G4G0-2/Penetration Testing/Week 15/Week 15 - Buffer Overflow.md
2025-03-16 18:59:42 +00:00

What is Buffer Overflow

  • A buffer is a sequential block of memory allocated for anything from strings to integers
  • A buffer overflow occurs when more data is written to a buffer than it was allocated to hold
  • Writing outside the bounds of a block can crash an application, corrupt data, or allow an attacker to execute malicious code remotely
  • Languages such as Java provide automatic checking of buffer bounds; C does not.
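An added C example (not part of the original notes) that contrasts an unchecked strcpy into a fixed-size stack buffer with a bounded copy that rejects oversized input; the names copy_name_unsafe, bounded_copy, longest_accepted and NAME_CAP are assumptions made for this illustration.

```c
/* Added example, not from the original notes: a fixed-size stack buffer,
 * one copy routine that trusts the caller and one that checks bounds. */
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16 /* bytes allocated for the buffer, including the NUL */

/* Unsafe: strcpy does not know how large `name` is, so any source longer
 * than NAME_CAP-1 characters writes past the end of the buffer. C performs
 * no bounds check; on the stack the bytes after `name` are other locals,
 * the saved EBP and the saved return address, which is why this is the
 * classic memory-corruption bug. Only ever called here with input that fits. */
void copy_name_unsafe(const char *src)
{
    char name[NAME_CAP];
    strcpy(name, src);          /* no bound check */
    printf("unsafe: %s\n", name);
}

/* Safe: measure the input against the declared capacity first and refuse
 * (return 0) anything that would not fit together with its terminator. */
int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0 || n >= cap)
        return 0;               /* would overflow: reject instead of writing */
    memcpy(dst, src, n + 1);    /* copy exactly n bytes plus the NUL */
    return 1;
}

/* Probe the checked copy with every length from 0 up to max_len, like a
 * tiny fuzz harness over constructed input, and return the longest length
 * it accepted. For NAME_CAP == 16 that is 15. */
size_t longest_accepted(size_t max_len)
{
    char src[256], name[NAME_CAP];
    size_t longest = 0;
    if (max_len >= sizeof src) max_len = sizeof src - 1;
    for (size_t len = 0; len <= max_len; len++) {
        memset(src, 'A', len);
        src[len] = '\0';
        if (bounded_copy(name, sizeof name, src))
            longest = len;
    }
    return longest;
}

int main(void)
{
    copy_name_unsafe("short");  /* 6 bytes into 16: fits */
    printf("longest accepted: %zu\n", longest_accepted(64));
    return 0;
}
```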

How Are Overflow Bugs Found?

If source code is available:

  • Source code audit / review

If source code not available:

  • Reverse engineering
  • Fuzzing
  • Interactive debugger
  • Patience

X86 Architecture

  • The Control Unit (CU) fetches instructions from RAM using the Instruction Pointer (EIP)
  • ALU executes instructions fetched from RAM by CU and stores results in Registers
  • Registers are the CPU's basic storage data units used to save time and needless RAM access.

Registers

  • EAX - Accumulator (stores function return values and is used by addition and multiplication)
  • EBX - Base pointer to the data section
  • ECX - Counter for string and loop operations
  • EDX - I/O pointer
  • ESI - Source pointer for string operations
  • EDI - Destination pointer for string operations
  • ESP - Stack pointer (last item on the stack)
  • EBP - Stack frame base pointer and reference to arguments and local variables
  • EIP - Pointer to the next instruction to execute (“instruction pointer”)

Segment Registers

  • CS : Holds the address to the Code segment of the program
  • DS : Holds the address to the Data segment of the program
  • SS : Holds the address to the Stack segment of the program
  • ES,FS,GS : Hold the address to the extra segments

Flags

  • Zero Flag (ZF) - Set if the result of some instruction is zero; cleared otherwise.
  • Sign Flag (SF) - Set equal to the most-significant bit of the result, which is the sign bit of a signed integer. (0 indicates a positive value and 1 indicates a negative value)
  • Carry Flag (CF): Set if an arithmetic operation generates a carry or a borrow out of the most-significant bit of the result; cleared otherwise.
  • Parity Flag (PF): Set if the least-significant byte of the result contains an even number of 1 bits; cleared otherwise.
  • Overflow Flag (OF): Set if the integer result is too large a positive number or too small a negative number (excluding the sign bit) to fit in the destination operand; cleared otherwise. This flag indicates an overflow condition for signed-integer (two's complement) arithmetic.

Push / Pop

PUSH src

  • src operand can be a register or an immediate
  • In a DWORD scenario, the PUSH instruction automatically decrements the stack pointer by 4, i.e., sp <- sp-4

POP dst

  • dst operand can be a register
  • In a DWORD scenario, the POP instruction automatically takes a DWORD off the stack, puts it in the register and increments the stack pointer by 4, i.e., sp <- sp+4

Examples of PUSH / POP