Thursday, 27 August 2015

What is a Buffer Overflow?

Hi friends

If you have been wondering what a buffer overflow is, here is the explanation for your hungry minds.

What is a buffer overflow?

Heap Overflow Attacks. Programs use dynamically allocated memory as well as the stack. A vulnerable program uses a call to something like strcpy to copy input into a buffer, allocated on the heap.


Source: Security StackExchange

It sounds too technical. I'm a beginner; how can I understand it?

Imagine you have a list of people you owe money to.
Name | Amount owing
Also, you have a weird pen with built-in correction fluid, so that if you write something in a particular place, and then write something else, it erases the first thing you wrote. This is how computer memory works, which is a bit different from how writing normally works.
You pay someone a $500 deposit on a $5000 car, so you now owe them $4500. They tell you their name is John Smith. You write the amount (4500) and the name (John Smith) in the table. Your table now looks like this:
John Smith | 4500
Later your table reminds you to pay them back. You pay the $4500 (plus interest) and erase it from the table, so now your table is blank again.
Then you get a $1000 loan from someone else. They tell you their name is "John Smithxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9999999999". You write the amount (1000) and the name (John Smithxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9999999999) in your table. Your table now looks like this:
John Smithxxxxxxxxxxxxxxxxxxxxxxx|x99999999990
(the last 0 from 1000 was not written over. This is unimportant.)
When writing the name, you didn't stop when you got to the end of the "name" column, and kept writing into the "amount owing" column! This is a buffer overflow.
Later, your table reminds you that you owe $99999999990 to John Smithxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. You find him again and pay him almost 100 billion dollars.
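The ledger analogy above, and the heap-overflow paragraph before it (a copy that stops at the end of the input rather than the end of the buffer), can both be shown in a few lines of C. This is an added example, not code from the original post or from the StackExchange answers it quotes: the column widths (16 and 8), the names and the amount are constructed, and the "weird pen" is modelled as a byte-by-byte write confined to the row so the result is deterministic. The row is allocated with malloc, as in the heap case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Column widths of the ledger from the analogy (constructed values). */
#define NAME_COLS   16
#define AMOUNT_COLS  8

/* One row of the ledger. The "name" column is followed immediately in
 * memory by the "amount owing" column, exactly like the table above. */
struct ledger_row {
    char name[NAME_COLS];
    char amount[AMOUNT_COLS];
};

/* The "weird pen": writes the text cell by cell starting at column `col`
 * of the row and only stops at the end of the text, never at the end of
 * the column. This is what strcpy() does with a destination buffer. The
 * write is confined to the row object so the demonstration is deterministic. */
static void pen_write(struct ledger_row *row, size_t col, const char *text)
{
    char *cells = (char *)row;
    size_t last = sizeof *row - 1;   /* the final cell stays 0 as a terminator */
    for (size_t i = 0; text[i] != '\0' && col + i < last; i++)
        cells[col + i] = text[i];
}

/* Unchecked: amount first, then a name of any length, as in the story. */
void ledger_fill_unchecked(struct ledger_row *row, const char *name, const char *amount)
{
    memset(row, 0, sizeof *row);
    pen_write(row, offsetof(struct ledger_row, amount), amount);
    pen_write(row, offsetof(struct ledger_row, name), name);
}

/* Checked: refuse any text that does not fit its column with room for the
 * terminating NUL. Returns 0 on success, -1 if the row was left untouched. */
int ledger_fill_checked(struct ledger_row *row, const char *name, const char *amount)
{
    size_t nlen = strlen(name), alen = strlen(amount);
    if (nlen >= NAME_COLS || alen >= AMOUNT_COLS)
        return -1;
    memset(row, 0, sizeof *row);
    memcpy(row->name, name, nlen);
    memcpy(row->amount, amount, alen);
    return 0;
}

/* Demonstration helper: fill a static row the unchecked way with amount
 * "1000" and the given name, then return what the amount column now reads. */
const char *amount_after_unchecked(const char *name)
{
    static struct ledger_row row;
    ledger_fill_unchecked(&row, name, "1000");
    return row.amount;
}

int main(void)
{
    /* Constructed inputs: a name that fits, and one three cells too long. */
    const char *good = "John Smith";
    const char *bad  = "John Smithxxxxxx999";   /* 19 characters, column is 16 */
    struct ledger_row *row = malloc(sizeof *row); /* heap-allocated, as in the strcpy case */
    if (row == NULL)
        return 1;

    printf("unchecked, good name: owe %s\n", amount_after_unchecked(good)); /* 1000 */
    printf("unchecked, long name: owe %s\n", amount_after_unchecked(bad));  /* 9990 */
    printf("checked, long name: %s\n",
           ledger_fill_checked(row, bad, "1000") == 0 ? "accepted" : "rejected");
    free(row);
    return 0;
}
```

The three trailing digits of the long name land in the amount column and the last `0` of `1000` survives, which is the "$99999999990" effect from the story in miniature. The checked version is the whole fix: know the width of the column before you write into it.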


This is pretty simple to explain if you understand it well enough. Just make sure you hit on the important background. More or less in this order:
  • The "stack" is a place where you can store temporary information. The "stack pointer" determines where the end of the stack is. When a function runs, it moves the stack pointer to give itself memory to work with, and when it's done, it moves the pointer back where it found it.
  • The stack grows backwards. So to give yourself 100 bytes on the stack, you subtract 100 from the stack pointer rather than adding it. If the previous function's stack started at 1000 and I want 100 bytes, then my stack starts at 900.
  • This means that if you use more space than you gave yourself, you won't just continue writing out into empty space, you'll actually start overwriting previous stack values.
  • When my function starts, the very top value left on the stack for me by the previous function is the return address where I should go when my function is done.
  • This means that if my function overruns its stack, the very first thing that it's going to overwrite is the return address. If the attacker is careful about what he fills the stack with, he can specify whatever return address he wants.
  • When my function exits, whatever code is at that return address is what will get executed next.

Simple Example

In Smashing the Stack for Fun and Profit, where this technique was originally described, the most simple and straight-forward technique was introduced. Imagine the function reads your name and then returns. So your stack looks like this:
Stack Pointer                                      Prev. Stack Ptr
+----------------------------------+--------------+................
| Your Name Here                   | Return Addr  |  Old stack ...
+----------------------------------+--------------+................
But the bad guy makes his name long enough to overflow the space. And not only that, instead of typing a real name, he types in some Evil Code, some padding, and the address of that Evil Code.
+----------------------------------+--------------+................
| [ Evil Code ]xxxxxxxxxxxxxxxxxxxxxxEvil Address |  Old stack ...
+----------------------------------+--------------+................
  ▲──────────────────────────────────┘
Now instead of returning back to the previous caller, you jump straight to the [Evil Code]. Now you're running his code instead of your program. From there it's pretty much game-over.

Mitigation and Other Techniques

Two of the techniques used to reduce the effectiveness of stack smashing are DEP and ASLR.
DEP ("Data Execution Prevention") works by marking the stack non-executable. This means that the [Evil Code] on the stack won't run, because running code on the stack is no longer allowed. To get around this, the attacker finds chunks of existing code that will do bits and pieces of what he wants. And instead of just overwriting his own return address, he creates a chain of return addresses down through the stack for all the functions he wants to run in turn. They call this "Return Oriented Programming", or ROP. The chain of returns is called a "ROP Chain". This is really hard to do. But there are tools to help.
ASLR ("Address Space Layout Randomization") works by randomizing the locations of all the interesting functions. Now creating a ROP chain isn't so easy -- every time the program runs, all the addresses are in different places. So when the attacker goes to overwrite the return address with his own Evil Address, he won't know what numbers to use because the code is always in different places.
Neither DEP nor ASLR on its own offers much protection, but both together make successful exploitation very difficult. While some circumventions sometimes exist, there isn't a workaround that works everywhere. If you can get around DEP+ASLR, it's a one-off sort of success.
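The frame from the "Simple Example" diagram (name buffer, then the return address) can be modelled in C to show two things: that an unchecked copy really does reach the return slot, and how a guard word placed between the buffer and the return address detects that before the return happens. The guard word is the stack-protector idea (gcc's -fstack-protector), which goes beyond the DEP and ASLR discussed above but belongs to the same family of defences. This is an added example, not code from the original post or the StackExchange answers; the guard value, the caller address and the two input names are constructed, and the copy is confined to the frame object so the outcome is deterministic rather than undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_LEN     16
/* Fixed guard value for the demonstration (constructed); a real stack
 * protector picks a random value when the program starts. */
#define GUARD_VALUE  0x5A5A5A5A5A5A5A5Aull
/* Constructed placeholder for the caller's address. */
#define CALLER_ADDR  0x401000ull

/* Model of the frame in the diagram: the name buffer, then a guard word,
 * then the saved return address at the higher addresses. A copy that runs
 * past the buffer must trample the guard before it reaches the return address. */
struct frame {
    char     name[NAME_LEN];
    uint64_t guard;
    uint64_t return_addr;
};

/* Unchecked copy, the way strcpy() writes: stops at the source's NUL, not at
 * the end of the destination. Confined to the frame object so the result is
 * deterministic. */
static void unchecked_copy(struct frame *f, const char *input)
{
    char *cells = (char *)f;
    for (size_t i = 0; input[i] != '\0' && i < sizeof *f; i++)
        cells[i] = input[i];
}

/* Function entry: plant the guard and remember where to return. */
static void frame_enter(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->guard = GUARD_VALUE;
    f->return_addr = CALLER_ADDR;
}

/* No protection: whatever is in the return slot is used, overwritten or not. */
uint64_t return_target_unprotected(const char *input)
{
    struct frame f;
    frame_enter(&f);
    unchecked_copy(&f, input);
    return f.return_addr;
}

/* With a guard check on exit, as -fstack-protector does: if the guard changed,
 * the frame was smashed and the return address is not trusted. Returns 0 in
 * that case (a real build calls __stack_chk_fail and aborts instead). */
uint64_t return_target_guarded(const char *input)
{
    struct frame f;
    frame_enter(&f);
    unchecked_copy(&f, input);
    if (f.guard != GUARD_VALUE)
        return 0;
    return f.return_addr;
}

/* Constructed inputs: a short name and a 40-character one. */
#define SHORT_NAME "Alice"
#define LONG_NAME  "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx"

int main(void)
{
    printf("short name, unprotected: return to %#llx\n",
           (unsigned long long)return_target_unprotected(SHORT_NAME)); /* 0x401000 */
    printf("long name,  unprotected: return to %#llx\n",
           (unsigned long long)return_target_unprotected(LONG_NAME));  /* 0x7878787878787878 */
    printf("long name,  guarded:     %s\n",
           return_target_guarded(LONG_NAME) == 0 ? "overflow detected" : "returned");
    return 0;
}
```

With the long name the return slot ends up holding eight copies of the byte `x` (0x78), which is exactly the "Evil Address" slot from the diagram being filled by whatever the input contained. The guarded variant never gets that far: the guard was overwritten first, so the function refuses to return. In a real build the protector's value is random per process, which is what stops an input from simply reproducing it.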



Here's an analogy that isn't the most technically accurate, but it should get the idea across.
Picture a recipe book on 3-hole punch paper in a binder (memory) and a very dumb cook (the processor, i.e. the CPU).
  • People can add or remove pages from the binder (load or unload programs and data in memory)
  • The cook just follows every instruction on the page they're on
  • The cook starts at the beginning (bootloader) and continues on until the instruction is "close book"
    • Even if the instruction is to flip to another page (Turn to page 394)
So, normally, you'd write on page one "Turn to page 200 (waffles)", open up the binder, and put in waffles at page 200. Then have the cook start - the cook should make waffles!
But wait... there's an attacker! They've written notes in the margins of your waffle recipe (outside the buffer) - and the cook executes those instructions even though they're obviously handwritten.
The cook was never told to only do what's printed on the original sheet (in the normal buffer space) - the cook will also do anything after that (in memory after the buffer).
Perhaps the cook adds vinegar to the waffles (corrupts your files). Perhaps the cook turns to page three hundred and ninety four and just leaves the raw egg sitting there, unused, until it rots and molds (turns off your antivirus). Perhaps the cook throws away everything in the kitchen (deletes all your files), or puts a lock on your kitchen door to keep you out (ransomware), or opens the window (installs a trojan/backdoor) so the attacker can climb in the window.



Hope this clarifies how a buffer overflow works and that you understood it.
