Hello, everybody. And welcome to the episode Number 28. We'll be starting a new model, which is both for our flow.
And we'll see in this video the basic concepts.
My name is Alejandro Gonna and I'll be your instructor for today's session.
The learning argue Tibbs, is to understand the concepts behind the buffer off overflow attack on applying techniques to implement a buffer overflow attack. So let's get down to business, shall we?
First of all, let me give you some basics about the buffer overflow which is also known by buffer overrun. By the way, On this problem, we're program or a tool or, you know, whatever that goes up, you created programmatically ah
that while the data is being written to the buffer of runs and you know the data of around the buffer boundaries on our rights, other memory locations
before you know buffers in this case are areas off memories set aside to hold the data often while moving, you know, moving it from one section to off a program to another or between programs
before overflows can often be triggered by no
my foreign inputs. For example, if one assumes all inputs will be a smaller dance dance. Routine size on the buffer is created to be that size. Then you know a transaction with an ambulance. Are you know,
martyr foreign input can produce more data on, you know, and can cost to ride the bus the end of the buffer. So it overwrites any, you know, Data or executive Executive Okoth
Um and, you know, overwrites the buffer and these my results.
I mean, you know, denial of service, because the application will stop. Um, in the worst case, it could give us remote control of the machine over. You know, it can it can actually execute a reverse shell code
on send his back. You know, I shall back to us to the attacking machine.
which is which are commonly associated with this before our powerful problem R C or C plus plus
Ah c sharp. You know, at this point, I live in the future, Will they will actually implement a security control. But let's just live. It would see playing, See? And why is that? Because they they provide not built in protection
against accessing our overrating
the data in any part of the program. You know, they don't sanitize any but valuable, and, you know that can lead to a before I will throw attack. Now, the problem is that, yeah, I can hear you scream. In truth, you're screaming to the screen.
something that the programming language should do. I mean, that's up to the program the programmer should do. And I agree with you. I mean, when your programming or you're creating some code, you had to be sure that you sanitize our burials. You check all the, uh,
input Bay of also in any any feel that will receive data to check all of this. You know, check that if you're actually receiving Oppa's work, remember that we So we split of the Lin ability in SL Male. What? They had a problem with Paz work
eyes because when they were creating the code,
they didn't actually check that boundaries in the password. I mean, nobody is going to actually have a password. I don't know more than
even even even a pass phrase more than 50 characters. So why am I? What am I doing at, you know? Send in two time 202,000 characters that doesn't make sense.
Bounce checking can prevent a buffer overflows but requires additional code. You know I'm processing time. That's
that's expected, right? Some operating system nowadays use some techniques to actually, you know, protect Protect the operating system against, um, you know, before overflows. For example, random izing
the memory. We'll see that later in more detail. But, you know, random ends in the memory layout
can actually help you with that. Or, you know, live in space between buffers and looking for actions that right into those areas, for example, these are well known as calories on day, you know, once a cannery is reached Oh, are you are you can actually rich.
Ah, memory. Rather is where canneries
that we loved alert, and it will germinate the program. I mean, I know this cut could cast
the sale of service, but you know, it is better than actually getting, um,
you know, remote control or given remote control to an attacker. So hope story. Let's let me give you a really, really basic introduction to buffer overflow here. Basically, we have the buffer has several pointers,
but for this module will be interested in three main pointers.
Ah, the E s P e e i, p and a VP.
The SP is basically the pointed to the top of the stack thistles. You know, if we start depending on how the start was built, you know, like first in first out or last in first out,
depending on the stock, how would this that was built? It could start sending data are saving their from from the bottom to the top or two from the top to the bottom. But in this case, let's assume that it's from the bottom to the top and we'll sell freeing data
and we could rich this pointer. Now,
you know, it's obvious that the E v p is the bottom of the stack pointer the E S p at the top of the stack pointer. But the E i p is a pointer that points to the next instruction to be executed is not the
is not this the next X truck instruction to be executed.
It points to the next instruction to be executed. So if we can actually control this, I mean, I know that if something ineffable for our foe is, you know a bearable is actually vulnerable
to both for overflow. You can just fill up all of this. And, you know, once you reach this point,
it will, you know, the application will crash because you will not have any more space memory space t do. It can function properly. But, you know, the point is, you can actually just if you're not interested in gaining a reverse shell,
Yeah, you can. Or performing other tasks. You can just fill up the stocking. That's it.
But if you actually want to do a little something a little bit more malicious or, you know, I go a little bit further in your penetration testing you actually control the E I. P. And you know, that's the tricky part is
is not exactly in the middle. It could be right here. It could be right here. He could be right here.
we cannot know the location on. We cannot say, OK, the stacks, right that they be e e e I P is right in the middle of stock. That doesn't work that way. So the tricky part is finding where this guy is
and finding if in any position of this stuck. We have something called jump DSP, so we can actually tell it. Okay, you know what? From this location. I don't want you to continue here. I just want you to jump to another E S p
from a different stack so we can have all this space to execute or program or execute or payload. And that's, you know, the basic concepts of half will be where we use him for these All the sessions for the before overflow attack.
let me give you some example. Remember that we told that c doesn't have
building protection against these attacks. Or let me just right out there with a piece of code here.
Um, I don't know. What can I pull it? See Program?
All right. A piece of gory here include
And we will tell it. Thio,
copy the function string copy to copy
whatever we enter. Ah
Thio Another string which obviously doesn't have enough space so I can give you some so you can understand how how these buffer overflow actually works.
What? Let me It's created code.
You know what? Let me use copy based it.
I didn't want to do that because sees kind of picky program or programming language. Because at the end, if I mean something, All right, if I don't see a return carriage at the energy of some line, it will fail. But let me just see if this works. So basically, we're creating a buffer of 32 bytes.
Ah, you know, if whatever pretty error, you have to enter one more value because we're not entering anything. Return Sara. Otherwise, it will use the function of string coffee, and, uh, well, whatever we entered, remember
here will copy to Buffer, and we offer is a 32 bytes long. So if we enter something like three tree, you can see that there is no boundary checking here, so just save it
Okay? Does it matter?
Well, it's telling me that this street copy maybe have some problems, but I don't care about it.
Let me just see if it was generated.
Yeah, There you go. So I would just see pro and put it once, and I don't know
that and no problem, because at the end he was less than 32. But what happens when I put more than treat you
segment intial fault, you know? Ah, because at the end, I'm overriding, um,
string copy. I mean, I'm copy. I don't know, maybe 35 characters into this buffer, which is three to Curtis long or writes long. So whenever I did this, uh, I obviously overruns this exam. I'm passing the 32 characters size of the string
off the buffered, and, you know, it gives me a segmentation fault.
so far, this sea program doesn't have any bills in protection for that. But I am suman that other programming languages will do the exact same thing. I mean, at the end, you can, you know, have something like the garbage collector or some building security features or, you know, a performance features.
you cannot depend on that. You have to create programs. Actually, you know, when you create programs, you have to actually think in security and not just, you know, uh, go, uh, to pretend to.
I don't know that the program or the operating system will take care of that without any and any other additional security programming techniques. So there's that.
What is the difference between EVP An E S P?
Okay. EVP points to the bottom of the stack and e S p points to the top of the stack. Those are the two pointers we see. Remember, guys, this stock has several pointers. But we're interested in these three main pointers, which is the EVP, the ESPN, the AP,
and talking about the where does a P points too?
Well, it points to that next instruction to be executed again. I like to clarify this because this could be confusion confusing. I'm sorry,
e i p is not the neck. The next extraction to be executed is not like okay, It it contains,
I don't know, execute something O r ah, terminal instruction or common on instruction is not. It points to the direction that contains that instruction. So overwriting that for
is the role is one of the main goals or one of the main milestones while creating your buffer overflow exploit.
Because at the end, if you can control that, you can actually leave that a stack or leave that execution program or execute execution path and go to a different path where you can actually control and put whatever instructions you want.
Uh, this video will learn some concepts behind the before overflow attack, and we planned something next to execute the before off low attack. Remember, at the sea program, you have to be very careful when you're actually creating a program. And when you are actually, you know,
checking the input variables. Remember that we already saw the precise crept in the SQL injection so you can start to realize that a good programming or a given problem in life cycle or, you know, into introducing security from the first moment off where you start programming
or where you started that there
they're so for development. Life cycle is key If you don't have securing mind from Moment Zero or you start, you know, even thinking about creating a CE, a program or software or a tool. Um,
if you don't think in security from that point, if you try to introduce security at the end of the Subway Development life cycle, you'll have a headache. You have. You'll have a lot off nights without sleeping, because at the end, security needs to be included for a moment zero where you start planning
off creating a program.
Supplements materials have playbook. So it's always remember this thesis book contains several techniques are several attacks and it also contains the buffalo off attack. And I like to allow you to check the buffer overflow attack
from from these guys on YouTube.
They continue on a really cool basic explanation off. What are how to
maybe not how to implement it, but how it works, what it is and so much more than that. And you know, that's a good reference. If you want to find out more about this attack
looking forward in the speedier, remember will stay in the mood for over four module will see how to use immunity. Immunity the barker on Apply fussing to find Abu Abu for overflow vulnerability.
Okay, that's it for today, folks, I hope in your the video and talk to you soon