Tags

, , , ,

This particular bit of code has been covered elsewhere (I think it came from Hacking: The Art of Exploitation), but hopefully I can do a reasonable job of explaining it here also. Basically it’s a very basic C program that initialises two small areas of memory, and overflows one of them into the other. The source file can be downloaded here.

#include
#include

Include header files for standard I/O and string manipulation.

int main(int argc, char *argv[])
int value = 5;
char buffer_one[8], buffer_two[8];

The program has a single global function called main, which could contain any number of other functions. It appears we’re declaring global variables as integers, but they include argv[], which is an array containing command line arguments that’s populated as the program is run, while argc is a counter for the number of command line arguments.
Initially I thought the last line here was about setting up two one-dimensional arrays, but a little research revealed they’re buffers for storing values of up to 8 bytes, which should work out as 8 characters if they’re defined by ASCII code. Anything over 8 bytes (or eight characters) inserted into buffer_two should overflow into buffer_one.

strcpy(buffer_one, "one");
strcpy(buffer_two, "two");

Appears to write strings ‘one’ and ‘two’ into buffer_one and buffer_two. The strings could also be copied from the command line, if the code was changed to strcpy(buffer_one, argv[1]);
As ‘one’and ‘two’ are both three characters long, they’ll fit into both buffers without exceeding their limit.

printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n",
buffer_two, buffer_two);
printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n",
buffer_one, buffer_one);
printf("[BUFFER] value is at %p and is %d (0x%08x)\n", &value, value, value);

This code prints the pointer address and buffer contents to screen before the buffer overflow.

printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", strlen(argv[1]));
strcpy(buffer_two, argv[1]);

This is the main overflow code. The buffers have already been initialised, and we merely have to insert something that exceeds the size limit of 8 bytes for buffer_two so it overflows into buffer_one. That something appears to be a command line argument, and its actual size in bytes is displayed as an integer.
I’ve compiled and run the code in a Linux system, but the program exits with a segmentation error at this point. Probably because I’ve got memory protection features enabled on the system.

printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value);

This merely outputs the values and memory addresses after the buffer limit is exceeded.

So, that’s a buffer overflow program. With skill, effort and research, a similar program used as input in a vulnerable application could cause another program to execute through the manipulation of the instruction pointer. The good news is creating such an exploit is beyond the capabilities of amateurs an most hacktivists, and keeping software updated vastly reduces the probability of being hit with a ready-made exploit.

Advertisements