, I just don't have a link to it.

It was actually a web-based tutorial, not a g-file (that's a text page to you young-un's).

Re:Looks like someone smashed his servers stack

[bergeron76]

Cool, I found the article; here it is:

http://www.cultdeadcow.com/cDc_files/cDc-351/index .html

Direction of stack growth?

Just a stupid question: Wouldn't it be harder to get damage from accidental buffer overflows, if the stack grew _up_ instead of down?

Re:Direction of stack growth?

Slightly - only in case of initialization errors. You would initialize the stack to the same value you get from malloc(). Now you need to initialize the stack to malloc(n)+n, with all that off-by-one errors, possiblity to store the stack address separately from free() address etc, which is simply more complicated, thus more error-prone. Risk from using - the same. But it would be a bit easier to write exploits since the binary would be pushed on stack in the same order as it's executed. Now the payload of the exploit must be stored backwards.

another one

Here is another tutorial on that (my own, of course):
http://www.hakin9.org/en/attachments/stackoverflow _en.pdf
Hope somebody will like it.

Other tutorials

[bahwi]

This one is basic, but it's always good to know how to mess up a program. Great if you can make it, but if you know how to mess it up really badly, it's easier to patch and fix. Of course, most C libs out there in the OSS world have better functions for the most commonly buffer-overflowed functions, but I know there are other ways.

500 Internal Server Error

[PabloHoffman]

I know they said the best way to learn is through examples, but maybe this guy's approach is a little too rough.

Ooo! I know how!

[noamsml]

let me try to program a calculator in C++!

(based on a real story)

Hahahahaha

[duerra]

The guy that owns vizaweb is a good personal friend of mine. You can be sure this site will come up next time I see him.

No pleasing /.'ers is there?

[newpath4comVersion2]

So his site is DEVOID of Content eh? That's an interesting observation. Conversely, my site is JAMMED with stuff... about 180 pages. Anyone, anyone? http://tinyurl.com/bevf9 . Just funning wit you. Have a great weekend everybody. Don't buy any used clusters. Woody

Rule Number 1

[Esel+Theo]

One of the first rules I teach my students:

Never, never ever, call a program test.

I've just seen too many people wondering that their nice new program appears to just do nothing...