The document provides an overview of buffer overflow vulnerabilities including:
1) It explains how buffer overflows work by writing more data to a buffer than it was allocated to hold, overwriting adjacent memory.
2) An example is given of a function that is vulnerable to buffer overflow by copying user input into a fixed-size buffer without checks.
3) It shows how by passing too much input data, the buffer can be overflown and the return address on the stack overwritten to point to the injected data instead of the intended return location.
15. EAX – Accumulator, used for default operands and results EBX – Base, used to store pointers to data ECX – Counter, used to count up or down EDX – Data, used as an I/O pointer EIP – Instruction Pointer, points to the next instruction Flag – Provides result for the latest operation CS – Code Segment, points to the source of code segment CS – Extra Segment, points to the source of extra segment SS – Stack Segment, points to the source of stack segment DS – Data Segment, points to the source of data segment EBP – Base Pointer, points to the base of the stack frame ESP – Stack Pointer, points to the top of the stack frame EDI – Destination Index, points to the data destination ESI – Source Index, points to the source for data C P U R E G I S T E R S
16. 0x100 0x200 0x300 0x400 . LOW . . .HIGH ES SS DS CS ESP, EBP EIP EDX, EBX, ESI, EDI EDX, EBX, ESI, EDI Segment Size: 0x100 S E G M EN T A T I O N
17. Buffer Overflow Basics 44 40 36 32 28 24 20 16 12 8 4 0 48 52 56 EBP ESP Stack Operations PUSH – Subtract 4 from ESP and put new value at that address POP – Add 4 to ESP 1A AC 09 CF PUSH 1A P USH CF PUSH 09 POP PUSH AC OPER EBP ESP 36 36 32 28 32 28 36 36 36 36 Stack grows in this direction...
18. main() main() main() main() main() main() fun1() fun1() fun1() fun2() LOW HIGH 1 5 4 3 2 -> fun1() -> fun2() -> fun1() -> main() Stack grows in this direction... Function Calls and Stack
19. int fun (int arg1, int arg2){ int lvar1 = arg1 + arg2; } int main () { int local_var1; fun (arg1, arg2); } 44 40 36 32 28 24 20 16 12 8 4 0 48 52 56 EBP ESP OLD EBP lvar1 local_var1 arg2 arg1 RETN ADDR Stack Organization for Function Calls
20. int add (int a, int b) { int c = a + b; } int main () { int x = 18; add (3, 6); } 44 40 36 32 28 24 20 16 12 8 4 0 48 52 56 EBP ESP x=18 6 3 RA=999 OLD EBP=48 c=9 Stack Organization for Function Calls
21. int vuln (char *argv) { char buf[80]; int a = 9; strcpy (buf, argv); } int main (int argc, char **argv) { int x = 6; vuln (argv[1]); } 120 116 112 108 104 204 EBP ESP 200 220 216 212 208 Buffer Overflow Example
22. int vuln (char *argv) { char buf[80]; int a = 9; strcpy (buf, argv); } int main (int argc, char **argv) { int x = 6; vuln (argv[1]); } 120 116 112 108 104 204 200 220 216 212 208 python -c 'print “A”*80' EBP ESP Buffer Overflow Example
23. int vuln (char *argv) { char buf[80]; int a = 9; strcpy (buf, argv); } int main (int argc, char **argv) { int x = 6; vuln (argv[1]); } 120 116 112 108 104 204 200 220 216 212 208 EBP ESP Buffer Overflow Example python -c 'print “A”*84'
24. int vuln (char *argv) { char buf[80]; int a = 9; strcpy (buf, argv); } int main (int argc, char **argv) { int x = 6; vuln (argv[1]); } 120 116 112 108 104 204 200 220 216 212 208 EBP ESP Buffer Overflow Example python -c 'print “A”*88'
25. So, you can overflow a buffer... now what? Sky is the limit...! Well, not really :) Let's just dig deep and see what exactly the scope of such a vulnerability is