18 - Buffer Overflow

A buffer overflow is an anomaly in which a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. It is a special case of a memory-safety violation. Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behaviour, including memory access errors, incorrect results, a crash, or a breach of system security.

Module Objective

The objective of this lab is to help students learn and perform buffer overflow attacks to execute passwords.

In this lab, you need to:

  • Prepare a script to overflow buffer
  • Run the script against an application
  • Perform penetration testing for the application
  • Enumerate a password list

Scenario

Hackers continuously look for vulnerabilities in software or a computer to break into the system by exploiting these vulnerabilities.

The most commonly exploited vulnerability is the buffer overflow, where a program fails either to allocate sufficient memory for an input string or to test whether the string's length lies within its valid range. A hacker can exploit such a weakness by submitting an extra-long input to the program, designed to overflow its allocated input buffer (temporary storage area) and modify the values of nearby variables, cause the program to jump to unintended places, or even replace the program's instructions with arbitrary code.

If the buffer overflow bug lies in a network service daemon, the attack can be carried out by feeding the poisonous input string directly to the daemon. If the bug lies in an ordinary system tool or application with no direct access, the hacker attaches the poisonous string to a document or an email which, once opened, launches a passive buffer overflow attack. Such attacks are equivalent to a hacker logging into the system with the same user ID and privileges as the compromised program.

Buffer overflow bugs are especially common in C programs, since that language does not provide built-in array bounds checking and uses a final null byte to mark the end of a string instead of keeping its length in a separate field. To make things worse, C provides many library functions, such as strcat and getline, which copy strings without any bounds checking.

As an expert ethical hacker and penetration tester, you must have sound knowledge of when and how buffer overflows occur. You must understand stack-based and heap-based buffer overflows, perform penetration tests to detect buffer overflows in programs, and take precautions to protect programs against buffer overflow attacks.

I. Buffer Overflow Example

In computer security and programming, a buffer overflow, or buffer overrun, vulnerability appears where an application needs to read external input such as a character string, the receiving buffer is small relative to the possible size of the input string, and the application doesn't check the size. A buffer allocated at run-time is placed on the stack, which also holds the information needed to execute functions, such as local variables, argument variables, and the return address. The overflowing string can alter that information, which means an attacker can change it as he or she wants to. For example, the attacker can inject a series of machine language instructions as a string and then cause that attack code to execute by changing the return address to the address of the injected code. The ultimate goal of such methods is usually to gain control of a privileged shell.

Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows.

As a penetration tester, you should be able to implement protection against stack-smashing attacks, and you must be aware of all the defensive measures for buffer overflow attacks. You can prevent buffer overflow attacks by implementing run-time checks, address obfuscation, randomizing the location of functions in libc, performing static source-code analysis, marking the stack as non-executable, and using type-safe languages such as Java and ML.
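The following C program is an added illustration, not part of the original lab material, of the two points made above: a C library function such as strcpy copies until the terminating null byte with no knowledge of the destination's size, and the bounds check that prevents the overflow must leave room for that null byte. The function names (store_name_unchecked, store_name_checked, copy_bounded) and the 16-byte buffer size are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 16   /* assumed buffer size for the example */

/* Vulnerable pattern described in the text: strcpy copies every byte of src
 * up to its final null byte and never looks at how large name[] is. Any
 * input of 16 or more characters writes past the 16-byte local array and
 * overwrites whatever the compiler placed after it on the stack. */
int store_name_unchecked(const char *src)
{
    char name[NAME_SIZE];
    strcpy(name, src);                 /* no bounds check: this is the bug */
    return (int)strlen(name);
}

/* Hardened version: measure the input first and reject anything that does
 * not fit. The comparison is >= rather than > because one byte of the
 * buffer is needed for the terminating '\0' the text mentions.
 * Returns the number of characters stored, or -1 if the input was rejected. */
int store_name_checked(const char *src)
{
    char name[NAME_SIZE];
    size_t len = strlen(src);
    if (len >= sizeof name)            /* len == 15 fits, len == 16 does not */
        return -1;
    memcpy(name, src, len + 1);        /* copy the null byte as well */
    return (int)len;
}

/* General bounded copy with the same rule, usable for any destination size.
 * Unlike strncpy it always leaves dst null-terminated or leaves it untouched. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;                     /* would overflow: refuse, do not truncate */
    memcpy(dst, src, len + 1);
    return (int)len;
}

int main(void)
{
    char out[NAME_SIZE];
    printf("checked short : %d\n", store_name_checked("Alice"));
    printf("checked 15ch  : %d\n", store_name_checked("123456789012345"));
    printf("checked 16ch  : %d\n", store_name_checked("1234567890123456"));
    printf("bounded copy  : %d\n", copy_bounded(out, sizeof out, "Bob"));
    return 0;
}
```

Building with the compiler's stack protector (for example gcc or clang with -fstack-protector-strong) adds the run-time canary check the text lists among the defences; it detects a smashed frame in store_name_unchecked at function return but does not make the copy itself safe.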

Lab Objectives

The objective of this lab is to help students learn and perform buffer overflow to execute passwords. In this lab, you need to:

  • Prepare a script to overflow buffer
  • Run the script against an application
  • Perform penetration testing for the application
  • Enumerate a password list

In this lab, you have learnt to perform buffer overflow to execute passwords.

Module Syllabus

  • Buffer Overflows
  • Why are Programs And Applications Vulnerable?
  • Understanding Stacks
  • Stack-Based Buffer Overflow
  • Understanding Heap
    • Heap-Based Buffer Overflow
  • Stack Operations
    • Shellcode
    • No Operations (NOPs)
  • Knowledge Required to Program Buffer Overflow Exploits
  • Buffer Overflow Steps
    • Attacking a Real Program
    • Format String Problem
    • Overflow using Format String
    • Smashing the Stack
    • Once the Stack is Smashed...
  • Simple Uncontrolled Overflow
  • Simple Buffer Overflow in C
  • Code Analysis
  • Exploiting Semantic Comments in C (Annotations)
  • How to Mutate a Buffer Overflow Exploit?
  • Identifying Buffer Overflows
  • How to Detect Buffer Overflows in a Program?
  • BOU (Buffer Overflow Utility)
  • Testing for Heap Overflow Conditions: heap.exe
  • Steps for Testing for Stack Overflow in OllyDbg Debugger
    • Testing for Stack Overflow in OllyDbg Debugger
  • Testing for Format String Conditions using IDA Pro
  • BoF Detection Tools
  • Defense Against Buffer Overflows
    • Preventing BoF Attacks
    • Programming Countermeasures
  • Data Execution Prevention (DEP)
  • Enhanced Mitigation Experience Toolkit (EMET)
    • EMET System Configuration Settings
    • EMET Application Configuration Window
  • /GS http://microsoft.com
  • BoF Security Tools
    • BufferShield
  • Buffer Overflow Penetration Testing