Slashdot Mirror


How To Conduct Your Very Own Buffer Overflow

Adam writes "If you've ever wanted to create your own buffer overflow or just to see how one works, check out this tutorial. The article talks about how a buffer overflow works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about an exploit that takes place thanks to a buffer overflow, but what is a buffer overflow? By definition it is when a program attempts to store more data in an array (buffer) than it was intended to hold, thus overwriting the return address of the function. To show how this is actually done, I'll explain how to do a simple attack on a fairly small program."

51 of 186 comments

  1. Once again, Zonk lowers the bar. by Anonymous Coward · · Score: 5, Interesting



    Zonk posts a story from a submitter that wrote the page being submitted for the story, who, as it turns out, blatantly plagiarized the content from Bryant and O'Hallaron's Computer Systems book.

    As a matter of fact, on the webpage itself, the very first response to the post calls Adam out about this, but apparently, it is still sufficiently 'news' to merit posting here.

    Way to go, Zonk...once again, you've lowered the standard.

    1. Re:Once again, Zonk lowers the bar. by reynaert · · Score: 5, Informative

      The standard text is still Smashing The Stack For Fun And Profit, I think.

    2. Re:Once again, Zonk lowers the bar. by thundercatslair · · Score: 2, Insightful

      Lowered? I didn't think that it could go any lower.

    3. Re:Once again, Zonk lowers the bar. by Anonymous Coward · · Score: 5, Insightful

      Mods should have the guts to mod the parent insightful. Speaking up is the only way to prevent our favorite reading forum devolving into a tool for people to drive hits to their websites. I come to /. because I can depend on it doing the filtering for me. If the standards are lowered here, I stop visiting and so will others. For those who say "just don't read it if you don't like it," you're missing the point--the beauty of /. is that we can come here and be assured of a quality read, not a vast dumping ground that we then have to further sift. When abusers like Roland Piqupaille (or whatever his impossible last name is) or this guy (who cribbed it from a book) can make Slashdot do their bidding, we all lose.

    4. Re:Once again, Zonk lowers the bar. by frakir · · Score: 2, Informative

      There is one old but nicely written buffer overflow tutorial at
      http://www.cultdeadcow.com/cDc_files/cDc-351/essence.html

  2. News? by American+AC+in+Paris · · Score: 5, Insightful
    Look, this may be useful information, but it's not even remotely newsworthy. It's a freakin' intro-level homework exercise.

    What's next, "How To Conduct Your Very Own Segmentation Fault"?

    --

    Obliteracy: Words with explosions

    1. Re:News? by chrism238 · · Score: 2

      Agreed; and it's overly simplistic to say "... it is when a program attempts to store more data in an array (buffer) than it was intended to hold, thus overwriting the return address of the function." Just overflowing a buffer may not make any change to a return address - else nearly every off-by-one programming error would be disastrous.

    2. Re:News? by hoka · · Score: 3, Insightful

      Seriously, buffer overflows are not only simple attack vectors, there are multiple ways to deal with them (hardware and software). All the hardened distros I know of use something to prevent it (Active Bounds Checking, Stack Smashing). What people really need to be aware of are things like SQL injection attacks, Cross-Site Scripting attacks, social engineering, and people should also know how to configure their machine to limit data penetration once the user is inside (ACLs, Chroots, jails, etc). I suppose I can't be all that mad, since most people really don't understand attack vectors in the first place, let alone how any one vector works.

    3. Re:News? by IainMH · · Score: 2, Insightful

      Look, this may be useful information, but it's not even remotely newsworthy. It's a freakin' intro-level homework exercise.

      Hey hang on there horsey. This is a good article. Why shouldn't it have a place here? If you don't want to read it, don't read it. /. is a place where news and, more importantly, a community convenes to learn a little bit more each day about our (nerdy) world.

      I for one enjoyed this article. Don't complain if some articles don't conform to your expectation of what you think /. should be.

    4. Re:News? by Otter · · Score: 4, Insightful
      This is a good article. Why shouldn't it have a place here?

      No, it's literally an intro-level homework exercise. It's a code snippet copied out of a textbook.

    5. Re:News? by ajs · · Score: 4, Interesting
      Hmmm... how to construct your very own SEGV, eh? ... well, I guess "kill -SEGV $$" is a bit obvious.

      How about
      perl -le 'print unpack("P","\0\0\0\01")'
      Good enough? ;-)

      Yeah, I know. You're wondering, "why that trailing 1"? It's because Perl explicitly checks for the boneheaded maneuver of dereferencing NULL in an unpack and prevents it. Of course (as the docs point out), there's not much it can do to prevent you using this particular tool to shoot yourself in the foot.
    6. Re:News? by telstar · · Score: 4, Funny
      What's next, "How To Conduct Your Very Own Segmentation Fault"?
      • nope .... "How to Slashdot a webserver."
    7. Re:News? by evilrip · · Score: 3, Insightful

      Uhm, if all the hardening makes the distros so secure, why are they still getting owned via one or another variant of the buffer overflow (stack or heap based, overflowed, underflowed, integer manipulation, etc.)? Although I agree that the point of entry often is via other types of attacks when the attack is happening from a remote location and not locally, say like PHP code injection, SQL manipulation, Perl fun, etc. The x86 especially has poor protection from attacks of the buffer overflow kind as most protection is software based, which is really a failed approach. That said, make no mistake and think that a CPU with a no-exec bit for writeable pages or similar will make you entirely safe either. The x86 isn't alone with this problem but it sure is amongst the most vulnerable to it. Thankfully, exploiting buffer overflows is becoming harder even on the x86 (depending on OS, hardware, etc.), but it's still far from immune. This was alotta text to waste just to say what others have said time and time again before me. And everyone knows about the legendary Phrack (p49 article 14) article by Aleph One that beat this one by what, 9 years?

      --
      "To err is human, to forgive, beyond the scope of the Operating System"
    8. Re:News? by aluser · · Score: 2, Funny
      golf!

      perl -e%::=1,//

    9. Re:News? by ajs · · Score: 2, Funny

      "How about a new /. rule where whenever someone posts a perl script [...]"

      How about a new /. rule where whenever someone can't tell the difference between a script and a one-liner, they aren't allowed to use a keyboard?

  3. Hmm by Dante+Shamest · · Score: 5, Funny

    Is the tutorial correct?

    It doesn't seem to wo----

  4. Tutorials? by Anonymous Coward · · Score: 5, Funny

    Tutorials are for wimps.

    Real men create buffer overflows by accident.

    1. Re:Tutorials? by chucks86 · · Score: 5, Funny

      I accidentally created a tutorial once...

      --
      Help a poor college student. Send a couple cents via paypal to chucks86@gmail.com
    2. Re:Tutorials? by Loki_1929 · · Score: 2, Funny

      Wimp.

      --
      -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    3. Re:Tutorials? by fbjon · · Score: 2, Funny
      Real Men log in by using creative buffer overflowing instead of wimpy user/pass combinations. Real Men use buffer overflows just to write to disk.

      Real Men flip out regularly and buffer overflow just for the hell of it, because they are sooo cool!

      Once I heard that this wimpy guy dropped a teaspoon, and this Real Man like totally buffer overflowed him, right there on the spot!

      Buffer Overflows are totally sweet.

      And that's what I call real ultimate power! Check it out, it's totally sweet!

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  5. The Tao of Windows Buffer Overflow by nweaver · · Score: 4, Insightful

    Another good reference is the Tao of Windows Buffer Overflow by the Cult of the Dead Cow. A very detailed explanation how to exploit stack overflows on Windows.

    --
    Test your net with Netalyzr
  6. Why not just look at this? by Anonymous Coward · · Score: 4, Informative

    This even has great source code and explains the theory quite well.

    http://www.gergltd.com/IATAC-BufferOverflowExploit.pdf

  7. Buffer Overflows by joeytsai · · Score: 5, Informative

    The best article about buffer overflows is the well-known "Smashing the Stack for Fun and Profit" by Aleph One in Phrack. Here's the first link google gave me.

    Everything else (like this article) pales in comparison.

    --
    http://www.talknerdy.org
    1. Re:Buffer Overflows by Stalyn · · Score: 5, Funny

      I'm sorry but the article you mention is not within the blogosphere and therefore meaningless to today's society. Please either contact this "Aleph One" to create a blog and post his/her article there or remove it from your message. Thank You.

      --
      The best education consists in immunizing people against systematic attempts at education. - Paul Feyerabend
  8. Thank you but... by frank_adrian314159 · · Score: 4, Funny

    I can overflow buffers quite well on my own without any help.

    --
    That is all.
  9. Another article. by zymano · · Score: 4, Informative
  10. No Guide Needed! by ThisIsFred · · Score: 5, Funny

    Just teach yourself C! You'll discover every possible way in which things can go wrong, and in no time at all.

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
  11. the author of it thinks -o means to compile by mrterrysilver · · Score: 2, Interesting

    the author of the article states: "-o tells gcc to compile the file"

    but fortunately he didn't write the example, it's taken from Bryant and O'Hallaron's Computer Systems.

    --
    -mr silver
  12. Re:Oh good by chrism238 · · Score: 2, Informative

    By their nature, script-kiddies won't bother reading TFA and writing such an exploit. By their nature, they just download and run them.

  13. How to exploit a buffer overflow in windows: by GNUALMAFUERTE · · Score: 2, Funny

    1 - Choose random windows version.
    2 - Choose random exe or dll that comes with the OS.
    3 - Choose a random base address.
    4 - Write your code
    5 - ???
    6 - Profit!

    It's like trying to throw a rock to the floor, you just can't miss ;-)

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
    1. Re:How to exploit a buffer overflow in windows: by CypherXero · · Score: 2, Funny

      I live in space, you insensitive clod!

  14. Smashing The Stack For Fun And Profit by bajan_on_ice · · Score: 5, Insightful

    Read what I consider the seminal hacker work on this subject by Aleph One over at phrack.org

    http://www.phrack.org/show.php?p=49&a=14

    A little on the detailed side, especially the gdb stuff, but a GREAT article.

    --
    "The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding."
  15. MOD PARENT UP by wan-fu · · Score: 4, Interesting

    This kid is just trying to drum up visitors to his site. The site itself is pretty much devoid of content and the code is taken without citation.

    1. Re:MOD PARENT UP by HikeFanatic · · Score: 2, Funny

      The web site got /.'d fast. This is what I see now. I love explanation #2. Just comical.

      If he wanted traffic to his web site, he got it! As the saying goes, "Be careful what you wish for".

      Account Suspended
      Your account has been suspended for 1 of 2 reasons.

      1. Your bill is over due. In this case please email billing@vizaweb.com

      2. You account what causing a problem of some sort. In this case please contact CustomerCare@vizaweb.com

    2. Re:MOD PARENT UP by jayloden · · Score: 2

      Any idea who the kid is (last name, etc)? I'm just curious because I maintain an anti-virus tool, and one of the virus writers whose crap I remove is named Adam, and it'd be a kind of funny coincidence if it was the same Adam, especially as I got an email from a script kiddie today defending how "leet" the guy is.

      -Jay

  16. Here's a sample... by pg110404 · · Score: 5, Informative

    #include <stdio.h>
    #include <string.h>

    char bigBuffer[4096];

    void overflowMe(void);

    int main(void)
    {
        memset(bigBuffer, 0, sizeof(bigBuffer));
        overflowMe();
        return 0;
    }

    /* this function should never return; in fact it
       should/might SIGSEGV as the return address will be essentially reset to IP=0x00000000 */
    void overflowMe(void)
    {
        char localBuffer[256];

        /* deliberately copy from a larger buffer to a stack segment buffer more than it can hold */
        memcpy(localBuffer, bigBuffer, sizeof(bigBuffer));
    }

    1. Re:Here's a sample... by HyperChicken · · Score: 3, Funny

      There's a security bug in your code.

      --
      Free of Flash! Free of Flash!
    2. Re:Here's a sample... by pg110404 · · Score: 5, Funny

      There's a security bug in your code.

      Yeah, I know. Here's the patch

      #include <stdio.h>

      int main(void)
      {
          return 0;
      }

    3. Re:Here's a sample... by pg110404 · · Score: 2, Interesting

      In any case, you've missed the point.

      Actually I didn't miss the point. I could have made a far more elaborate program that actually did demonstrate that very fact, but I didn't want to spend 20 hours writing the damn thing then post 20 hours later when everybody else moved on.

      If you look at the memset before the function call, I set the entire 8k buffer to zeros, and then when I call overflowMe(), I copy 8k - 256 bytes beyond the 256 byte local buffer, extending well past the return address. A fact that I even commented on at the start of the function: that the return address is reset to 0x00000000.

      The purpose was not to actually give a working example of a successful exploit but to give an example of how it could be done.

      I know full well that what I need to do is to put the machine code for the 'malicious' code in the actual buffer and to keep overflowing with nop instructions for the proper number of bytes so the final 4 bytes I copy into that overflowed buffer on any intel 32bit processor will align with the return address from that function and if it is set correctly by taking into account the proper stack trace, can be known beforehand and thus when the function returns, it resumes execution of code at the start of the buffer that you overflowed.

      That point was not lost on me.

    4. Re:Here's a sample... by Beatlebum · · Score: 2, Insightful

      this is getting really tiresome.

      Did it occur to you that the sequence JMP ESP could be there by pure accident? It's just two bytes, perhaps it could be there at an irregular offset of a compiler generated assembly sequence, or perhaps it could be there as part of an address in memory. Get it now?

  17. Re:slashdotted... by millennial · · Score: 2, Funny

    Yeah. You have a web site that makes it onto Slashdot, and you have a comment system with no size limit on your comments, and comments can be made every 15 seconds per connection. Wow, that's a pretty bad idea.

    --
    I am scientifically inaccurate.
  18. All you C Programmers should do thing the DJB way. by TheNarrator · · Score: 2, Interesting
    You know why Qmail has had one of the best security records of any C program out there?

    DJ Bernstein Will Tell You Why

    Among my favorite advice of his is to completely give up on the standard C library. Really, everybody should have done it a while ago. It's one of those things like the unix pipe model that was a good start, but now that it has hung around for 25 years, it needs an upgrade. How about everybody stop using the standard C library and switch to something like the Apache Portable Runtime?

    Write bug-free code. I've mostly given up on the standard C library. Many of its facilities, particularly stdio, seem designed to encourage bugs. A big chunk of qmail is stolen from a basic C library that I've been developing for several years for a variety of applications. The stralloc concept and getln() make it very easy to avoid buffer overruns, memory leaks, and artificial line length limits.
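
An added sketch of the approach the quoted paragraph describes (this is not qmail's code and not TheNarrator's; every name here is this example's own): a stralloc-style buffer that owns its length and capacity, one growth routine that checks for size_t wraparound, and a getln-style reader with no fixed line limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sketch of the stralloc + getln idea (not qmail's code; names and
 * shapes are this example's own): the buffer carries its own length and
 * capacity, every append goes through one growth routine, and the line reader
 * has no fixed line limit and no "remaining space" arithmetic for callers. */
typedef struct {
    char  *s;     /* bytes; not NUL-terminated, len is authoritative */
    size_t len;   /* bytes in use */
    size_t a;     /* bytes allocated */
} growbuf;

/* Make room for at least need bytes: 1 on success, 0 on failure. */
static int growbuf_ready(growbuf *b, size_t need)
{
    if (need <= b->a) return 1;
    if (need > SIZE_MAX / 2) return 0;             /* doubling would wrap */
    size_t want = b->a ? b->a : 16;
    while (want < need) want *= 2;
    char *p = realloc(b->s, want);
    if (!p) return 0;
    b->s = p; b->a = want;
    return 1;
}

static int growbuf_append(growbuf *b, const char *src, size_t n)
{
    if (n > SIZE_MAX - b->len) return 0;           /* len + n would wrap */
    if (!growbuf_ready(b, b->len + n)) return 0;
    memcpy(b->s + b->len, src, n);
    b->len += n;
    return 1;
}

/* getln-like: next line of fp into b, '\n' stripped; 1 = line, 0 = EOF, -1 = out of memory. */
static int growbuf_getline(growbuf *b, FILE *fp)
{
    int c;
    b->len = 0;
    while ((c = fgetc(fp)) != EOF) {
        char ch = (char)c;
        if (c == '\n') return 1;
        if (!growbuf_append(b, &ch, 1)) return -1;
    }
    return b->len > 0;   /* an unterminated final line still counts */
}

/* Constructed input: "short", a line of n 'A's, then an unterminated "tail", written
 * to a temp file and read back. Reports line count and longest line; 1 on clean EOF. */
static int scan_sample(size_t n, size_t *lines, size_t *longest)
{
    FILE *fp = tmpfile();
    if (!fp) return 0;
    fputs("short\n", fp);
    for (size_t i = 0; i < n; i++) fputc('A', fp);
    fputs("\ntail", fp);
    rewind(fp);
    growbuf b = { NULL, 0, 0 };
    int rc;
    *lines = 0; *longest = 0;
    while ((rc = growbuf_getline(&b, fp)) == 1) {
        (*lines)++;
        if (b.len > *longest) *longest = b.len;
    }
    free(b.s);
    fclose(fp);
    return rc == 0;
}
```

scan_sample(3000, ...) reads the 3000-byte line through a buffer that started at 16 bytes, which is the point: the caller never states a maximum line length.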

  19. Not too hard by springbox · · Score: 2, Informative

    #include <stdio.h>
    #include <string.h>

    int main(void)
    {
        struct
        {
            unsigned char buffer[4];
            unsigned char overrun;
        } data;

        data.overrun = 0xFF;

        printf("Initial: %u\n", data.overrun);
        memset(&data.buffer[0], 0, 5);
        printf("Final: %u\n", data.overrun);
        return 0;
    }

    5 bytes get pushed onto the stack to reserve memory for the structure data when main is invoked. Memset starts writing to the base address of the structure at data.buffer[0] for 5 bytes. The space allocated for buffer, however, is only 4 bytes, which causes the operation to leak into the variable overrun. When the output is displayed, overrun should change from 255 to 0.
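
As an added example (not code from this thread), the same layout springbox shows, but with the member after the buffer treated as a guard word: that is how a stack protector notices the kind of overrun pg110404's memcpy performs. checked_copy is the bounded alternative; the struct name, the GUARD value and the helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: springbox's layout with the trailing member used as a
 * guard word, the way a stack protector places a canary between locals and
 * the saved return address. A write that runs one byte off the buffer
 * changes the guard, which is exactly the clobber springbox's program prints. */
#define GUARD 0xDEADBEEFu   /* every byte non-zero, so any zeroing shows */

struct record {
    unsigned char buffer[4];
    uint32_t guard;          /* sits at offset 4, directly after buffer */
};

/* Unchecked write of n bytes starting at buffer[0], like the original
 * memset(&data.buffer[0], 0, 5). Writing through a byte pointer to the whole
 * struct keeps the demo inside one object, but the guard is still trampled
 * as soon as n exceeds sizeof buffer. */
static void unchecked_fill(struct record *r, size_t n)
{
    if (n > sizeof *r) n = sizeof *r;   /* stay inside the struct for the demo */
    memset((unsigned char *)r, 0, n);
}

/* Checked write: refuses anything that does not fit. Returns 0 on success,
 * -1 on rejection; on rejection nothing is written. */
static int checked_copy(struct record *r, const unsigned char *src, size_t n)
{
    if (n > sizeof r->buffer)
        return -1;
    memcpy(r->buffer, src, n);
    return 0;
}

/* 1 if the guard still holds GUARD, 0 if something overwrote it. */
static int guard_intact(const struct record *r)
{
    return r->guard == GUARD;
}

/* Fill n bytes unchecked into a fresh record; returns 1 if the guard caught
 * an overrun, 0 if the write stayed inside the buffer. */
static int overrun_detected(size_t n)
{
    struct record r;
    memset(r.buffer, 0xFF, sizeof r.buffer);
    r.guard = GUARD;
    unchecked_fill(&r, n);
    return !guard_intact(&r);
}

int main(void)
{
    struct record r = { {0}, GUARD };
    unsigned char eight[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

    printf("fill 4 bytes: guard %s\n", overrun_detected(4) ? "clobbered" : "intact");
    printf("fill 5 bytes: guard %s\n", overrun_detected(5) ? "clobbered" : "intact");
    printf("checked_copy of 8 bytes -> %d, guard %s\n",
           checked_copy(&r, eight, sizeof eight),
           guard_intact(&r) ? "intact" : "clobbered");
    return 0;
}
```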

    1. Re:Not too hard by pg110404 · · Score: 2, Interesting

      This is a buffer overflow, but not all overflows will trample on the stack causing unexpected code execution.

      The main problem with buffer overflows wrt security vulnerabilities is that an overflow has the potential to "return" to a block of code that was not where it was called from.

      e.g.

      overflowBuffer = {binary code that executes a new program + padding bytes}{return ip address that points back to the address of stack buffer that is about to be overflowed}

      memcpy(buffer to overflow, overflowBuffer, bytes needed);

      In this example, a deliberate byte pattern is copied to the buffer to be overflowed that causes the computer to jump back to that spot when the function returns and that allows dynamic code execution through that vulnerability.

      While your overflow demonstrates the capability of a language to overflow a specific buffer, not all overflows are unwelcome.

      for example, I'll often define a struct as follows:

      struct data {
          int setting;
          int sequenceCount;
          int otherVariables;
          int bytes;
          char buffer[1];
      };

      I'll then do this

      struct data *ptr = malloc(sizeof(struct data) + bufferBytes);
      memcpy(ptr->buffer, source, bufferBytes);
      ptr->bytes = bufferBytes;

      I've implemented this trick for my own PVR recording program I wrote that reads from the video capture card and stuffs it in a fifo.

      In this case, buffer overflow is desired as it allows me to allocate an arbitrary number of bytes that follows a specific structure.
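
As an added example, not pg110404's program: the same struct-plus-payload allocation written with a C99 flexible array member, with the size computation checked for wraparound and a bounded read back out. The field names follow the comment above; struct frame, frame_new and frame_read are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: the "allocate the struct plus the payload" pattern with
 * a C99 flexible array member. buffer[1] relies on writing past the declared
 * array; buffer[] states the intent, so compilers and sanitizers know the real
 * bound is whatever the allocation provided. */
struct frame {
    int    setting;
    int    sequenceCount;
    size_t bytes;              /* payload length actually stored */
    unsigned char buffer[];    /* flexible array member: payload follows */
};

/* Allocate a frame holding exactly n payload bytes. NULL if the size
 * computation would wrap or malloc fails. The wrap check is the step that
 * sizeof(struct data) + bufferBytes performs unchecked in the comment above. */
static struct frame *frame_new(const unsigned char *src, size_t n)
{
    if (n > SIZE_MAX - sizeof(struct frame)) return NULL;
    struct frame *f = malloc(sizeof *f + n);
    if (!f) return NULL;
    f->setting = 0;
    f->sequenceCount = 0;
    f->bytes = n;
    memcpy(f->buffer, src, n);
    return f;
}

/* Copy the payload into dst, which holds cap bytes. Returns the number of
 * bytes copied, or (size_t)-1 and copies nothing if the payload does not fit:
 * reading out needs the same explicit bound as allocating did. */
static size_t frame_read(const struct frame *f, unsigned char *dst, size_t cap)
{
    if (f->bytes > cap) return (size_t)-1;
    memcpy(dst, f->buffer, f->bytes);
    return f->bytes;
}

int main(void)
{
    unsigned char payload[10] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    unsigned char small[4], big[16];
    size_t huge = SIZE_MAX, got;

    struct frame *f = frame_new(payload, sizeof payload);
    if (!f) return 1;
    printf("frame holds %zu payload bytes in a %zu-byte allocation\n",
           f->bytes, sizeof *f + f->bytes);
    got = frame_read(f, small, sizeof small);
    printf("read into 4-byte dst: %s\n", got == (size_t)-1 ? "rejected" : "copied");
    got = frame_read(f, big, sizeof big);
    printf("read into 16-byte dst: %zu bytes copied\n", got);
    printf("frame_new with SIZE_MAX bytes: %s\n",
           frame_new(payload, huge) ? "allocated" : "rejected");
    free(f);
    return 0;
}
```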

  20. How To Conduct Your Very Own Slashdot Effect by TrevorB · · Score: 2, Funny

    from the downtime-of-my-very-own dept.
    Adam writes "If you've ever wanted to create your own Slashdot effect or just to see how one works, check out this tutorial. The article talks about how a Slashdotting works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about an exploit that takes place thanks to the Slashdot effect, but what is the Slashdot effect? By definition it is when a website attempts to service more users than it was intended to hold, thus returning an error message from the server. To show how this is actually done, I'll explain how to do a simple attack on a fairly small Slashdot post."

  21. Ironic - /. ad was for MS Visual Studio .NET by davidwr · · Score: 2, Funny

    I loaded up this article and what do I see?
    This ad from Microsoft staring back at me.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  22. Reuse: How come overflows still happen? by G4from128k · · Score: 2, Interesting

    I've been hearing about reuse of code and the development of stable shared libraries for the past 20 years and it's probably been going on for longer than that. Why don't people, especially OS and application people, create, debug, and reuse a set of overflow-proof buffer-handling libraries? The libraries could include a range of forked versions for different usage patterns (e.g., big buffers of small data objects, small buffers of big data objects, buffers optimized for variable or fixed size, buffers optimized for frequent writes/sorts/reads/etc.). Why is that so hard?

    Every buffer-overflow exploit is just evidence of re-invention of a bug-filled wheel.

    --
    Two wrongs don't make a right, but three lefts do.
  23. How To Slashdot Your Very Own Server by Electron · · Score: 3, Funny

    Zonk writes "If you've ever wanted to slashdot your own server or just to see how one works, check out this tutorial. The article talks about how the slashdot effect works and gives a guided example through an exploit to help you on your way. Definitely worth checking out." From the article: "Every now and again we all hear about a server disappearing from the face of the earth thanks to the slashdot effect, but what is the slashdot effect? By definition it is when a slashdot editor posts a link on the frontpage to a small server without using coral cache and zillions of slashdotters click on the link the minute the story is published, thus hammering the server into oblivion. To show how this is actually done, I'll explain how to submit a story with a link to your own server by praising Apple, dissing Microsoft or revealing more SCO conspiracies."

  24. account suspended :) by Inigo+Montoya · · Score: 3, Funny

    The /. effect knocked the account out of existence!

    "Account Suspended
    Your account has been suspended for 1 of 2 reasons.

    1. Your bill is over due. In this case please email billing@vizaweb.com

    2. You account what causing a problem of some sort. In this case please contact CustomerCare@vizaweb.com"

    hmm... Even Slashdotted sites can't spell!

  25. Submitter's full name by Mr.+Underbridge · · Score: 4, Funny
    Zonk posts a story from a submitter that wrote the page being submitted for the story, who, as it turns out, blatantly plagiarized the content from Bryant and O'Hallaron's Computer Systems book.

    The submitter's full name is Adam Piquepaille.

  26. Well I got: by cmacb · · Score: 4, Funny
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, webmaster@collegebums.org and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
    So I guess the overflow worked even better than he thought it would.