Hey Amazing hackers,
Today I am going to exhibit a simple buffer overflow script, which can manipulate any systems overall. This could be very harmful because we will be working with C language.That said before introducing the buffer overflow script lets talk about buffer overflow attack what it does shortly.
Buffer overflow in C language
Buffers overflows generally exist in low languages like C. That does not mean that it cannot be occured on other languages or have not overflow vulnerabilities but for the most, C and C++ are the primary culprits.Writing code is not easy and when programs are large and complex it is expected that errors will be made. The classic stack-based buffer overflow is most often present when an unintented write operation, past the end of a buffer overflow into other areas of memory is possible. In order to exploit this vulnerabilty additional steps must be taken to determine if it is possible to write some code of our choosing and to ultimately get that code to execute.
This type of vulnerability is “gets” it involves the use of gets() function which was removed from the C11 standard. This function is dangerous because it does not check how much input sent from stdin. Older programs or developers who are unware of this issue may use gets(). gets() reads characters from stdin and writes them to an array or buffer until and end-of-life or newline character is encountered.
The spring print function. Sprint() copies a string to buffer. In the following example we see this in action, but the program does not check the length of the input string which is called name in this example. The string could come from another part of the program a user, network traffic or an environment variable, so we have no way of knowing how many character it is
Writing a buffer overflow script in C
I mostly prefer IDE (dev c++, CodeBlock) for writing a script/programs however, for this purposes I am going to code this in text editor. We will be using malloc (memory allocation) stay focus on this screenshot below, I will explain this script how it works:)
We have used two variables, which are “hacker“ and “command” to allocate the memory to malloc() furthermore, we did say that “command” may use 128 chars and “hacker” 10 chars. We see a printf statements, which is going to calculate the memory of each of them, and line #16 shall calculate the memory space between hacker and command. So line #17 will be asking for the best hacker:) and thus with system() we see command variable , which has 128 chars.
with that being said, lets execute this script.
We used our favorite GCC compiler and must be an executable script (chmod +x <your-file>).
We are able to see that our memory space is limited to be 32 bytes.
Lets buffer this memory
Everything was as expected until that see the last line (it says sh: 1: b: not found) it attempts to execute whatever is in the “command” variable. Earlier, there was nothing in this variable and nothing executed, but now it appears to execute “b” and it responds with “not found”. It is telling us that it did not find any commands “b” “command” variable memory area and our program attempted to execute it. This is useful information that we might be able to use as an attacker!
Lets we whether we are able to overwrite this memory to be meaningful linux command such as “netstat”, “id”, “ifconfig(pivot attack)”
As we expected we do, because we did overwrite the memory above 32 bytes and each character is 1 byte.
Lastly, it may be out of scope but , most people are confusing between exploit and buffer overflows attack let me explain briefly
Exploits vs Buffer overflows
Such topics might be commonly misunderstood. As you have probably come to realize already, buffer overflows are s specific type of vulnerability and the process of leveraging or utilizing that vulnerabilty to penetrate a vulnerable system is referred to as “exploiting a system”. Exploits are programs that automatically test a vulnerabilty and in most cases attempt to leverage that vulnerability by executing a code, exploit, should the vulnerability be a denial of service attack such that would exploit crash the system, which overuns the buffer.
Buffer overflow attacks are being prevented by large companies such as not using gets(), sprintf() I would say that; buffer overflows will not definetly be removed or prevented totally because such attacks are still existed being aware and analyze the code before executing it.
Thanks for reading this blog.
I would like to hear your thoughts and opinions which can be added at this blog.
Ahmet Göker | PoC/exploit researcher | CTF player | Youtuber
You can follow me on social platforms.