What is a Buffer OverFlow Attack?
A buffer overflow occurs once the scale of information written to the memory location exceeds what's allotted. This could cause data corruption, program crashes, or perhaps the execution of malicious code that could offer an attacker control over the system. Buffer overflow vulnerabilities typically exist in programming languages like C, C++, and Objective-C as these languages rely on the developer to allocate memory. All be it if code is written in, for example, Python, if it calls on any libraries written in C or C+, it might still be at risk of a buffer overflow attack.
A buffer overflow happens once a program tries to fill a block of memory (a memory buffer) with additional data than the buffer was supposed to hold. By sending suitably crafted user inputs to a vulnerable application, attackers would force the application to execute arbitrary code that could take control of the machine or crash the system. In order to know more about buffer overflows, it is vital to understand a bit about how programs allocate memory.
Buffer overflows will occur on the stack (stack overflow) or on the heap (heap overflow). Stack overflows are more commonly exploited than heap overflows. Frequently, as a result, that stacks contain a sequence of nested functions, each returning the address of the calling function to which the stack should return after the function has finished running. This return address can be replaced with the instruction to execute a piece of malicious code instead.
These are a few ways to mitigate a buffer overflow attack:
Use an interpreted language instead of a compiler language.
Make a stack non-executable by setting the No-execute bit, preventing the attacker from inserting shellcode directly into the stack and executing it there.
Randomize the memory layout of the address space (memory space). In such a case, when malicious code is placed in a buffer, the attacker cannot predict its address.
An example of a buffer overflow exploit:
Fuzzing: Fuzzing helps us with sending our linux commands and redirect the payloads to our application. We create a text file for the program. Debugging helps us out to see what’s happening at a fine grained level.
Segmentation Error: We use rip register to check the buffer overflow. We execute our target application with the generated 5000 5’s and see what’s happening with the registers. We see 0x7ffff as a continuation and check in the ASCII table.
We then use “disassemble memmove“ for the specific register rip. From this point, we add breakpoint on the read function. A breakpoint will cause the program to stop executing when the assembly instruction is reached. This helps us check the exact state of the program.
We rerun the program and see that the execution of the program has stopped at the breakpoint. The essential part is that now we would be able to weaponize the buffer at the addresses which is rip
We use x/100x $rsp, this prints out 120 subsequent hexadecimal addresses from the addressor rsp. Due to the memory address of rbp, this command will view the entire stack.
For the return address, we checked with the register 0x00007fffffffe404 and it works well. Intel does the Big Endian, the least important digit is supposed to be found at the end.
Using the Metasploit framework we create a python script that will help generate a payload that will suit the application's specifications. Adding padding to the payload as we need to return the address to overwrite the bsp register. It’s not possible if the payload is not long enough.
