Skip to content

overflow_intro.md

Latest commit

 

History

History
142 lines (102 loc) · 3.21 KB

overflow_intro.md

File metadata and controls

142 lines (102 loc) · 3.21 KB
title Introduction to Buffer Overflows
sub_title
author Iseefa (aka Duppy)
theme
name override
catppuccin-macchiato
footer
style left center right colors
template
@duppybad
Comsec beginning 2025
{current_slide} / {total_slides}
background foreground
c6a0f6
494d64

Why is an overflow bad?

  • A buffer is a contiguous area in memory used to store data temporarily.
  • Size is often defined by the programmer in lower level langauges (We will be using C for this session)
  • The defined size does not always match the incoming data, especially when the user controls data input....
#include <stdio.h>

void username() {
    char buffer[64];
    
    printf("Enter your name: ");
    gets(buffer);
    
    printf("Hello, %s!\n", buffer);
}

int main() {
    printf("I hope I execute without any problems!\n");
    username();
    printf("Program completed normally.\n");
    return 0;
}

note: gets() is deprecated as of C11

Cool, but how do I abuse this?

Writing past the end of a buffer is undefined behaviour to the developer, but this does not mean it is random.

For example: We declare a char buffer[16], and it is used for the string "HELLO"

Memory: [ H][ E][ L][ L][ O][\0][  ][  ][  ][  ][  ][  ][  ][  ][  ][  ]
         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15

Now, if instead we strcpy(buffer, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

Memory: [ A][ A][ A][ A][ A][ A][ A][ A][ A][ A][ A][ A][ A][ A][ A][ A]
         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
        [ A][ A][ A][ A][ A][\0]

This writes to memory after the declared buffer, ie, corrupting it

Control flow and the stack

With this ability to write arbitrary data to memory, how do we turn this into control of a program?

High Memory
│
├─────────────────┐
│  Return Address │
├─────────────────┤
│  Saved Frame    │
├─────────────────┤
│  buffer[16]     │  
│                 │
└─────────────────┘
│
Low Memory

The return address holds the memory address of the next thing to be executed. If we control this area, we can point the program to execute anything in memory of our choice.

What exactly you want to be executed will depend on the situation, but we will go over some classic CTF style implementations

Returning to prexisting function: Ret2Win

The second challenge is a "Ret2Win" style challenge, where developer has accidentally left a call to "/bin/bash" in the binary, and no compiler optimisation has stripped it

This is where tools like objdump, gdb and readelf are useful. we will be using objdump

objdump -d chal1