Recently my article got published in the April 2013 edition of Linux For You magazine, which is Asia’s first and complete magazine on open source technologies. The name of the article is “Preventing buffer overflow attacks using GDB“. It demonstrates the case of a simple buffer overflow and how it can be exploited. The basic usage of GDB is also explained in the article.
You can read the article here: Preventing buffer overflow attacks using GDB
Do any of the binary exploiters out there know who Elias Levy is?
People know him better by the name Aleph One. He wrote the article “Smashing the Stack for Fun and Profit”, which is the first documentation of buffer overflows. Buffer overflows are one of the most common kinds of vulnerabilities found in C programs: a buffer is overflowed and its adjacent memory locations are overwritten with an address of the attacker’s choosing. The control flow of the program is changed in such a manner that it executes the malicious code that the person exploiting the vulnerability wants it to execute.
Coming back to Elias Levy, he is the first person to ever explain buffer overflows publicly. He did so by writing an article in Phrack magazine in the year 1996 (Phrack currently issues a copy once a year or so). For all of you who aspire to become experts in binary exploitation, reading, and not just reading but thoroughly understanding, this article is absolutely mandatory. Elias Levy is also the CTO and co-founder of the computer security company SecurityFocus. He was also the moderator of the full-disclosure mailing list Bugtraq.
- Elias Levy a.k.a. Aleph One
The article gives a very detailed step-by-step explanation of how to overflow a buffer, and not just overflow it but also take full advantage of the overwritten values. It also explains how to write your own shellcode.
Without this article it would have been difficult for me to understand what exactly happens in a buffer overflow. Although I’m no expert at exploiting the vulnerability, I can at least follow what exactly is happening.
A few days back, I read about stack canaries. I thought I’d blog about it. So here goes…
A stack canary is a mechanism that protects the stack from being attacked by malicious code. A stack canary is an extra value that is placed on the stack, in every function, between the local buffers and the saved return address. In short, it is inserted in memory wherever there is a return address, right after the buffer. This value is then followed by the return address. Thus, if an attacker tries to overwrite the return address, he would surely have to overwrite the canary as well. Before execution goes to the (possibly overwritten) return address, the program checks whether the value of the canary has changed. If it is found that the value has been changed, the execution of the program stops immediately.
The following figure shows a clear picture of where the canary bit is placed.
However, there are ways by which this mechanism could be bypassed as well. The attacker could find out the original value of the canary and then write that same value back into the canary’s location while the buffer is being overflowed and the return address overwritten. So, when the address in eip is being overwritten and the value of the canary is checked, it appears unchanged.
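To make the mechanism concrete, here is a small added C program (not from the original post or the magazine article) that simulates a stack frame with the canary sitting between the local buffer and the saved return address, then runs the canary check before “returning”. The frame layout, the canary constant and the return address are constructed for the demo; a real compiler (e.g. gcc’s -fstack-protector) emits the equivalent check in the function epilogue with a per-process random canary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame, lowest address first: buffer, canary, saved return address. */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + sizeof(uint64_t))
#define FRAME_SIZE (RET_OFF + sizeof(uint64_t))

/* Assumed canary for the demo; a real one is chosen at random per process
 * so it cannot be known in advance and written back unchanged. */
static const uint64_t CANARY = 0xdeadbeefcafe00ffULL;

/* Copies input into the buffer with no bounds check, as strcpy/gets would;
 * the copy is clamped to the simulated frame so the demo stays memory-safe. */
static void unchecked_copy(uint8_t *frame, const uint8_t *input, size_t len) {
    memcpy(frame, input, len > FRAME_SIZE ? FRAME_SIZE : len);
}

/* The epilogue check: 1 if the canary is intact, 0 if it was overwritten. */
static int canary_intact(const uint8_t *frame) {
    uint64_t seen;
    memcpy(&seen, frame + CANARY_OFF, sizeof seen);
    return seen == CANARY;
}

/* Set up the frame, copy input, check the canary before "returning".
 * Returns 1 if the return address can still be trusted, 0 if smashed. */
int process_input(const uint8_t *input, size_t len) {
    uint8_t frame[FRAME_SIZE];
    uint64_t ret = 0x401000; /* constructed placeholder, not a real address */
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(frame + RET_OFF, &ret, sizeof ret);
    unchecked_copy(frame, input, len);
    if (!canary_intact(frame)) {
        fputs("canary changed: stack smashing detected, not returning\n", stderr);
        return 0; /* a real runtime calls abort() here */
    }
    return 1;
}

/* Constructed oversize input: 32 'A's, enough to run past the canary. */
int demo_overflow(void) {
    uint8_t big[32];
    memset(big, 'A', sizeof big);
    return process_input(big, sizeof big);
}
```

Input that fits in the 16-byte buffer leaves the canary untouched and the function returns normally; the 32-byte input overwrites the canary on its way to the return address, so the check fails before the corrupted address is ever used.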
Source for the data: http://en.wikipedia.org/wiki/Buffer_overflow_protection
Source for the image: http://www.drdobbs.com/security/anatomy-of-a-stack-smashing-attack-and-h/240001832
Two months back, I had the opportunity to take part in the Secure Capture The Flag (sCTF) contest conducted at Amrita University, Amritapuri, by Team bi0s (organizers of the India Capture the Flag and one of the only teams from India that have done well in international CTFs), as a part of the SecurIT (Security of Internet of Things) conference. That got me interested in CTFs. The contest is named after the outdoor game in which many flags are hidden and each team’s objective is to capture the other team’s flags.
What interested me the most is that in CTFs you get to deal with security issues as they occur in the real world. You have attacking, defending, and then you need to score as well. This really does help in developing the habit of secure coding. In a CTF, each team is generally given a machine and has to protect an isolated network. At the same time, they have to try to attack the other teams’ networks and capture the flags (this might differ between CTFs; it may even be required that you plant your flag on the opponent’s machine). A CTF generally tests a team’s ability in various aspects of information security like cryptography and cryptanalysis, web vulnerabilities, networking, forensics, reverse engineering, binary exploitation and many others.
Right now, I’ve started working in the area of binary exploitation. Binary exploitation is finding vulnerabilities in code and trying to exploit them. Now the slightly difficult part is that the source code is not given to you. You have to disassemble the executable (binary) of that code and try to understand where the vulnerability is, and for this you need to be really good at assembly language. I’d like to become an expert in this field before I move on to other areas. 🙂 I’ll be posting more about the two things that you need to know for binary exploitation.