Skip to main content

Buffer Overflow And Exploits

Buffer:
Well buffer is nothing,but small amount of memory used for temporary storage of data, usually to compensate for different in processing or transmitting speeds of two connected devices,such as computer and a Printer or any devices.

Stack:
The stack is an area of memory that holds temporary data followed by LIFO(Last In First Out) data structure where items are “pushed” and “popped” onto them.
The data is placed on the stack by PUSH operation and removed by POP operation.

Let's do same thing by doing some illustration below.

First PUSH operation


PUSH 1
PUSH 2
PUSH 3
After PUSH Operation:
The below is how looks stack after PUSH operation happened


Second POP operation:
POP EAX
POP EBX
POP ECX

After POP operation:
The below is how look like in the stack after POP operation happened in the stack

So the following things we have concluded:

The current location of the stack pointer can be accessed at any given time by accessing the stack pointer register (ESP).

The current base of a function can be accessed by using the EBP register which is called the base pointer or frame pointer

The current location of execution can be accessed by accessing the instruction pointer register (EIP)

We will go through a below example:

mov eax,0AAAAAAAAh
mov ebx,0BBBBBBBBh
mov ecx,0CCCCCCCCh
mov edx,0DDDDDDDDh
PUSH eax
Fo ex:Initially ESP contains the address:0xb2000000 and it contains 0AAAAAAAA
so now ESP will be (0xb2000000-4) =0xb1fffffc
So PUSH operation decrements the register by 4 .And if POP operation used,it will increment register by 4.we will see by example below:

PUSH ebx--> 0xb1fffffc-4=0xb1fffff8(ESP) and it contains 0BBBBBBBB

POP esi-->0xb1fffff8+4=0xb1fffffc(point to ESP) and ESI contains the value 0xBBBBBBBB

POP edi-->0xb1fffffc+4=0xb2000000(ESP) and EDI contains the value 0xAAAAAAAA


Registers:
Registers are the small chunk of internal memory that resides with in the processor and can be accessed easily without no performance hampering.A Register may hold A Instruction,Address that have storage

Type Of Registers:
Here we will discuss about IA32 family which is X86 Architecture because of widely used in the community.we will classify as follows:
General Purpose Registers:
These registers are used for common mathmetical Operaion and also can be used to store data and address,offset address and counting Operaion.
There are 8 32 bit General Purpose Register like:
EAX:Accumulators for result and operand data
EBX:Base Register
ECX:Counter for string and loop operation
EDX:Data Register
ESI:Pointer to data in the segment pointed to by the DS register; source pointer for string operations.
EDI:Pointer to data (or destination) in the segment pointed to by the ES register; destination pointer for string operations.
EBP:Pointer to the data on the stack(In the SS segment)/Holds base address of the Stack
ESP:Stack pointer register/Holds the top data of the stack

Also the 32 bit address again can be subdivided into 8 and 16 bit register.check below.
The following figure shows the lower 16 bits of the general-purpose registers can be used with the names AX, BX, CX, DX, BP, SP, SI, and DI (the names for the corresponding 32-bit ones have a prefix "E" for "extended"). Each of the lower two bytes of the EAX, EBX, ECX, and EDX registers can be referenced by the names AH, BH, CH, and DH (high bytes) and AL, BL, CL, and DL (low bytes).

Segment Registers:
There are 6 segment register that holds the 16 bit segment selectors.they are below.
. A segment selector is a special pointer that identifies a segment in memory. The six segment registers are:
  • CS: code segment register
  • SS: stack segment register
  • DS, ES, FS, GS: data segment registers
Four data segment registers provide programs with flexible and efficient ways to access data.
The EFLAGS register :

The EFLAGS register hold the state of the processor. It is modified by many intructions and is used for comparing some parameters,conditional loops and conditional jumps.Each bit holds the specific parameter of the last Instruction. Here is a listing :


Bit   Label    Desciption
---------------------------
0 CF Carry flag
2 PF Parity flag
4 AF Auxiliary carry flag
6 ZF Zero flag
7 SF Sign flag
8 TF Trap flag
9 IF Interrupt enable flag
10 DF Direction flag
11 OF Overflow flag
12-13 IOPL I/O Priviledge level
14 NT Nested task flag
16 RF Resume flag
17 VM Virtual 8086 mode flag
18 AC Alignment check flag (486+)
19 VIF Virutal interrupt flag
20 VIP Virtual interrupt pending flag
21 ID ID flag

Controll Registers:
These registers are the type of registers that are used to controll the function of processor.The most
impoertant of these registers is Extended Instruction Pointer(EIP) or simply Instruction Pointer.EIP contains the address of the next machine instruction to be executed.

There are other types of controll registers availble like CR0 to CR4 which works on Protected mode
ese registers are accessible to systems programmers only via variants of the MOV instruction, which allow them to be loaded from or stored in general registers.Please check below links for more details:
We will discuss about these registers when it comes to use
Exploit:
Exploit is nothing but taking the benifits of vulnerability and taking over programm.In our case after a overflow happen  or after crashing a application if we can take over the system wit the help of that software,then that will be exploit for us.
For crashing we need fuzzing.we will discuss in the future upcoming blogs.After crashing attacker will overwrite the EIP register and successful jump to shell code and shell code contains complete take-over feature.

Comments

Popular posts from this blog

Intro To Malware Analsys

Hi Folks, here I will analyze a malware which is possible packed with nspack. Details are below:SHA256:5df0b1b07143c880c76d6e82253a20192981c83c3ea68bf86ffede6b17c01da4File name:5df0b1b07143c880c76d6e82253a20192981c83c3ea68bf86ffede6b17c01da4

Vanilla Buffer Overflow And Attack On Linux Platform

Buffer Overflow Attack:
What is buffer Overflow:
A buffer overflow happens when too much data put into the buffer which exceed the length of buffer defined and memory corruption happens or application crashes. From Crashing to Exploit: After crashing a application with a fuzzer,next step to own the Application or exploit the Application.so after overflown the extra data is overwriteen to EIP register.we will discuss more in the upcoming blogs.so if we point the EIP to the shellcode we can exploit the application or vulnerability. Here we will discuss exploit and gdb on Linux platform.first we will discuss gdb . so far in the Internet we have seen lots of tutorials regarding Exploit,but in modern L:inux there are lots of protection like DEP,ASLR.so we have to disable that in the OS
ASLR is implemented by the kernel and the ELF loader by randomising the location of memory allocations (stack, heap, shared libraries, etc). This makes memory addresses harder to predict when an attacker is attempt…