The Anatomy of a Buffer Overflow Exploit

Because buffer overflows are one of the most common methods of application subversion in use today on the Internet, it is important that you understand these attacks and how to stop them. Let's take a look at the anatomy of a buffer overflow attack in detail.

In most buffer overflow attacks, the attacker targets a program function that reads input and then calls a subroutine (see Figure 7-1). What makes this possible is that the vulnerable function allocates a fixed-size buffer for the input but never checks the length of that input before copying it into the buffer.

Figure 7-1 Buffer Overflow

[Figure: a login function reads User (8 char.) and Password (8 char.) and calls call-auth(user, password). The stack frame holds the local variables (user, xxxxxxxx) followed by the return address (01ff21ae652db1). The subroutine call to the authentication routine returns to that address.]

• When an application makes a subroutine call, it places the input parameters on the stack.

• The return address, the location to resume at when the subroutine finishes, is also placed on the stack at the time of the call.

• An attacker-supplied parameter that is longer than the space reserved for it on the stack overwrites the data stored after it, including the return address.

When an application makes a subroutine call, it places the input parameters on the stack, and the return address is saved on the stack at the time of the call so that execution can resume in the caller afterwards. Local variables, such as the fixed-size buffer that holds the input, live on the same stack, below the saved return address. An attacker overwrites the return address by sending data that is longer than the fixed buffer the application allocated: the copy runs past the end of the buffer and into the saved return address. When the subroutine returns, the processor jumps to the attacker-supplied address instead of back to the caller. The attacker chooses that address to point at code he supplied as part of the same over-long input. In effect, the attacker has hijacked the program's control flow, and the end result is that arbitrary code runs with the privileges of the legitimate application.
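The mechanism described above, as an added example that is not part of the original text: a constructed model of the Figure 7-1 frame (two 8-byte fields followed by the saved return address) shows an unchecked copy clobbering the return address, and the length-checked version that rejects the same input. The struct layout, the function names and the 0x4141... "target" are assumptions made for the demonstration; a real frame's layout depends on the compiler and ABI, and the copy is kept inside the struct so the program is well-defined C rather than an actual memory-corruption crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 8                     /* the 8-char user/password fields in Figure 7-1 */

/* Constructed model of the stack frame in Figure 7-1: two fixed 8-byte fields
 * followed by the saved return address. A real frame's layout depends on the
 * compiler and ABI; the model keeps the demonstration well-defined C. */
struct frame {
    char     user[FIELD_LEN];
    char     password[FIELD_LEN];
    uint64_t return_address;
};

/* Value the figure shows as the legitimate return address. */
#define LEGIT_RETURN 0x01ff21ae652db1ULL

/* The bug: copy the input into user[] with no length check, exactly as strcpy()
 * would. Bytes 0-7 land in user, 8-15 in password, 16-23 in return_address.
 * Returns the return address the frame holds afterwards. */
uint64_t login_unchecked(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.return_address = LEGIT_RETURN;

    size_t n = strlen(input);
    if (n > sizeof f)                   /* clamp only to keep the model inside its own object */
        n = sizeof f;
    memcpy((unsigned char *)&f, input, n);   /* overruns user[] into the rest of the frame */

    return f.return_address;
}

/* The fix: check the length against the buffer before copying, reject anything
 * that does not fit, and always NUL-terminate. Returns 0 on success, -1 if rejected. */
int login_checked(const char *input, char out[FIELD_LEN + 1])
{
    size_t n = strlen(input);
    if (n > FIELD_LEN)
        return -1;
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

/* Build the attacker's over-long "user name": filler to reach the saved return
 * address, then the address the attacker wants the function to return to, in
 * the machine's native byte order. Returns the payload length (excluding NUL),
 * or 0 if the destination buffer is too small. */
size_t build_payload(char *buf, size_t buflen, uint64_t target)
{
    size_t filler = offsetof(struct frame, return_address);
    size_t total  = filler + sizeof target;
    if (buflen < total + 1)
        return 0;
    memset(buf, 'A', filler);
    memcpy(buf + filler, &target, sizeof target);
    buf[total] = '\0';                  /* keeps the payload usable as a C string */
    return total;
}

int main(void)
{
    char payload[64];
    /* 0x4141... stands in for the address of attacker-supplied code; it contains
     * no zero byte, so the C-string copy does not stop early. */
    build_payload(payload, sizeof payload, 0x4141414141414141ULL);

    printf("legit input : return address = 0x%llx\n",
           (unsigned long long)login_unchecked("user1"));
    printf("overflow    : return address = 0x%llx\n",
           (unsigned long long)login_unchecked(payload));

    char user[FIELD_LEN + 1];
    printf("checked copy of payload: %s\n",
           login_checked(payload, user) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Two practical caveats. First, the check in login_checked is the whole fix: the copy itself is unchanged, so the lesson is to bound the input by the buffer size (strlen before memcpy, fgets with sizeof, snprintf, strlcpy where available), never to trust the input's own terminator. Second, on current systems the figure's picture is the starting point rather than the end: stack canaries, non-executable stacks and address randomization mean a real return-address overwrite needs more than the over-long string shown here, and on x86-64 the first arguments travel in registers rather than on the stack, though the saved return address and local buffers are still on the stack.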
