Buffer overflows - getting started


1. Who is this article for?
Well, if you are a beginner with security concepts, a frustrated system administrator, a curious person or just someone with a lot of free time, this article is for you.

2. What should I know before reading this article?
Not much - this is a very basic guide. The requirements for more advanced articles about this subject (C, assembly etc.) will help you but are not a must. A basic knowledge of computer software concepts and memory management will be enough.



What is a buffer overflow?
A buffer overflow is a software condition that happens because of poor programming habits. The most recent buffer overflow exploit is the 'Code Red' virus, which took advantage of a buffer overflow in Microsoft's IIS server (MS web server). In general, a buffer overflow occurs when a program declares a variable with a fixed length (for example, 20 bytes long) but the value that is assigned to this variable is larger than the variable's size.

Take this example:
My program outputs to the screen: "Please type your first name:". My program will take the input from the user (his first name) and place it in a variable I declared in my program. A problem can arise if the variable that will hold the user's name is 15 bytes long (looks long enough for a first name), but the user's name is 25 bytes long. What will happen is that all bytes after the 15th byte will "overflow" the memory that was allocated for the name variable.

When the program starts, memory is allocated like this:

<var1><var2><vname><Other things in memory>
 10b    6b    15b

(var1 and var2 are irrelevant variables; vname is the variable that
will contain the name the user will input, and its size is 15 bytes)

Assuming the user inputs the name "abcabcabcabcabcabcabcabcabc" (27 bytes), the memory will look like this:

somevalue2avalusabcabcabcabcabcabcabcabcabc
<--var1--><var2><----vname----><other things go here>

So what happened here is that the variable vname was "overflowed" by the input from the user, and now the value of "other things in memory" has changed because of the overflow of characters from the user input.
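The picture above, worked through in C as an added example (this code is not part of the original article). It models the article's layout - var1 (10 bytes), var2 (6 bytes), vname (15 bytes) and "other things" - as one flat array so that the effect of the overflow is visible and the program stays within defined behaviour; a real process image is assumed to look like the article's diagram but has no array boundary to stop at. The unchecked copy behaves like strcpy()/gets(); the checked copy is the bounded version a programmer should have written. All names, sizes and the filler values are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the article's diagram; OTHER_SIZE is an assumption. */
#define VAR1_SIZE  10
#define VAR2_SIZE  6
#define VNAME_SIZE 15
#define OTHER_SIZE 16
#define MEM_SIZE   (VAR1_SIZE + VAR2_SIZE + VNAME_SIZE + OTHER_SIZE)

#define VNAME_OFF  (VAR1_SIZE + VAR2_SIZE)     /* vname starts at byte 16 */
#define OTHER_OFF  (VNAME_OFF + VNAME_SIZE)    /* "other things" start at byte 31 */

/* Filler stored after vname so that any corruption is easy to detect. */
static const char OTHER_FILLER[OTHER_SIZE] = "OTHER-THINGS-XX";

/* The "when the program starts" picture: var1 and var2 hold the article's
 * filler values, vname is empty, "other things" holds the marker. */
static void init_memory(unsigned char mem[MEM_SIZE])
{
    memset(mem, 0, MEM_SIZE);
    memcpy(mem, "somevalue2", VAR1_SIZE);             /* var1 */
    memcpy(mem + VAR1_SIZE, "avalus", VAR2_SIZE);     /* var2 */
    memcpy(mem + OTHER_OFF, OTHER_FILLER, OTHER_SIZE); /* other things */
}

/* The bug: copies the user's name into vname with no length check, the way
 * strcpy() or gets() would. Every byte past the 15th lands in "other things".
 * The bound on MEM_SIZE only keeps this model inside its own array; a real
 * process has no such wall and keeps writing into whatever follows. */
static void store_name_unchecked(unsigned char mem[MEM_SIZE], const char *name)
{
    size_t i = 0;
    while (name[i] != '\0' && VNAME_OFF + i < MEM_SIZE) {
        mem[VNAME_OFF + i] = (unsigned char)name[i];
        i++;
    }
}

/* The fix: write at most VNAME_SIZE - 1 characters plus a terminator, and
 * tell the caller whether the input had to be truncated. */
static int store_name_checked(unsigned char mem[MEM_SIZE], const char *name)
{
    size_t len = strlen(name);
    size_t max = VNAME_SIZE - 1;
    int truncated = len > max;
    size_t n = truncated ? max : len;
    memcpy(mem + VNAME_OFF, name, n);
    mem[VNAME_OFF + n] = '\0';
    return truncated;
}

/* 1 if the bytes after vname still hold their original contents. */
static int other_things_intact(const unsigned char mem[MEM_SIZE])
{
    return memcmp(mem + OTHER_OFF, OTHER_FILLER, OTHER_SIZE) == 0;
}

/* Run one name through the unchecked copy; 1 if "other things" got corrupted. */
int unchecked_copy_corrupts(const char *name)
{
    unsigned char mem[MEM_SIZE];
    init_memory(mem);
    store_name_unchecked(mem, name);
    return !other_things_intact(mem);
}

/* Run one name through the checked copy; 1 if "other things" survived. */
int checked_copy_preserves(const char *name)
{
    unsigned char mem[MEM_SIZE];
    init_memory(mem);
    store_name_checked(mem, name);
    return other_things_intact(mem);
}

int main(void)
{
    const char *name = "abcabcabcabcabcabcabcabcabc"; /* the article's 27-byte input */
    printf("unchecked copy corrupts \"other things\": %s\n",
           unchecked_copy_corrupts(name) ? "yes" : "no");
    printf("checked copy keeps \"other things\" intact: %s\n",
           checked_copy_preserves(name) ? "yes" : "no");
    return 0;
}
```

Run it and the first line answers "yes" and the second "no" only if you break the checked copy: the 27-byte name overwrites 12 bytes of "other things" through the unchecked path, while the checked path stores the first 14 characters, terminates the string and leaves everything after vname untouched.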

Those of you with the criminal mind are asking by now "so how can I exploit this"???
Before we get to that, there are some important basic things we should know about computer architecture. In this article we will discuss Linux, but the concepts are similar on other platforms.

Process
The basic functioning unit in a running computer is a process. Everything the computer is doing is divided into processes, and the operating system is in charge of dividing the working power of the computer between all the many processes running together. There is no such thing as true multi-processing; the CPU switches between processes so quickly that it looks like many tasks are done simultaneously, but it is only a trick the computer is performing on us, the so slow-minded humans.
Each process has its own address space - a part of memory that belongs only to it, and no other process can access this memory. Which brings us to the next thing you have to understand:

Memory management
Modern operating systems manage memory as virtual memory. That means that no application has direct access to physical memory. The OS keeps a mapping table between the real physical addresses of memory and virtual addresses. When memory is allocated for some program to run, only the virtual address is handed to the program, never the physical address. Another use of virtual memory is that, because memory is not accessed directly by each process (or program), the OS can use space on the hard disk as memory, and the application can never know that the memory in use now is not physical RAM but hard disk swap space.

Now we get to the fun part - how is all that going to give me root access to an exploitable system? Remember we said earlier that when the input from the user is longer than the memory that was allocated for this input, the extra input overflows everything in memory that comes after the variable? This is the place where we can take advantage of things.
What we do is this: inside our input string (in the example above, the first name we are asked to input) we put commands for the computer; the most popular is to make the computer spawn a shell that we can use later to take full control of the exploited system. Making this work is not as simple as it may sound, so if you want to understand how this is done, you will have to read the next article about buffer overflows, which will describe exactly how to exploit one.


Credits:

09/09/2001
by Yossi