Buffer overflow and IP spoofing
What exactly is IP spoofing and IP forwarding? How does it work and why use it?
I also have some questions about how crackers exploit a buffer overflow. What is a buffer overflow (I have a clue about it but am not entirely sure)? I just read in a book that when exploiting a buffer overflow the exploit could change where the function should return after being executed, to make it return to the cracker's own program/code. I know a little about programming in C/C++, so I know how functions work and so on. |
One of many explanations on Google. (First result, I'm not claiming it's the best =P)
http://www.linuxjournal.com/article/6701 (how's the HDDs on the wall going? =D) |
This is one of the most famous papers on "smashing the stack" (buffer overflows) on the net.
|
Buffer overflow is probably one of the most prevalent and most dangerous security flaws out there today. There is a lot of documentation out there on the subject, but in short, it usually has to do with poor coding allowing a user to overflow the stack with useless data and then causing his own code to execute off the stack (usually code that has a "call back" feature allowing remote root access to the compromised machine). A really bad flaw to have in your code!
Some hardware vendors, namely AMD, are trying to produce a chip that prevents this type of overflow by stopping it at the hardware level (since this is easier done than having to train all programmers to write secure code ;). A simple Google search will give you more details on this and the other questions you had. BTG |
Thanks for all the help on the subject. But all this was a little too much to understand, so I copied some code from that "Smashing the Stack for Fun and Profit" but I could not really understand how the exploit there could be used on a badly programmed daemon running on another server.
So I have now tried to code my own "bad server" which makes a buffer overflow pretty easy. This can be done easily with telnet just to shut it down, but I can't figure out how to spawn a remote shell. I understand some of what's being said in "Smashing..." but I don't get the whole thing. A little help here? :) This is the "bad server" I made and it's called vuln_server.c Code:
#include <string.h>
I compile this with gcc -o vuln_server vuln_server.c and then run it: Code:
$ ./vuln_server 5000
What about the shell now? Can it be applied and how the **** does it actually work? :) |
Some of the fine folks over at IBM produced patches to GCC called ProPolice, which is a software stack protection mechanism. Some of the more secure by default operating systems out there have even included it in their base compilers, and Immunix has StackGuard. While it would be kind of interesting to have this in hardware, I can't see people paying extra for it. |
Fun, eh? ;) As for how it works -- When a program calls into a subroutine, the machine takes note of the memory location it's branching from. When the subroutine finishes, the machine looks at the "stack pointer" to see where it should continue execution of the code from. In the case of a buffer overflow, you're overwriting *just* enough stack so that you put the address of *your* code into the stack pointer. That way, when the subroutine returns, the machine runs your code instead of the real program code. That's about as much detail as I'm going to go into (don't want to upset the moderators). Besides ... shellcode is like anything else. It's better when you learn it the way everyone else did ... The hard way :P |
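As an added illustration of the two things discussed above, the guard word that ProPolice/StackGuard place after a buffer and the length check that makes such a guard unnecessary, here is a small C program that is not from the thread or any poster. It simulates one stack frame as a byte array with a 16-byte request buffer followed by a guard word, so the effect of an over-long copy is visible without depending on the compiler's real frame layout; the frame layout, the request limit and the guard constant are all constructed for the example. The unbounded handler copies the whole request the way the "bad server" does and the guard detects the overrun; the bounded handler rejects anything that does not fit and the guard stays intact.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for a stack frame: a fixed request buffer followed by a
 * guard word (what StackGuard/ProPolice call a canary). A real frame is laid out
 * by the compiler and the canary is random; the constant below is for the demo. */
#define REQUEST_MAX   16                /* bytes the handler is allowed to store */
#define CANARY_OFFSET REQUEST_MAX       /* guard word sits right after the buffer */
#define FRAME_SIZE    64                /* slack so the demo overrun stays inside this object */
#define CANARY_VALUE  0xA5C3F00Du       /* constructed guard value */

static unsigned char frame[FRAME_SIZE];

/* Clear the frame and plant the guard word after the request buffer. */
static void frame_init(void) {
    uint32_t c = CANARY_VALUE;
    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFFSET, &c, sizeof c);
}

/* The check a stack protector performs before the function returns:
 * 1 if the guard word is untouched, 0 if something wrote over it. */
int frame_intact(void) {
    uint32_t c;
    memcpy(&c, frame + CANARY_OFFSET, sizeof c);
    return c == CANARY_VALUE;
}

/* The defect pattern: copy the whole request with no length check.
 * Returns the guard check result (1 intact, 0 clobbered); -1 only when the
 * input would not even fit the demo object (a clamp so the process cannot crash). */
int handle_request_unbounded(const char *input) {
    size_t n = strlen(input) + 1;       /* includes the terminating NUL */
    frame_init();
    if (n > FRAME_SIZE) return -1;
    memcpy(frame, input, n);            /* writes past REQUEST_MAX for long input */
    return frame_intact();
}

/* Hardened form: refuse requests that do not fit instead of truncating silently.
 * Returns 1 if the request was accepted, 0 if rejected; the guard is never touched. */
int handle_request_bounded(const char *input) {
    size_t len = strlen(input);
    frame_init();
    if (len >= REQUEST_MAX) return 0;   /* leave room for the NUL */
    memcpy(frame, input, len + 1);
    return 1;
}

int main(void) {
    /* Constructed sample requests: 15 characters fits, 29 characters does not. */
    const char *short_req = "GET /index.html";
    const char *long_req  = "GET /aaaaaaaaaaaaaaaaaaaaaaaa";

    printf("unbounded, short request: guard %s\n",
           handle_request_unbounded(short_req) ? "intact" : "clobbered");
    printf("unbounded, long request:  guard %s\n",
           handle_request_unbounded(long_req) ? "intact" : "clobbered");
    printf("bounded, long request:    %s, guard %s\n",
           handle_request_bounded(long_req) ? "accepted" : "rejected",
           frame_intact() ? "intact" : "clobbered");
    return 0;
}
```

The guard only tells you after the fact that the buffer was overrun, which is why the later posts in this thread are right that it is no substitute for the length check in the bounded handler; compile with `gcc -fstack-protector` to get the real version of the same check on your own functions.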
Thanks, sigsegv.
I am getting the big picture of how functions use return addresses and how the overflow overwrites that to return to the buffer in which I have written code that spawns a shell. It's starting to clear up. :) The thing I do not really understand is how assembler code works (I maybe have to learn that language before I can continue). And the big question right now is: can I just code a program that acts like a client (like telnet)? The program connects to the running daemon, creates the fitting data to send to it, sends it, the data overflows the buffer with code to spawn a shell and changes the return address. I just need to know the principles right now. |
edit: And also, on an interesting note, Microsoft tried this a while back. The folks over at Immunix verified that M$ stack guard was a direct port of Immunix's. Also, it was badly ported, leading to a couple of security flaws in the very mechanism that was supposed to provide security. |
That's MicroSoft for ya ...
I wasn't suggesting that stack protection was the "do all end all" of security ... The only thing that will stop buffer overflows is for people who don't understand pointers and memory allocation to stop writing software in languages that let them shoot themselves in the foot, or to learn proper coding technique ... |
Oh, I know. I just don't want anybody to get the wrong idea, and do what these stack guards are making so many people do: think "whew, I'm safe, now I can code however I want".
|