[ACCEPTED]-What is a buffer overflow and how do I cause one?-fortify-source

Accepted answer
Score: 33

Classical example of a buffer-overflow:

// noone will ever have the time to type more than 64 characters...
char buf[64];
gets(buf); // let user put his name

The 50 buffer overflow alone does most often not 49 happen purposely. It happens most often 48 because of a so-called "off-by-one" error. Meaning 47 you have mis-calculated the array-size by 46 one - maybe because you forgot to account 45 for a terminating null character, or because 44 some other stuff.

But it can also be used 43 for some evil stuff. Indeed, the user long 42 knew this hole, and then inserts say 70 41 characters, with the last ones containing 40 some special bytes which overwrite some 39 stack-slot - if the user is really tricky 38 he/she will hit the return-address slot 37 in the stack, and overwrites it so it jumps 36 forward into that just inserted buffer: Because 35 what the user entered was not his name, but 34 his shell-code that he previously compiled 33 and dumped out. That one will then just 32 executed. There are some problems. For example, you 31 have to arrange not to have a "\n" in 30 that binary code (because gets would stop 29 reading there). For other ways that mess 28 with dangerous string functions, the binary 27 zero is problematic because string functions 26 stop copying there to the buffer. People 25 have used xor with two times the same value 24 to produce a zero too, without writing a 23 zero byte explicitly.

That's the classic 22 way of doing it. But there are some security 21 blocks that can tell that such things happened 20 and other stuff that make the stack non-executable. But 19 i guess there are way better tricks than 18 i just explained. Some assembler guy could 17 probably now tell you long stories about 16 that :)

How to avoid it

Always use functions that take a maximal-length 15 argument too, if you are not 100% sure that 14 a buffer is really large enough. Don't play 13 such games as "oh, the number will 12 not exceed 5 characters" - it will 11 fail some day. Remember that one rocket 10 where scientists said that the number will 9 not exceed some magnitude, because the rocket 8 would never be that fast. But some day, it 7 was actually faster, and what resulted was 6 an integer overflow and the rocket crashed 5 (it's about a bug in Ariane 5, one of the most expensive 4 Computer bugs in history).

For example, instead 3 of gets use fgets. And instead of sprintf use snprintf where 2 suitable and available (or just the C++ style 1 things like istream and stuff)

Score: 28

A buffer overflow is basically when a crafted 20 section (or buffer) of memory is written 19 outside of its intended bounds. If an attacker 18 can manage to make this happen from outside 17 of a program it can cause security problems 16 as it could potentially allow them to manipulate 15 arbitrary memory locations, although many 14 modern operating systems protect against 13 the worst cases of this.

While both reading 12 and writing outside of the intended bounds 11 are generally considered a bad idea, the 10 term "buffer overflow" is generally 9 reserved for writing outside the bounds, as this 8 can cause an attacker to easily modify the 7 way your code runs. There is a good article 6 on Wikipedia about buffer overflows and the various ways 5 they can be used for exploits.

In terms of 4 how you could program one yourself, it would 3 be a simple matter of:

char a[4];
strcpy(a,"a string longer than 4 characters"); // write past end of buffer (buffer overflow)
printf("%s\n",a[6]); // read past end of buffer (also not a good idea)

Whether that compiles 2 and what happens when it runs would probably 1 depend on your operating system and compiler.

Score: 13

In the modern linux OS you can't made exploiting 33 buffer overflow without some EXTRA experiment. why 32 ? because you will be blocked by ASLR (Address 31 Stack Layer Randomization) and stack protector in this 30 modern GNU C compiler. you will not locate 29 memory easily because memory will fall into 28 random memory caused by ASLR. and you will blocked 27 by stack protector if you try to overflow the program.

For 26 begining you need to put of ASLR to be 0 default 25 value is 2

root@bt:~# cat /proc/sys/kernel/randomize_va_space
2
root@bt:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@bt:~# cat /proc/sys/kernel/randomize_va_space
0
root@bt:~#

in this is case not about OLD 24 STYLE buffer overflow tutorial you may got 23 from internet. or aleph one tutorial will 22 not work anymore in your system now.

now 21 lets make a program vulnerability to buffer 20 overflow scenario

---------------------bof.c--------------------------
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
        char buffer[400];
        strcpy(buffer, argv[1]);

        return 0;
}
---------------------EOF-----------------------------

looks at strcpy function 19 is dangerous without stack protector, because 18 function without checking how many bytes 17 we will input. compile with extra option 16 -fno-stack-protector dan -mpreferred-stack-boundary=2 for take off stack protector in your C 15 program

root@bt:~# gcc -g -o bof -fno-stack-protector -mpreferred-stack-boundary=2 bof.c
root@bt:~# chown root:root bof
root@bt:~# chmod 4755 bof

buffer overflow C program with SUID 14 root access scenatio now we have make it. now 13 lets search how many bytes we need to put 12 into buffer to made a program segmentation 11 fault

root@bt:~# ./bof `perl -e 'print "A" x 400'`
root@bt:~# ./bof `perl -e 'print "A" x 403'`
root@bt:~# ./bof `perl -e 'print "A" x 404'`
Segmentation fault
root@bt:~#

you see we need 404 bytes to made program 10 segmentation fault (crash) now how many 9 bytes we need to overwrite EIP ? EIP is instruction 8 will be executed after. so hacker do overwrite 7 EIP to evil instruction what they want in the 6 binary SUID on the program. if the program 5 in the SUID root, the instruction will be 4 runned in root access.

root@bt:~# gdb -q bof
(gdb) list
1       #include <stdio.h>
2       #include <string.h>
3
4       int main(int argc, char** argv)
5       {
6               char buffer[400];
7               strcpy(buffer, argv[1]);
8
9               return 0;
10      }
(gdb) run `perl -e 'print "A" x 404'`
Starting program: /root/bof `perl -e 'print "A" x 404'`

Program received signal SIGSEGV, Segmentation fault.
0xb7e86606 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 405'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bof `perl -e 'print "A" x 405'`

Program received signal SIGSEGV, Segmentation fault.
0xb7e800a9 in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb)

program GOT segmentation 3 fault return code. let's input more bytes 2 and take see to EIP register.

(gdb) run `perl -e 'print "A" x 406'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bof `perl -e 'print "A" x 406'`

Program received signal SIGSEGV, Segmentation fault.
0xb7004141 in ?? ()
(gdb)

(gdb) run `perl -e 'print "A" x 407'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bof `perl -e 'print "A" x 407'`

Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb)

little more

(gdb) run `perl -e 'print "A" x 408'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bof `perl -e 'print "A" x 408'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)

(gdb) i r
eax            0x0      0
ecx            0xbffff0b7       -1073745737
edx            0x199    409
ebx            0xb7fc9ff4       -1208180748
esp            0xbffff250       0xbffff250
ebp            0x41414141       0x41414141
esi            0x8048400        134513664
edi            0x8048310        134513424
eip            0x41414141       0x41414141 <-- overwriten !!
eflags         0x210246 [ PF ZF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb)

now 1 you can do your next step...

Score: 10

A buffer overflow is just writing past the 1 end of a buffer:

int main(int argc, const char* argv[])
{
    char buf[10];
    memset(buf, 0, 11);
    return 0;
}
Score: 5

In addition to what has already been said, keep 11 in mind that you'r program may or may not 10 "crash" when a buffer overflow occurs. It 9 should crash, and you should hope it does - but 8 if the buffer overflow "overflows" into 7 another address that your application has 6 also allocated - your application may appear 5 to operate normally for a longer period 4 of time.

If you are using a later edition 3 of Microsoft Visual Studio - I would suggest 2 using the new secure counterparts in the 1 stdlib, such as sprintf_s insted of sprintf, ect...

Score: 1

This should be enought to reproduce it:

void buffer_overflow() 
{
    char * foo = "foo";
    char buffer[10];

    for(int it = 0; it < 1000; it++) {
        buffer[it] = '*';
    }

    char accessViolation = foo[0];
}

0

Score: 1

The "classic" buffer overflow 6 example is:

int main(int argc, char *argv[])
{
    char buffer[10];
    strcpy(buffer, argv[1]);
}

That lets you play with the buffer 5 overflow parameters and tweak them to your 4 hearts content. The book "Hacking - The Art of Exploitation" (Link 3 goes to Amazon) goes into great detail about 2 how to play around with buffer overflows 1 (purely as an intellectual exercise obviously).

Score: 1

If you want to check you program for buffer 3 overflows, you could run it with tools like 2 Valgrind. They will find some memory management 1 bugs for you.

Score: 1

This is a general comment about the answers 12 you received. For example:

int main(int argc, char *argv[])
{
    char buffer[10];
    strcpy(buffer, argv[1]);
}

And:

int main(int argc, const char* argv[])
{
    char buf[10];
    memset(buf, 0, 11);
    return 0;
}

On modern 11 Linux platforms, this may not work as expected 10 or intended. It may not work because of 9 the FORTIFY_SOURCE security feature.

FORTIFY_SOURCE 8 uses "safer" variants of high risk functions 7 like memcpy and strcpy. The compiler uses the safer 6 variants when it can deduce the destination 5 buffer size. If the copy would exceed the 4 destination buffer size, then the program 3 calls abort().

To disable FORTIFY_SOURCE for your 2 testing, you should compile the program 1 with -U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0.

Score: 0

In this context, a buffer is a portion of 8 memory set aside for a particular purpose, and 7 a buffer overflow is what happens when a 6 write operation into the buffer keeps going 5 past the end (writing into memory which 4 has a different purpose). This is always a bug.

A 3 buffer overflow attack is one which uses 2 this bug to accomplish something that the 1 program's author didn't intend to be possible.

Score: 0

With the correct answers given: To get more 10 into this topic, you might want to listen 9 to the Podcast Security Now. In Episode 39 (a while 8 back) they discussed this in depth. This 7 is a quick way to get a deeper understanding 6 without requiring to digest a whole book.

(At 5 the link you'll find the archive with multiple 4 size versions as well as a transcript, if 3 you're rather visually oriented). Audio 2 is not the perfect medium for this topic but Steve 1 is working wonders to deal with this.

Score: 0

Buffer overflow is the insertion of characters 1 beyond what the allocated memory can hold.

More Related questions