Buffer Overflow - PowerPoint PPT Presentation

Slides: 13
Provided by: John4557
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes

Title: Buffer Overflow


1
Buffer Overflow
  • By John Quach and
  • Napoleon N. Valdez

2
Buffer Overflow Basics
  • Allocate more data into a program than it was
    designed to support
  • Data that overflow to another region of the
    memory could be fatal
  • No bounds checking in C/C++/Fortran

3
What is a buffer?
  • A memory space allocated for use during
    execution. Frame of function:
  • void function(int a, int b) {
  •     char buffer1[5];
  • }
  • void main() {
  •     function(1,2);
  • }

[Figure: stack frame of function, top to bottom: b, a, ret, SFP, buffer1]
4
Simple Buffer Overflow Example
  • Show example

[Figure: stack after the overflow, top to bottom: Static Variables; ret = B C D E; SFP = A A A A; buffer1 = A A A A A A A A]
5
What happened?
  • function is called and the parameter
    "AAAAAAAAAAAABCDE" was passed
  • Since strcpy() does not check the string's length,
    the function call caused the buffer to overflow

6
Why is BO so dangerous?
  • Buffer can grow towards return address
  • Malicious code could be executed at the new
    address

7
Example
  • Exploit a program to execute a malicious program

DEEEEEEEEEEEE EEEE FFFF FFFF FFFF FFFF
F0123456789AB CDEF 0123 4567 89AB CDEF
buffer        sfp  ret  a    b    c
MALICIOUSPROGRAM0xDF0x010x020x03
8
Buffer Overflow Exploit Example
  • Analyze a crackme named weird.exe
  • Run the program and guess the serial
  • Find the correct serial using buffer overflow

9
Past BO exploits
  • Morris Internet worm
  • Code Red worm 2001
  • Blaster worm 2003
  • Internet Information Server (IIS)
  • Many more

10
How to Prevent Buffer Overflow
  • Always check bounds
  • Avoid scanf() and other dangerous library
    function calls
  • Use strncpy instead
  • Automatic source code checking www.polyspace.com
    (Linux only)
  • Compiler add-ons www.immunix.org
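
The bounds-check and strncpy advice above, as an added example (not code from the presentation): a length-checked copy and a truncating copy that terminates explicitly, run against the slide 5 input. The struct is a constructed model of the slide 4 diagram with an assumed 8-byte buffer1, and the function names are hypothetical.

```c
#include <string.h>

/* Constructed model of the slide 4 diagram (not a real stack frame):
 * an assumed 8 bytes of buffer1, then saved frame pointer and return address. */
struct frame_model {
    char buffer1[8];
    char sfp[4];
    char ret[4];
};

/* Refuse input that does not fit, terminator included. 0 = copied, -1 = refused. */
int copy_checked(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    /* memchr stops at the first NUL and never looks past dst_len bytes */
    const char *nul = memchr(src, '\0', dst_len);
    if (nul == NULL)
        return -1;                 /* src needs more than dst_len bytes */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* strncpy() alone leaves dst unterminated when src fills it, so terminate
 * explicitly. Returns 1 if src was truncated, 0 if it fit, -1 on bad arguments. */
int copy_truncating(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    strncpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';
    return strlen(src) >= dst_len;
}

/* Feed an input to both copies; returns 1 if sfp and ret are untouched. */
int frame_survives(const char *input)
{
    struct frame_model f;
    memset(&f, 0, sizeof f);
    memcpy(f.sfp, "SFP0", 4);      /* constructed marker values */
    memcpy(f.ret, "RET0", 4);
    copy_checked(f.buffer1, sizeof f.buffer1, input);
    copy_truncating(f.buffer1, sizeof f.buffer1, input);
    return memcmp(f.sfp, "SFP0", 4) == 0 && memcmp(f.ret, "RET0", 4) == 0;
}

int main(void) { return frame_survives("AAAAAAAAAAAABCDE") ? 0 : 1; }
```

The checked copy refuses the 16-character input outright, while the truncating copy keeps the first 7 characters; which behaviour is right depends on whether a shortened value is safe for the caller to use.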

11
Conclusion
  • Buffer Overflow is simply manipulating memory to
    gain control of a program
  • Buffer Overflow is hard to successfully execute
  • Hard to fix

12
Reference
  • Chuvakin, Anton and Peikari, Cyrus. Security
    Warrior. O'Reilly & Associates Inc., 2004. pp. 161-175
  • One, Aleph, "Smashing The Stack For Fun And
    Profit," Phrack, Vol. 7, Issue 49, File 14 of 16