CS196John Quach, Napoleon N. Valdez

PresentationApril 2, 2004

Buffer Overflow

  • Buffer Overflow Overview
  • Allocate more data into a program than it was design to support
  • A buffer overflow attack is intentionally allocating more data into a program than it was designed to support.
  • Data that overflow to another region of the memory could be fatal
  • Data can overflow to another region of the memory which in turn could give an attacker control of the processor.
  • No outbound checking in C++/C/Fortran
  • This is possible due to a flaw in C++/C/Fortran which does not automatically perform outbound checking when passing data.
  • What is a buffer?
  • A memory space allocated for used during execution.
  • When programs are executed, memory is allocated which will be used to store information that the program will need during execution.
  • An illustration: Show a frame of function
  • The figure would be an example of a frame of function
  • Values of variables for example are stored in memory by the program, and pulled back out when the program needs it. This allocated memory is a buffer. Notice that data is entered into the buffer in reverse order
  • Simple buffer overflow demonstration
  • What happened?
  • Since strcpy() does not check string’s length, the function call caused a the buffer to overflow
  • When the program executes, it calls the function and pases it the long string “AAAAAAAAAAAABCDE?” Unforunately, strcpy() never checks the string’s length. This is dangerous because it this case passing a string longer than seven characters generate a buffer overflow.
  • Why is buffer overflow so dangerous?
  • Buffer grows towards return address

During overflow buffer will grow towards the return address. A hacker can in turn alter the return address. That means when the function executes, the new address is popped off the stack and new address is executed.

  • Ex. Exploit a program to spawn a shell
  • By doing this, you can then issue any commands
  • Malicious code is executed at the new address
  • If malicious code is located at the address, it is executed with the same privilege level as the application. This includes commands that will allow hackers remote access to the host computer.
  • Ex: Assume that you have a malicious program you would like to execute by exploiting a buffer overflow. You can overflow the buffer until it overwrites the return address. Change the return address so that it points back to the buffer.
  • Buffer Overflow Exploit Example
  • Analyst crackme named weird.exe
  • Run the program and guess the serial
  • When you run the program, you will see a command line program asking you to enter the serial number to unlock the program. You don’t know the serial number so you have to guess it. If you guess correctly you get a “congratulations” message.
  • Find the correct serial using buffer overflow
  • We are going to need a disassembler to accomplish the task. I decided to use W32DASM.
  • Open W32DASM and disaasemble weird.exe. Based on your intuition, locate a promising text and look at the code for it.
  • The only way to solve this puzzle is by forcing a buffer overflow in order to execute the “congratulations” code.
  • Enter 80 characters
  • 401177==w^Q@
  • Buffer Overflow Exploits in the past
  • Most operating system and server applications vulnerabilities are caused by a buffer overflow.
  • Morris’s Internet Worm
  • Code Red worm 2001
  • Blaster worm 2003
  • Internet Information Server (IIS)
  • Many more.
  • How to prevent buffer overflow
  • Always check bounds
  • always check bounds of an array before writing it to a buffer
  • Avoid scanf() and other dangerous library function call
  • Avoid using dangerous C functions such as the following: scanf(), strcpy(), strcat(), getwd(), gets(), strcmp(), springf().
  • Use strncpy instead
  • strncpy – similar to strcpy but only copies the first n bytes of souce string, which helps prevent a buffer overflow.
  • automated source code checking (
  • Use automated source code checking such as polyspace
  • Designed for Linux platform but Verifier engine to Windows exists
  • compiler add-ons (
  • Use compiler add-ons such as stackguard
  • Conclusion
  • Buffer Overflow is simply manipulating memory to gain control of a program
  • There are many different types of overflow. However, all of them has something in common; manipulate memory space to gain control of the program. For this presentation, our main concern will be stack overflow
  • Buffer Overflow is hard to successfully execute
  • Although it is hard to successfully execute a buffer flow attack, you still need to take precaution. An elite hacker can exploit your computer your operating system had a buffer overflow. In addition, even if the attack fails, it could still cause problem in your system
  • Hard to fix
  • Buffer overflow is hard to fix because many applications were designed in the past. It could also be costly to fix due to the complexity
  • Why fix it if it’s not broken
  • Reference
  • One, Aleph, "Smashing The Stack For Fun And Profit," Phrack, Vol 7, Issue 49, File 14 of 16
  • Security Warriors