Monday 28 March 2011

Shellcode Tutorial - Part 3

So far I have made references to 'flow control data'; in this post I want to explain and clarify what this really means.

A program, like our authentication example, is not just a big list of instructions with one following after the other. A program makes decisions, it compares data and performs different tasks according to the result. This is achieved through what are called jumps. A jump in a program is just a decision (based on some program data) as to whether or not the program should 'jump' to another part of the program, or carry on as normal. These jumps are sometimes called branches.

A certain type of branch that is very common is called a function call. When writing a program it is often useful to compartmentalise the semantic purpose of the program into little chunks. These little chunks are called functions. For example, you might have a function that calculates a Christmas bonus based on salary and performance of your employees. Rather than writing the same calculation over and over for each employee, you would simply write a Christmas bonus function, and call that function with information from each employee. That way you only have to write the calculation once.

These function calls happen all the time in pretty much every program ever written. We are interested in exactly how a function is called in terms of a running process. When a program reaches a function call, the first thing it does is make a note of what is called a return address. This is necessary as when the function completes (in our example, when the Christmas bonus has been calculated) the process needs to return control to whatever the program was doing just before the function call.

So when the function completes, it checks the return address and jumps back to the calling procedure, just after its own function call, so that the program can continue on as it was. This return address is the target of the majority of buffer overflow attacks. When we overflow our buffer as in Part 2, it is often the case that a return address (of some kind) is overwritten by the overflowing data. It is overwritten with whichever part of our input data happens to end up over the location in memory where the return address was stored.

When the function completes and attempts to jump back up to the calling procedure, it reads the (now incorrect) value stored in the return address and jumps to this new memory location. This is why the program crashes with a segfault: the program tries to jump to an address that is outside its allocated memory and the operating system will not allow it. (Accidentally overwriting a return address has only a very small chance of replacing it with a value that does not cause this kind of crash, as the memory allocated to a process is comparatively tiny in relation to the total potential address space.)
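As an added illustration (not code from the original post, nor the tutorial's own authentication program), the C model below lays a single stack frame out as a plain byte array so the overwrite described above can be observed without undefined behaviour: a 16-byte username buffer followed directly by the 8-byte saved return address. The buffer size, the frame layout and the caller address 0x401234 are assumptions of the model; the checked copy beside the unchecked one is the bounds check that stops the return address from being touched at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame (real frames also hold a saved frame
 * pointer, and the compiler decides the layout): a 16-byte username buffer
 * followed directly by the 8-byte saved return address. */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + 8)
#define ORIG_RET   0x401234ULL   /* hypothetical address inside the caller */

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

static void frame_init(frame_t *f, uint64_t ret) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + BUF_SIZE, &ret, sizeof ret);   /* the flow-control data */
}
static uint64_t frame_ret(const frame_t *f) {
    uint64_t r;
    memcpy(&r, f->bytes + BUF_SIZE, sizeof r);
    return r;
}

/* Vulnerable pattern: no length check, so bytes 16..23 of the name land on
 * the return address (clamped to the frame so the model stays in bounds). */
static void copy_username_unchecked(frame_t *f, const char *name) {
    size_t n = strlen(name);
    memcpy(f->bytes, name, n > FRAME_SIZE ? FRAME_SIZE : n);
}
/* Hardened form: reject any name that does not fit with its NUL terminator. */
static int copy_username_checked(frame_t *f, const char *name) {
    size_t n = strlen(name);
    if (n >= BUF_SIZE) return -1;        /* refuse instead of overflowing */
    memcpy(f->bytes, name, n + 1);
    return 0;
}
/* What the return-address field holds after copying `name` either way. */
static uint64_t ret_after_copy(const char *name, int checked) {
    frame_t f;
    frame_init(&f, ORIG_RET);
    if (checked) copy_username_checked(&f, name); else copy_username_unchecked(&f, name);
    return frame_ret(&f);
}

int main(void) {
    const char *input = "AAAAAAAAAAAAAAAABBBBBBBB";   /* constructed: 16 fill, 8 spill */
    printf("unchecked: 0x%llx\n", (unsigned long long)ret_after_copy(input, 0));
    printf("checked:   0x%llx\n", (unsigned long long)ret_after_copy(input, 1));
    return 0;
}
```

With the unchecked copy the field reads 0x4242424242424242 (the eight 'B' bytes), which is the "now incorrect" value the function would try to return to; with the checked copy the original address survives.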

So what we can now do, as a hacker, is supply a long username (taking our authentication example from Part 2) that causes a carefully chosen address to be written over the return address. Whatever we point that address at is what the program will run once it jumps there. But what do we jump to? This is the tricky part.

We now have the power to run any set of instructions we like, provided they can already be found somewhere in the memory available to the process. So we could jump to some other random procedure and possibly cause some harm, but we are still confined to just executing instructions that were already present in the program.

Or are we? Remember that we have just written a great big long username into memory, and only the tail end of it is actually doing anything useful (the part that has been carefully crafted with our desired return address). We can use the rest of it to store a sequence of instructions, and then point the return address to the beginning of that sequence of instructions. Now we have total control of the process!

The sequence of instructions is called the shellcode, because classically it has always been used to spawn a local or remote shell. The process of writing a shellcode from scratch is quite complex and involved and I plan to address it in a later part of this tutorial (I highly recommend The Shellcoder's Handbook for those who want to learn more, link to the side). For now just be convinced that we can A) cause the remote process to jump to any location in memory that we choose, and B) write a sequence of instructions to memory to execute any (albeit small) program we like.

38 comments:

  1. freakin win, and good job explaining it straightforwardly

  2. Ah, part three, finally. Awesome tutorials!

  3. Getting slightly less confusing...

  4. you sir, are the proud owner of an awesome blog.
    followed

  5. awesome blog.. don't do a lot of this kind of programming, but still good reading

  6. You know what, I really am having trouble getting this. Can you make it more clear?

  7. Haven't touched programming in years, brings back a lot of memories

  8. haven't seen this yet, might check it out though

  9. Nice man, following for sure.

  10. Hmmm, can shell-code overwrite occupied memory-space?

  11. It's nice to have tutorials like these at hand when we need them. Great tips and guides you share man. Will certainly follow.

  12. great points altogether, you simply won a logo new reader. What may you suggest about your publish that you made a few days ago? Any certain?

  13. Greetings from Idaho! I'm bored to tears at work so I decided to browse your blog on my iPhone during lunch break. I love the info you provide here and can't wait to take a look when I get home. I'm amazed at how quick your blog loaded on my phone .. I'm not even using WiFi, just 3G .. Anyways, good blog!

  14. There is certainly a lot to learn about this issue. I love all of the points you made.

  15. My brother suggested I might like this blog. He was entirely right. This post truly made my day. You can't imagine just how much time I had spent for this info! Thanks!

  16. Hello, I believe that I noticed you visited my weblog so I came to go back the want? I'm attempting to in finding issues to improve my site! I assume it's good enough to use some of your ideas!!

  17. Hurrah! Finally I got a weblog from where I am able to really get valuable data regarding my study and knowledge.

  18. I am not sure where you're getting your information, but good topic. I need to spend some time learning much more or understanding more. Thanks for excellent information, I was looking for this information for my mission.

  19. Ahaa, it's good conversation about this article here at this website, I have read all that, so at this time me also commenting at this place.

  20. Just want to say your article is as astounding. The clearness for your put up is simply nice and that I could think you're knowledgeable on this subject. Well along with your permission allow me to clutch your RSS feed to stay up to date with approaching post. Thanks one million and please keep up the enjoyable work.

  21. I think the admin of this web page is in fact working hard in support of his website, since here every information is quality based information.

  22. Because the admin of this web page is working, no question very rapidly it will be renowned, due to its feature contents.

  23. We're a group of volunteers and starting a new scheme in our community. Your website offered us with valuable info to work on. You have done a formidable job and our entire community will be grateful to you.

  24. Naturally like your web-site but you need to check the spelling on quite a few of your posts. Many of them are rife with spelling problems and I find it very troublesome to inform the truth, nevertheless I'll definitely come again.

  25. Hey there! I just want to give you a big thumbs up for the great information you have got right here on this post. I'll be returning to your blog for more soon.

  26. Wow that was strange. I just wrote a really long comment but after I clicked submit my comment didn't show up. Grrrr... well I'm not writing all that over again. Regardless, just wanted to say wonderful blog!

  27. Thanks, I've just been looking for information approximately this subject for a while and yours is the greatest I have found out till now. But, what in regards to the bottom line? Are you certain concerning the supply?

  28. Magnificent goods from you, man. I've understand your stuff previous to and you are just extremely fantastic. I actually like what you have acquired here, certainly like what you are stating and the way in which you say it. You make it entertaining and you still care for to keep it smart. I can't wait to read much more from you. This is really a terrific web site.

  29. You ought to be a part of a contest for one of the best blogs on the web. I will recommend this web site!

  30. Heya I'm for the first time here. I found this board and I find it really useful & it helped me out much. I hope to give something back and help others like you helped me.

  31. I'm really impressed along with your writing abilities as well as with the format in your blog. Is this a paid subject matter or did you customize it yourself? Either way keep up the nice high quality writing, it is rare to look a great blog like this one today.

  32. Good day I am so delighted I found your webpage, I really found you by error, while I was searching on Askjeeve for something else, Regardless I am here now and would just like to say thanks for a remarkable post and an all round entertaining blog (I also love the theme/design), I don't have time to browse it all at the moment but I have bookmarked it and also added in your RSS feeds, so when I have time I will be back to read more, Please do keep up the great job.

  33. I've been surfing online more than 2 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. Personally, if all webmasters and bloggers made good content as you did, the net will be a lot more useful than ever before.

  34. Wow! This blog looks just like my old one! It's on a completely different topic but it has pretty much the same layout and design. Wonderful choice of colors!

  35. Hello, I believe that I noticed you visited my site so I came to return the want? I am trying to find issues to improve my web site! I assume it's ok to make use of some of your ideas!!

  36. Hello! This is kind of off topic but I need some guidance from an established blog. Is it hard to set up your own blog? I'm not very technical but I can figure things out pretty fast. I'm thinking about making my own but I'm not sure where to begin. Do you have any points or suggestions? Cheers
