Buffer Overflows

by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
July 2, 2006

This essay is not finished, but will be in 1 week. Check back Sept 16.

DESCRIPTION

Trivial buffer overflows are easy to exploit with the right tools. Aleph One released several buffer overflow tools with his remarkable article "Smashing The Stack For Fun And Profit" in Phrack 49. Recent advances in security technologies have made these harder to exploit, but junior programmers will continue to make these vulnerabilities far into the future. Interpreted languages promise memory safety, but programs compiled to bytecode can still have these problems. Simple security checking can solve buffer overflows: bounds checking, and using functions that take the size of the destination buffer into account. The book Sockets, Shellcode, Coding, and Porting notes that, sadly, buffer overflows are history in professional coding (heap overflows have a long way to go, though). That may be true in open source software, but in megacorporations and non-professional coding, the bugs will remain. Commonly these programs will have networking built in and will be run as root (or suid).

The trick to understanding what the buffer overflow code is doing is found in a few small things that you have to try yourself. Break out buffovr1-0.1.tgz for this. If you don't feel like running buffer overflows on your box, then find someone else's box.
The simplest one, which you should know already, is that a segfault happens when you try to read memory that your process doesn't have access to. The kernel knows where you are allowed to read and jump to, so if you get a segfault, you've likely got some type of buffer or heap overflow.
The second one, equally easy, is that variables in a program are pushed onto the stack. If you're defining local variables, you're pushing stuff onto the stack.
The third idea is absurdly easy: when you write 200 bytes into a 128-byte buffer on the stack, you overwrite the variables next to it.
The fourth idea is interesting, but easy to see when you're looking at the code: one of the values that you don't push manually is the sfp, which is what the ret opcode jumps to. That is how we are able to jump to our shellcode in the buffer.
The fifth idea is pretty interesting: how do we know where the buffer is? If we have access to the computer, we can just grab the current stack pointer and add a few bytes. If not, we can check a similar computer or guess.
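As an added example (not code from the essay or from the buffovr1 package), here is the situation the essay describes: a 128-byte stack buffer filled from input, with the unchecked strcpy() version beside a copy routine that checks the destination size and refuses anything that does not fit. BUF_SIZE, bounded_copy, handle_input and handle_filler are names chosen here.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 128   /* the 128-byte stack buffer from the essay */

/* Vulnerable pattern: strcpy() never looks at the destination size, so a
 * 200-byte argument runs past dst into the saved frame pointer and return
 * address above it on the stack. Kept only for comparison. */
void unsafe_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: copy src into dst only if it fits, terminator included.
 * Returns the number of bytes copied, or -1 if the input was refused.
 * On refusal dst is left untouched rather than silently truncated. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    /* Measure src, but never read further than dst_size bytes of it. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size)
        return -1;                 /* no room for the data plus the NUL */
    memcpy(dst, src, len + 1);     /* len + 1 <= dst_size, so this is safe */
    return (int)len;
}

/* A handler with the essay's 128-byte stack buffer, using the checked copy.
 * Returns the copied length, or -1 when oversized input was rejected. */
int handle_input(const char *src)
{
    char buf[BUF_SIZE];
    int n = bounded_copy(buf, sizeof buf, src);
    if (n < 0)
        return -1;                 /* buf was never written past its end */
    return n;
}

/* Constructed test input: a string of n 'A' bytes (n < 512), fed to
 * handle_input. 200 bytes is the oversized case from the essay. */
int handle_filler(size_t n)
{
    char filler[512];
    if (n >= sizeof filler)
        return -2;
    memset(filler, 'A', n);
    filler[n] = '\0';
    return handle_input(filler);
}
```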


Decode Aiken Biphase


Ident Protocol Scan

by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
Oct 28, 2005

Ident Scan 0.1 Source [sig]

DESCRIPTION

This program connects to an identd server and asks it which user owns a given TCP connection. Handing that out is an unintended consequence of the design of the server.

METHOD

Identd is an interesting program. It searches /proc/net/tcp for a matching entry. The input is easy enough for a human to type into telnet if they have the local port and the remote port. We get the local port from getsockname(), and the remote port is the port that we are connected to. This gives us the user that is running the command.


Linhat/AltBot IRC Bot

by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
Dec 6-7, 2005

Linhat AI 0.2.2 Source [sig]

DESCRIPTION

Linhat1/AltBot is an IRC bot written in Perl. It uses a MySQL database backend. AltBot is famous on #neg9 for awesome replies.
(18:52:38) Javantea: altbot concepts
(18:52:39) AltBot: Javantea: Source code now available at: https://www.altsci.com/concepts/linhat_ai1.html
(19:02:48) Javantea: altbot is male
(19:02:48) AltBot: Javantea: mechanical faithlessly males extreme acquired fleets ecclesiastical overhears genius bone demolished taproot waistcoat osteopathy dynamism impressiveness imagining serializability bonny preambles bulls
(19:02:55) Javantea: see?
(19:03:01) MrPrimate: yeah.
(19:03:01) AltBot: MrPrimate: yeah it is awesome

Although AltBot seems to be awesome and perfect, it is a very new project and has a long way to go. There are a lot of improvements that would make AltBot quite excellent. Look for them coming soon.

