Buffer Overflows (Whiteboard)

This whiteboard lecture explores how to manage an overflow in your programs application space. Since all applications experience buffer overflow eventually, penetration testers most know what's going on with their software applications in order to recognize any unusual behavior. [toggle_content title="Transcript"] In this module let us talk a little bit about buffer overflows. Now to make the case here I want you to think about memory like ice cube tray. What happens if you put too much water into a particular cube that overflows into another cube. Well each cube is a separate application or separate memory space. By manipulating one cube you overflow and manipulate the integrity of another application. So let us take a little bit closer look at some basic concepts of overflow. Well we just talked about the analogy of ice cube tray what you can do is put a boundary check on what gets stored in memory and if you actually set the boundaries then you actually decrease the likelihood of actually overflowing into another section of memory. You have to watch to watch your commands like string copy because this is where we say. Go get something, copy it and put it somewhere else and remove the memory around in terms of heaps and stacks. Also you have got programming vulnerabilities in themselves. So whether you are using c or c++ or whatever the programming language is there are certain vulnerabilities within the way that the programming languages work within themselves. So just knowing that you can use better programming languages that would actually achieve the objective. That is ultimately going to be the better route also security guys are not necessarily programmers and programmers aren't necessarily security guys. More so very few are security people or programs are actually pen testers. So this is definitely a specialized field of penetration testing. You typically can break pen testers down in the basic areas like network pen testers or programming pen testers or wireless pen testers where these security pen testers or software pen testers are definitely unique. Plus you should also understand stacks - the concepts like last in first out or first in first out. This is the way that memory gets stored. So if you understand that well then you can manipulate an application to take advantage of that. Next keeps this is your dynamic memory and we can use code like I caught malicious location but it is actually memory allocation but if it is done wrong well then it could be a malicious location. But it is how do things dynamically get stored in RAM for example let us say an application. You put some input or some data into a field that has to temporarily store that memory. Well it is going to use the heat portion to dynamically allocate that. Also the concepts of pushing and popping. The best example of push and pop that I ever heard is basically if you have ever been to a MacDonalds or something like that where they have the stack of cups. This also gets tied into the last in first out - you take that stack of cups and you basically slide it in. So the last one in is basically the first one out and that is how memory can get stored into the stack in terms of pushing and popping. Also you can use the analogy of the champagne bottle you push it in and pop it out. Otherwise you can do that but if you look at some of the tools we would definitely pay close attention to the extended information pointer. The stack pointer and the base pointer because this is where the programming languages get their next instruction set as they actually process the code. Also we talked basically before about shell code or even polymorphic shell code - in the concept of programming languages. Shell code is code that is specifically relates to an exploit. So as you send the shell code over to get to executed. If it changes the stack or performs a specific exploit like a buffer overflow then that shell code can also be malicious. Then you have no operators or sometimes these are called - no ops or noops even depending on how it is written. It is written in a ton of different ways but nop should work just fine for our purposes. And hex you could go the 0X-90 but is basically. No operator or filling the stock with almost to bypass the instruction set. Therefore manipulating where the next instruction set actually comes in and then there is also the concept of smashing the stack which is just layman terms for creating a buffer overflow. So we look at some of the hands on examples. We are going to look at tools like ali and heap.exe and things like that. There was a handful of tools here that we could use to get the basic idea of how to manipulate memory and buffers and some programming language compiler techniques. How to get information out of executables like bin.txt and things like that. So we are looking at a handful of tools but realistically like I said this is on its own field. So basically let us look at some counter measures what would you do to stop the penetration tester. Again this is high level so one thing I would highly recommend is actually manually check the code in itself and typically we try to rush things to the market. So your programmers develop stuff but they don't necessarily look at the security aspects of that. So there is no really, really good manual auditing of the code. You may have heard what the developers say. Hey great works - where will you really hear developer go - hey great that is secure. They think in terms of functionality, not necessarily security. So when you manually audit the code. Also do it for security not just functionality, use good compilers or safe compilers. Safer library support depending on what programming language you are using. Disabled stack execution if at all possible - you run time checking. So that when the application runs it gets checked. Design the application with security in mind not just functionality - you could use things like stack guards which act as the executable is running. It detects like a buffer overflow and therefore stops or prevents it. It is kind of like a intrusion prevention software for executables if you will also restrict certain components of code or certain uses of it like gets a string copy or malloc or whatever the programming objective you are trying to achieve. There are certain things that you should restrict from using more so than others or at least put a boundary check on them and then if you are from the windows LAN. You could use something like data execution or prevention which is really just a turn on or a turn off component. So in this module we talk about the basics of buffer overflows and we will talk about some tools and how to analyze this. We use some stack analysis tools and we will use - and we will get the basics. But this is definitely its own field outside of the scope of traditional network penetration testing where we focus on scanning and ports and exploits and wireless and things like that. So let us go ahead and take a look at some hands on examples. [/toggle_content]
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?