2007 A hacking Odyssey: Part One – Reconnaissance

2007 A hacking Odyssey – Reconnaissance

The aim of this series of papers, which will take an in-depth look at how someone may target and electronically break into an organisation, is to educate the people who are tasked with looking after and securing a corporate network so that they can do so effectively.

My personal outlook on this issue is that if you have no idea about the steps a would-be attacker will take to try to gain access to your systems, then you as an administrator cannot secure those systems to an acceptable standard. Some people disagree with the concept of demonstrating how to gain access to networks you are not meant to, whilst others agree with the ‘full disclosure’ approach.

Take a firewall, for example: if you don’t understand the steps an attacker will go through to try to get traffic through it, how can you stop them from doing so? All you can do is configure it the best way you know how and hope it is good enough.


Cracking WEP with Windows XP pro.

Cracking WEP with Windows XP Pro SP2

There is a video counterpart to this, in which I describe what I am doing and how to carry out all the actions in this paper from start to finish. It will be available as soon as I can secure my web site adequately and will only ever be available to registered TAZ members. This paper should be considered the pre-reading for the video tutorial.

This is part one of a two-part paper on cracking WEP with Windows XP. This first part covers sniffing wireless traffic and obtaining the WEP key. Part two will cover associating with a wireless AP, spoofing your MAC address, trying to log on to the AP administratively and further things you can do on the WLAN once authenticated.

What is WEP:

Wired Equivalent Privacy (WEP) is often mistakenly thought of as a protocol designed to protect wireless traffic completely, which is not the case.
As its name suggests, it was designed to give wireless traffic the same level of protection as a wired LAN, which, when you think about it, is a very hard thing to set out to do.

Wired LANs are inherently more secure than wireless LANs (WLANs) because of physical and geographical constraints. For an attacker to sniff data on a wired LAN they must have physical access to it, which is obviously easier to prevent than access to traffic on a WLAN, where anyone within radio range can capture frames.

WEP works at the data link layer (Layer 2 of the OSI model), encrypting the payload of 802.11 frames, so it does not provide end-to-end security for the data: the data is only protected over the air, and travels in clear on the wired side of the access point unless a higher-layer protocol protects it.

WEP can therefore provide a level of security between a wireless client and an access point, or between two wireless clients.


WEP Standards:

WEP is commonly implemented with 64-bit or 128-bit keys. These are sometimes referred to as 40-bit and 104-bit, because each data packet is encrypted with an RC4 keystream that is generated from an RC4 seed, and that seed is made up of two parts. For a 64-bit WEP implementation the seed is composed of the 40-bit shared WEP key and a 24-bit Initialization Vector (IV), hence the 64-bit RC4 seed; the actual secret WEP part of it is only 40 bits long, the IV taking up the other 24 bits, which is why a 64-bit WEP key is sometimes referred to as a 40-bit WEP key (and a 128-bit key as a 104-bit one).

The resulting keystream is XORed with the plaintext data (and its CRC-32 integrity check value) to encrypt the packet. To decrypt it, the receiver uses the same WEP key together with the IV transmitted in clear with the packet to generate an identical keystream and XOR it back out. More about this, and about IVs in detail, later on.

Failures of WEP:

We have all heard everyone say that WEP is easy to crack, should not be used, can be cracked in ten minutes and so on, but why is this?

Well in my opinion WEP is seriously flawed for the following reasons:

1) Initialization Vectors are reused. An IV is only 24 bits long, so there are only 16,777,216 of them and it is only a matter of time before one is reused; couple this with the fact that you may have 50+ wireless clients all using the same WEP key, and the chance of reuse improves even further.
The IV is sent in clear along with the encrypted part of the packet, and it is the only part of the RC4 seed that changes from packet to packet, so two packets sent with the same IV under the same key have been encrypted with an identical keystream. The reuse of any encryption element is a fundamental flaw in that encryption, and because the IV is visible an attacker can tell exactly which captured packets share one.
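The keystream construction described under “WEP Standards” and the IV-reuse problem in point 1, as an added example in C that is not part of the original paper. It implements RC4 and the WEP seed (24-bit IV followed by the 40-bit key), checks the RC4 core against the commonly published “Key”/“Plaintext” test vector, and then shows what an eavesdropper gets from two frames sent under the same IV: the XOR of the two ciphertexts equals the XOR of the two plaintexts, with no key involved. The key, IV and packet contents are constructed for the demo; the CRC-32 ICV and the frame header are left out.

```c
/* Added example, not part of the original paper: a minimal model of the WEP
 * per-packet RC4 keystream (40-bit key, 24-bit IV, 64-bit RC4 seed) and of
 * what IV reuse gives an eavesdropper. Key, IVs and packet contents below are
 * constructed for the demo; a real frame also carries the IV in clear and a
 * CRC-32 ICV, both omitted here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WEP_IV_LEN   3                  /* 24-bit IV, transmitted in clear  */
#define WEP_KEY_LEN  5                  /* 40-bit shared key ("64-bit WEP") */
#define WEP_SEED_LEN (WEP_IV_LEN + WEP_KEY_LEN)
#define MAX_FRAME    256

/* RC4: key scheduling (KSA), then keystream generation (PRGA). */
static void rc4_keystream(const uint8_t *seed, size_t seed_len,
                          uint8_t *ks, size_t len)
{
    uint8_t S[256], t;
    unsigned i, j;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + seed[i % seed_len]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t k = 0; k < len; k++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        ks[k] = S[(S[i] + S[j]) & 0xff];
    }
}

/* WEP encryption and decryption are the same XOR with keystream(IV || key).
 * Returns -1 if the frame is larger than this demo handles. */
static int wep_crypt(const uint8_t iv[WEP_IV_LEN], const uint8_t key[WEP_KEY_LEN],
                     const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t seed[WEP_SEED_LEN], ks[MAX_FRAME];
    if (len > MAX_FRAME) return -1;
    memcpy(seed, iv, WEP_IV_LEN);                 /* IV first ...           */
    memcpy(seed + WEP_IV_LEN, key, WEP_KEY_LEN);  /* ... then the secret key */
    rc4_keystream(seed, WEP_SEED_LEN, ks, len);
    for (size_t k = 0; k < len; k++) out[k] = in[k] ^ ks[k];
    return 0;
}

/* Sanity check of the RC4 core against the widely published test vector:
 * key "Key", plaintext "Plaintext" -> BB F3 16 E8 D9 40 AF 0A D3. */
int rc4_selfcheck(void)
{
    static const uint8_t expect[9] =
        {0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A, 0xD3};
    uint8_t ks[9], c[9];
    rc4_keystream((const uint8_t *)"Key", 3, ks, 9);
    for (int k = 0; k < 9; k++) c[k] = (uint8_t)("Plaintext"[k] ^ ks[k]);
    return memcmp(c, expect, 9) == 0;
}

/* Constructed demo data: one key, one IV, two different packets. */
static const uint8_t demo_key[WEP_KEY_LEN] = {0x0b, 0xad, 0xc0, 0xff, 0xee};
static const uint8_t demo_iv[WEP_IV_LEN]   = {0x12, 0x34, 0x56};
static const char demo_p1[] = "GET /index.html";
static const char demo_p2[] = "user=admin&pw=";

/* Encrypt then decrypt with the same IV and key: 1 if the plaintext survives. */
int wep_roundtrip_ok(void)
{
    uint8_t c[MAX_FRAME], p[MAX_FRAME];
    size_t n = strlen(demo_p1);
    wep_crypt(demo_iv, demo_key, (const uint8_t *)demo_p1, c, n);
    wep_crypt(demo_iv, demo_key, c, p, n);
    return memcmp(p, demo_p1, n) == 0;
}

/* Eavesdropper's view of IV reuse: both frames were XORed with the identical
 * keystream, so c1 ^ c2 == p1 ^ p2 and the key drops out entirely. Returns 1
 * if that relation holds for every byte of the shorter packet. */
int iv_reuse_leaks_plaintext_xor(void)
{
    uint8_t c1[MAX_FRAME], c2[MAX_FRAME];
    size_t n = strlen(demo_p2);                   /* the shorter of the two */
    wep_crypt(demo_iv, demo_key, (const uint8_t *)demo_p1, c1, strlen(demo_p1));
    wep_crypt(demo_iv, demo_key, (const uint8_t *)demo_p2, c2, n);
    for (size_t k = 0; k < n; k++)
        if ((c1[k] ^ c2[k]) != (uint8_t)(demo_p1[k] ^ demo_p2[k])) return 0;
    return 1;
}
```

Once an attacker knows (or can guess) the content of one packet that shares an IV, the XOR relation hands over the other one directly. Nothing in the WEP design prevents a sender from repeating IVs, and a busy network with many clients sharing one key exhausts the 24-bit space quickly, as the text says.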

TAZ Forum :: A Computer, Gaming, and Social Network Community of Friends :: View topic – Tutorial – Cracking WEP with Windows XP pro.

Tutorial For Beginners – Windows XP Security

This Windows XP tutorial is for those who are first time computer users or users who have had NO training. This is not a blind HOW TO. The first thing you need to know about computer security is that no matter how secure a system, if the system connects to another system it is vulnerable to attack. And by vulnerable I mean it’s there. Just like your car is vulnerable to theft, even though it’s locked away in your garage with the doors locked and the alarm on, someone can still try to steal it.

All words in bold are key words you should search on if you are interested in learning more about the topic.

Please post any questions in this thread and I will do my best to answer them. I will not respond to PM’s unless I post asking you to.

First of all, let me address something I’ve heard in bars, at parties, my parent’s house and all over the Web.

“Instead of using Windows, switch to something more secure like Linux”.

O.K. There are two problems with that statement.

First: someone who has just picked up their new PC from the local computer store is not going to be able to reinstall Windows, much less any other operating system (OS).

Secondly: every flavour of *nix (Linux, BSD, UNIX, etc.) has its own unique flaws that can be exploited. It’s not just the OS you have to secure; as with any OS, it’s also the applications.

When it comes to which OS is more secure there is only one thing you must know. Microsoft is the biggest software company because THEY WERE FIRST TO MARKET! Let me say that again: FIRST TO MARKET.

Microsoft has the largest percentage of market share because it got there first. It beat Apple and IBM (the major software companies at the time). Microsoft got on the home PC and the rest is history. This is important because the virus writers and “hackers”, in the beginning, wanted the prestige that came along with defacing, deleting and basically screwing up as many computers as they could with one piece of malicious software. Nowadays, the same types are turning toward making as much money as possible. So if you want to be a bad guy, what are you going to exploit? An operating system installed on 10% of the world’s computers or 90%? If you said 10% … well, your program isn’t going to work anyway. The next thing to remember is that first to market means “ship the stuff and we’ll fix the bugs later”. So in the beginning, Microsoft’s software wasn’t that good. But after gaining a dominant position in the market, Microsoft realized that, in order to keep it, they had to produce quality software instead of quick, bug-ridden software.

Cookies, File Encryption, and Erasing Files.
Not really security as such, but privacy. Cookies are often discussed as a bad thing that steals your information. Well, here’s the scoop. Cookies are given to your browser when it visits a web site. When you check “remember me next time I log in”, the cookie is what remembers that. Now, there are ways to modify a local cookie and use it to do bad things on the server, but that’s outside the scope of this tutorial. For the most part, don’t worry about cookies. However, a type of cookie can also be issued to you that will collect more data than you wish, but here’s the kicker: you have to visit a website run by unethical individuals. So avoid sites that offer free copies of Microsoft Office and other things that seem too good to be true. “There’s no such thing as a free lunch.” ’Twas true before the Internet, will be true after the Internet. The most important thing to remember about cookies is that they can be deleted. If you’re reading this from a public computer, don’t forget to clear your browser’s cookies and cache!

Ports and Services.
So you’re trying to find out how to “secure” your PC and everything you read says turn off all unnecessary services and close unused ports. Yeah, right: what’s a port? Where are these services and how do I turn them off? Do this: give your PC the good ol’ three-finger salute, CTRL+ALT+DELETE (hold down the three keys at once). Now click the Task Manager button, then the Processes tab. See all of those weird names listed in the box? Those are processes, and some of them are services. Most of the processes end with .exe and control how your computer works. For example, see the services.exe process. services.exe is part of the Microsoft Windows operating system and manages the starting and stopping of other services; it also deals with the automatic starting of services during boot-up and the stopping of services during shut-down. Google or www.liutilities.com is a great resource for finding out what all of these services do. Be warned: if a virus ever used any of these services, that will be noted. Don’t freak out thinking you have a virus. I know of at least 50 viruses that infected or used the services.exe program.

Now before I get to showing you how, I have to explain what is known as TCP. This is not an exact description – but just a loose definition. The terminology is something you will need to research yourself as you get further along and become more comfortable with networking. I have put the keywords for your search in bold.

by dinowuff


Central Secure Logging in a Win2k Environment

Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.

You can find the original post here: http://www.antionline.com/showthread.php?s=&threadid=246159

Enjoy

Secure Central Logging and Intrusion Detection Systems
in a Windows 2000/XP Environment.

Purpose:

This document details the requirements and implementation of a central logging and intrusion detection system using freeware/no-cost software for non-profit organizations, and so should be attractive to other cost-conscious organizations as well. It concerns itself primarily with the security and logging of data passing through the perimeter and with the detection of internal activity that might indicate suspicious activity emanating from the local network.

Assumptions:

This document assumes that the organization is self-hosting relatively progressive services, (within the realm of non-profit organizations), available from the public internet. These may include, but not be limited to, internet mail, web sites, VPN, Terminal Services, Web Based Email and Domain Name Service, (DNS). It further assumes knowledge of the ports/services commonly used over the internet, TCP/IP, general hacking/cracking techniques and the steps taken in attempting to hack/crack a system, hardening servers and best practices in network security. It further assumes that the administrator maintains a daily check for new patches, monitors such resources as BugTraq, AntiOnline etc. for information regarding new exploits/flaws and mitigates the risk in whatever way is best suited to his/her organization.

Concepts:

1. Microsoft Windows 2000/XP has no native central logging system such as *nix’s syslog, so without the purchase of expensive third-party solutions the task of analyzing logs in even relatively small organizations is unwieldy and error-prone.
2. To make it possible to manage and analyze the many systems that produce logs of value in the event of an attempted or actual compromise, it is necessary to centralize all the logs into one place.
3. Knowing that the first task of a malicious person after a successful compromise is to hide their presence, it is imperative that the logs be secured, distributed and analyzed on a schedule that reflects the risk and the traffic of the monitored network(s).
4. Security is best served by defense in depth and security logging should follow the same principle, so logging only to syslog would be a mistake. Installing PureSecure also allows logging to a MySQL or MSSQL server, so use that ability as you see fit.
5. A side benefit of logging to MySQL/MSSQL through PureSecure is that in a busy shop the syslog output scrolls too quickly to watch live in Kiwi Syslog Daemon. This secondary log adds the extra level of “depth” and allows proper “real-time” viewing of IDS alerts in an intuitive interface.
6. The file format for logging should keep the maximum amount of data in the minimum amount of disk space, to enable cost-effective archiving and analysis.
7. The minimum logs that should be centralized are firewall logs, Intrusion Detection System (IDS) logs, Internet Information Server (IIS) logs and critical server/client event logs. With logs of this nature secured and distributed, the information required to track down events of interest and mitigate any current or future damage should be available.

Conventions:

1. Square brackets, ([ ]), indicate the systems I currently use to operate these systems.
2. NOTE: indicates an area where there may be an issue, or where the information given is specific and does not seem (easily) to be able to be got around. For example: BackLogIIS allows you to specify the directory to monitor for log events and even writes that information to the registry, but it ignores that and insists on looking in %system root%\system32\logfiles\exxxxxx.log for its logs. No response was received from the writers of the program, so one cannot capture an Exchange server’s mail logs, which do not appear to be movable out of a separate subfolder of that folder.

Specific Hardware Requirements:

1. A dedicated PC (known from here on as the Log Server), preferably running Windows 2000 Server, with a system drive and a large log drive, to be the dedicated log server. The CPU/RAM combination need be little more than is required to run Windows 2000 efficiently (this is somewhat a matter of taste and somewhat a matter of the amount of traffic to be logged). [The log server is an AMD 900/256M/20G system drive/40G log drive/48x CD writer/Win2k Server SP3. This machine is a standalone server (not a domain member).] This machine is hardened and further protected by an installation of ZoneAlarm Personal Firewall, with trusts established to the Primary Sensor and the other installed sensors delineated below. All accounts except the administrator account should be disabled and the administrator should be renamed as part of the hardening (the same applies to the Primary Sensor).
2. A dedicated PC (known from here on as the Primary Sensor) that is a hardened Windows 2000 Pro machine. Dual NICs are required, since one will monitor traffic outside the firewall and the other inside. You will need to place a small hub between your border router and your firewall; this can be a 10Mbps hub, since your traffic is limited by your internet connection speed, which should not exceed the hub’s capacity. There should also be a hub inside the firewall that all traffic runs through (both inbound and outbound) so that the internal sensors can be connected there (a managed switch with a mirror/SPAN port serves the same purpose). The internal hub needs to be sufficiently “sized” to ensure that the sensors’ NICs can see all the traffic passing that segment, so it may be inadvisable to use a 10Mbps hub here when the rest of the network runs at 100Mbps. [The Primary Sensor is a PII-233/128/6G/Win2k Pro SP3. This machine is a standalone workstation.]
3. A non-dedicated server with sufficient drive space to archive the log files within the domain structure (known from here on as the Archive Server). Access to the archived logs is restricted to domain administrators only.
4. A non-dedicated workstation that acts both as an additional sensor and as the log analysis machine (from here on known as the Security Administrator’s PC, or SA PC for short). This machine is a domain member, with access to its drives restricted to the security administrator’s login and password combination.
5. Publicly available servers, from here on known as the Public Servers.
6. Non-public servers, which are AD servers at primary locations, from here on known as the Private Servers.
7. A hardware firewall capable of transmitting its log data into the internal network in a format that can be captured as text. Ideally this firewall will natively be able to log to a syslog server.

Specific Software Requirements:

1. Kiwi’s Syslog Daemon is a Win32 syslog service that runs on Windows NT/2000/XP machines and is available at:
http://www.kiwisyslog.com/software_downloads.htm#syslog
2. PureSecure is an IDS system that runs the Win32 port of Snort, (www.snort.org), and also includes a file integrity verification system and a service monitor all in a single package with a usable interface. The main console can manage numerous sensors and the installation is quick and easy. PureSecure is available for non commercial use at http://www.demarc.com. There is a “professional” version which at the time of download was $1500 for the main sensor and $99 for each additional sensor making this a relatively cost effective solution for commercial enterprises, especially when incorporated in the central logging system I am discussing.
3. BackLogIIS is a Win32 service that captures IIS logs written to %system root%\system32\logfiles and forwards them to a syslog server. It can be located here:
http://www.intersectalliance.com/pr…gIIS/index.html
4. Snare is a Win32 Event log system that captures any event log entry and forwards it to a syslog server. It is available from:
http://www.intersectalliance.com/pr…dows/index.html
5. LineStrip is a text file line stripper that can manipulate text files by numerous parameters and dump the output to a new file. It has a full function command line interface that lends itself well to script execution. LineStrip can be found at http://www.lexacorp.com.pg/.
6. TXTCollector is a Win32 system that allows you to join all the text files together in a given directory. This is handy for rejoining the daily syslog files to get a broader look at an IP’s activity over time without the tedium of doing it one file at a time. TXTCollector is available here: http://bluefive.pair.com/free95.htm.

Initial Configuration:

The Primary Sensor: Begin the configuration of the Primary Sensor by installing PureSecure. If you do not have WinPcap installed it will prompt you to install it; do so, restart the machine and rerun the PureSecure installation. Tell the installer that this is to be the primary sensor (name it what you like), tell it to install MySQL, and fill out the usernames and passwords as you see fit. Tell it to run Snort on the external interface first.

NOTE: The NIC connected to the external segment must have all protocols unbound. Go to Network Neighborhood – Properties – External Connection – Properties and uncheck every entry in that dialogue, including TCP/IP. WinPcap will place the NIC in promiscuous mode without any protocol being bound to it, and with no IP stack on that interface the NIC is in “stealth” mode: it cannot be addressed or detected from the network unless the cracker already has a foothold in its collision domain, i.e. on the border router or the firewall, which, if they can do it, means you are already in pretty deep trouble.

When asked whether to allow anonymous access, reply “No” (you will still be able to reach the console from anywhere within the LAN, but will be required to authenticate with the administrator’s login/password combination). You will now need to configure the IIS server (steps 36-43 of the PureSecure installation documentation found at http://www.demarc.com/support/docum…n32install.txt). Then open IE, navigate to http://localhost/demarc/puresecure.exe, add it to your favourites, right-click it in your favourites and send it to the desktop for quick access.

For information on the snort.conf file which you will need to modify please see the “Snort Stuff” section at the end of this document.

Under Configure Integrity Checking select this sensor and in the dialogue enter the following lines, where %system path% and %path% are where you have actually installed the files to be checked:

RED;%system path%\system32;0;Main Sensor System Files
RED;%path%\autoexec.bat;0;Main Sensor Autoexec.bat
RED;%path%\config.sys;0;Main Sensor Config.sys
RED;%path%\wwwroot;1;Main Sensor wwwroot

NOTE: There is a 1 in the wwwroot entry. The options are 1 and 0: zero means do not check subdirectories and one means do check them. In the case of the system32 folder, checking the subfolders would result in alarms every few seconds, but in the case of wwwroot it will not, since the site is static. It is imperative that you keep a watch on the subfolders of the web root.
[This sensor typically consumes 2-8% of CPU with an average in the region of 4%. I don’t recall ever seeing it exceed 10%.]

The Log Server: Install Kiwi Syslog Daemon and tell it to both “display” and “log to file” in the options dialogue after install. Tell it where you want the logs written (that nice big log drive you installed is a handy place). I use a batch file like the following to turn the real-time display on and off for diagnostic purposes (syslogd is the default service name; %path% is the Kiwi install folder):

REM stop the Kiwi service (its default service name is syslogd)
net stop syslogd
REM run the program interactively so its window shows entries as they arrive
%path%\syslogd
REM once the window is closed, put the service back
net start syslogd

NOTE: This is necessary because the syslog program cannot be run twice and will error out if the service is already running. Stopping the service and running the program interactively lets you see the syslog window with the log entries scrolling while you test syslogging from remote machines. When you close the syslog window the service restarts, and because you told it to display and log to file you should find the log file is complete (or very nearly).

The syslog daemon has the ability to send itself a test message, and this is a good time to do so. If you run the system in its “real-time” mode using the batch file above you will immediately see the message appear on the screen; then go to the log file itself and make sure the message appeared there too. If it did, the syslog server is all set to go.

Install PureSecure on the Log Server. This time it is not the main sensor, so you do not need MySQL and you do not need to run Snort; tell it to report to the Primary Sensor’s MySQL server. At this point, and each time you do something new on this server, ZoneAlarm is going to “whine”: allow the service to act as a server or trust incoming connections from the appropriate machine. Go back to the Primary Sensor and under the Configure Integrity Checking section you should see the new server. In the configure dialogue enter the following lines:

RED;%system path%\system32;0;Log Server System Files
RED;%path%\autoexec.bat;0;Log Server Autoexec.bat
RED;%path%\config.sys;0;Log Server Config.sys

NOTE: At this point the Primary Sensor should be reporting alerts from the external interface and integrity checking from two systems. The integrity checking takes 30 minutes to “kick in” on each system, and the alerts may need to be “prodded” by sending a noisy scan at the firewall from outside. If you are not getting this information, now is the time to begin troubleshooting, which is too big a subject to go into here.

If you have these three facets reporting correctly to the MySQL server and thus the PureSecure console then we are good to start adding the “fancy” parts of the overall system.

Complete the “Real-Time” Integrity Checking:

The Public and the Private Servers: The exact configuration of the publicly available servers will depend somewhat on your system, but the basic folders to watch are the same as we used for the Log Server. If you are hosting publicly available HTTP or HTTPS then the wwwroot needs to be monitored too. Be careful to pick folders where little or no change should take place, to avoid false alarms. Install PureSecure on all the Public Servers in the same fashion as for the Log Server (not the primary sensor, no MySQL or Snort, reporting to the Primary Sensor’s MySQL database). After each install check the Integrity Verification in PureSecure to ensure the new server “turned up” (they usually do; if they don’t, stop and restart the Demarc service on the server you installed on, which usually fixes it). Assuming it’s there, go ahead and add the lines in the integrity verification to monitor the machine, remembering that it takes 30 minutes before the first scan is done.

NOTE: Integrity Checking makes an MD5 signature for every file in the selected folders, which it then regenerates and compares against its database every 30 minutes. This can be several thousand files and can place a burden on the drive(s). In my experience this can have an effect on slower servers, though, for my part, I prefer the “warm, fuzzy” feeling I get knowing they are being watched over the relatively small negative impact on the server. In terms of network performance I have noticed no negative impact, since the integrity check itself takes place within the server and only the results appear to be passed across the network.

System monitoring:

Since PureSecure can monitor services we might as well use it. It is really nice to know that a system is down within 5 minutes of the failure, which is usually before the users start calling. There is a side benefit to the service monitoring that some may overlook when deciding not to install it: if a cracker realizes that the Primary Sensor exists and tries to DoS it, then monitoring from the Primary Sensor means the monitoring itself will most probably be disrupted and you will be warned within 5 minutes. A check of your “failed” system will show it to be up; you should then start to wonder why, packet sniff the Primary Sensor, and begin to panic when you see the results.

First you need to list all the assets that are critical to the network’s function (routers, firewalls, services run by servers etc.). Then categorize them into groups (Public Servers, Private Servers, Routers, Firewalls etc.). Under the configuration tab of PureSecure create the groups and then the individual assets, adding them to the appropriate group as you go. Now you can begin creating the events. The events configuration tab asks you for the asset, the service, the port and the sensor to monitor from, with many of the services selectable from a drop-down list. So, for example, you would select your mail server, SMTP and the Primary Sensor as the monitoring sensor and click go. From this point on, every 5 minutes the Primary Sensor will complete a TCP three-way handshake with the mail server on port 25 and send it “HELO localhost”. When it receives a “250” reply from the mail server it is happy. If it doesn’t, it pops a red light at the top of the console along with the server name and the date/time it failed. 5 minutes later it will check again. If the service is back up it will clear the red light, but if you select the Monitoring tab you can access the history of each server/service, which can sometimes assist in troubleshooting: when a user says they couldn’t get to the internet last night, you may be able to see that the border router was unavailable for 10 minutes at the same time (this should also ring an alarm bell in your head, since routers are not supposed to go “out for lunch”). Bear in mind that a successful HELO only shows that something is answering on port 25, not that mail is actually being delivered.


Tutorial – Buffer Overflows Part 2

Buffer Overflows Part 2!

This is a continuation of my first Buffer Overflow tutorial; I would highly recommend that you read that tutorial before you read this one! (Even if you’ve read it before, re-read it to refresh your memory!)

Ok, so in part one we looked at:

How a buffer overflow happens and the security implications of this.

Ways to find which programs have SUID privileges, using the command

find / -type f -perm -04000 -ls

We also looked at how to change a program’s ownership and permissions to give it root privileges.

I will start this tutorial at the point where you have compiled a piece of code that is vulnerable to an overflow (see part 1), changed its ownership to root and made it a SUID root program. We will call this program “pool”.

So we know pool can be exploited with a buffer overflow (as we programmed it) and we know it has root privileges (as we gave them to it).

Now what we need is a program that generates a buffer (remember, a buffer is a portion of memory assigned to a program) containing the shellcode, which will spawn a shell, to be “fed” into the pool program. We will call this program “snooker”.

Our aim is to make pool’s buffer overflow with the data snooker feeds it, overwrite the saved return address so that EIP points into our shellcode within that buffer, and so make pool, which runs as root, execute the shellcode.

Obviously for this to work we need to know where our shellcode ends up in memory!

There are two main ways of dealing with this: using a NOP sled, or flooding the end of the buffer with many copies of the “return address” (in practice the two are combined).

No Operation (NOP)

As the name suggests, this is an instruction that does nothing (on x86 it is the single byte 0x90); the processor simply advances to the next instruction.

Why is this useful to us?

For a few reasons really.

1. A NOP takes up one byte, so a run of them gives us a region of known, harmless content in front of our shellcode.
2. The processor will step over each NOP until it reaches something that tells it to do something, i.e. our shellcode (hopefully).
3. A program won’t crash if it lands on a NOP, because the NOP isn’t telling it to do anything; execution just moves on to the next byte.

Consider this (each number represents a block of memory in our buffer):

Pool Snooker Snooker Shellcode Snooker Snooker Snooker Snooker
..1........2.........3.........4..........5.........6.........7.........8

For us to execute our shellcode we would have to ensure EIP was pointing at “4” and nowhere else; otherwise whatever happened to be at that address would be executed instead of our shellcode. There would be a lot of trial and error, not to mention luck, in executing the shellcode!

But what if we did this:

Pool Snooker NOP NOP NOP NOP NOP Shellcode
..1........2......3......4......5......6......7........8

As long as EIP was pointing at 3, 4, 5, 6, 7 or 8 our shellcode would be executed, because, as I said earlier, the processor would just step along those NOPs until it reached something it could execute.
Obviously this gives us a much bigger margin of error for the EIP guess.
So as long as we overwrite EIP with any address inside the NOP sled (or the exact start of the shellcode) we can be assured our shellcode will be executed; an address that lands in the middle of the shellcode itself, or past it, will not work.

Thanks!
Nokia
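The buffer layout described in this post (NOP sled, then shellcode, then repeated return addresses), as an added example in C that is not the original post’s code. It builds the payload the “snooker” side would feed to “pool”, then simulates what happens when EIP lands at different offsets in it. Assumptions, all constructed for the demo: 32-bit x86 (little-endian, 0x90 as NOP), a stand-in “shellcode” of INT3 bytes (0xCC) instead of a real shell-spawning payload, and a guessed stack address of 0xbffff5a0.

```c
/* Added example, not part of the original post: the buffer the "snooker" side
 * would hand to a vulnerable "pool" program, laid out as the text describes:
 * a NOP sled, the shellcode, then the return address repeated so that whichever
 * copy lands on the saved EIP points back into the sled.
 * Assumptions (constructed for the demo): 32-bit x86, little-endian, 0x90 as
 * NOP, a stand-in "shellcode" of INT3 bytes (0xCC) rather than a real
 * shell-spawning payload, and a guessed stack address of 0xbffff5a0. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NOP 0x90u

/* Lay out [sled][shellcode][ret_addr x ret_copies] in buf.
 * Returns the number of bytes written, or 0 if it does not fit in cap. */
size_t build_payload(uint8_t *buf, size_t cap, size_t sled_len,
                     const uint8_t *shellcode, size_t sc_len,
                     uint32_t ret_addr, size_t ret_copies)
{
    size_t total = sled_len + sc_len + 4 * ret_copies;
    if (total > cap) return 0;
    memset(buf, NOP, sled_len);                     /* the sled            */
    memcpy(buf + sled_len, shellcode, sc_len);      /* the code to run     */
    uint8_t *p = buf + sled_len + sc_len;
    for (size_t k = 0; k < ret_copies; k++, p += 4) {
        p[0] = (uint8_t)(ret_addr);                 /* little-endian, the  */
        p[1] = (uint8_t)(ret_addr >> 8);            /* way the CPU reads a */
        p[2] = (uint8_t)(ret_addr >> 16);           /* saved EIP off the   */
        p[3] = (uint8_t)(ret_addr >> 24);           /* stack               */
    }
    return total;
}

/* Simulate the CPU resuming at offset `land` in the buffer: it steps over
 * NOPs and returns the offset of the first non-NOP byte it would execute,
 * or -1 if it runs off the end. Landing anywhere in the sled reaches the
 * start of the shellcode; landing inside the shellcode does not. */
long land_and_slide(const uint8_t *buf, size_t len, size_t land)
{
    for (size_t k = land; k < len; k++)
        if (buf[k] != NOP) return (long)k;
    return -1;
}

/* Given where the buffer actually sits in memory, does the guessed return
 * address fall inside the sled? This is the margin for error the sled buys. */
int ret_hits_sled(uint32_t buf_base, size_t sled_len, uint32_t ret_addr)
{
    return ret_addr >= buf_base && ret_addr < buf_base + (uint32_t)sled_len;
}

/* Constructed demo values. */
#define DEMO_CAP        128
#define DEMO_SLED       32
#define DEMO_RET        0xbffff5a0u
#define DEMO_RET_COPIES 8
static const uint8_t demo_shellcode[4] = {0xCC, 0xCC, 0xCC, 0xCC}; /* stand-in */
static uint8_t demo_buf[DEMO_CAP];

/* Build the demo payload; returns its length (32 + 4 + 8*4 = 68). */
size_t demo_build(void)
{
    return build_payload(demo_buf, DEMO_CAP, DEMO_SLED, demo_shellcode,
                         sizeof demo_shellcode, DEMO_RET, DEMO_RET_COPIES);
}

/* Where does execution end up if EIP lands at offset `land` in the payload? */
long demo_slide(size_t land)
{
    return land_and_slide(demo_buf, demo_build(), land);
}

/* k-th byte of the first return-address copy in the demo payload. */
int demo_ret_byte(size_t k)
{
    demo_build();
    return demo_buf[DEMO_SLED + sizeof demo_shellcode + k];
}
```

The repeated return address at the end is what actually lands on the saved EIP when pool’s buffer overflows; how many copies are needed depends on how far the buffer is from the saved return address, which part 1 did not go into. Note that the sled only helps if the guessed address falls inside it: a guess that lands inside the shellcode starts executing from the wrong instruction.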


Tutorial – Buffer Overflows Part 1

Buffer Overflows – what they are and how they work.

This can be quite a complicated issue, so I will try to break it down into different parts and put it into everyday language.

I will assume that if you are reading this you understand a little programming (functions, integers etc)

To understand buffer overflows it helps to know a bit about how a program utilizes memory.

First it will help to understand what EIP is:

[it is essential to understand EIP to understand how a buffer overflow works]

EIP:
Extended Instruction Pointer.

The processor has a very small amount of memory of its own, divided into what are called registers.
The register we care about here is EIP; it holds the address in system memory of the next instruction (piece of code) the processor has to execute.

I.e. the code could be to print the word antionline on your monitor and has been written to memory at the address 0x12345678 (memory addresses are written in hex).
EIP would now tell the processor to go to 0x12345678 and do whatever the code there tells it to, hence the word “antionline” will be printed on the screen.

Program memory:

There are five types of program memory, text, heap, stack, bss and data.
Each one of these is a special piece of memory reserved for a certain type of purpose.

I will cover text and stack for the purpose of this paper.

Text:

This is where the compiled machine code is stored. Write permission is disabled here, as it is used only to hold the code being executed.

When you compile a program, what you are doing is converting it from human-readable form into a language the computer understands; it is this compiled output that is stored in the text segment.

So, for a very simplified example, say you wanted to print the words Hello, Goodbye, Thank you and Microsoft rules.

(For ease I will use 1, 2, 3, 4, 5 etc. for memory addresses instead of real addresses.)

So Hello is stored at 1, Goodbye at 2, Thank you at 3 and Microsoft rules at 4.
Here is what the processor will do

1. Get the address for the first function to complete from the EIP and go there
2. Add the number of bytes in the instruction to the EIP
3. Do what ever the piece of code is telling it to do, (print Hello.)
4. Go back to the EIP to get the next address.

The processor knows where the next instruction begins because in step 2 it advanced EIP by the number of bytes in the current one.

Stack:

The stack is used as temporary storage for functions.

When a function (say, print) is called by a program it has its own variables (hello, goodbye, thank you etc.),

and its code sits at its own place in the text segment.

(I.e. hello cannot be at the same memory address as goodbye, otherwise they would overwrite each other.)

So the function is to print Hello (1), Goodbye (2) and Thank you (3).

When the function is called, the processor pushes onto the stack the address of the instruction to continue from once the function finishes (the return address), and the function’s local variables are placed on the stack next to it.
When the function returns, that saved address is loaded back into EIP, which is why what gets written onto the stack matters so much for what happens next.

There is a lot more to the stack segment but it’s not really relevant at this point!

BUFFER OVERFLOWS

Ok, so the programmer has specified that the word Hello will need 5 bytes of memory, but what happens when 7 characters try to write themselves to this piece of memory instead, the word goodbye for example:

|H|E|L|L|O| – No problems here
 1 2 3 4 5

|G|O|O|D|B| ---- |Y|E| – | – | – | – They overflow into memory held for something else
 1 2 3 4 5 ---- 6 7 8 9 0

5 bytes were allocated but the variable was 7 bytes long. The extra bytes can’t just disappear; they have to be written somewhere, so a buffer overflow occurs. If the data that was overwritten in 6 and 7 was a critical part of the program, the program would crash; if it was the saved return address described above, whoever supplied the input now decides where EIP goes next.

Here is a well-known piece of code to cause a buffer overflow (it is very well known and is in most books on the subject, so no one jump on my back for posting it, please):
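The well-known overflow program the post refers to did not make it onto this page. As a separate, added example that is not the original post’s code, here is the five-slot Hello buffer from the diagram above modelled in C: the slot is the first five bytes of a larger region whose remaining bytes stand for the “memory held for something else”, so the overflow can be observed without the program itself misbehaving. The region size and the input words are constructed for the demo; the bounded copy beside it shows the check the original code lacks.

```c
/* Added example, not part of the original post: the five-slot "Hello" buffer
 * from the diagram, modelled as the first five bytes of a larger region whose
 * remaining bytes stand for "memory held for something else" (in a real
 * program: another variable, or the saved return address). Keeping everything
 * inside one array lets the overflow be observed without undefined behaviour.
 * REGION and the sample inputs are constructed for the demo. */
#include <stddef.h>
#include <string.h>

#define SLOT_LEN 5          /* what the programmer reserved for "Hello"     */
#define REGION   16         /* the slot plus the memory that follows it     */

/* The bug: copies every byte of src into the slot, however long src is
 * (what strcpy/strcat/sprintf do when nobody checks the length). The clamp
 * to REGION only keeps the demo inside the array; the 5-byte slot itself is
 * still overrun. */
void unchecked_copy(unsigned char region[REGION], const char *src)
{
    size_t n = strlen(src);
    if (n > REGION) n = REGION;
    memcpy(region, src, n);
}

/* The fix: refuse anything that does not fit. Returns 1 on copy, 0 if refused. */
int checked_copy(unsigned char region[REGION], const char *src)
{
    size_t n = strlen(src);
    if (n > SLOT_LEN) return 0;
    memcpy(region, src, n);
    return 1;
}

/* How many bytes beyond the 5-byte slot does copying src clobber? */
size_t overflow_bytes(const char *src)
{
    unsigned char region[REGION];
    memset(region, 0, sizeof region);
    unchecked_copy(region, src);
    size_t clobbered = 0;
    for (size_t k = SLOT_LEN; k < REGION; k++)
        if (region[k] != 0) clobbered++;
    return clobbered;
}

/* 1 if the bounded copy accepts src and leaves the rest of the region alone,
 * 0 if it refuses src, -1 if it accepted but still wrote past the slot. */
int safe_copy_accepts(const char *src)
{
    unsigned char region[REGION];
    memset(region, 0, sizeof region);
    if (!checked_copy(region, src)) return 0;
    for (size_t k = SLOT_LEN; k < REGION; k++)
        if (region[k] != 0) return -1;
    return 1;
}
```

One C-specific caveat the diagram glosses over: a real C string also needs a terminating NUL, so a 5-character word actually needs 6 bytes, and a copy that writes exactly 5 characters into a 5-byte array has already placed its terminator one byte past the end. The slot above is treated as raw bytes, as the diagram does.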
