G4G0-2/Penetration Testing/Week 15/Week 15 - Buffer Overflow.md
2025-03-16 18:59:42 +00:00

# What is Buffer Overflow
- A buffer is a sequentially allocated block of memory used for anything from strings to integers
- A buffer overflow occurs when more data is written to a buffer than it was allocated to hold
- Writing outside the bounds of a block can crash an application, corrupt data, or allow an attacker to execute malicious code remotely
- Languages such as Java automatically check buffer bounds; C does not.
# How Are Overflow Bugs Found?
If source code is available:
- Source code audit / review
If source code not available:
- Reverse engineering
- Fuzzing
- Interactive debugger
- Patience
# X86 Architecture
- The Control Unit (CU) fetches the instructions to execute from RAM at the address held in the Instruction Pointer (EIP)
- The ALU executes the instructions fetched from RAM by the CU and stores the results in registers
- Registers are the CPU's basic data storage units; they save time by avoiding needless RAM access.
## Registers
- EAX - Accumulator (stores function return values; used by addition and multiplication)
- EBX - Base pointer to the data section
- ECX - Counter for string and loop operations
- EDX - I/O pointer
- ESI - Source pointer for string operations
- EDI - Destination pointer for string operations
- ESP - Stack pointer (points to the last item pushed onto the stack)
- EBP - Stack frame base pointer and reference to arguments and local variables
- EIP - Pointer to the next instruction to execute (“instruction pointer”)
### Segment Registers
- CS : Holds the address to the Code segment of the program
- DS : Holds the address to the Data segment of the program
- SS : Holds the address to the Stack segment of the program
- ES,FS,GS : Hold the address to the extra segments
### Flags
- Zero Flag (ZF): Set if the result of an instruction is zero; cleared otherwise.
- Sign Flag (SF): Set equal to the most-significant bit of the result, which is the sign bit of a signed integer (0 indicates a positive value, 1 a negative value).
- Carry Flag (CF): Set if an arithmetic operation generates a carry or a borrow out of the most-significant bit of the result; cleared otherwise.
- Parity Flag (PF): Set if the least-significant byte of the result contains an even number of 1 bits; cleared otherwise.
- Overflow Flag (OF): Set if the integer result is too large a positive number or too small a negative number (excluding the sign bit) to fit in the destination operand; cleared otherwise. This flag indicates an overflow condition for signed (two's complement) integer arithmetic.
- ![](Pasted%20image%2020250116093127.png)
### Push / Pop
PUSH src
- The src operand can be a register or an immediate
- In a DWORD scenario, the PUSH instruction automatically decrements the stack pointer by 4 before storing the value, i.e., sp <- sp-4
POP src
- The src operand can be a register
- In a DWORD scenario, the POP instruction automatically takes a DWORD off the stack, puts it in the register, and increments the stack pointer by 4, i.e., sp <- sp+4
#### Examples of PUSH / POP
![](Pasted%20image%2020250116093226.png)
![](Pasted%20image%2020250116093312.png)
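As an added example (not from the course notes), the following C program models the PUSH / POP semantics above on a constructed 64-byte stack, with array offsets standing in for addresses. It also models a function reserving a local buffer below the stack pointer, and shows the length check whose absence turns such a copy into the buffer overflow described at the top of the page: without it, input longer than the buffer runs upward into the DWORDs pushed earlier.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a 32-bit x86 stack: a byte array plus a stack pointer.
   Offsets play the role of addresses; the stack grows toward lower offsets. */
#define STACK_SIZE 64
typedef struct {
    uint8_t  mem[STACK_SIZE];
    uint32_t sp;                /* offset of the DWORD on top of the stack */
} Stack;

static void stack_init(Stack *s) {
    memset(s->mem, 0, sizeof s->mem);
    s->sp = STACK_SIZE;         /* empty: sp sits just past the highest byte */
}

/* Read the DWORD stored at offset `off`, little-endian as on x86. */
static uint32_t peek32(const Stack *s, uint32_t off) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)s->mem[off + i] << (8 * i);
    return v;
}

/* PUSH src: sp <- sp-4, then store src at [sp]. Returns 0, or -1 when the
   region is full (a real CPU would just keep writing below it). */
static int push(Stack *s, uint32_t src) {
    if (s->sp < 4) return -1;
    s->sp -= 4;
    for (int i = 0; i < 4; i++) s->mem[s->sp + i] = (uint8_t)(src >> (8 * i));
    return 0;
}

/* POP dst: load the DWORD at [sp] into *dst, then sp <- sp+4. */
static int pop(Stack *s, uint32_t *dst) {
    if (s->sp + 4 > STACK_SIZE) return -1;   /* nothing left to pop */
    *dst = peek32(s, s->sp);
    s->sp += 4;
    return 0;
}

/* Model a prologue reserving `size` bytes of local buffer below sp (SUB ESP,
   size) followed by a copy of `len` input bytes into it. The `len > size`
   check is the one an unbounded strcpy()-style copy omits. */
static int copy_into_local(Stack *s, uint32_t size, const uint8_t *data, size_t len) {
    if (s->sp < size) return -1;
    if (len > size) return -1;   /* reject the input instead of overflowing */
    s->sp -= size;
    memcpy(&s->mem[s->sp], data, len);
    return 0;
}
```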