Monday 28 March 2011

Shellcode Tutorial - Part 2

So we've got a very blurry and nonsensical image of what's kind of going on. In this post I will try to solidify that a little.

In practical terms, a buffer overflow vulnerability appears when a programmer forgets to check the length of user-supplied data. So let's say you're logging into a website, and whoever programmed the process that authenticates the username and password you supply forgot to check the lengths of these two things. You could supply a really, really long username, thousands of characters long. But why is this a problem?

This is a problem because of the way the computer (that's the remote server doing the authentication, not the computer in front of you) stores program data. It must 'write down' the username you give it, and to do that it has to allocate a certain amount of space for it. This amount of space is hard-coded, and most programmers will think something along the lines of: allocate 20 characters' worth of space for the username, and write the username they type in to that space. So if we type in a username longer than 20 characters, what happens? Well, we crash the program. Our long username gets written to the allocated space, fills it, and continues to overflow into other areas of memory, overwriting whatever was previously stored there. This is almost always catastrophic for the running program and will almost always cause it to crash with a segfault.

So how do hackers exploit this simple little programming error? Well, remember in part 1 that I said the fundamental issue is that program data (in our example, that would be the username) and process flow control data are stored side by side in memory. Control flow data is information that the program uses internally: it's not data any user, even the programmer, is likely to see, but a running program needs it to keep track of certain things. So when our long username overflows its buffer and writes to other areas of memory, sometimes it will overwrite control flow data. And it is in these cases that a skilled hacker can take control of the process by steering it in the direction he wants in just the right way.
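The 20-character username buffer and the data stored next to it, modelled as an added C example (not code from the original post), with the missing length check shown beside the unchecked write. The `login_frame` struct, its `neighbour` field and all function names are assumptions made for illustration; the unchecked copy is capped at the struct size so the overflow stays inside the model.

```c
#include <stdio.h>
#include <string.h>
#define USERNAME_SPACE 20          /* the 20 characters from the text */
#define NEIGHBOUR_INIT 0xC0FFEEu   /* constructed marker value */

/* Constructed model of memory: the username buffer with other program
 * data stored directly after it. */
struct login_frame {
    char username[USERNAME_SPACE];
    unsigned int neighbour;
};

static void frame_init(struct login_frame *f)
{
    memset(f->username, 0, sizeof f->username);
    f->neighbour = NEIGHBOUR_INIT;
}

/* Models the unchecked write. The copy is capped at the model frame's size,
 * so it can spill from username into neighbour but never past the struct. */
static void store_unchecked(struct login_frame *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
}

/* The missing check: refuse anything that does not fit, terminator included. */
static int store_checked(struct login_frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof f->username)
        return -1;
    memcpy(f->username, input, n + 1);
    return 0;
}

int main(void)
{
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* 24 chars, constructed */
    struct login_frame f;
    frame_init(&f);
    store_unchecked(&f, long_name);
    printf("unchecked: neighbour intact = %d\n", f.neighbour == NEIGHBOUR_INIT);
    frame_init(&f);
    int rc = store_checked(&f, long_name);
    printf("checked: rc = %d, neighbour intact = %d\n", rc, f.neighbour == NEIGHBOUR_INIT);
    return 0;
}
```

With the unchecked write the neighbouring value no longer holds its marker; with the check in place the long username is rejected and the neighbour is untouched.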

7 comments:

  1. Security is very important nowadays, hackers can get into your PC/website easily.

  2. nice reading, great stuff, thanks

  3. Great post! Was a really good read! thanks for sharing!

  4. Very interesting stuff. I learnt a couple of things from this post, thanks.

    I'm always happy to hear more about computers, followed.

    Take a look at my blog sometime at:
    http://riotoflegends.blogspot.com/

  5. This is a neat blog. You should post more images!

  6. Interesting stuff. I'll be following to learn more!
