Previous Thread
Next Thread
Print Thread
Rate Thread
#10103 08/28/03 06:42 PM
Joined: Jun 2003
Posts: 807
Likes: 2
G
UGN Super Poster
UGN Super Poster
G Offline
Joined: Jun 2003
Posts: 807
Likes: 2
Whats a buffer overflow attack, what does it speciffically do, and how is it executed?

Sponsored Links
▼ Sponsored Links ▼ ▲ Sponsored Links ▲
#10104 08/28/03 08:03 PM
Joined: Mar 2002
Posts: 815
S
nobody
nobody
S Offline
Joined: Mar 2002
Posts: 815
A buffer is an allocated space of temporary memory. A buffer overflow is when too much data is recieved causing the buffer to overflow. To understand how they work you'll need to know some uP(microprocessor) theory. But basically you want to offerflow the buffer and have the part is left over an instruction, usually a malicious instruction that would grant you certain privledges on this system. This part that is overflows is the next set of instructions to execute instead of what should normally be executed.

#10105 08/28/03 08:17 PM
Joined: Jun 2003
Posts: 807
Likes: 2
G
UGN Super Poster
UGN Super Poster
G Offline
Joined: Jun 2003
Posts: 807
Likes: 2
how would i execute one; is it a program or do i connect to a port to do it

#10106 08/28/03 09:08 PM
Joined: Aug 2003
Posts: 240
Member
Member
Joined: Aug 2003
Posts: 240
I think you are talking about exploits.
there are two general kinds of exploits local and remote. Remote exploits use the internet to send a payload to a certain service to overflow it and execute code.. While a local service will do the same but not remotely.. simple really..
A buffer overflow works as said above by writing more data then the buffer allowed.. hence "buffer" overflow an example in c is.
#include
int main(int argc,char *argv[]){
char *buff[20];
strcpy(buff,argv[1]);
}
Now when you run the program
"c:\lala.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
more data is written to the buffer then was allocated and the registers get overwritten if your in windows a error box will pop up and you can find out which registers you overwrote by looking for 41 which is the hex value of "A"
it should overwrite the esp and ebp if you have enuf data seeing as how the buffer is 20 bytes and you wrote more than 21 bytes u overwrite the register why did i say 21 well thats because of the null terminated byte every buffer has '\0' (thats a basic explanation of it all) How do exploits work.. they do just that they overflow buffers and execute shellcode (ahh what is shellcode?) shellcode is opcode(operation code) of an asm program an example .
#include <windows.h>
#include <winbase.h>

void main()
{

LoadLibrary("msvcrt.dll");

__asm {

mov esp,ebp
push ebp
mov ebp,esp
xor edi,edi
push edi
sub esp,04h
mov byte ptr [ebp-08h],63h
mov byte ptr [ebp-07h],6Dh
mov byte ptr [ebp-06h],64h
mov byte ptr [ebp-05h],2Eh
mov byte ptr [ebp-04h],65h
mov byte ptr [ebp-03h],78h
mov byte ptr [ebp-02h],65h
mov eax, 0x77c28044 //put your system() address here
push eax
lea eax,[ebp-08h]
push eax
call dword ptr [ebp-0ch]
}
}
this program just runs cmd.exe using the system function and when u convert this to opcode you have your shellcode.. to get the system address you just use a debugger to find out where the function is stored in memory
Ok thats shellcode.. you understand buffer overflows well the simple version.. So now we make an exploit what this does is overwrite the return address of the program so when it tries to return it executes or shellcode..
there is no easy way to explain this..
but basically you store your shellcode in public memory range 0x00000000 to 0x7FFFFFFF
and overwrite the stack with your shellcodes memory address and execute it. Voila
just google for buffer overflow tutorials wink for a more in depth idea of what they are


The wise make mistakes, the fools repeat them
----------------------------------------
When you have eliminated the impossible, that which remains, however improbable, must be the truth
#10107 08/29/03 03:30 AM
Joined: Nov 2002
Posts: 1,146
Likes: 1
Ice Offline
UGN News Staff
UGN News Staff
Joined: Nov 2002
Posts: 1,146
Likes: 1
heres a good txt file by a member of the german group called The Hackers Choice (THC) thc.org

heres the link to the good read, hope this helpes you on ur way of learning

Its on Stacks Overflow's

http://www.thc.org/papers/OVERFLOW.TXT


Good artists copy, great artists
steal.

-Picasso
#10108 08/29/03 07:59 PM
Joined: Jun 2003
Posts: 807
Likes: 2
G
UGN Super Poster
UGN Super Poster
G Offline
Joined: Jun 2003
Posts: 807
Likes: 2
thanx Sin, Black Night, and 1c3 <img border="0" alt="[yum]" title="" src="graemlins/yum.gif" />

#10109 08/30/03 12:03 AM
Joined: Nov 2002
Posts: 1,146
Likes: 1
Ice Offline
UGN News Staff
UGN News Staff
Joined: Nov 2002
Posts: 1,146
Likes: 1
np, glad to help

+++EDITED+++
heres another OK txt file i found on packetstorm
its called:

Writing buffer overflow exploits - a tutorial for beginners

and the link is:

http://packetstormsecurity.nl/papers/unix/exploit.txt

Hope this one helps like the last one hopefully did


Good artists copy, great artists
steal.

-Picasso
#10110 08/30/03 04:52 AM
Joined: Jan 2003
Posts: 217
Ntd Offline
Member
Member
Joined: Jan 2003
Posts: 217
nice work blackKnight, so lets say i connect to a FTP server and for the password and username i paste 300 characters of stuff will that overflow the buffer?

#10111 08/30/03 05:08 AM
Joined: Nov 2002
Posts: 1,146
Likes: 1
Ice Offline
UGN News Staff
UGN News Staff
Joined: Nov 2002
Posts: 1,146
Likes: 1
heres yet another great txt file

Advanced buffer overflow exploits
http://www.zone-h.org/files/32/aboep.txt


Good artists copy, great artists
steal.

-Picasso
#10112 08/30/03 12:33 PM
Joined: Jun 2002
Posts: 207
Member
Member
Joined: Jun 2002
Posts: 207
http://www.cs.ucsb.edu/~jzhou/security/overflow.html

more coming soon//


Unbodied unsouled unheard unseen
Let the gift be grown in the time to call our own
Truth is natural like a wind that blows
Follow the direction no matter where it goes
Let the truth blow like a hurricane through me
#10113 08/30/03 11:39 PM
Joined: Jun 2003
Posts: 807
Likes: 2
G
UGN Super Poster
UGN Super Poster
G Offline
Joined: Jun 2003
Posts: 807
Likes: 2
hey thanx guys.

#10114 08/31/03 10:01 AM
Joined: Aug 2003
Posts: 240
Member
Member
Joined: Aug 2003
Posts: 240
NTD
Depends if they have error checking for the usernames buffer.. but there was a MS ftp vulnrability which allowed people to remotely exploit MS ftp servers because they didnt have buffer checking and of course all the exploit had to do was send a tcp stream
"USER (buffer gets printed here)" and your shellcode should be executed :p but of course remember seeing as how its remote you also have to store the shell code in there memory sumwhere
But i belive u can store your shellcode b4 u overwrite the esp and ebp registers and make them execute the USER buffer's address and that should load your shellcode.. but you would have to find a way to find the address all the time.. i'm not good with remote attacks.. never had to make one..


The wise make mistakes, the fools repeat them
----------------------------------------
When you have eliminated the impossible, that which remains, however improbable, must be the truth
#10115 09/01/03 02:25 PM
Joined: Nov 2002
Posts: 1,146
Likes: 1
Ice Offline
UGN News Staff
UGN News Staff
Joined: Nov 2002
Posts: 1,146
Likes: 1
hehe Black ur one 1337 guy = )
Heres another pretty good one

Writing buffer overflow exploits - a tutorial for beginners
http://www.zone-h.org/files/32/buffer_overflows_for_newbies.txt


Good artists copy, great artists
steal.

-Picasso
#10116 09/02/03 10:52 AM
Joined: Aug 2003
Posts: 240
Member
Member
Joined: Aug 2003
Posts: 240
lol thanks..
i don't consider myself "1337" im just learning like the rest, but i just seem to be ahead atm.. everyone can bring forward a different aspect to a project.. like games; they have 20 different people some for algorithims some for gui's etc.. But i appreciate the comment :p


The wise make mistakes, the fools repeat them
----------------------------------------
When you have eliminated the impossible, that which remains, however improbable, must be the truth

Link Copied to Clipboard
Member Spotlight
None yet
Forum Statistics
Forums41
Topics33,840
Posts68,858
Members2,176
Most Online3,253
Jan 13th, 2020
Latest Postings
Top Posters
UGN Security 41,392
Gremelin 7,203
§intå× 3,255
SilentRage 1,273
Ice 1,146
pergesu 1,136
Infinite 1,041
jonconley 955
Girlie 908
unreal 860
Top Likes Received
Ghost 2
Dartur 1
Cyrez 1
Girlie 1
unreal 1
Powered by UBB.threads™ PHP Forum Software 8.0.0